Difference between revisions of "Single Sign On with SAML 2.0"

PRELIMINARY INFORMATION

Hornbill SSO Capabilities

The Hornbill platform supports single-sign-on and transparent auto provisioning of both user and guest accounts using SAML 2.0 providing enterprise-class user identity integration.

• Multiple Identity Providers Supported
• User Provisioning Templates
• Digital Signature Validation
• Public Key Verification
• Assertion Value Attribute Mapping
• Flexible NameID override

SAML Overview

Security Assertion Markup Language ('SAML, pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS (organization) Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

The use of SAML allows external authentication of users and is often also used for SSO (Single Sign-on), which is a method of access control that enables a user to log in to their organisation one time but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login. As well as supporting single-sign-on but we also provide the ability to auto-provision authorised users on the Hornbill instance which removes a significant overhead in terms of system administration.

There are three key actors in any SAML implementation, these are the "user" trying to access the application, the "identity provider" which knows and had identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory acts as the identity provider.

How SAML Browser Authentication Works

In order for a user to access the Hornbill instance they must first be known to the identity provider and, the identity provider must know about the service provider (Hornbill Instance), and the user must be authorised by the identity provider to access the services on the identity provider (Hornbill Instance).

When an unauthenticated user accesses the Hornbill instance, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access resources as required.

Compatible Identity Providers

The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any identity provider implementation, either commercial or home-grown. However, not all implementations correctly follow the standards so there may well be interoperability issues. We have tried to make our system as flexible as possible in terms of configuration in order to minimise this but this should be kept in mind. Here is a link to the official standards documentation

SAML 2.0 2005

The following list of identity providers are known to have been configured and work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).

• Microsoft Active Directory Federation Services (version info needed) - we generally test/validate against this platform
• Ping Identity

Please be aware that although we have expertise on our own platform, Hornbill's support staff are not necasserily experts with SAML or the various identity provider technologies out there. Each organisations implementation of SAML is unique to their organisation and we strongly recommend that when trying to set up SAML for SSO on Hornbill you have some expertise and working knowledge of federated security services.

Setting Up Hornbill for User Single-Sign-On

In order to enable single-sign-on for users a number of steps need to be taken: -

1. Hornbill: Create an auto-provisioning User Template
2. Hornbill: Create an SSO Profile
3. idP: Create a service provider profile

Its is also required that: -

• Your identity provider supports SAML 2.0
• Your identity provider is already working and authenticating your users for other systems or applications.
• The users that need to access the Hornbill instance can access your idP from their browser.

NOTE: there is no need for the Hornbill instance which is runnning in the cloud to be able to directly access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall.

Creating an auto-provisioning User Template

TODO: ...

Creating a Hornbill SSO Profile

TODO: ...

Example: Configuring Microsoft Active Directory Federated Services for Hornbill SSO

TODO: ...

Transferring User Attributes to Hornbill

When configuring SSO there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML assertion that identifies the user, typically this is tied into the users login ID. However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new user automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill user account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning. The Hornbill instance understands a definitive set of user properties which can be defined in the iDP for the Hornbill service and mapped to the idP's directory of user information. The following table lists all attributes understood by the Hornbill instance