Single Sign-On (SSO) is a technology that lets corporate networks use external user authentication services, also called identity providers (IdPs). It is used to set up access authorization within corporate services alongside the basic authentication methods that rely on the local user database.

The assigned IdP authenticates users by their logins and passwords. Network resources such as applications and servers can be configured to trust the authentication performed by the IdP, so users do not need to enter their logins and passwords again when accessing these resources.

With SSO enabled, a user who connects to a SimpleOne instance without an active ADFS logon session is redirected to the ADFS logon page. After entering their corporate Active Directory (AD) login and password, the user enters the instance with their own ID, configuration preferences, group membership, roles, and the rest of their personal user context. Until the ADFS logon session expires, every subsequent connection to the instance logs the user in automatically without asking for a login or password.

Configuring Single Sign-On


Role required: admin.

In SimpleOne, SSO relies on ADFS 2.0 or later as the IdP and on the XML-based Security Assertion Markup Language (SAML) 2.0 to exchange data with it. Therefore, as an administrator, you should complete the following tasks before enabling SSO on your instance:

  1. Create a SAML connection.
  2. Enable the SSO property.
  3. Create an ADFS Relying Party Trust.
  4. Create the SAML Assertion Consumer and Logout endpoints.
  5. Create ADFS relying party claim rules.
  6. Test the SAML connection.

Creating SAML connection


To configure a SAML connection, complete the steps below:

  1. Navigate to Single Sign-On → SAML2 Settings.
  2. Click New and fill in the fields.
  3. Click Save or Save and Exit to apply changes.

SAML2 Connection form fields

Field | Mandatory | Description
Name | N | Define the SAML connection name.
User field | Y | Specify the field in the User table that identifies the user. Available options: Email, Username.
Active | N | Select this checkbox to make this connection active or inactive.

SAML Server Metadata tab

Field | Mandatory | Description
Metadata URL | Y | Specify the external URL at which the identity provider publishes the XML file containing its federation metadata (see the note below).
metadata | N | Contains the identity provider's answer (the SAML federation metadata) and is populated automatically with the content of the federationmetadata.xml file.

In most cases, the federation metadata file is named federationmetadata.xml. Most directory services, including Active Directory, provide a link to this file through their management tools. Provide a public link to the file in the Metadata URL field. For an ADFS identity provider, the link looks like https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml

Additional information tab

This tab contains service information about the record (who created or updated the record and when, and other details).

When the record is created, the Open metadata UI action appears at the bottom of the form. Click it to open the https://instance.simpleone.ru/v1/saml/metadata page, which lets you download a metadata file. You import this file when creating a Relying Party Trust.

Enabling or disabling Single Sign-On


Role required: admin.

To enable SSO for your instance, you need to do the following:

  1. Configure at least one SAML connection as described above.
  2. Change the simple.sso.active property value to 'true'.

Note the following constraints:

  • The simple.sso.active property cannot be activated until you configure at least one SAML connection and turn it on.
  • Once you turn off all your SAML connections, the simple.sso.active value automatically changes to 'false'.
  • Only one active SAML connection is possible at any moment.

The simple.sso.active property can also be used to disable SSO and force your instance to authenticate users by the logins and passwords stored in local profiles. This may be required, for example, if user authentication data stops arriving from the IdP as expected and users are unable to access the instance.

A user with the admin role can bypass SSO by logging in to the instance with a local login and password at https://instance.simpleone.ru/side-door and changing the simple.sso.active value to 'false'.

Creating ADFS Relying Party Trust


Importing ADFS relying party trust settings from XML


To use pre-set configuration data, you should prepare a metadata file first. To do so, complete the steps below:

  1. Navigate to https://instance.simpleone.ru/v1/saml/metadata.
  2. To copy the metadata into a new file with the '.xml' extension (for example, ExampleComSSOMetadata.xml), right-click the page and click Save as.
  3. Save the file.

To configure the ADFS relying party, you need to:

  1. Log into your ADFS server and open the management console.
  2. Select Relying Party Trusts.
  3. Click Add Relying Party Trust on the top right and click Start.
  4. Select the Import data about the relying party from a file option and attach the metadata file you saved earlier, for example, ExampleComSSOMetadata.xml.
  5. Specify a display name and type some notes if needed.
  6. Do not select any encryption certificate.
  7. Specify user permissions for this relying party. By default, all users are permitted. Click Next.
  8. Click Next again, and click Close. The new relying party trust appears.
Field | Description
Import data about the relying party from a file | Choose this option to import the metadata file you saved earlier.
Federation metadata file location | Browse to the metadata .xml file on your device, for example, ExampleComSSOMetadata.xml.
Display name | Specify the name of the relying party.
Notes | Type notes for the relying party you are creating.
Policy | Choose the access control type. By default, all users are permitted to access the application.

The metadata link https://instance.simpleone.ru/v1/saml/metadata is available on every instance that supports SSO, regardless of whether any SAML connection exists.

Creating relying party trust manually


To create a relying party trust manually, complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Select Relying Party Trusts.
  3. Click Add Relying Party Trust at the top right, choose the Claims aware option, and click Start.
  4. Select the Enter data about the relying party manually option.
  5. Specify a display name and type some notes if needed.
  6. On the Configure Certificate step, click Next. Do not select any encryption certificate.
  7. On the Configure URL step, select the Enable support for the SAML 2.0 WebSSO protocol option and type https://instance.simpleone.ru.
  8. Specify the Relying party trust identifiers:
    • Relying party identifier = https://instance.simpleone.ru. Click Add.
  9. Specify user permissions for this relying party. By default, the Permit everyone option is chosen. Click Next.
  10. Click Next again, and click Close. The new relying party trust appears.
Field | Description
Enter data about the relying party manually | Choose this option to enter the data about the relying party organization manually.
Display name | Specify the name of the relying party.
Notes | Type notes for the relying party you are creating.
Relying party trust identifier | Specify the instance URL and click Add.
Policy | Choose the access control type. By default, all users are permitted to access the application.

You also need to configure the created relying party trust. To do so, complete the following steps:

  1. Open the created trust in the ADFS management tool.
  2. On the Monitoring tab, fill in the following fields:
    • Monitoring relying party = 'true'
    • Relying party's federation metadata URL = https://instance.simpleone.ru/v1/saml/metadata
    • Automatically update relying party = 'false'.
  3. On the Endpoints tab, create the endpoints. Instructions for creating endpoints are given below.

Creating SAML Endpoints


Generally, SAML endpoints are created automatically when the relying party trust is created by importing the settings. You can create or edit them manually if needed. To create a SAML Assertion Consumer endpoint, complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Right-click the relying party trust created earlier.
  3. Click on the Endpoints tab.
  4. Click the Add SAML button.
  5. Enter values as listed below:
    • Endpoint type = SAML Assertion Consumer
    • Binding = Redirect
    • Trusted URL = https://instance.simpleone.ru/auth-sso
  6. Click OK.

To create a SAML Logout endpoint, complete the following steps:

  1. Log into your ADFS server and open the management console.
  2. Right-click the relying party trust created earlier.
  3. Click on the Endpoints tab.
  4. Click the Add SAML button.
  5. Enter values as listed below:
    • Endpoint type = SAML Logout
    • Binding = Redirect
    • Trusted URL = https://instance.simpleone.ru/logout
  6. Click OK.

List of endpoints specific to Single Sign-On


An instance configured to use SSO has the following endpoints available for HTTP requests related to signing users in and out:

Endpoint URL | HTTP method | Purpose
https://instance.simpleone.ru/v1/saml/metadata | GET | Metadata .xml file.
https://instance.simpleone.ru/auth-sso | HTTP-Redirect (GET) | User authorization with SSO.
https://instance.simpleone.ru/logout | HTTP-Redirect (GET) | User sign-out with SSO.
https://instance.simpleone.ru/v1/saml/post | POST | The authentication request.
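The trust only works when the two metadata documents agree with each other: the metadata the instance publishes at /v1/saml/metadata must advertise the /auth-sso and /logout endpoints with the Redirect binding listed in the table above, and the ADFS federation metadata fetched from the Metadata URL of the SAML connection must offer a Redirect sign-on endpoint and a signing certificate. The following Python script is an added example, not SimpleOne or ADFS code, that cross-checks both sides before anything is imported into ADFS. Both XML documents in it are constructed, minimal stand-ins for the real files: the element names and bindings are standard SAML 2.0 metadata, but the exact content of the instance's metadata and of federationmetadata.xml is assumed.

```python
"""Cross-check the instance (SP) metadata against the ADFS (IdP) metadata.

Added example, not SimpleOne or ADFS code. SP_METADATA and IDP_METADATA are
constructed, minimal stand-ins for https://instance.simpleone.ru/v1/saml/metadata
and for ADFS federationmetadata.xml; real documents carry many more elements.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
INSTANCE = "https://instance.simpleone.ru"

# Constructed SP metadata: what the instance is expected to publish.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://instance.simpleone.ru">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://instance.simpleone.ru/logout"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://instance.simpleone.ru/auth-sso" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata: a trimmed stand-in for ADFS federationmetadata.xml.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...constructed-placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def endpoints(doc, role, service):
    """Return {binding: location} for every <service> element under the given role descriptor."""
    root = ET.fromstring(doc)
    return {el.get("Binding"): el.get("Location")
            for el in root.findall(f"md:{role}/md:{service}", NS)}


def signing_certs(doc):
    """Return the base64 X.509 certificates the IdP declares for signing.

    A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    """
    root = ET.fromstring(doc)
    return [c.text.strip()
            for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS)
            if kd.get("use", "signing") == "signing"
            for c in kd.findall(".//ds:X509Certificate", NS)]


def check_trust(sp_doc, idp_doc, instance=INSTANCE):
    """Return a list of findings; an empty list means both documents match this guide."""
    findings = []
    sp_entity = ET.fromstring(sp_doc).get("entityID")
    if sp_entity != instance:
        findings.append(f"SP entityID {sp_entity!r} differs from the relying party identifier {instance!r}")
    acs = endpoints(sp_doc, "SPSSODescriptor", "AssertionConsumerService")
    if acs.get(REDIRECT) != f"{instance}/auth-sso":
        findings.append("SP AssertionConsumerService with Redirect binding is not /auth-sso")
    slo = endpoints(sp_doc, "SPSSODescriptor", "SingleLogoutService")
    if slo.get(REDIRECT) != f"{instance}/logout":
        findings.append("SP SingleLogoutService with Redirect binding is not /logout")
    sso = endpoints(idp_doc, "IDPSSODescriptor", "SingleSignOnService")
    if not (sso.get(REDIRECT) or "").startswith("https://"):
        findings.append("IdP has no HTTPS SingleSignOnService with Redirect binding")
    if not signing_certs(idp_doc):
        findings.append("IdP metadata carries no signing certificate; responses cannot be verified")
    return findings


if __name__ == "__main__":
    for line in check_trust(SP_METADATA, IDP_METADATA) or ["OK: metadata on both sides matches"]:
        print(line)
```

To run it against a live deployment, read the two documents from https://instance.simpleone.ru/v1/saml/metadata and from the Metadata URL of the SAML connection and pass them to check_trust. An empty findings list means the identifiers and endpoints line up with the values used in this guide; the finding to take most seriously is a missing signing certificate, because without it the instance has no way to verify that responses arriving at /auth-sso really came from ADFS.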

Creating ADFS relying party claim rules


Relying party claim rules define which claims the ADFS infrastructure sends to the SimpleOne instance.

There are two main claim rules that should be configured:

  • Send LDAP Attribute as Claims – select attributes from Active Directory to send as claims to the relying party.
  • Transform an Incoming Claim – select an incoming claim and change its claim type and claim value.

Send LDAP Attribute as Claims


To configure the Send LDAP Attribute as Claims rule, complete the steps below:

  1. Log into your ADFS server and open the management console.
  2. Right-click the Relying party trust created earlier.
  3. Select the Edit Claim Issuance Policy item.
  4. Click Add Rule.
  5. Select the Send LDAP Attribute as Claims option in the Claim rule template field and click Next.
  6. Name the rule, for example, Get LDAP Attributes.
  7. Enter values as listed below:
    • Attribute store = Active Directory
    • LDAP Attribute = E-Mail-Addresses
    • Outgoing Claim Type = E-Mail Address.

      You can specify more attributes that should be fetched from AD.

  8. Click Finish.

Transform an Incoming Claim


To configure the Transform an Incoming Claim rule, complete the steps below:

  1. Click Add Rule again.
  2. Select the Transform an Incoming Claim option in the Claim rule template field and click Next.
  3. Name the rule, for example, Email2Name.
  4. Set the Incoming claim type equal to the outgoing claim type of the previous rule, for example, E-Mail Address.
  5. Set the values as listed below:
    • Outgoing claim type = Name ID
    • Outgoing name ID format = Email
  6. Choose the Pass through all claim values option.
  7. Click Finish.
  8. Click Apply and then OK to close the window.
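The result of the two rules above is a NameID in the Email format, and the User field of the SAML connection (Email or Username, see the SAML2 Connection form fields) decides which column of the User table that NameID is matched against. The following Python script is an added illustration of that matching on the instance side; it is not SimpleOne code, the assertion fragment and the user rows are constructed, and the 'active' flag on the user rows is an assumption of the example rather than a documented column. It rejects an assertion whose NameID format does not match the Email setting, refuses missing or ambiguous matches, and does not sign in an inactive local account.

```python
"""Map the NameID that ADFS delivers to a local user, honouring the User field setting.

Added example, not SimpleOne code. ASSERTION is a constructed fragment of what ADFS
issues after the "Email2Name" rule (Name ID format = Email); USERS is a constructed
subset of the User table, and its 'active' flag is an assumption of this example.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Maps the SAML connection's "User field" option to a column of the User table.
USER_FIELD_COLUMN = {"Email": "email", "Username": "username"}

# Constructed User table rows.
USERS = [
    {"username": "jdoe", "email": "john.doe@example.com", "active": True},
    {"username": "asmith", "email": "anna.smith@example.com", "active": False},
]

# Constructed assertion fragment as emitted after the "Email2Name" transform rule.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>http://adfs.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">john.doe@example.com</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def name_id(assertion_xml):
    """Return (value, format) of the Subject NameID, or (None, None) if it is absent."""
    root = ET.fromstring(assertion_xml)
    el = root.find("saml:Subject/saml:NameID", NS)
    if el is None or not (el.text or "").strip():
        return None, None
    return el.text.strip(), el.get("Format", UNSPECIFIED_FORMAT)


def resolve_user(assertion_xml, user_field, users=USERS):
    """Return ("ok", username) or ("deny", reason) for the given User field setting."""
    value, fmt = name_id(assertion_xml)
    if value is None:
        return "deny", "assertion carries no NameID"
    # With User field = Email the IdP must deliver an e-mail formatted NameID,
    # which is what the "Outgoing name ID format = Email" rule setting produces.
    if user_field == "Email" and fmt != EMAIL_FORMAT:
        return "deny", f"User field is Email but NameID format is {fmt}"
    column = USER_FIELD_COLUMN[user_field]
    # E-mail addresses are matched case-insensitively; usernames exactly.
    norm = str.casefold if column == "email" else str
    matches = [u for u in users if norm(u[column]) == norm(value)]
    if len(matches) != 1:
        return "deny", f"{len(matches)} users match {column}={value!r}"
    user = matches[0]
    if not user["active"]:
        return "deny", f"user {user['username']} is inactive"
    return "ok", user["username"]


if __name__ == "__main__":
    print(resolve_user(ASSERTION, "Email"))     # ('ok', 'jdoe')
    print(resolve_user(ASSERTION, "Username"))  # denied: no username equals the e-mail address
```

The Username branch shows why the User field and the claim rules have to be chosen together: if the connection matches on Username while ADFS keeps sending the e-mail address as the NameID, every login is refused even though ADFS authenticated the user successfully.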

Testing Single Sign-On configuration


To test the configuration, complete the steps below:

  1. Navigate to your SimpleOne instance, for example, https://instance.simpleone.ru. If everything is configured properly, you will be redirected to https://adfs.example.com/adfs/ls/IdpInitiatedSignon.aspx?logintoRP=https://instance.simpleone.ru/.
  2. Sign in to your instance. If the configuration is correct, you will be logged in automatically.
  3. Select Logout from the profile menu to test the logout endpoint functionality.