Difference between revisions of "SAML"

Latest revision as of 22:24, 19 September 2012

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. The Service Provider must enroll with an Identity Provider and obtain an Issuer URL.

How it Works

An enterprise app contains a link to the LongJump Platform. When users who are logged into the enterprise app click that link, they are automatically logged into the LongJump Platform, without requiring additional authentication. For example, an employee of ABC Company logs into the corporate website, which includes a link to the LongJump Platform on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.

The process is shown in the following diagram:

Here is an explanation of the steps:

	User	Your Organization's Web App	Platform	Identity Provider
1.	Logs in to a web app provided by your organization	Provides a link to the platform's SAML handler (generated by the platform when SAML is configured) Includes the desired platform target page as an argument in the link
2.	Clicks the link that goes to the SAML handler
3.			Sends an assertion to the identity provider
4.				Retrieves and validates the user's identity
5.				Sends the user's identity to the platform
6.			Redirects the user to the appropriate page.

Enabling SAML

Click Settings > Administration > Single Sign-On
Click the [Edit] button
For Single Sign-On Settings, choose SAML
Fill in the SAML Settings (below)
Click [Save]

The platform generates a link that goes to the SAML platform's SAML handler.

SAML Settings

Version

SAML Version

Choose from Version 1.0 or Version 2.0

Issuer: The identity provider. (A name or identifier of some sort.)

User Id Type

Determines the type of identifier

Choose from UserId or Federated Id, where:

UserId is the Record Id of the user that is logged in
Federated Identity acts as a user's authentication across multiple IT systems or organizations. Learn more: Federated Identity.

User Id Location

Specifies an attribute tag that defines the location of the User Id

Choose from Subject or Attribute

Third Pary authentication URL

The URL used to authenticate a user or maintain a user's credentials.

Syntax:The URL and Port Number must be specified using a FQDN or an IP address, for example:

www.abc.com:9090
192.168.1.10
abc.def.com

Issuer Certificate

Issuer certificate is used to sign and verify SAML messages. Requires a valid x509 issuer certificate.

Choose one of the following options:

Paste the Issuer Certificate in the text area

Navigate to the Issuer Certificate section, then select and load a file containing the Issuer Certificate

Using SAML

To use single sign-on with SAML, you create links that go to the platform's SAML handler, passing the desired destination page as an argument.

To create a link to the platform in your enterprise app:

Copy the SAML link that was generated when SAML was configured.
Add a done= argument to the link that specifies the target page in the platform.

To create the done= argument:

Go to the standard initial page using Service?t=1&targetpage=ViewPort.jsp
Or:
a. Click the Short URL icon for the page you want to target

b. Copy the URL from the dialog that appears.

c. Edit the URL to remove https://{domain}/networking/" What remains is the argument you'll pass. For example: pages/yourPage.jsp

URL encode the link Learn more: URL Encoding

@@ Line 2: / Line 2: @@
 ===How it Works===
-First, Single Sign-On Settings are configured for SAML in the platform, then a link to the {{enterprisebrand}} is created in the corporate website/portal. Note: the link can be named or branded in any way, as specified by the [[Service Provider]].
+An enterprise app contains a link to the {{enterprisebrand}}. When users who are logged into the enterprise app click that link, they are automatically logged into the {{enterprisebrand}}, without requiring additional authentication. For example, an employee of '''ABC Company''' logs into the corporate website, which includes a link to the {{enterprisebrand}} on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.
-Users logged into a corporate website/portal can click the link and are then automatically logged into the {{enterprisebrand}}, without requiring additional authentication.
+The process is shown in the following diagram:
+:[[File:SSO-SAML.png]]
-For example, an employee of '''ABC Company''' logs into the corporate website, which includes a link to the {{enterprisebrand}} on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.
+Here is an explanation of the steps:
+:{| border="1" cellpadding="5" cellspacing="0"
+!
+!User
+!Your Organization's Web App
+!Platform
+!Identity Provider
+|-
+| 1. || Logs in to a web app provided by your organization
+|
+* Provides a link to the platform's SAML handler (generated by the platform when SAML is configured)
+* Includes the desired platform target page as an argument in the link
+| ||
+|-
+| 2. || Clicks the link that goes to the SAML handler || || ||
+|-
+| 3. || || || Sends an assertion to the identity provider ||
+|-
+| 4. || || || || Retrieves and validates the user's identity
+|-
+| 5. || ||  || || Sends the user's identity to the platform
+|-
+| 6. || || || Redirects the user to the appropriate page. ||
+|}
-==Enable SSO in the Platform==
+===Enabling SAML===
+#Click '''Settings > Administration > Single Sign-On'''
+#Click the '''[Edit]''' button
+#For ''Single Sign-On Settings'', choose '''SAML'''
+#Fill in the SAML Settings (below)
+#Click '''[Save]'''
+The platform generates a link that goes to the SAML platform's SAML handler.
-{{permission|[[Users]] with the [[Default Roles|System Administrator]] role can enable Single Sign On}}
+===SAML Settings===
+;Version:SAML Version
+:*Choose from Version 1.0 or Version 2.0
-Single Sign On must be enabled for each user, individually. This is typically performed when the user account is created in the platform. ''Learn more: [[Users#Add_a_User|Add a User]]''
+;Issuer:The identity provider. (A name or identifier of some sort.)
-To configure Single Sign-On:
+;User Id Type:Determines the type of identifier
-#Click '''Settings > Administration > Single Sign-On'''
+:*Choose from ''UserId'' or ''Federated Id, where:
-#Click the '''[Edit]''' button
+::*UserId is the [[Record Id]] of the user that is logged in
-#In the ''Single Sign-On Settings'' section, complete the following information:
+::*Federated Identity acts as a user's authentication across multiple IT systems or organizations. ''Learn more: [http://en.wikipedia.org/wiki/Federated_identity Federated Identity]''.
-#;Implementation Type:Choose from ''Delegated Authentication'' or ''SAML''
-#:'''Delegated Authentication'''
+;User Id Location:Specifies an attribute tag that defines the location of the User Id
-#:*In the ''Configuration'' section, complete the following information:
+:*Choose from Subject or Attribute
-#::*Specify the URL of the authentication server running in your environment (abc5.abc.com:8080)
-#::*Note that the URL and Port number must be specified using a [http://en.wikipedia.org/wiki/FQDN Fully Qualified Domain Name] or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used to access this URL.
+;Third Pary authentication URL: The URL used to authenticate a user or maintain a user's credentials.
-#::*'''If you do not have this information available, contact your IT department or System Administrator.'''
+:*Syntax:The URL and Port Number must be specified using a FQDN or an IP address, for example:
-#:'''SAML'''
+::*<tt>www.abc.com:9090</tt>
-#:*In the ''Configuration'' section, complete the following information:
+::*<tt>192.168.1.10</tt>
-#::;Version:SAML Version
+::*<tt>abc.def.com</tt>
-#:::*Choose from Version 1.0 or Version 2.0
-#::;Issuer:The Issuer URL acts as a identity provider, which is an entity that authenticates a user or maintains user's credentials. The Identity Provider issues a URL, which is used to contact this provider during the login process.
-#:::*Syntax:The URL and Port Number must be specified using a FQDN or an IP address, for example:
-#::::*<tt>www.abc.com:9090</tt>
-#::::*<tt>192.168.1.10</tt>
-#::::*<tt>abc.def.com</tt>
-#::;User Id Type:Determines the type of identifier
-#:::*Choose from ''UserId'' or ''Federated Id, where:
-#::::*UserId is the [[Record Id]] of the user that is logged in
-#::::*Federated Identity acts as a user's authentication across multiple IT systems or organizations. ''Learn more: [http://en.wikipedia.org/wiki/Federated_identity Federated Identity]''.
-#::;User Id Location:Specifies an attribute tag that defines the location of the User Id
-#:::*Choose from Subject or Attribute
-#::;Issuer Certificate:Issuer certificate is used to sign and verify SAML messages. Requires a valid x509 issuer certificate.
-#:::*Choose one of the following options:
-#::::*Paste the Issuer Certificate in the text area
-#:::::*Navigate to the ''Issuer Certificate'' section, then select and load a file containing the Issuer Certificate
-#Enable Single Sign-On for each [[User]], via [[Users#Add_a_User|Add a User]]
-===Guidelines===
+;Issuer Certificate:Issuer certificate is used to sign and verify SAML messages. Requires a valid x509 issuer certificate.
+:*Choose one of the following options:
+::*Paste the Issuer Certificate in the text area
+:::*Navigate to the ''Issuer Certificate'' section, then select and load a file containing the Issuer Certificate
-*The System Administrator can decide to enable some users for SSO and disable SSO for other users. In this case, users with SSO enabled will be validated against their corporate environment and users with SSO disabled will be validated against the platform.
+===Using SAML===
-*SSO cannot be turned off if there exists at least one user who has SSO enabled from the user profile. If the System Administrator tries to disable SSO under this condition, a warning is displayed.
+To use single sign-on with SAML, you create links that go to the platform's SAML handler, passing the desired destination page as an argument.
-*If SSO is disabled, and the System Administrator tries to enable SSO for a user, the System Administrator is asked to enable SSO, and provide a valid SSO URL
-*When disabling SSO for a User, the administrator is asked to use [[Users#Reset a User Password|Reset Password]] for the user. This is to ensure that this user receives a valid password for login.
-===Restrictions===
+To create a link to the platform in your enterprise app:
+# Copy the SAML link that was generated when SAML was configured.
+# Add a <tt>done=</tt> argument to the link that specifies the target page in the platform.
-*Username in the platform should be same as the username in your organization's  environment
+To create the <tt>done=</tt> argument:
-*These password-related options are not allowed:
+# Go to the standard initial page using <tt>Service?t=1&targetpage=ViewPort.jsp</tt>
-:*Reset Password
+# Or:
-:*Change Password
+#: a. Click the [[Short URL]] icon [[File:CopyShortURL.png|CopyShortURL.png]] for the page you want to target
-:*Forgot Password - a Message will be shown prompting the user to contact their organization's system administrator
+#: b. Copy the URL from the dialog that appears.
-*When adding a new user, the Welcome email message will not contain a password.
+#:c. Edit the URL to remove <tt>https://{domain}/networking/"<br>What remains is the argument you'll pass. For example: <tt>pages/yourPage.jsp</tt>
-*SSO can be turned on/off at the user level, if the System Administrator has granted the user rights to change this setting
+# ''URL encode'' the link
+#:''Learn more:'' [[URL Encoding]]

Search

where to start

learn more

Tools

Personal tools