SAML

From AgileApps Support Wiki
Revision as of 19:02, 16 August 2011 by imported>Aeric (Created page with "[http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Security Assertion Markup Language (SAML)] is an XML-based standard for exchanging authentication and authorizati…")

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. The Service Provider must enroll with an Identity Provider and obtain an Issuer URL.

How it Works

First, Single Sign-On Settings are configured for SAML in the platform, then a link to the AgileApps Cloud platform is created in the corporate website/portal. Note: the link can be named or branded in any way, as specified by the Service Provider.

Users logged into a corporate website/portal can click the link and are then automatically logged into the AgileApps Cloud platform, without requiring additional authentication.

For example, an employee of ABC Company logs into the corporate website, which includes a link to the AgileApps Cloud platform on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.

Enable SSO in the Platform

Users with the System Administrator role can enable Single Sign-On.

Single Sign On must be enabled for each user, individually. This is typically performed when the user account is created in the platform. Learn more: Add a User

To configure Single Sign-On:

  1. Click Settings > Administration > Single Sign-On
  2. Click the [Edit] button
  3. In the Single Sign-On Settings section, complete the following information:
     Implementation Type
       Choose from Delegated Authentication or SAML.
     Delegated Authentication
       In the Configuration section, complete the following information:
       • Specify the URL of the authentication server running in your environment (for example, abc5.abc.com:8080)
       • The URL and port number must be specified using a Fully Qualified Domain Name (FQDN) or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) is used to access this URL.
       • If you do not have this information available, contact your IT department or System Administrator.
     SAML
       In the Configuration section, complete the following information:
       SAML Version
         • Choose from Version 1.0 or Version 2.0
       Issuer
         The Issuer URL identifies the identity provider, which is the entity that authenticates a user or maintains the user's credentials. The Identity Provider issues this URL, and the platform uses it to contact the provider during the login process.
         • Syntax: The URL and port number must be specified using an FQDN or an IP address, for example:
           • www.abc.com:9090
           • 192.168.1.10
           • abc.def.com
       User Id Type
         Determines the type of identifier used to match the logged-in user to a platform user.
         • Choose from UserId or Federated Id, where:
           • UserId is the Record Id of the user that is logged in
           • Federated Id is the identity a user carries across multiple IT systems or organizations. Learn more: Federated Identity.
       User Id Location
         Specifies the attribute tag that defines where the User Id is located in the SAML assertion.
         • Choose from Subject or Attribute
       Issuer Certificate
         The issuer certificate is used to sign and verify SAML messages. Requires a valid X.509 issuer certificate.
         • Choose one of the following options:
           • Paste the Issuer Certificate in the text area
           • Navigate to the Issuer Certificate section, then select and load a file containing the Issuer Certificate
  4. Enable Single Sign-On for each User, via Add a User
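The following is an added example, written for this page and not AgileApps platform code, showing how the SAML settings above (Issuer, User Id Type, User Id Location) fit together when an assertion is processed. It assumes the XML signature has already been verified against the configured Issuer Certificate, which is the step that makes the remaining checks trustworthy; the Issuer value, the attribute name federatedId, the settings dictionary and the sample assertion are all constructed for illustration.

```python
"""Resolve the platform user identifier from a SAML 2.0 assertion according
to the Single Sign-On settings (Issuer, User Id Type, User Id Location).
Added example, not AgileApps code. Assumes the assertion's XML signature has
already been verified with the configured Issuer Certificate."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical settings, as they would be entered in Single Sign-On Settings.
SSO_SETTINGS = {
    "issuer": "https://idp.example.com/saml",  # constructed Issuer value
    "user_id_type": "FederatedId",              # "UserId" or "FederatedId"
    "user_id_location": "Attribute",            # "Subject" or "Attribute"
    "user_id_attribute": "federatedId",         # assumed attribute name for location "Attribute"
}

# Constructed sample assertion (no real IdP, user or key is involved).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2011-08-16T19:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jsmith</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2011-08-16T18:55:00Z" NotOnOrAfter="2011-08-16T19:05:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="federatedId">
      <saml:AttributeValue>jsmith@abc.example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


class SamlValidationError(Exception):
    """Raised when the assertion must not be used to log a user in."""


def parse_saml_time(value):
    # SAML timestamps are xsd:dateTime in UTC, e.g. 2011-08-16T19:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def resolve_user_id(assertion_xml, settings, now):
    """Return (User Id Type, identifier) the platform would look up, or raise."""
    root = ET.fromstring(assertion_xml)

    # 1. The assertion must come from the configured Issuer; any other issuer is
    #    rejected even if the document is otherwise well-formed.
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings["issuer"]:
        raise SamlValidationError(f"unexpected issuer {issuer!r}")

    # 2. Enforce the validity window so an old assertion cannot be replayed later.
    cond = root.find("saml:Conditions", namespaces=NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise SamlValidationError("assertion lacks a validity window")
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")

    # 3. User Id Location decides where the identifier is read from.
    location = settings["user_id_location"]
    if location == "Subject":
        user_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    elif location == "Attribute":
        user_id = None
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", namespaces=NS):
            if attr.get("Name") == settings["user_id_attribute"]:
                user_id = attr.findtext("saml:AttributeValue", namespaces=NS)
                break
    else:
        raise SamlValidationError(f"unknown User Id Location {location!r}")
    if not user_id:
        raise SamlValidationError("user identifier not present in assertion")

    # 4. User Id Type says which platform field (Record Id or Federated Id)
    #    this value is matched against.
    return settings["user_id_type"], user_id


if __name__ == "__main__":
    print(resolve_user_id(SAMPLE_ASSERTION, SSO_SETTINGS, parse_saml_time("2011-08-16T19:00:00Z")))
```

Switching user_id_location to Subject makes the same function read the NameID instead of the attribute, which is the practical difference between the two User Id Location choices; the issuer comparison and the time-window check stay the same in both cases.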

Guidelines

  • The System Administrator can decide to enable some users for SSO and disable SSO for other users. In this case, users with SSO enabled will be validated against their corporate environment and users with SSO disabled will be validated against the platform.
  • SSO cannot be turned off if there exists at least one user who has SSO enabled from the user profile. If the System Administrator tries to disable SSO under this condition, a warning is displayed.
  • If SSO is disabled and the System Administrator tries to enable SSO for a user, the System Administrator is asked to enable SSO and provide a valid SSO URL.
  • When disabling SSO for a User, the administrator is asked to use Reset Password for the user. This is to ensure that this user receives a valid password for login.

Restrictions

  • The username in the platform should be the same as the username in your organization's environment.
  • These password-related options are not allowed for SSO users:
      • Reset Password
      • Change Password
      • Forgot Password (a message is shown prompting the user to contact their organization's system administrator)
  • When adding a new user, the Welcome email message will not contain a password.
  • SSO can be turned on/off at the user level, if the System Administrator has granted the user rights to change this setting.