Difference between revisions of "Single Sign On Profiles"

From Hornbill
Revision as of 16:52, 14 July 2016


Introduction

The Single Sign On Profiles let you define integration with an identity provider such as Active Directory Federation Services (ADFS). With Single Sign On configured, authentication into Hornbill will be securely managed by your preferred authentication service.

An SSO profile is created and configured in Hornbill Administration, Home > System > Security > SSO Profiles. To create and begin the configuration of a new SSO Profile, click the "+" button located at the top right of the list.

Profile Details

Populating the Profile Details and Service Bindings, aside from the Profile Name and toggle options, is completely automatic, based on the Identity Provider (IdP) metadata generated when you configure your IdP. The prerequisite, therefore, is to have already completed that configuration within your organisation's environment. An example configuration using the Microsoft ADFS 2.0 identity provider can be found on the page SSO Example Config Microsoft ADFS 2.0 for Guest Accounts.

Processing Your IdP Meta Data

Clicking on the cloud icon at the top right of the Profile Details form presents a pop-up containing two fields, URL and XML. Only one of these needs to be populated.

  • URL - If your IdP can present its certificate metadata via a URL, paste that URL into the URL field and click "Process". Referencing the Microsoft ADFS 2.0 example, the URL required here is: https://<yourserver.yourdomain.com>/Federationmetadata/2007-06/FederationMetadata.xml where "<yourserver.yourdomain.com>" is replaced by the name of your federation server.
  • XML - If your IdP is not able to present its certificate metadata via a URL, open the file containing it in a text editor (e.g. Notepad++), copy and paste the contents into the "XML" field, and click "Process".

Upon clicking "Process", the Entity Id and Bindings will be automatically populated. All that remains is to complete the following:

Profile Details

  • Name - specify a suitable name for your SSO profile
  • Enabled - when you are ready to switch on SSO, toggle this to the "ON" position.
  • Validate Time - toggle this to the "ON" position.
  • Validate certificate - toggle this to the "ON" position.
  • Realm - for an SSO Profile facilitating single sign on for the User App, Hornbill Administration, or the Service Portal, this should be set to "User". For an SSO Profile facilitating SSO for the Customer Portal, this should be set to "Guest".
  • Type - This is the secure protocol used in the SSO authentication mechanism. Only SAML 2.0 is used and supported by Hornbill.
  • Name Id - In a typical SSO implementation this will be left blank.

Bindings

For Web Browser Single Sign On, the bindings are used to transmit requests and responses between a service provider and an identity provider. Although these are populated automatically when the metadata is processed, it is possible to manually configure the following bindings:

  • HTTP-Post
  • HTTP-Redirect
  • HTTP-Artifact

Click the "+" located towards the right of the "bindings" section. Select the type of binding and specify the location and click "OK".
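As an added illustration of what the "Process" step and the Validate Time toggle described above do (example code written for this page, not Hornbill's own), the first function parses IdP metadata of the shape ADFS publishes at FederationMetadata.xml, pulling out the Entity Id, a SHA-256 fingerprint of each signing certificate and the HTTP-Post/HTTP-Redirect/HTTP-Artifact endpoints, and the second checks an assertion's Conditions time window. The metadata sample, the adfs.example.test hostname, the placeholder certificate and the 3-minute clock-skew allowance are all constructed assumptions.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDINGS = {  # SAML 2.0 binding URIs -> the names shown in Hornbill's bindings list
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "HTTP-Post",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact": "HTTP-Artifact",
}
# Constructed sample in the shape of ADFS FederationMetadata.xml; the certificate is a placeholder, not real.
FAKE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="http://adfs.example.test/adfs/services/trust">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://adfs.example.test/adfs/ls/"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://adfs.example.test/adfs/ls/"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def process_idp_metadata(xml_text):
    """What the 'Process' button does: extract entityID, signing certificate(s) and SSO bindings."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata (SP metadata, or the wrong URL?)")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys must never be trusted to validate signatures
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate: 'Validate certificate' could never succeed")
    bindings = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        name, loc = BINDINGS.get(sso.get("Binding")), sso.get("Location", "")
        if name and loc.startswith("https://"):  # drop unknown bindings and plain-HTTP endpoints
            bindings[name] = loc
    return {"entity_id": root.get("entityID"), "signing_cert_sha256": fingerprints, "bindings": bindings}

def conditions_time_valid(not_before, not_on_or_after, now_iso, skew_minutes=3):
    """What 'Validate Time' enforces: now must fall inside the Conditions window (3-min skew is assumed)."""
    nb, noa, now = (datetime.fromisoformat(s.replace("Z", "+00:00")) for s in (not_before, not_on_or_after, now_iso))
    skew = timedelta(minutes=skew_minutes)
    return nb - skew <= now < noa + skew
```

Comparing the fingerprints returned here against the certificate shown on the profile is a quick way to confirm the right IdP metadata was processed.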

Auto Provisioning

With Auto Provisioning enabled, a user account will be automatically created for the user provided they have been authenticated by the IdP.