Difference between revisions of "SAML"

From LongJump Support Wiki
imported>Aeric
(Created page with "[http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language Security Assertion Markup Language (SAML)] is an XML-based standard for exchanging authentication and authorizati…")
 
imported>Aeric
Line 6: Line 6:
Users logged into a corporate website/portal can click the link and are then automatically logged into the {{enterprisebrand}}, without requiring additional authentication.
Users logged into a corporate website/portal can click the link and are then automatically logged into the {{enterprisebrand}}, without requiring additional authentication.


For example, an employee of '''ABC Company''' logs into the corporate website, which includes a link to the {{enterprisebrand}} on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.  
For example, an employee of '''ABC Company''' logs into the corporate website, which includes a link to the {{enterprisebrand}} on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.
 
==Enable SSO in the Platform==
 
{{permission|[[Users]] with the [[Default Roles|System Administrator]] role can enable Single Sign On}}
 
Single Sign On must be enabled for each user, individually. This is typically performed when the user account is created in the platform. ''Learn more: [[Users#Add_a_User|Add a User]]''
 
To configure Single Sign-On:
#Click '''Settings > Administration > Single Sign-On'''
#Click the '''[Edit]''' button
#In the ''Single Sign-On Settings'' section, complete the following information:
#;Implementation Type:Choose from ''Delegated Authentication'' or ''SAML''
#:'''Delegated Authentication'''
#:*In the ''Configuration'' section, complete the following information:
#::*Specify the URL of the authentication server running in your environment (abc5.abc.com:8080)
#::*Note that the URL and Port number must be specified using a [http://en.wikipedia.org/wiki/FQDN Fully Qualified Domain Name] or an IP address. Secure HTTPS (Hypertext Transfer Protocol over Secure Socket Layer) protocol is used to access this URL.
#::*'''If you do not have this information available, contact your IT department or System Administrator.'''
#:'''SAML'''
#:*In the ''Configuration'' section, complete the following information:
#::;Version:SAML Version
#:::*Choose from Version 1.0 or Version 2.0
#::;Issuer:The Issuer URL acts as a identity provider, which is an entity that authenticates a user or maintains user's credentials. The Identity Provider issues a URL, which is used to contact this provider during the login process.
#:::*Syntax:The URL and Port Number must be specified using a FQDN or an IP address, for example:
#::::*<tt>www.abc.com:9090</tt>
#::::*<tt>192.168.1.10</tt>
#::::*<tt>abc.def.com</tt>
#::;User Id Type:Determines the type of identifier
#:::*Choose from ''UserId'' or ''Federated Id, where:
#::::*UserId is the [[Record Id]] of the user that is logged in
#::::*Federated Identity acts as a user's authentication across multiple IT systems or organizations. ''Learn more: [http://en.wikipedia.org/wiki/Federated_identity Federated Identity]''.
#::;User Id Location:Specifies an attribute tag that defines the location of the User Id
#:::*Choose from Subject or Attribute
#::;Issuer Certificate:Issuer certificate is used to sign and verify SAML messages. Requires a valid x509 issuer certificate.
#:::*Choose one of the following options:
#::::*Paste the Issuer Certificate in the text area
#:::::*Navigate to the ''Issuer Certificate'' section, then select and load a file containing the Issuer Certificate
#Enable Single Sign-On for each [[User]], via [[Users#Add_a_User|Add a User]]
 
===Guidelines===
 
*The System Administrator can decide to enable some users for SSO and disable SSO for other users. In this case, users with SSO enabled will be validated against their corporate environment and users with SSO disabled will be validated against the platform.
*SSO cannot be turned off if there exists at least one user who has SSO enabled from the user profile. If the System Administrator tries to disable SSO under this condition, a warning is displayed.
*If SSO is disabled, and the System Administrator tries to enable SSO for a user, the System Administrator is asked to enable SSO, and provide a valid SSO URL
*When disabling SSO for a User, the administrator is asked to use [[Users#Reset a User Password|Reset Password]] for the user. This is to ensure that this user receives a valid password for login.
 
===Restrictions===
 
*Username in the platform should be same as the username in your organization's  environment
*These password-related options are not allowed:
:*Reset Password
:*Change Password
:*Forgot Password - a Message will be shown prompting the user to contact their organization's system administrator
*When adding a new user, the Welcome email message will not contain a password.
*SSO can be turned on/off at the user level, if the System Administrator has granted the user rights to change this setting

Revision as of 19:07, 16 August 2011

Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. The Service Provider must enroll with an Identity Provider and obtain an Issuer URL.

How it Works

First, Single Sign-On Settings are configured for SAML in the platform, then a link to the LongJump Platform is created in the corporate website/portal. Note: the link can be named or branded in any way, as specified by the Service Provider.

Users logged into a corporate website/portal can click the link and are then automatically logged into the LongJump Platform, without requiring additional authentication.

For example, an employee of ABC Company logs into the corporate website, which includes a link to the LongJump Platform on the landing page. The user clicks the link and is automatically logged in, without requiring a second login.