Single Sign-On (SSO) lets the instance authenticate users through an external authentication service, also called an identity provider (IdP), alongside the basic authentication methods backed by the local user database. SSO uses SAML (Security Assertion Markup Language), an XML-based standard, to exchange authentication data between the identity provider and the service provider (the instance). The procedure below uses ADFS 2.0 as the identity provider.
To enable SSO in your system, follow this simple procedure:
- Configure at least one SAML connection.
- Set the simple.sso.active property value to 'true'.
Until both steps are completed, authentication proceeds against the local profile storage.
- This property cannot be activated until you have configured at least one SAML connection and turned it on.
- Once you turn off all your SAML connections, the simple.sso.active value automatically changes to 'false'.
- Only one SAML connection can be active at any moment.
To configure SSO properly, follow the procedure below:
- Create an ADFS relying party trust.
- Create ADFS relying party claim rules.
- (optional) Create a SAML logout endpoint.
- Create a SAML connection.
- Test the configuration.
Role required: admin.
Create ADFS relying party trust
We use instance.example.com as an example hostname. Replace it with your real hostname when configuring SAML.
In this step, prepare the service provider metadata file first:
- Navigate to https://instance.example.com/v1/saml/metadata
- Copy the metadata into a new file with an XML extension (for example, ExampleComSSOMetadata.xml).
- Save the file.
To configure the ADFS relying party trust:
- Log in to your ADFS server and open the management console.
- Select Relying Party Trusts.
- Click Add Relying Party Trust on the top right and click Start.
- Select the Import data about the relying party from a file option and choose the metadata file saved above.
- Specify a display name and type some notes if needed.
- Do not select any encryption certificate (assertions will be signed by ADFS but not encrypted).
- Specify user permissions for this relying party. By default, all users are permitted. Click Next.
- Click Next again, and click Close. The new relying party trust appears.
A metadata link of the form https://instance.example.com/v1/saml/metadata is available on every instance with SSO on board, regardless of whether any SAML connection exists.
Manual relying party trust creation
To create the relying party trust manually, complete the steps below:
- Log in to your ADFS server and open the management console.
- Select Relying Party Trusts.
- Click Add Relying Party Trust on the top right and click Start.
- Select the Enter data about the relying party manually option.
- Specify a display name and type some notes if needed.
- Do not select any encryption certificate.
- Select Enable support for the SAML 2.0 WebSSO protocol.
- In the Relying party SAML 2.0 SSO service URL field, type https://instance.example.com/adfs/fs
- On the relying party trust identifiers page, type https://instance.example.com/adfs/services/trust and click Add.
- Specify user permissions for this relying party. By default, all users are permitted. Click Next.
- Click Next again, and click Close. The new relying party trust appears.
Create ADFS relying party claim rules
Relying party claim rules define which claims ADFS issues to the SimpleOne instance. The instance identifies the user by the Name ID claim, so the rules below read the user's e-mail address from Active Directory and emit it as the Name ID.
To configure them, complete the steps below:
- Log in to your ADFS server and open the management console.
- Right-click the relying party trust created earlier.
- Select the Edit Claim Issuance Policy item.
- Click Add Rule.
- Select the Send LDAP Attributes as Claims option and click Next.
- Name the rule, for example, Get LDAP Attributes.
- Enter the values as listed below:
- Attribute store = Active Directory
- LDAP Attribute = E-Mail-Addresses
- Outgoing Claim Type = E-mail Address
- Click Finish.
- Click Add Rule again.
- Select the Transform an Incoming Claim option and click Next.
- Name the rule, for example, Email2Name.
- Set the Incoming claim type equal to the outgoing claim type of the previous rule, that is, E-mail Address.
- Set the values as listed below:
- Outgoing claim type = Name ID
- Outgoing name ID format = Email
- Choose the Pass through all claim values option.
- Click Finish.
- Click OK to close the window.
Create SAML logout endpoint
Generally, SAML logout endpoints are created automatically when the relying party trust is created from the metadata file. You can create or edit them manually if needed. To do this, complete the steps below:
- Log in to your ADFS server and open the management console.
- Right-click the relying party trust created earlier and select Properties.
- Open the Endpoints tab.
- Click the Add SAML button.
- Enter the values as listed below:
- Endpoint type = SAML Logout
- Binding = POST
- Trusted URL = https://instance.example.com/logout
- Click OK.
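The three ADFS sections above (relying party trust, claim rules, logout endpoint) can also be done from PowerShell on the ADFS server, which is easier to review and repeat than clicking through the wizard. The script below is an added example, not SimpleOne's or Microsoft's own code. It follows the "import from a file" path and assumes the display name "SimpleOne", the metadata file name used above saved under C:\temp, and instance.example.com as the SimpleOne hostname; the claim rule text is the same that the console generates for "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" with the values listed above.

```powershell
# Added example (not SimpleOne or Microsoft code): create the relying party trust, the two claim
# rules and the SAML logout endpoint from the sections above with the ADFS PowerShell module.
# Run in an elevated PowerShell on the ADFS server.
Import-Module ADFS

$rpName       = 'SimpleOne'                                  # assumed display name
$metadataFile = 'C:\temp\ExampleComSSOMetadata.xml'          # saved from https://instance.example.com/v1/saml/metadata
$logoutUrl    = 'https://instance.example.com/logout'        # Trusted URL of the SAML Logout endpoint

# Claim types and the Name ID format used by the two rules.
$emailClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$emailFormat = 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'

# Rule 1 ("Get LDAP Attributes"): E-Mail-Addresses from Active Directory -> E-mail Address claim.
# Rule 2 ("Email2Name"): E-mail Address -> Name ID with format Email, passing all values through.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email2Name"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "$emailFormat");
"@

# "Permit all users", the wizard default. In production, replace this with a rule that
# permits only a group claim so that not every AD account can sign in to the instance.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Import the relying party from the SP metadata file. No encryption certificate is set,
# matching the page: assertions are signed by ADFS but not encrypted.
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $metadataFile `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Add the SAML Logout endpoint (POST binding) only if the metadata did not already declare one.
# Set-AdfsRelyingPartyTrust -SamlEndpoint replaces the whole endpoint list, so keep the existing ones.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
$hasLogout = @($rp.SamlEndpoints) | Where-Object {
    "$($_.Protocol)" -eq 'SAMLLogout' -and "$($_.Binding)" -eq 'POST'
}
if (-not $hasLogout) {
    $logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
    Set-AdfsRelyingPartyTrust -TargetName $rpName -SamlEndpoint (@($rp.SamlEndpoints) + $logout)
}

# Print the result so it can be compared with what the management console shows.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Identifier, SamlEndpoints, IssuanceTransformRules |
    Format-List
```

After running it, the trust, both rules and the logout endpoint appear in the management console exactly as if created through the wizard; `Get-AdfsRelyingPartyTrust -Name SimpleOne | Select-Object -ExpandProperty SamlEndpoints` is a quick way to confirm the endpoints ADFS will actually use.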
Create a SAML connection
To configure a SAML connection, complete the steps below:
- Navigate to Single Sign-On → SAML Definition.
- Click New and fill in the fields described below.
- Click Save or Save and Exit to apply the changes.
SAML definition form fields
Field | Mandatory | Description |
---|---|---|
Name | N | SAML connection name. |
User field | Y | Specify a field in the User table containing information for user identification. Available options: |
Active | N | Select this checkbox to make this connection active; clear it to make the connection inactive. |
SAML Server Metadata tab | | |
Metadata URL | Y | Specify the external URL provided by the identity provider for authentication. An XML file containing the federation metadata is located at this address. In most cases, this file is named federationmetadata.xml. Most directory services, such as Active Directory, provide a link to this file via the management console. Provide a public link to the file in this field. In our case, the link is https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml |
Metadata | N | This field contains the external service answer (SAML federation metadata) and is populated automatically with the content of the federationmetadata.xml file. |
Additional information tab | | |
 | | This tab contains record service information (who created or updated the record and when, and other information). |
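Before pasting the Metadata URL into the form it is worth checking what the federation metadata actually advertises, because the instance will trust assertions signed by the certificate published there and will send logout requests to the endpoint published there. The script below is an added example, not part of SimpleOne or ADFS. It reads a constructed, minimal federationmetadata.xml embedded in the script when run without arguments, or fetches a live copy when given -MetadataUrl; adfs.example.com is the page's example ADFS hostname, and the certificate value in the embedded sample is a placeholder that deliberately fails to parse.

```powershell
# Added example (not SimpleOne or Microsoft code): inspect ADFS federation metadata before
# using its URL in the SAML Definition form. Without -MetadataUrl it uses the constructed
# sample below; with it, the live file is fetched over TLS only.
param(
    [string]$MetadataUrl = ''
)

# Constructed sample of an ADFS federationmetadata.xml, reduced to the elements that matter here.
# The X509Certificate value is a placeholder, not a real certificate.
$sampleMetadata = @'
<?xml version="1.0" encoding="UTF-8"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...placeholder...</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

if ($MetadataUrl) {
    # The file is public, but it decides whom the instance trusts: never fetch it over plain http.
    if ($MetadataUrl -notmatch '^https://') { throw "Metadata URL must use https: $MetadataUrl" }
    $raw = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
} else {
    $raw = $sampleMetadata
}
[xml]$doc = $raw

$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$entity = $doc.SelectSingleNode('/md:EntityDescriptor', $ns)
if (-not $entity) { throw 'Not SAML metadata: no EntityDescriptor root element' }
$idp = $entity.SelectSingleNode('md:IDPSSODescriptor', $ns)
if (-not $idp) { throw 'No IDPSSODescriptor: this is service provider metadata, not an IdP file' }

$post = 'urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST'
$sso  = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns)
$slo  = $idp.SelectSingleNode("md:SingleLogoutService[@Binding='$post']", $ns)
$formats = @($idp.SelectNodes('md:NameIDFormat', $ns) | ForEach-Object { $_.InnerText })
$certNodes = @($idp.SelectNodes("md:KeyDescriptor[@use='signing' or not(@use)]/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns))

"entityID        : $($entity.GetAttribute('entityID'))"
"SSO (HTTP-POST) : $(if ($sso) { $sso.GetAttribute('Location') } else { 'MISSING' })"
"SLO (HTTP-POST) : $(if ($slo) { $slo.GetAttribute('Location') } else { 'MISSING - Logout will not reach ADFS' })"
"NameID formats  : $($formats -join ', ')"

# The Email2Name rule emits Name ID in the emailAddress format; warn if the IdP does not advertise it.
if ($formats -notcontains 'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress') {
    Write-Warning 'IdP does not advertise the emailAddress NameID format that the Email2Name claim rule emits.'
}
if ($certNodes.Count -eq 0) { Write-Warning 'No signing certificate published: assertions cannot be verified.' }

foreach ($node in $certNodes) {
    try {
        $bytes = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        "Signing cert    : $($cert.Subject) thumbprint=$($cert.Thumbprint) expires in $daysLeft days"
        if ($daysLeft -lt 30) { Write-Warning 'IdP signing certificate expires within 30 days; assertions will then stop validating.' }
    } catch {
        Write-Warning "Could not parse a signing certificate (placeholder in the constructed sample, or truncated): $($_.Exception.Message)"
    }
}
```

Run it as `.\Check-FederationMetadata.ps1 -MetadataUrl https://adfs.example.com/federationmetadata/2007-06/federationmetadata.xml` against the real ADFS server and compare the thumbprint it prints with the ADFS token-signing certificate shown in the management console; a mismatch means the URL does not point at your ADFS farm.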
Test configuration
To test the configuration, complete the steps below:
- Navigate to your SimpleOne instance, for example, https://instance.example.com. If everything has been configured properly, you are redirected to https://adfs.example.com/adfs/ls/IdpInitiatedSignon.aspx?logintoRP=https://instance.example.com/
- adfs.example.com is an example hostname for the ADFS instance.
- instance.example.com is an example hostname for the SimpleOne instance.
- Sign in on the ADFS page. If the configuration is correct, you are logged in to your instance automatically.
- Select Logout from the profile menu to test the logout endpoint functionality.