Difference between revisions of "Single Sign On with SAML 2.0"

From Hornbill
Jump to navigation Jump to search
 
(117 intermediate revisions by 9 users not shown)
Line 1: Line 1:
<font color="red">PRELIMINARY INFORMATION</font>
+
This documentation has been moved to: -
  
== Hornbill SSO Capabilities ==
+
SSO Fundamentals
The Hornbill platform supports single-sign-on as well as policy based transparent auto provisioning and data updates of both user and guest accounts using SAML 2.0, providing enterprise-class user identity integration with your organisations core IT directory services.
+
* https://docs.hornbill.com/esp-fundamentals/security/single-sign-on
  
* Multiple Identity Providers Supported
+
SSO Configuration
* User Provisioning Templates
+
* https://docs.hornbill.com/esp-config/security/sso/sso-with-saml
* Digital Signature Validation
+
* https://docs.hornbill.com/esp-config/security/sso/single-sign-on
* Public Key Verification
+
* https://docs.hornbill.com/esp-config/security/sso/auto-provisioning
* Assertion Value Attribute Mapping
+
[[Category:HDOC]]
* Flexible NameID override
 
 
 
== SAML Overview ==
 
''Security Assertion Markup Language''' ('''SAML''', pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS (organization) Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
 
<br/><small>Source: [http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language]</small>
 
 
 
The use of SAML allows external authentication of users and is often also used for SSO (Single Sign-on), which is a method of access control that enables a user to log in to their organisation one time but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately.  In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login.  As well as supporting single-sign-on but we also provide the ability to auto-provision authorised users on the Hornbill instance which removes a significant overhead in terms of system administration.
 
 
 
There are three key actors in any SAML implementation, these are the "user" trying to access the  application, the "identity provider" which knows and had identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access.  Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory acts as the identity provider.
 
 
 
== How SAML Browser Authentication Works ==
 
In order for a user to access the Hornbill instance they must first be known to the identity provider and, the identity provider must know about the service provider (Hornbill Instance), and the user must be authorised by the identity provider to access the services on the identity provider (Hornbill Instance).
 
 
 
When an unauthenticated user accesses the Hornbill instance, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest.  The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access resources as required.
 
 
 
== Compatible Identity Providers ==
 
The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any identity provider implementation, either commercial or home-grown.  However, not all implementations correctly follow the standards so there may well be interoperability issues.  We have tried to make our system as flexible as possible in terms of configuration in order to minimise this but this should be kept in mind.  Here is a link to the official standards documentation
 
 
 
[https://wiki.oasis-open.org/security/FrontPage SAML 2.0 2005]
 
<br/>
 
 
 
The following list of identity providers are known to have been configured and work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).
 
 
 
* [http://msdn.microsoft.com/en-GB/library/bb897402.aspx Microsoft Active Directory Federation Services] - we generally test/validate against this platform
 
* [http://www.pingidentity.com/ Ping Identity]
 
* [http://ssocircle.com/ SSO Circle]
 
 
 
Please be aware that although we have expertise on our own platform, Hornbill's support staff are not necasserily experts with SAML or the various identity provider technologies out there. Each organisations implementation of SAML is unique to their organisation and we strongly recommend that when trying to set up SAML for SSO on Hornbill you have some expertise and working knowledge of federated security services within your own organisation.  You should refer your technical expert to this document which should provide you with sufficient information to allow the planning and configuration of SSO for your organisation.
 
 
 
== Setting Up Hornbill for User Single-Sign-On ==
 
In order to enable single-sign-on for users a number of steps need to be taken: -
 
 
 
# Hornbill: Create an auto-provisioning User Template
 
# Hornbill: Create an SSO Profile
 
# idP: Create a service provider profile
 
 
 
It is also required that: -
 
 
 
* Your identity provider supports SAML 2.0
 
* Your identity provider is already working and authenticating your users for other systems or applications.
 
* The users that need to access the Hornbill instance can access your idP from their browser. 
 
 
 
NOTE: We use the browser redirect profile defined by SAML so there is no need for the Hornbill instance which is running in the cloud to be able to directly access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall and no special firewall configuration is needed.
 
 
 
=== Creating an auto-provisioning User Template ===
 
TODO: ...
 
 
 
=== Creating a Hornbill SSO Profile ===
 
TODO: ...
 
 
 
=== Example: Configuring Microsoft Active Directory Federated Services for Hornbill SSO ===
 
TODO: ...
 
 
 
==== Transferring User Account Attributes to Hornbill ====
 
When configuring SSO there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML assertion that identifies the user, typically this is tied into the users login ID.  However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new user automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill user account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning.  The Hornbill instance understands a definitive set of user account target properties which can be defined directly in the iDP for the Hornbill service, mapping them appropriately to the idP's user information attributes. When the Hornbill instance receives a SAML assertion for authentication it will automatically map these to the Hornbill account attributes as required.   
 
 
 
The following table lists the account target attributes understood by Hornbill
 
 
 
{| class="wikitable"
 
 
 
|-
 
! Name
 
! Required
 
! Description
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:name
 
| No
 
| The users display name/handle. If not specified then the name will be derived from account:firstName a space and the account:lastName.  If these two attributes are not defined either, the name will be the same as the nameID (the users login id)
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:firstName
 
| No
 
| The users given/first name
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:lastName
 
| No
 
| The users given/last name
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:homeGroup
 
| No
 
| The home group assigned to the user account
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:jobTitle
 
| No
 
| The users job title within the organisation
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:phone
 
| No
 
| The users phone number
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:email
 
| No
 
| The users e-mail address
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:mobile
 
| No
 
| The users mobile phone number
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:availabilityStatus
 
| No
 
| The users availability status - there is generally not a good mapping for this so you would not normally include it
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:availabilityMessage
 
| No
 
| The users availability message - there is generally not a good mapping for this so you would not normally include it
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:timeZone
 
| No
 
| The users timezone, see the list of supported times zones in the admin tool
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:language
 
| No
 
| The users language, see the list of supported languages in the admin tool
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:dateTimeFormat
 
| No
 
| The users dateTime format, see the API documentation for admin::userCreate for the format information
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:dateFormat
 
| No
 
| The users date format, see the API documentation for admin::userCreate for the format information
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:timeFormat
 
| No
 
| The users time format, see the API documentation for admin::userCreate for the format information
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:currencySymbol
 
| No
 
| The users default currency symbol
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | account:countryCode
 
| No
 
| The users country code
 
 
 
|}
 
 
 
== Setting Up Hornbill for Guest Account Single-Sign-On ==
 
In order to enable single-sign-on for guests a number of steps need to be taken: -
 
 
 
# Hornbill: Create an auto-provisioning Guest Template
 
# Hornbill: Create an SSO Profile
 
# idP: Create a service provider profile
 
# Hornbill: Create a Guest Portal
 
 
 
Its is also required that: -
 
 
 
* Your identity provider supports SAML 2.0
 
* Your identity provider is already working and authenticating your users for other systems or applications.
 
* The users that need to access the Hornbill instance can access your idP from their browser. 
 
 
 
NOTE: there is no need for the Hornbill instance which is running in the cloud to be able to directly access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall.
 
 
 
=== Creating an auto-provisioning Guest Template ===
 
TODO: ...
 
 
 
=== Creating a Hornbill SSO Profile ===
 
TODO: ...
 
 
 
=== Example: Configuring Microsoft Active Directory Federated Services for Hornbill SSO ===
 
TODO: ...
 
 
 
==== Transferring Guest Account Attributes to Hornbill ====
 
When configuring SSO there is usually a one-to-one mapping between the Hornbill Guest Login ID and the nameID returned in the SAML assertion that identifies the guest, typically this is tied into the users network login ID.  However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new guest automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill guest account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning.  The Hornbill instance understands a definitive set of guest properties which can be defined in the iDP for the Hornbill service and mapped to the idP's directory of user information.  The following table lists all attribute names understood by Hornbill guest authentication
 
 
 
{| class="wikitable"
 
 
 
|-
 
! Name
 
! Required
 
! Description
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:firstName
 
| No
 
| The users given/first name
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:lastName
 
| No
 
| The users given/last name
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:jobTitle
 
| No
 
| The users job title within the organisation
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:phone
 
| No
 
| The users phone number
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:email
 
| No
 
| The users e-mail address
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:company
 
| No
 
| The name of the company the user works at
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:timeZone
 
| No
 
| The users timezone, see the list of supported times zones in the admin tool
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:language
 
| No
 
| The users language, see the list of supported languages in the admin tool
 
 
 
|- style="vertical-align:top;"
 
| style="font-family: courier new;" | contact:countryCode
 
| No
 
| The users country code
 
 
 
|}
 

Latest revision as of 20:52, 18 April 2024

This documentation has been moved to: -

SSO Fundamentals

SSO Configuration

Retrieved from "https://wiki.hornbill.com/index.php?title=Single_Sign_On_with_SAML_2.0&oldid=32372"