Single Sign On with SAML 2.0

From Hornbill
Revision as of 12:26, 15 June 2015

Hornbill SSO Capabilities

The Hornbill platform supports single-sign-on as well as policy-based, transparent auto-provisioning and data updates of both user and guest accounts using SAML 2.0, providing enterprise-class user identity integration with your organisation's core IT directory services.

  • Multiple Identity Providers Supported
  • User Provisioning Templates
  • Digital Signature Validation
  • Public Key Verification
  • Assertion Value Attribute Mapping
  • Flexible NameID override

SAML Overview

Security Assertion Markup Language (SAML, pronounced "sam-el") is an XML-based open standard data format for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a product of the OASIS Security Services Technical Committee. SAML dates from 2001; the most recent major update of SAML was published in 2005, but protocol enhancements have steadily been added through additional, optional standards.
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language

The use of SAML allows external authentication of users and is often also used for SSO (Single Sign-on), a method of access control that lets a user log in to their organisation once and then be transparently authorised to access the resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login. As well as supporting single-sign-on, we also provide the ability to auto-provision authorised users on the Hornbill instance, which removes a significant system administration overhead.

There are three key actors in any SAML implementation: the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "service provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federation Services, acts as the identity provider.

Web Browser SSO Profile

In order for a user to access the Hornbill instance they must first be known to the identity provider, the identity provider must know about the service provider (the Hornbill instance), and the user must be authorised by the identity provider to access the services on the service provider (the Hornbill instance).

When an unauthenticated user accesses the Hornbill instance, the browser is redirected to the identity provider with the information needed to request access to the service; this is known as a SAML AuthnRequest. The IdP examines the AuthnRequest and, if the user is authorised, returns an Assertion to the browser with a redirect to the service provider (in this case the Hornbill instance). The Hornbill instance validates the Assertion, checking its authenticity against a known Hornbill SSO profile, and if it is valid creates a session and allows the user to access resources as required.

SECURITY NOTE: We use the "browser redirect" profile defined by the SAML 2.0 specification, so there is no need for the Hornbill instance, which runs in the Hornbill cloud, to have any direct network access to your IdP; your IdP and all of your user identity information can remain behind your enterprise firewall. This also means that no special firewall configuration is needed to use SAML SSO to control access to the Hornbill service from within your network.
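The validation step described above, as an added example that is not Hornbill's own code: a service-provider-side check of an Assertion against the values an SSO profile would hold from the IdP metadata. The entity IDs, ACS URL and signing certificate are hypothetical placeholders; the check covers issuer, pinned signing certificate, validity window, audience and recipient, and assumes the XML-DSig signature value itself is verified separately by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for a Hornbill SSO profile populated from IdP metadata (hypothetical values)
PROFILE = {"idp_entity_id": "https://adfs.example.test/adfs/services/trust",  # IdP entityID
           "sp_entity_id": "https://example.hornbill.test/sp",               # expected Audience
           "acs_url": "https://example.hornbill.test/saml/acs",              # expected Recipient
           "signing_cert": "MIICplaceholderCert"}                           # base64 DER pinned from metadata

def _ts(s):
    # SAML timestamps are ISO 8601 in UTC with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(xml_text, profile, now_utc):
    """Check an Assertion against the profile at time now_utc; returns (ok, reason, name_id).
    The XML-DSig signature value itself must still be verified with an XML-DSig library
    (canonicalisation is out of scope here); this block only pins the signing certificate."""
    a, now = ET.fromstring(xml_text), _ts(now_utc)
    if a.tag != "{%s}Assertion" % NS["saml"]:
        return False, "not an Assertion", None
    if a.findtext("saml:Issuer", namespaces=NS) != profile["idp_entity_id"]:
        return False, "issuer does not match profile", None
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or "".join(cert.split()) != profile["signing_cert"]:
        return False, "missing or unknown signing certificate", None
    cond = a.find("saml:Conditions", NS)
    if cond is None or (cond.get("NotBefore") and now < _ts(cond.get("NotBefore"))):
        return False, "no Conditions or not yet valid", None
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired", None
    if profile["sp_entity_id"] not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return False, "audience mismatch", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != profile["acs_url"]:
        return False, "recipient mismatch", None
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return (True, "ok", name_id) if name_id else (False, "no NameID", None)

# Constructed sample assertion (not captured from a real IdP); namespaces and layout follow SAML 2.0
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2015-06-15T12:00:00Z">
  <saml:Issuer>https://adfs.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
    <ds:X509Certificate>MIICplaceholderCert</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="https://example.hornbill.test/saml/acs" NotOnOrAfter="2015-06-15T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2015-06-15T11:59:00Z" NotOnOrAfter="2015-06-15T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://example.hornbill.test/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion>"""

if __name__ == "__main__":
    print(check_assertion(SAMPLE, PROFILE, "2015-06-15T12:01:00Z"))  # (True, 'ok', 'jdoe')
```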

Compatible Identity Providers

The Hornbill SSO implementation follows the SAML 2.0:2005 specification, so it will work with any identity provider implementation, commercial or home-grown, that correctly supports this standard. We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard. Here is a link to the official standards documentation: -

SAML 2.0 2005

The following identity providers are known to have been configured and to work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).

IMPORTANT NOTE
Please be aware that although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language associated with the SAML 2.0 standard and not the vendor-specific language and/or terminology of any particular vendor's identity provider platform. This means Hornbill's technical staff are not experts with the various identity provider technologies and platforms in use. It is important to understand that Hornbill supports the SAML 2.0 standard to the letter, so if it's in the standard we aim to support it. Each organisation's implementation of SAML can be unique to that organisation, and we strongly recommend that, when setting up SAML for SSO on the Hornbill platform, you have someone internally with expertise and a working knowledge of federated security services within your own organisation. You should refer your technical security/SAML expert to this document, which should provide them with sufficient information to plan and configure the SSO integration of Hornbill for your organisation.

Setting Up Hornbill for User Single-Sign-On

In order to enable single-sign-on for users a number of steps need to be taken: -

  1. idP: Create a Service Provider profile
  2. Hornbill: Create an SSO Profile
  3. Hornbill: Create an auto-provisioning User Template

It is also required that: -

  • Your identity provider supports SAML 2.0
  • Your identity provider is already working and authenticating your users for other systems or applications.
  • The users that need to access the Hornbill instance can access your idP from their browser.

Create a Service Provider Profile on your IdP

The metadata that is required when configuring a Service Provider profile on your IdP can be downloaded via Hornbill Administration. Metadata is downloadable for the Hornbill User App, Hornbill Administration, and Hornbill Service Portal. This is available via the "Security" > "SSO Profiles" menu item.
Next to the "Create New Profile" button there is an arrow that, when clicked, exposes a drop-down menu giving access to the metadata for each of the Hornbill service URLs.

Creating a Hornbill SSO Profile

SSO Profile creation is carried out from within Hornbill Administration. The "SSO Profiles" menu item can be found in the context of "Instance Configuration" (selected using the drop-down menu at the top of the left-hand navigation menu) under "Security" > "SSO Profiles".

  1. Click "Create New Profile" to open the Create New SSO Profile form. The simplest way to populate this form is to click the "Import SAML Meta" button located at the top right of the form; this presents a pop-up containing two fields.
  2. Only one of the fields is required. In the "URL" field, paste the URL associated with your Federation Metadata (typically https://{your_federation_service_name}/federationmetadata/2007-06/federationmetadata.xml) and click "Process". Alternatively, it is possible to paste the XML Metadata directly into the "XML" field and click "Process".
  3. Upon success, the pop-up will disappear and the Profile Details will be fully populated.
  4. Click "Create Profile" to save the form.


Creating an auto-provisioning User Template

"User Templates" are found in the context of "Instance Configuration", under the "Users, Roles and Organizations" menu item in Hornbill Administration.

A "User Template" contains the account information that is common to all Users being auto-provisioned in Hornbill via a particular SSO Profile. The template contains regional settings such as time and date format, time zone, and language but also the Hornbill roles that will be applied to the new user account.
When creating a new User template for the purposes of auto-provisioning Co-Workers, as a minimum the "Collaboration Role" should be specified in the template. Additional roles are optional.

Once the User template has been configured, the relevant SSO Profile should be re-visited, and the template referenced in the "Auto Provisioning" section of the form.

Transferring User Account Attributes to Hornbill

When configuring SSO there is usually a one-to-one mapping between the Hornbill User ID and the nameID returned in the SAML assertion that identifies the user; typically this is tied to the user's login ID. However, there is also a need to bring other basic information over from the identity provider to the service provider, and this is especially important when provisioning a new user automatically. Obvious information such as first name, last name and e-mail address is needed to create a Hornbill user account, but organisations often hold much richer information about their users that is worth bringing over into the Hornbill instance at the point of provisioning. The Hornbill instance understands a definitive set of user account target properties which can be defined directly in the IdP for the Hornbill service, mapping them appropriately to the IdP's user information attributes. When the Hornbill instance receives a SAML assertion for authentication it automatically maps these to the Hornbill account attributes as required.

The following table lists the account target attributes understood by Hornbill.

Name                         Required  Description
account:name                 No        The user's display name/handle. If not specified, the name is derived from account:firstName, a space, and account:lastName. If those two attributes are not defined either, the name is the same as the nameID (the user's login ID).
account:firstName            No        The user's given/first name
account:lastName             No        The user's last name
account:jobTitle             No        The user's job title within the organisation
account:phone                No        The user's phone number
account:email                No        The user's e-mail address
account:mobile               No        The user's mobile phone number
account:availabilityStatus   No        The user's availability status; there is generally no good mapping for this, so you would not normally include it
account:availabilityMessage  No        The user's availability message; there is generally no good mapping for this, so you would not normally include it
account:timeZone             No        The user's time zone; see the list of supported time zones in Hornbill Administration
account:language             No        The user's language; see the list of supported languages in Hornbill Administration
account:dateTimeFormat       No        The user's date-time format; see the API documentation for admin::userCreate for the format information
account:dateFormat           No        The user's date format; see the API documentation for admin::userCreate for the format information
account:timeFormat           No        The user's time format; see the API documentation for admin::userCreate for the format information
account:currencySymbol       No        The user's default currency symbol
account:countryCode          No        The user's country code

Setting Up Hornbill for Guest Account Single-Sign-On

In order to enable single-sign-on for guests a number of steps need to be taken: -

  1. Hornbill: Create an auto-provisioning Guest Template
  2. Hornbill: Create an SSO Profile
  3. idP: Create a service provider profile
  4. Hornbill: Create a Guest Portal

It is also required that: -

  • Your identity provider supports SAML 2.0
  • Your identity provider is already working and authenticating your users for other systems or applications.
  • The users that need to access the Hornbill instance can access your idP from their browser.

NOTE: there is no need for the Hornbill instance, which runs in the cloud, to be able to access your IdP directly; your IdP and all of your user identity information can remain behind your enterprise firewall.

Creating an auto-provisioning Guest Template

TODO: ...

Creating a Hornbill SSO Profile

TODO: ...

Example IdP Configurations

Transferring Guest Account Attributes to Hornbill

When configuring SSO there is usually a one-to-one mapping between the Hornbill Guest Login ID and the nameID returned in the SAML assertion that identifies the guest; typically this is tied to the user's network login ID. However, there is also a need to bring other basic information over from the identity provider to the service provider, and this is especially important when provisioning a new guest automatically. Obvious information such as first name, last name and e-mail address is needed to create a Hornbill guest account, but organisations often hold much richer information about their users that is worth bringing over into the Hornbill instance at the point of provisioning. The Hornbill instance understands a definitive set of guest properties which can be defined in the IdP for the Hornbill service and mapped to the IdP's directory of user information. The following table lists all attribute names understood by Hornbill guest authentication.

Name                  Required  Description
contact:firstName     No        The user's given/first name
contact:lastName      No        The user's last name
contact:jobTitle      No        The user's job title within the organisation
contact:phone         No        The user's phone number
contact:email         No        The user's e-mail address
contact:company       No        The name of the company the user works at
contact:timeZone      No        The user's time zone; see the list of supported time zones in Hornbill Administration
contact:language      No        The user's language; see the list of supported languages in Hornbill Administration
contact:countryCode   No        The user's country code
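The attribute mapping described in "Transferring User Account Attributes to Hornbill" and "Transferring Guest Account Attributes to Hornbill", as an added example that is not Hornbill's own code: it reads the AttributeStatement of an assertion, keeps only the account:* or contact:* names from the two tables, reports anything the service would not understand, and applies the account:name derivation rule from the user table. The sample assertions are constructed, and the handling of a first name without a last name is an assumption noted in the code.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Target attribute names from the two tables above; anything else in the assertion is reported, not mapped
ACCOUNT_ATTRIBUTES = {"account:" + n for n in (
    "name", "firstName", "lastName", "jobTitle", "phone", "email", "mobile",
    "availabilityStatus", "availabilityMessage", "timeZone", "language",
    "dateTimeFormat", "dateFormat", "timeFormat", "currencySymbol", "countryCode")}
CONTACT_ATTRIBUTES = {"contact:" + n for n in (
    "firstName", "lastName", "jobTitle", "phone", "email", "company", "timeZone", "language", "countryCode")}

def map_attributes(assertion_xml, known):
    """Map the assertion's AttributeStatement onto the known target attributes.
    Returns (name_id, mapped, ignored): mapped holds known attributes with a non-empty
    first value; ignored lists attribute names the service would not understand."""
    a = ET.fromstring(assertion_xml)
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    mapped, ignored = {}, []
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = (attr.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
        if name in known and value:
            mapped[name] = value
        else:
            ignored.append(name)
    if "account:name" in known and "account:name" not in mapped:
        # Table rule: name = firstName + " " + lastName, otherwise the nameID (login ID).
        # Assumption: if only one of the two is present, fall back to the nameID as well.
        first, last = mapped.get("account:firstName"), mapped.get("account:lastName")
        mapped["account:name"] = f"{first} {last}" if first and last else name_id
    return name_id, mapped, ignored

def build_assertion(name_id, attributes):
    # Build a constructed assertion for the samples below (not a real IdP capture)
    attrs = "".join(f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                    for n, v in attributes.items())
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_x" Version="2.0" IssueInstant="2015-06-15T12:00:00Z">'
            f'<saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>'
            f'<saml:AttributeStatement>{attrs}</saml:AttributeStatement></saml:Assertion>')

USER_SAMPLE = build_assertion("jdoe", {"account:firstName": "Jane", "account:lastName": "Doe",
                                       "account:email": "jane.doe@example.test",
                                       "http://schemas.example.test/claims/group": "Staff"})  # unknown, ignored
GUEST_SAMPLE = build_assertion("guest01", {"contact:firstName": "Sam", "contact:company": "Example Ltd",
                                           "account:email": "sam@example.test"})  # wrong prefix for a guest, ignored

if __name__ == "__main__":
    print(map_attributes(USER_SAMPLE, ACCOUNT_ATTRIBUTES))
    print(map_attributes(GUEST_SAMPLE, CONTACT_ATTRIBUTES))
```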