Difference between revisions of "Single Sign On with SAML 2.0"

From Hornbill
Revision as of 21:12, 17 August 2014

PRELIMINARY INFORMATION

The Hornbill platform supports single-sign-on and transparent auto provisioning of both user and guest accounts using SAML 2.0 providing enterprise-class user identity integration.

  • Multiple Identity Providers Supported
  • User Provisioning Templates
  • Digital Signature Validation
  • Public Key Verification
  • Assertion Value Attribute Mapping
  • Flexible NameID override

SAML Overview

Security Assertion Markup Language (SAML, pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

SAML allows users to be authenticated externally and is commonly used for SSO (Single Sign-on), a method of access control that lets a user log in to their organisation once and then be transparently authorised to access resources in multiple software systems without being prompted to log in to each one separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login. As well as single-sign-on, we also provide the ability to auto-provision authorised users on the Hornbill instance, which removes a significant system administration overhead.

There are three key actors in any SAML implementation: the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory via Active Directory Federation Services, acts as the identity provider.

How SAML Browser Authentication Works

In order for a user to access the Hornbill instance they must first be known to the identity provider, the identity provider must know about the service provider (the Hornbill instance), and the user must be authorised by the identity provider to access the services on that service provider.

When an unauthenticated user accesses the Hornbill instance, the browser is redirected to the identity provider carrying the information needed to request access to the service; this message is known as a SAML AuthnRequest. The IdP examines the AuthnRequest, authenticates the user (typically transparently, from their enterprise desktop or browser login) and, if the user is authorised, returns a SAML Response containing an Assertion to the browser, which posts it back to the service provider (in this case the Hornbill instance). The Hornbill instance validates the Assertion against the matching Hornbill SSO profile, verifying its digital signature with the identity provider's public key held in that profile, and if it is valid creates a session and allows the user to access resources as required.
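The exchange described above, written out as an added example (this is not Hornbill's code and does not show how the Hornbill platform implements it). It builds the AuthnRequest for the HTTP-Redirect binding on the service-provider side, then performs the checks a service provider must make on the returned Assertion before creating a session: the Response answers a request we actually issued (and only once, so a replayed Response is refused), the Signature is inside and references the very Assertion being consumed (the defence against signature-wrapping), the Issuer is the configured IdP, the validity window and Audience fit this SP, and the SubjectConfirmationData names our assertion consumer URL. The SSO profile, entity IDs, URLs and the IdP's Response are all constructed for the example; the cryptographic XML-DSig check is delegated to a caller-supplied function, and the demo passes a placeholder that accepts anything, which a real deployment must never do.

```python
import base64, uuid, zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
PROFILE = {  # hypothetical SSO profile for one service provider; every value is constructed for this example
    "sp_entity_id": "https://sp.example.test/saml",
    "acs_url": "https://sp.example.test/saml/acs",
    "idp_entity_id": "https://idp.example.test/adfs/services/trust",
    "idp_sso_url": "https://idp.example.test/adfs/ls/"}

def ts(t): return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def parse_ts(s): return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(profile, now):
    """SP side, HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. Returns (request_id, redirect_url)."""
    request_id = "_" + uuid.uuid4().hex
    xml = ('<samlp:AuthnRequest xmlns:samlp="{samlp}" xmlns:saml="{saml}" ID="{id}" Version="2.0" '
           'IssueInstant="{t}" Destination="{sso}" AssertionConsumerServiceURL="{acs}" '
           'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
           '<saml:Issuer>{sp}</saml:Issuer></samlp:AuthnRequest>').format(
        id=request_id, t=ts(now), sso=profile["idp_sso_url"], acs=profile["acs_url"],
        sp=profile["sp_entity_id"], **NS)
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE stream, no zlib header
    data = comp.compress(xml.encode()) + comp.flush()
    return request_id, profile["idp_sso_url"] + "?" + urlencode({"SAMLRequest": base64.b64encode(data).decode()})

class SamlError(Exception): pass

def validate_response(response_xml, profile, outstanding, now, verify_signature):
    """SP side: checks an Assertion must pass before it creates a session. `outstanding` is the set of issued,
    unconsumed AuthnRequest IDs; `verify_signature(assertion)` is the caller's XML-DSig check against the IdP
    certificate held in the profile (assumed here, not implemented)."""
    root = ET.fromstring(response_xml)
    in_resp = root.get("InResponseTo")
    if in_resp not in outstanding:
        raise SamlError("unsolicited or replayed Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    # Signature-wrapping defence: the Signature must sit inside, and reference, the Assertion we consume.
    ref = a.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + a.get("ID", ""):
        raise SamlError("Assertion unsigned or Signature references another element")
    if not verify_signature(a):
        raise SamlError("Signature verification failed")
    if a.findtext("saml:Issuer", namespaces=NS) != profile["idp_entity_id"]:
        raise SamlError("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter")):
        raise SamlError("Assertion outside its validity window")
    if profile["sp_entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlError("Assertion not intended for this SP (Audience)")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != profile["acs_url"] or scd.get("InResponseTo") != in_resp:
        raise SamlError("SubjectConfirmationData mismatch")
    outstanding.discard(in_resp)  # one-time use: the same Response must never log in twice
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs

def sample_response(profile, request_id, now, audience=None):
    """Constructed IdP Response for the demo; its ds:Signature is structural only, with no real crypto."""
    aid = "_" + uuid.uuid4().hex
    return ('<samlp:Response xmlns:samlp="{samlp}" xmlns:saml="{saml}" xmlns:ds="{ds}" ID="_r1" Version="2.0" '
            'IssueInstant="{t}" Destination="{acs}" InResponseTo="{rid}"><saml:Issuer>{idp}</saml:Issuer>'
            '<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>'
            '<saml:Assertion ID="{aid}" Version="2.0" IssueInstant="{t}"><saml:Issuer>{idp}</saml:Issuer>'
            '<ds:Signature><ds:SignedInfo><ds:Reference URI="#{aid}"/></ds:SignedInfo></ds:Signature>'
            '<saml:Subject><saml:NameID>alice@example.test</saml:NameID><saml:SubjectConfirmation>'
            '<saml:SubjectConfirmationData Recipient="{acs}" InResponseTo="{rid}"/></saml:SubjectConfirmation>'
            '</saml:Subject><saml:Conditions NotBefore="{nb}" NotOnOrAfter="{na}"><saml:AudienceRestriction>'
            '<saml:Audience>{aud}</saml:Audience></saml:AudienceRestriction></saml:Conditions>'
            '<saml:AttributeStatement><saml:Attribute Name="mail"><saml:AttributeValue>alice@example.test'
            '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>'
            ).format(t=ts(now), acs=profile["acs_url"], rid=request_id, idp=profile["idp_entity_id"], aid=aid,
                     nb=ts(now - timedelta(minutes=1)), na=ts(now + timedelta(minutes=5)),
                     aud=audience or profile["sp_entity_id"], **NS)

def demo(now=None):
    """One full exchange, then a replayed Response and one minted for another SP; returns the outcomes."""
    now = now or datetime.now(timezone.utc)
    ok = lambda assertion: True  # placeholder only: production code verifies the XML-DSig here
    rid, url = build_authn_request(PROFILE, now)
    outstanding = {rid}  # the SP remembers the request IDs it issued so that InResponseTo can be checked
    name_id, attrs = validate_response(sample_response(PROFILE, rid, now), PROFILE, outstanding, now, ok)
    outcomes = {"login": name_id, "attrs": attrs}
    for label, rid2, aud, pending in [("replay", rid, None, outstanding),
                                      ("wrong_audience", "_x", "https://other.example.test", {"_x"})]:
        try:
            validate_response(sample_response(PROFILE, rid2, now, aud), PROFILE, pending, now, ok)
            outcomes[label] = "accepted"
        except SamlError as e:
            outcomes[label] = str(e)
    return outcomes
```

Running `demo()` logs alice in once, then refuses the same Response a second time and refuses an Assertion whose Audience is a different service provider. The order of the checks matters: the signature reference is confirmed before the signature is verified and before any attribute is read, so an attacker who wraps a genuinely signed Assertion around a forged one never reaches the NameID or attribute extraction that would feed a provisioning template.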

Compatible Identity Providers

The Hornbill SSO implementation follows the SAML 2.0:2005 specification, so it should work with any identity provider implementation, either commercial or home-grown. However, not all implementations correctly follow the standard, so there may well be interoperability issues. We have made the configuration as flexible as possible to minimise such issues, but they should be kept in mind.

This is a list of identity providers we know have been configured to work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).

  • Microsoft Active Directory Federation Services (version info needed) - we generally test/validate against this platform
  • Ping Identity

Setting Up Hornbill for User Single-Sign-On

In order to enable single-sign-on for users, the following steps need to be taken:

  1. In Hornbill: Create an auto-provisioning User Template
  2. In Hornbill: Create an SSO Profile
  3. In the IdP: Create a service provider profile