Difference between revisions of "Single Sign On with SAML 2.0"

From Hornbill
(41 intermediate revisions by 5 users not shown)

<div style="border:1px solid #90C0FF; background:#D0E0FF; width:99%; padding:4px; margin-bottom:10px;">
This documentation has been moved to:
[[Main Page|Home]] > [[Integration]] > [[Essential Integrations]] > Single Sign On with SAML 2.0

'''SSO Fundamentals'''
* https://docs.hornbill.com/esp-fundamentals/security/single-sign-on

'''SSO Configuration'''
* https://docs.hornbill.com/esp-config/security/sso/sso-with-saml
* https://docs.hornbill.com/esp-config/security/sso/single-sign-on
* https://docs.hornbill.com/esp-config/security/sso/auto-provisioning
</div>

{|style="width: 100%"
|- valign="top"
|style="width:73%"|
__TOC__
|style="width:5%"|
|
|style="width:22%; border-style: solid; border-width: 1px; border-color:#e6e6e6; background-color:#f2f2f2;"|

== Related Articles ==
:* [[SSO Example Config Microsoft ADFS 2.0 for User Accounts|SSO Example Config for Microsoft ADFS 2.0]]
:* [[Single_Sign_On_Profiles|Creating a Hornbill SSO Profile]]
:* [[Enabling_Single_Sign_On_in_Your_Web_Browser|Enabling Single Sign On in Your Web Browser]]
|}

==Introduction==
The Hornbill platform supports single sign-on as well as policy-based, transparent auto-provisioning and data updates of both user and guest accounts, providing enterprise-class user identity integration with your organisation's core IT directory services.

===What is SAML?===
'''Security Assertion Markup Language''' ('''SAML''', pronounced "sam-el") is an open standard, XML-based framework developed by the Security Services Technical Committee of OASIS. It is designed for communicating user authentication, entitlement, and attribute information between parties, in particular between an Identity Provider (IdP) and a Service Provider (SP), i.e. Hornbill.

[[Category:HDOC]]
 
 
External References:
 
<br/><small>Source: [http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language]</small>
 
<br/><small>Source: [https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security]</small>
 
<br>
 
<br>
 
===SAML and Hornbill===
 
Hornbill makes use of the SAML framework to facilitate two things:
 
:#'''Single Sign On (SSO)''' - this is the method of access control that enables a user to log in to their organisation's network once and then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login.

:#'''Auto-provision Hornbill User Accounts''' - along with the authorisation information needed for SSO, SAML can transport additional directory attributes of a user. Hornbill can process this additional information contained in the SAML payload and use it to automatically create user accounts on your Hornbill instance. This mechanism can remove a significant system administration overhead.
 
<br>
 
'''PLEASE NOTE:''' While SSO must be set up to utilise auto-provisioning, the auto-provisioning of user accounts in Hornbill is an optional mechanism that can be disabled independently of SSO. Hornbill provides a range of user import utilities that can be used instead of auto-provisioning. More information on the available user imports can be found via the following wiki page: [https://wiki.hornbill.com/index.php/Hornbill_Open_Integration_Tools '''Open Integration Tools''']
 
<br>
 
<br>
 
===How it Works===
 
There are three key actors in any SAML implementation: the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federation Services (ADFS), acts as the identity provider.
 
 
 
Once SSO is configured, when an unauthenticated user navigates to your Hornbill instance via one of the Hornbill URLs, the browser is redirected to the identity provider with the information needed to request access to the service; this is known as a SAML AuthnRequest. The IdP inspects the AuthnRequest and, if the user is authorised, returns an Assertion to the browser with a redirect back to the service provider (in this case the Hornbill instance). The Hornbill instance validates the Assertion, checking its authenticity against a known Hornbill SSO profile, and if it is valid creates a session and allows the user to access Hornbill as required.
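The validation step described above, as an added illustration that is not Hornbill's code: the checks a service provider applies to a returned Assertion before trusting it. The profile values, the request ID and the unsigned sample Assertion are constructed; in a real deployment the XML signature is verified against the IdP certificate held in the SSO profile before any of these fields are read.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SSO profile values (assumed, not taken from the page).
PROFILE = {"idp_entity_id": "http://idp.example.org/adfs/services/trust",
           "sp_entity_id": "https://sp.example.com/"}

# Constructed, unsigned sample Assertion for illustration only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-04-18T20:00:00Z">
  <saml:Issuer>http://idp.example.org/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jsmith</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-04-18T20:05:00Z" Recipient="https://sp.example.com/saml/acs"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-04-18T19:59:00Z" NotOnOrAfter="2024-04-18T20:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, profile, expected_request_id, now_utc):
    """Return a list of failures; empty means the issuer, audience, request
    binding and validity-window checks all passed. Signature verification
    (e.g. with xmlsec) must happen before this and is not shown here."""
    a = ET.fromstring(xml_text)
    now = _ts(now_utc)
    failures = []
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != profile["idp_entity_id"]:
        failures.append(f"issuer {issuer!r} does not match profile")
    audiences = [e.text for e in a.findall(".//saml:Audience", NS)]
    if profile["sp_entity_id"] not in audiences:
        failures.append("assertion not addressed to this service provider")
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("InResponseTo") != expected_request_id:
        failures.append("InResponseTo does not match the AuthnRequest we sent")
    cond = a.find("saml:Conditions", NS)
    if cond is not None:  # clock checks guard against replay of an old assertion
        if now < _ts(cond.get("NotBefore")):
            failures.append("assertion not yet valid")
        if now >= _ts(cond.get("NotOnOrAfter")):
            failures.append("assertion expired")
    return failures
```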
 
<br>
 
<br>
 
== Compatible Identity Providers ==
 
The Hornbill SSO implementation follows the SAML 2.0:2005 specification, so it will work with any commercial or home-grown identity provider that correctly supports this standard. We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard. The official standards documentation is linked here:
 
 
 
[https://wiki.oasis-open.org/security/FrontPage SAML 2.0 2005]
 
<br/>
 
 
 
The following identity providers are known to have been configured and to work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).
 
 
 
* [http://msdn.microsoft.com/en-GB/library/bb897402.aspx Microsoft Active Directory Federation Services (ADFS 2.0)] - we generally test/validate against this platform
 
* Microsoft Active Directory Federation Services (ADFS 3.0)
 
* [http://www.pingidentity.com/ Ping Identity]
 
* [http://ssocircle.com/ SSO Circle]
 
* [https://azure.microsoft.com/en-gb/services/active-directory/ Microsoft Azure Directory Services]
 
* [https://shibboleth.net/products/identity-provider.html Shibboleth Identity Provider]
 
* [http://www.openathens.net/ OpenAthens (EduServ)]
 
<br>
 
'''PLEASE NOTE:''' Although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language of the SAML 2.0 standard and not the terminology of any specific vendor's identity provider platform. Hornbill's technical staff are not experts in the various identity provider technologies and platforms in use. It is important to understand that Hornbill supports the SAML 2.0 standard to the letter, so if it's in the standard we support it.

Each organisation's identity provider implementation can be unique, so you will need someone internally with expertise and a working knowledge of your organisation's identity provider and directory services. You should refer your technical network expert to this document, which should give them sufficient information to plan and configure Single Sign On for your organisation.
 
<br>
 
<br>
 
== Setting Up Single-Sign-On ==
 
To enable single sign-on for users, a number of steps need to be taken:
 
 
 
# Decide if Auto-Provisioning will be used as the method for user account creation. If you intend to use auto-provisioning, please read the section below titled: "Preparing for Auto-Provisioning".
 
# Make the necessary configuration in your Identity Provider. Different vendors may use different terminology to describe this but typical examples are "Service Provider Profile" or "Relying Party Trust".
 
# Create an SSO Profile in Hornbill.
 
# Configure the necessary browser settings to ensure a seamless SSO experience.
 
# Create an auto-provisioning User Template in Hornbill (This is optional and only required if implementing Auto-Provisioning as part of SSO).
 
<br>
 
'''PLEASE NOTE:''' We use the browser redirect profile defined by the SAML 2.0 specification, so there is no need for your Hornbill instance (which runs in the Hornbill cloud) to have any direct access to your IdP. This means your IdP and all of your user identity information can remain behind your enterprise firewall; no special firewall configuration is needed for access to the service from '''within''' your network.
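An added example, not from the page or from Hornbill, of the browser redirect profile the note refers to: how an AuthnRequest is encoded for the SAML 2.0 HTTP-Redirect binding and decoded again on the IdP side, with the browser carrying the message so the two servers never talk directly. The endpoint URLs are assumed placeholders.

```python
import base64
import zlib
from urllib.parse import urlencode, parse_qs, urlparse

# Assumed example endpoints; the real values come from your SSO profile and
# your IdP's metadata (none of these are taken from the page).
SP_ENTITY_ID = "https://sp.example.com/"
SP_ACS_URL = "https://sp.example.com/saml/acs"
IDP_SSO_URL = "https://idp.example.org/adfs/ls/"

def build_authn_request(request_id, issue_instant):
    """Minimal SP-initiated AuthnRequest. The ID must be unique and remembered
    so the InResponseTo on the returned Assertion can be matched against it."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )

def redirect_url(authn_request_xml, relay_state=None):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header), base64, then
    URL-encode as the SAMLRequest query parameter. The user's browser carries
    it to the IdP, which is why the SP needs no network path to the IdP.
    Query-string signing (SigAlg/Signature parameters) is not shown."""
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 selects raw deflate
    deflated = deflater.compress(authn_request_xml.encode()) + deflater.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode()}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SSO_URL + "?" + urlencode(params)

def decode_saml_request(url):
    """Reverse of redirect_url, as the IdP does on receipt of the redirect."""
    query = parse_qs(urlparse(url).query)
    raw = base64.b64decode(query["SAMLRequest"][0])
    return zlib.decompress(raw, -15).decode()
```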
 
 
 
=== Example IdP Configurations ===
 
* [[SSO_Example_Config_Microsoft_ADFS_2.0_for_User_Accounts|Microsoft ADFS 2.0 for User Accounts]]
 
 
 
=== Creating a Hornbill SSO Profile ===
 
* [[Single_Sign_On_Profiles|Configuring a Single Sign On Profile in Hornbill]]
 
=== Configuring Single Sign-on in the Browser ===
 
* [[Enabling_Single_Sign_On_in_Your_Web_Browser|Enabling Single Sign On in Your Web Browser]]
 
 
 
== Preparing for Auto-Provisioning (Optional)==
 
The configuration needed to facilitate auto-provisioning can be considered a small extension of the Single Sign On configuration. Where only SSO is needed, there is a single one-to-one mapping between the Hornbill User ID and the "nameID" returned in the SAML communication that identifies the user; typically this is tied to the user's login ID.

For Hornbill to successfully auto-provision a user account, you will need to specify additional information to be transported in the outgoing claim from your Identity Provider. This information is carried in the additional attributes transported during the authentication of a user.
 
 
 
Obvious information such as first name, last name and e-mail address would be especially important when creating a Hornbill user account, but you may wish to bring over other information into the Hornbill instance at the point of auto-provisioning.
 
 
 
==== Hornbill User Account Properties ====
 
The Hornbill instance understands a definitive set of user account target properties. These can be used as a starting point when deciding what information to bring into Hornbill via your IdP for auto-provisioning. For each user account property you wish to populate in Hornbill, you will need a directory attribute configured in the outgoing claim from your IdP. The mapping is defined in the [https://wiki.hornbill.com/index.php/Single_Sign_On_Profiles '''Hornbill Single Sign On Profile''']
 
The following table lists the user account properties that can be populated during auto-provisioning.
 
 
 
{| class="wikitable"
|-
! Name
! Required
! Description
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:name
| No
| The user's display name/handle. If not specified, the name is derived from account:firstName, a space and account:lastName. If neither of those two attributes is defined either, the name is the same as the nameID (the user's login ID).
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:firstName
| No
| The user's given/first name
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:lastName
| No
| The user's family/last name
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:jobTitle
| No
| The user's job title within the organisation
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:phone
| No
| The user's phone number
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:email
| No
| The user's e-mail address
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:mobile
| No
| The user's mobile phone number
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:availabilityStatus
| No
| The user's availability status - there is generally not a good mapping for this, so you would not normally include it
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:availabilityMessage
| No
| The user's availability message - there is generally not a good mapping for this, so you would not normally include it
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:timeZone
| No
| The user's time zone; see the list of supported time zones in Hornbill Administration
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:language
| No
| The user's language; see the list of supported languages in Hornbill Administration
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:dateTimeFormat
| No
| The user's date/time format; see the API documentation for admin::userCreate for the format information
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:dateFormat
| No
| The user's date format; see the API documentation for admin::userCreate for the format information
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:timeFormat
| No
| The user's time format; see the API documentation for admin::userCreate for the format information
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:currencySymbol
| No
| The user's default currency symbol
|- style="vertical-align:top;"
| style="font-family: courier new;" | account:countryCode
| No
| The user's country code
|}
 
 
 
==== Hornbill Contact Record Properties ====
 
Like Hornbill user accounts, contact records can be created through auto-provisioning. The following table lists the contact record properties that can be populated during auto-provisioning.
 
 
 
{| class="wikitable"
|-
! Name
! Required
! Description
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:firstName
| No
| The user's given/first name
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:lastName
| No
| The user's family/last name
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:jobTitle
| No
| The user's job title within the organisation
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:phone
| No
| The user's phone number
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:email
| No
| The user's e-mail address
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:company
| No
| The name of the company the user works at
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:timeZone
| No
| The user's time zone; see the list of supported time zones in Hornbill Administration
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:language
| No
| The user's language; see the list of supported languages in Hornbill Administration
|- style="vertical-align:top;"
| style="font-family: courier new;" | contact:countryCode
| No
| The user's country code
|}
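An added example, not Hornbill's implementation, of the claim-to-property mapping that the user account and contact record tables above describe: SAML attributes from the Assertion are mapped onto account:* (or, in the same way, contact:*) properties, unmapped attributes are ignored, and account:name is derived as the user account table specifies. The claim URIs in the mapping and the sample Assertion are constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical claim-to-property mapping as it would be configured in an SSO
# profile. The claim names are assumptions, not values from the page.
ATTRIBUTE_MAP = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "account:firstName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "account:lastName",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "account:email",
    "urn:example:claims:jobTitle": "account:jobTitle",  # constructed custom claim
}

# Constructed sample: the Subject and AttributeStatement of an Assertion.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jsmith</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Smith</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.smith@example.org</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:example:claims:department">
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def provisioning_properties(assertion_xml, attribute_map):
    """Return (user_id, properties). The user ID is the NameID; only attributes
    with a configured target are copied. account:name falls back to
    firstName + " " + lastName (whichever parts are present), then to the NameID."""
    a = ET.fromstring(assertion_xml)
    name_id = a.findtext(".//saml:NameID", namespaces=NS)
    props = {}
    for attr in a.findall(".//saml:Attribute", NS):
        target = attribute_map.get(attr.get("Name"))
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if target and value:  # unmapped or empty attributes are dropped
            props[target] = value.strip()
    if "account:name" not in props:
        parts = [props.get("account:firstName"), props.get("account:lastName")]
        props["account:name"] = " ".join(p for p in parts if p) or name_id
    return name_id, props
```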
 

Latest revision as of 20:52, 18 April 2024