Difference between revisions of "Single Sign On with SAML 2.0"

From Hornbill
Jump to navigation Jump to search
Line 1: Line 1:
<font color="red">PRELIMINARY INFORMATION</font>
+
<div style="border:1px solid #90C0FF; background:#D0E0FF; width:99%; padding:4px; margin-bottom:10px;">
 +
[[Main Page|Home]] > [[Integration]] > [[Essential Integrations]] > Single Sign On with SAML 2.0
 +
</div>
 +
{|style="width: 100%"
 +
|- valign="top"
 +
|style="width:73%"|
 +
__TOC__
 +
|style="width:5%"|
 +
|
 +
|style="width:22%; border-style: solid; border-width: 1px; border-color:#e6e6e6; background-color:#f2f2f2;"|
  
== Hornbill SSO Capabilities ==
+
== Related Articles ==
The Hornbill platform supports single-sign-on as well as policy based transparent auto provisioning and data updates of both user and guest accounts using SAML 2.0, providing enterprise-class user identity integration with your organisations core IT directory services.  
+
:* [[SSO Example Config Microsoft ADFS 2.0 for User Accounts|SSO Example Config for Microsoft ADFS 2.0]]
 +
:* [[Single_Sign_On_Profiles|Creating a Hornbill SSO Profile]]
 +
|}
 +
==Introduction==
 +
The Hornbill platform supports single-sign-on as well as policy-based transparent auto provisioning and data updates of both user and guest accounts thus providing enterprise-class user identity integration with your organisations core IT directory services.  
  
* Multiple Identity Providers Supported
+
===What is SAML?===
* User Provisioning Templates
+
''Security Assertion Markup Language''' ('''SAML''', pronounced "sam-el") is an open standard XML-based framework developed by the Security Services Technical Committee of OASIS and is designed for communicating user authentication, entitlement, and attribute information between parties, in particular between an Identity Provider (IdP) and a Service Provider i.e. Hornbill.
* Digital Signature Validation
 
* Public Key Verification
 
* Assertion Value Attribute Mapping
 
* Flexible NameID override
 
  
== SAML Overview ==
+
External References:
''Security Assertion Markup Language''' ('''SAML''', pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS (organization) Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
 
 
<br/><small>Source: [http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language]</small>
 
<br/><small>Source: [http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language]</small>
 +
<br/><small>Source: [https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security]</small>
 +
<br>
 +
<br>
 +
===SAML and Hornbill===
 +
Hornbill makes use of the SAML framework to facilitate two things:
 +
:#'''Single Sign On (SSO)''' - this is the method of access control that enables a user to log in to their organisations network one time, but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately.  In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login. 
 +
:#'''Auto-provision Hornbill User Accounts''' - along with the authorization information needed for SSO, SAML has the ability to transport additional directory attributes of a user. Hornbill is capable of processing this additional information contained in the SAML payload and use it to automatically create a user accounts on your Hornbill instance. This mechanism can remove a significant overhead in terms of system administration.
 +
<br>
 +
'''PLEASE NOTE:''' While SSO must be set up to utilise auto-provisioning, the auto-provisioning of user accounts in Hornbill is an optional mechanism that can be disabled independently of SSO. Hornbill provides a range of user import utilities that can be used instead of auto-provisioning. More information on the available user imports can be found via the following wiki page: [https://wiki.hornbill.com/index.php/Hornbill_Open_Integration_Tools '''Open Integration Tools''']
 +
<br>
 +
<br>
 +
===How it Works===
 +
There are three key actors in any SAML implementation, these are the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "Service Provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federated Services (ADFS) acts as the identity provider.
  
The use of SAML allows external authentication of users and is often also used for SSO (Single Sign-on), which is a method of access control that enables a user to log in to their organisation one time but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately.  In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login.  As well as supporting single-sign-on but we also provide the ability to auto-provision authorised users on the Hornbill instance which removes a significant overhead in terms of system administration.
+
Once SSO is configured, when an unauthenticated user navigates to your Hornbill instance via one of the Hornbill URLs, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access Hornbill as required.
 
+
<br>
There are three key actors in any SAML implementation, these are the "user" trying to access the  application, the "identity provider" which knows and has identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access.  Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federated Services acts as the identity provider.
+
<br>
 
 
== How SAML Browser Authentication Works ==
 
In order for a user to access the Hornbill instance they must first be known to the identity provider and, the identity provider must know about the service provider (Hornbill Instance), and the user must be authorised by the identity provider to access the services on the identity provider (Hornbill Instance).
 
 
 
When an unauthenticated user accesses the Hornbill instance, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access resources as required.
 
 
 
 
== Compatible Identity Providers ==
 
== Compatible Identity Providers ==
The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any identity provider implementation, either commercial or home-grown that correctly supports this standard.   We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard.  Here is a link to the official standards documentation: -
+
The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any commercial or home-grown identity provider that correctly supports this standard. We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard.  Here is a link to the official standards documentation: -
  
 
[https://wiki.oasis-open.org/security/FrontPage SAML 2.0 2005]
 
[https://wiki.oasis-open.org/security/FrontPage SAML 2.0 2005]
Line 39: Line 54:
 
* [https://shibboleth.net/products/identity-provider.html Shibboleth Identity Provider]
 
* [https://shibboleth.net/products/identity-provider.html Shibboleth Identity Provider]
 
* [http://www.openathens.net/ OpenAthens (EduServ)]
 
* [http://www.openathens.net/ OpenAthens (EduServ)]
 
+
<br>
;IMPORTANT NOTE:
+
'''PLEASE NOTE:''' Although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language associated with the SAML 2.0 standard and not the language/terminology of any specific vendors identity provider platforms. Hornbill's technical staff are not experts with the various identity provider technologies and platforms in use.  It is important to understand that Hornbill support the SAML 2.0 standard to the letter, so if its in the standard we support it.  
:Please be aware that although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language associated with the SAML 2.0 standard and not the vendor specific language and/or terminology of any specific vendors identity providers platforms, this means Hornbill's technical staff are not experts with the various identity provider technologies and platforms in use.  It is important to understand that Hornbill support the SAML 2.0 standard to the letter, so if its in the standard we support it. Each organisations implementation of SAML is unique to their organisation and we strongly recommend that when setting up SAML for SSO on the Hornbill platform that you have someone internally with expertise and a working knowledge of federated security services within your own organisation. You should refer your technical security/SAML expert to this document which should provide them with sufficient information to allow the planning and configuration of SSO integration for your organisation.
+
Each organisations identity provider implementation can be unique to their organisation and it will be necessary for you to have someone internally with expertise and a working knowledge of your identity provider and directory services within your own organisation. You should refer your technical network expert to this document which should provide them with sufficient information to allow the planning and configuration of Single Sign On for your organisation.
 
+
<br>
== Setting Up Hornbill for User Single-Sign-On ==
+
<br>
 +
== Setting Up Single-Sign-On ==
 
In order to enable single-sign-on for users a number of steps need to be taken: -
 
In order to enable single-sign-on for users a number of steps need to be taken: -
  
# IdP: Create a service provider profile
+
# Decide if Auto-Provisioning will be used as the method for user account creation. If you intend to use auto-provisioning, please read the section below titled: "Preparing for Auto-Provisioning")
# Hornbill: Create an SSO Profile
+
# Make the necessary configuration in your Identity Provider. Different vendors may use different terminology to describe this but typical examples are "Service Provider Profile" or "Relying Party Trust".
# Hornbill: Create an auto-provisioning User Template (This is optional and only required if implementing Auto-Provisioning as part of SSO)
+
# Create an SSO Profile in Hornbill.
 
+
# Create an auto-provisioning User Template in Hornbill (This is optional and only required if implementing Auto-Provisioning as part of SSO).
It is also required that: -
+
<br>
 
+
'''PLEASE NOTE:''' We use the browser redirect profile defined by the SAML 2.0 specification so there is no need for your Hornbill instance (which is running in the Hornbill cloud) to have any direct access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall - no special firewall configuration is needed for access to the service from '''within''' your network.
* Your identity provider supports SAML 2.0
 
* Your identity provider is already working and authenticating your users for other systems or applications.
 
* The users that need to access the Hornbill instance can access your idP from their browser. 
 
 
 
NOTE: We use the browser redirect profile defined by the SAML 2.0 specification so there is no need for the Hornbill instance which is running in the Hornbill cloud to have any direct access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall - there are no special firewall configuration is needed for access to the service from within your network
 
  
 
=== Example IdP Configurations ===
 
=== Example IdP Configurations ===
Line 63: Line 74:
 
=== Creating a Hornbill SSO Profile ===
 
=== Creating a Hornbill SSO Profile ===
 
* [[Single_Sign_On_Profiles|Configuring a Single Sign On Profile in Hornbill]]
 
* [[Single_Sign_On_Profiles|Configuring a Single Sign On Profile in Hornbill]]
 +
<br>
 +
== Preparing for Auto-Provisioning ==
 +
The necessary configuration to facilitate auto-provisioning can be considered a small extension of the Single Sign On configuration. In the situation where only SSO is needed, there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML communication that identifies the user, typically this is tied into the users login ID.
 +
For Hornbill to successfully auto-provision a user account, it will be necessary to specify additional information to be transported in the outgoing claim from your Identity Provider. This information is carried in the additional attributes that are transported during the authentication of a user.
  
==== Transferring User Account Attributes to Hornbill ====
+
Obvious information such as first name, last name and e-mail address would be especially important when creating a Hornbill user account, but you may wish to bring over other information into the Hornbill instance at the point of auto-provisioning.
When configuring SSO there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML assertion that identifies the user, typically this is tied into the users login ID.  However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new user automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill user account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning. The Hornbill instance understands a definitive set of user account target properties which can be defined directly in the iDP for the Hornbill service, mapping them appropriately to the idP's user information attributes. When the Hornbill instance receives a SAML assertion for authentication it will automatically map these to the Hornbill account attributes as required.   
 
  
The following table lists the account target attributes understood by Hornbill
+
==== Hornbill User Account Properties ====
 +
The Hornbill instance understands a definitive set of user account target properties. The available properties can be used as a starting point in determining what information you wish to bring into Hornbill via your IDP for auto-provisioning. For each user account property you wish to populate in Hornbill, you will need a directory attribute configured in the outgoing claim coming from your iDP. The mapping is defined in the [https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles|'''Hornbill Single Sign On Profile''']
 +
The following table lists the user account properties that can be populated during auto-provisioning.
  
 
{| class="wikitable"
 
{| class="wikitable"
Line 159: Line 175:
  
  
== Setting Up Hornbill for Guest Account Single-Sign-On ==
+
==== Hornbill Contact Record Properties ====
In order to enable single-sign-on for guests a number of steps need to be taken: -
+
Like Hornbill user accounts, contact records can be created through auto-provisioning. The following table lists the contact record properties that can be populated during auto-provisioning.
 
 
# IdP: Create a service provider profile
 
# Hornbill: Create an SSO Profile
 
# Hornbill: Create an auto-provisioning Guest Template (This is optional and only required if implementing Auto-Provisioning as part of SSO)
 
# Hornbill: Configure Your Portal
 
 
 
Its is also required that: -
 
 
 
* Your identity provider supports SAML 2.0
 
* Your identity provider is already working and authenticating your users for other systems or applications.
 
* The users that need to access the Hornbill instance can access your IdP from their browser. 
 
 
 
NOTE: there is no need for the Hornbill instance which is running in the cloud to be able to directly access your IdP; meaning your IdP and all of your user identity information can remain behind your enterprise firewall.
 
 
 
=== Example IdP Configurations ===
 
* [[SSO_Example_Config_Microsoft_ADFS_2.0_for_Guest_Accounts|Microsoft ADFS 2.0 for Guest Accounts]]
 
 
 
=== Creating a Hornbill SSO Profile ===
 
* [[Single_Sign_On_Profiles|Configuring a Single Sign On Profile in Hornbill]]
 
 
 
==== Transferring Guest Account Attributes to Hornbill ====
 
When configuring SSO there is usually a one-to-one mapping between the Hornbill Guest Login ID and the nameID returned in the SAML assertion that identifies the guest, typically this is tied into the users network login ID.  However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new guest automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill guest account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning. The Hornbill instance understands a definitive set of guest properties which can be defined in the iDP for the Hornbill service and mapped to the idP's directory of user information.   The following table lists all attribute names understood by Hornbill guest authentication
 
  
 
{| class="wikitable"
 
{| class="wikitable"

Revision as of 11:11, 2 January 2018

Home > Integration > Essential Integrations > Single Sign On with SAML 2.0

Related Articles

Introduction

The Hornbill platform supports single-sign-on as well as policy-based transparent auto provisioning and data updates of both user and guest accounts thus providing enterprise-class user identity integration with your organisations core IT directory services.

What is SAML?

Security Assertion Markup Language ('SAML, pronounced "sam-el") is an open standard XML-based framework developed by the Security Services Technical Committee of OASIS and is designed for communicating user authentication, entitlement, and attribute information between parties, in particular between an Identity Provider (IdP) and a Service Provider i.e. Hornbill.

External References:
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Source: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

SAML and Hornbill

Hornbill makes use of the SAML framework to facilitate two things:

  1. Single Sign On (SSO) - this is the method of access control that enables a user to log in to their organisations network one time, but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login.
  2. Auto-provision Hornbill User Accounts - along with the authorization information needed for SSO, SAML has the ability to transport additional directory attributes of a user. Hornbill is capable of processing this additional information contained in the SAML payload and use it to automatically create a user accounts on your Hornbill instance. This mechanism can remove a significant overhead in terms of system administration.


PLEASE NOTE: While SSO must be set up to utilise auto-provisioning, the auto-provisioning of user accounts in Hornbill is an optional mechanism that can be disabled independently of SSO. Hornbill provides a range of user import utilities that can be used instead of auto-provisioning. More information on the available user imports can be found via the following wiki page: Open Integration Tools

How it Works

There are three key actors in any SAML implementation, these are the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "Service Provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federated Services (ADFS) acts as the identity provider.

Once SSO is configured, when an unauthenticated user navigates to your Hornbill instance via one of the Hornbill URLs, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access Hornbill as required.

Compatible Identity Providers

The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any commercial or home-grown identity provider that correctly supports this standard. We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard. Here is a link to the official standards documentation: -

SAML 2.0 2005

The following list of identity providers are known to have been configured and work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).


PLEASE NOTE: Although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language associated with the SAML 2.0 standard and not the language/terminology of any specific vendors identity provider platforms. Hornbill's technical staff are not experts with the various identity provider technologies and platforms in use. It is important to understand that Hornbill support the SAML 2.0 standard to the letter, so if its in the standard we support it. Each organisations identity provider implementation can be unique to their organisation and it will be necessary for you to have someone internally with expertise and a working knowledge of your identity provider and directory services within your own organisation. You should refer your technical network expert to this document which should provide them with sufficient information to allow the planning and configuration of Single Sign On for your organisation.

Setting Up Single-Sign-On

In order to enable single-sign-on for users a number of steps need to be taken: -

  1. Decide if Auto-Provisioning will be used as the method for user account creation. If you intend to use auto-provisioning, please read the section below titled: "Preparing for Auto-Provisioning")
  2. Make the necessary configuration in your Identity Provider. Different vendors may use different terminology to describe this but typical examples are "Service Provider Profile" or "Relying Party Trust".
  3. Create an SSO Profile in Hornbill.
  4. Create an auto-provisioning User Template in Hornbill (This is optional and only required if implementing Auto-Provisioning as part of SSO).


PLEASE NOTE: We use the browser redirect profile defined by the SAML 2.0 specification so there is no need for your Hornbill instance (which is running in the Hornbill cloud) to have any direct access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall - no special firewall configuration is needed for access to the service from within your network.

Example IdP Configurations

Creating a Hornbill SSO Profile


Preparing for Auto-Provisioning

The necessary configuration to facilitate auto-provisioning can be considered a small extension of the Single Sign On configuration. In the situation where only SSO is needed, there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML communication that identifies the user, typically this is tied into the users login ID. For Hornbill to successfully auto-provision a user account, it will be necessary to specify additional information to be transported in the outgoing claim from your Identity Provider. This information is carried in the additional attributes that are transported during the authentication of a user.

Obvious information such as first name, last name and e-mail address would be especially important when creating a Hornbill user account, but you may wish to bring over other information into the Hornbill instance at the point of auto-provisioning.

Hornbill User Account Properties

The Hornbill instance understands a definitive set of user account target properties. The available properties can be used as a starting point in determining what information you wish to bring into Hornbill via your IDP for auto-provisioning. For each user account property you wish to populate in Hornbill, you will need a directory attribute configured in the outgoing claim coming from your iDP. The mapping is defined in the Hornbill Single Sign On Profile The following table lists the user account properties that can be populated during auto-provisioning.

Name Required Description
account:name No The users display name/handle. If not specified then the name will be derived from account:firstName a space and the account:lastName. If these two attributes are not defined either, the name will be the same as the nameID (the users login id)
account:firstName No The users given/first name
account:lastName No The users given/last name
account:jobTitle No The users job title within the organisation
account:phone No The users phone number
account:email No The users e-mail address
account:mobile No The users mobile phone number
account:availabilityStatus No The users availability status - there is generally not a good mapping for this so you would not normally include it
account:availabilityMessage No The users availability message - there is generally not a good mapping for this so you would not normally include it
account:timeZone No The users timezone, see the list of supported times zones in Hornbill Administration
account:language No The users language, see the list of supported languages in Hornbill Administration
account:dateTimeFormat No The users dateTime format, see the API documentation for admin::userCreate for the format information
account:dateFormat No The users date format, see the API documentation for admin::userCreate for the format information
account:timeFormat No The users time format, see the API documentation for admin::userCreate for the format information
account:currencySymbol No The users default currency symbol
account:countryCode No The users country code


Hornbill Contact Record Properties

Like Hornbill user accounts, contact records can be created through auto-provisioning. The following table lists the contact record properties that can be populated during auto-provisioning.

Name Required Description
contact:firstName No The users given/first name
contact:lastName No The users given/last name
contact:jobTitle No The users job title within the organisation
contact:phone No The users phone number
contact:email No The users e-mail address
contact:company No The name of the company the user works at
contact:timeZone No The users timezone, see the list of supported times zones in Hornbill Administration
contact:language No The users language, see the list of supported languages in Hornbill Administration
contact:countryCode No The users country code
Retrieved from "https://wiki.hornbill.com/index.php?title=Single_Sign_On_with_SAML_2.0&oldid=16577"