Difference between revisions of "Single Sign On Profiles"
Jump to navigation
Jump to search
| (6 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
| + | This document can now be found at its new location in the [https://docs.hornbill.com/esp-config/security/sso/single-sign-on/ Hornbill Document Library]. | ||
| + | |||
| + | [[file:hornbill-document-library.png|Hornbill Cloud|link=https://docs.hornbill.com/esp-config/security/sso/single-sign-on/]] | ||
| + | <!-- | ||
<div style="border:1px solid #90C0FF; background:#D0E0FF; width:99%; padding:4px; margin-bottom:10px;"> | <div style="border:1px solid #90C0FF; background:#D0E0FF; width:99%; padding:4px; margin-bottom:10px;"> | ||
__NOTOC__[[Main Page|Home]] > [[Administration]] > Single Sign On Profiles | __NOTOC__[[Main Page|Home]] > [[Administration]] > Single Sign On Profiles | ||
| Line 25: | Line 29: | ||
<br> | <br> | ||
===How many SSO Profiles do I need?=== | ===How many SSO Profiles do I need?=== | ||
| − | + | If you have multiple identity providers supporting multiple directory sources, then you will need one SSO Profile per identity provider i.e. one SSO Profile is required for each authentication service. | |
| + | <br> | ||
| + | <br> | ||
| + | An SSO profile can contain multiple signing certificates, therefore if your Identity Provider generates multiple signing certificates (e.g. in the case of Azure, where a certificate is generated for each of the Hornbill Service URL's) you will still only need one SSO Profile. | ||
| + | <br> | ||
<br> | <br> | ||
| + | In the situation where you have multiple SSO Profiles, when a user navigates to Hornbill they will be presented with a drop-down menu containing the SSO Profiles that have been configured. It is then up to the user to select the authentication service applicable to them. A good SSO Profile naming convention can help in this scenario. Alternatively, it is possible to supply your users with a URL that contains reference to the SSO Profile relevant to them. This is in the following format: '''<nowiki>https://live.hornbill.com/[instance]/?entityId=[entityId]</nowiki>''' where [entityId] should be replaced with the entity ID found within the relevant SSO profile. | ||
<br> | <br> | ||
| − | [[File:Upload_IDP_Meta_Data.PNG|400px|thumb|<div align="center">'''Clicking the | + | <br> |
| + | [[File:Upload_IDP_Meta_Data.PNG|400px|thumb|<div align="center">'''Clicking the "Import IDP Meta Data" button will prompt you to upload your IDP meta data'''</div>]] | ||
| + | |||
===Uploading Your IdP Meta Data into the Hornbill SSO Profile=== | ===Uploading Your IdP Meta Data into the Hornbill SSO Profile=== | ||
Populating the entity ID, signing certificate(s) and service bindings of the SSO Profile is completely automatic based on the meta data that is generated during the configuration of your IdP. For details on how to obtain information about your Hornbill instance, compatible identity providers, and some example configurations, please click here: [[Single_Sign_On_with_SAML_2.0|'''Single Sign On with SAML 2.0''']]. | Populating the entity ID, signing certificate(s) and service bindings of the SSO Profile is completely automatic based on the meta data that is generated during the configuration of your IdP. For details on how to obtain information about your Hornbill instance, compatible identity providers, and some example configurations, please click here: [[Single_Sign_On_with_SAML_2.0|'''Single Sign On with SAML 2.0''']]. | ||
| Line 41: | Line 52: | ||
:* '''XML''' - If your IdP is not able to present it's certificate meta data via a URL, the file containing this should be opened in a text editor (e.g. Notepad ++) and copy and paste the contents into the "XML" field and then click "Process". If you IdP has produced separate meta data files for each of the Hornbill Service URL's, repeat this step as many times as required. | :* '''XML''' - If your IdP is not able to present it's certificate meta data via a URL, the file containing this should be opened in a text editor (e.g. Notepad ++) and copy and paste the contents into the "XML" field and then click "Process". If you IdP has produced separate meta data files for each of the Hornbill Service URL's, repeat this step as many times as required. | ||
<br> | <br> | ||
| − | + | '''NOTE:''' If the configuration in your Identify Provider results in separate certificate metadata for each of the Hornbill service URLs, either of the steps above can be repeated multiple times. Each time some certificate metadata is processed, the new certificate will be appended into the SSO Profile. Existing certificate metadata is never overwritten. | |
===Review and Set the Profile Details=== | ===Review and Set the Profile Details=== | ||
| Line 51: | Line 62: | ||
:* '''Type''' - This is the secure protocol used in the SSO authentication mechanism. Only SAML 2.0 is used and supported by Hornbill. | :* '''Type''' - This is the secure protocol used in the SSO authentication mechanism. Only SAML 2.0 is used and supported by Hornbill. | ||
:* '''Name Id''' - If the NameID provided by the idP matches the account ID on Hornbill then this should be left blank. If however, the name ID from the idP is opaque (either static or transient) then you can use this parameter to tell Hornbill to override the NameID with a value from one of the SAML assertions attributes. This way the idP can provide a value that matches the account ID on hornbill for the user and Hornbill will use that to identify the user being authenticated | :* '''Name Id''' - If the NameID provided by the idP matches the account ID on Hornbill then this should be left blank. If however, the name ID from the idP is opaque (either static or transient) then you can use this parameter to tell Hornbill to override the NameID with a value from one of the SAML assertions attributes. This way the idP can provide a value that matches the account ID on hornbill for the user and Hornbill will use that to identify the user being authenticated | ||
| + | [[File:EnablingSSOProfiles.PNG|400px|thumb|<div align="center">'''A SSO Profile can be enabled/disabled via the toggle switch available in the SSO profile (shown above) or via the list of SSO profiles'''</div>]] | ||
| + | <br> | ||
| + | ===Enabling an SSO Profile=== | ||
| + | Once you have confgiured the SSO profile, you can easily enable or disable the profile using the toggle switch available within the SSO Profile or located in the list of SSO Profiles. | ||
| + | <br> | ||
| + | <br> | ||
| + | <br> | ||
| + | <br> | ||
==Auto Provisioning (Optional)== | ==Auto Provisioning (Optional)== | ||
| Line 151: | Line 170: | ||
[[Category:Administration]] | [[Category:Administration]] | ||
| + | --> | ||
| + | [[Category:HDOC]] | ||
Latest revision as of 20:12, 11 April 2024
This document can now be found at its new location in the Hornbill Document Library.
