Difference between revisions of "Single Sign On with SAML 2.0"
| Line 127: | Line 127: | ||
| style="font-family: courier new;" | account:timeZone | | style="font-family: courier new;" | account:timeZone | ||
| No | | No | ||
| − | | The users timezone, see the list of supported times zones in | + | | The users timezone, see the list of supported times zones in Hornbill Administration |
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| style="font-family: courier new;" | account:language | | style="font-family: courier new;" | account:language | ||
| No | | No | ||
| − | | The users language, see the list of supported languages in | + | | The users language, see the list of supported languages in Hornbill Administration |
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| Line 229: | Line 229: | ||
| style="font-family: courier new;" | contact:timeZone | | style="font-family: courier new;" | contact:timeZone | ||
| No | | No | ||
| − | | The users timezone, see the list of supported times zones in | + | | The users timezone, see the list of supported times zones in Hornbill Administration |
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
| style="font-family: courier new;" | contact:language | | style="font-family: courier new;" | contact:language | ||
| No | | No | ||
| − | | The users language, see the list of supported languages in | + | | The users language, see the list of supported languages in Hornbill Administration |
|- style="vertical-align:top;" | |- style="vertical-align:top;" | ||
Revision as of 17:09, 13 October 2014
PRELIMINARY INFORMATION
Hornbill SSO Capabilities
The Hornbill platform supports single-sign-on as well as policy based transparent auto provisioning and data updates of both user and guest accounts using SAML 2.0, providing enterprise-class user identity integration with your organisations core IT directory services.
- Multiple Identity Providers Supported
- User Provisioning Templates
- Digital Signature Validation
- Public Key Verification
- Assertion Value Attribute Mapping
- Flexible NameID override
SAML Overview
Security Assertion Markup Language ('SAML, pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS (organization) Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
The use of SAML allows external authentication of users and is often also used for SSO (Single Sign-on), which is a method of access control that enables a user to log in to their organisation one time but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login. As well as supporting single-sign-on but we also provide the ability to auto-provision authorised users on the Hornbill instance which removes a significant overhead in terms of system administration.
There are three key actors in any SAML implementation, these are the "user" trying to access the application, the "identity provider" which knows and had identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory acts as the identity provider.
How SAML Browser Authentication Works
In order for a user to access the Hornbill instance they must first be known to the identity provider and, the identity provider must know about the service provider (Hornbill Instance), and the user must be authorised by the identity provider to access the services on the identity provider (Hornbill Instance).
When an unauthenticated user accesses the Hornbill instance, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access resources as required.
Compatible Identity Providers
The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any identity provider implementation, either commercial or home-grown. However, not all implementations correctly follow the standards so there may well be interoperability issues. We have tried to make our system as flexible as possible in terms of configuration in order to minimise this but this should be kept in mind. Here is a link to the official standards documentation
The following list of identity providers are known to have been configured and work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).
- Microsoft Active Directory Federation Services - we generally test/validate against this platform
- Ping Identity
- SSO Circle
Please be aware that although we have expertise on our own platform, Hornbill's support staff are not necasserily experts with SAML or the various identity provider technologies out there. Each organisations implementation of SAML is unique to their organisation and we strongly recommend that when trying to set up SAML for SSO on Hornbill you have some expertise and working knowledge of federated security services within your own organisation. You should refer your technical expert to this document which should provide you with sufficient information to allow the planning and configuration of SSO for your organisation.
Setting Up Hornbill for User Single-Sign-On
In order to enable single-sign-on for users a number of steps need to be taken: -
- Hornbill: Create an auto-provisioning User Template
- Hornbill: Create an SSO Profile
- idP: Create a service provider profile
It is also required that: -
- Your identity provider supports SAML 2.0
- Your identity provider is already working and authenticating your users for other systems or applications.
- The users that need to access the Hornbill instance can access your idP from their browser.
NOTE: We use the browser redirect profile defined by SAML so there is no need for the Hornbill instance which is running in the cloud to be able to directly access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall and no special firewall configuration is needed.
Creating an auto-provisioning User Template
TODO: ...
Creating a Hornbill SSO Profile
TODO: ...
Example: Configuring Microsoft Active Directory Federated Services for Hornbill SSO
TODO: ...
Transferring User Account Attributes to Hornbill
When configuring SSO there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML assertion that identifies the user, typically this is tied into the users login ID. However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new user automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill user account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning. The Hornbill instance understands a definitive set of user account target properties which can be defined directly in the iDP for the Hornbill service, mapping them appropriately to the idP's user information attributes. When the Hornbill instance receives a SAML assertion for authentication it will automatically map these to the Hornbill account attributes as required.
The following table lists the account target attributes understood by Hornbill
| Name | Required | Description |
|---|---|---|
| account:name | No | The users display name/handle. If not specified then the name will be derived from account:firstName a space and the account:lastName. If these two attributes are not defined either, the name will be the same as the nameID (the users login id) |
| account:firstName | No | The users given/first name |
| account:lastName | No | The users given/last name |
| account:homeGroup | No | The home group assigned to the user account |
| account:jobTitle | No | The users job title within the organisation |
| account:phone | No | The users phone number |
| account:email | No | The users e-mail address |
| account:mobile | No | The users mobile phone number |
| account:availabilityStatus | No | The users availability status - there is generally not a good mapping for this so you would not normally include it |
| account:availabilityMessage | No | The users availability message - there is generally not a good mapping for this so you would not normally include it |
| account:timeZone | No | The users timezone, see the list of supported times zones in Hornbill Administration |
| account:language | No | The users language, see the list of supported languages in Hornbill Administration |
| account:dateTimeFormat | No | The users dateTime format, see the API documentation for admin::userCreate for the format information |
| account:dateFormat | No | The users date format, see the API documentation for admin::userCreate for the format information |
| account:timeFormat | No | The users time format, see the API documentation for admin::userCreate for the format information |
| account:currencySymbol | No | The users default currency symbol |
| account:countryCode | No | The users country code |
Setting Up Hornbill for Guest Account Single-Sign-On
In order to enable single-sign-on for guests a number of steps need to be taken: -
- Hornbill: Create an auto-provisioning Guest Template
- Hornbill: Create an SSO Profile
- idP: Create a service provider profile
- Hornbill: Create a Guest Portal
Its is also required that: -
- Your identity provider supports SAML 2.0
- Your identity provider is already working and authenticating your users for other systems or applications.
- The users that need to access the Hornbill instance can access your idP from their browser.
NOTE: there is no need for the Hornbill instance which is running in the cloud to be able to directly access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall.
Creating an auto-provisioning Guest Template
TODO: ...
Creating a Hornbill SSO Profile
TODO: ...
Example: Configuring Microsoft Active Directory Federated Services for Hornbill SSO
TODO: ...
Transferring Guest Account Attributes to Hornbill
When configuring SSO there is usually a one-to-one mapping between the Hornbill Guest Login ID and the nameID returned in the SAML assertion that identifies the guest, typically this is tied into the users network login ID. However, there is also a need to bring other basic information over from the identity provider to the service provider, this is especially important when provisioning a new guest automatically. Obvious information such as first name, last name and e-mail address would be especially important to create a Hornbill guest account, but often organisations have much richer information about their users which would be good to bring over into the Hornbill instance and the point of provisioning. The Hornbill instance understands a definitive set of guest properties which can be defined in the iDP for the Hornbill service and mapped to the idP's directory of user information. The following table lists all attribute names understood by Hornbill guest authentication
| Name | Required | Description |
|---|---|---|
| contact:firstName | No | The users given/first name |
| contact:lastName | No | The users given/last name |
| contact:jobTitle | No | The users job title within the organisation |
| contact:phone | No | The users phone number |
| contact:email | No | The users e-mail address |
| contact:company | No | The name of the company the user works at |
| contact:timeZone | No | The users timezone, see the list of supported times zones in Hornbill Administration |
| contact:language | No | The users language, see the list of supported languages in Hornbill Administration |
| contact:countryCode | No | The users country code |