Single Sign On with SAML 2.0

Introduction

The Hornbill platform supports single-sign-on as well as policy-based transparent auto provisioning and data updates of both user and guest accounts thus providing enterprise-class user identity integration with your organisations core IT directory services.

What is SAML?

Security Assertion Markup Language ('SAML, pronounced "sam-el") is an open standard XML-based framework developed by the Security Services Technical Committee of OASIS and is designed for communicating user authentication, entitlement, and attribute information between parties, in particular between an Identity Provider (IdP) and a Service Provider i.e. Hornbill.

External References:
Source: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Source: https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=security

SAML and Hornbill

Hornbill makes use of the SAML framework to facilitate two things:

1. Single Sign On (SSO) - this is the method of access control that enables a user to log in to their organisations network one time, but then have transparent authorisation to access resources of multiple software systems without being prompted to log in to each system separately. In the context of Hornbill, once configured, users may access their Hornbill instance pre-authenticated based on their enterprise desktop or browser login.
2. Auto-provision Hornbill User Accounts - along with the authorization information needed for SSO, SAML has the ability to transport additional directory attributes of a user. Hornbill is capable of processing this additional information contained in the SAML payload and use it to automatically create a user accounts on your Hornbill instance. This mechanism can remove a significant overhead in terms of system administration.

PLEASE NOTE: While SSO must be set up to utilise auto-provisioning, the auto-provisioning of user accounts in Hornbill is an optional mechanism that can be disabled independently of SSO. Hornbill provides a range of user import utilities that can be used instead of auto-provisioning. More information on the available user imports can be found via the following wiki page: Open Integration Tools

How it Works

There are three key actors in any SAML implementation, these are the "user" trying to access the application, the "identity provider" which knows and has identified the user, and the "Service Provider" which provides the application and/or resources that the user wishes to access. Your Hornbill instance is a service provider, and typically your enterprise directory system, very often Microsoft Active Directory Federated Services (ADFS) acts as the identity provider.

Once SSO is configured, when an unauthenticated user navigates to your Hornbill instance via one of the Hornbill URLs, the browser will be re-directed to the identity provider with information needed to request access to the service, this is known as a SAML AuthnRequest. The idP will look at the AuthnRequest and if the user is authorised will return an Assertion back to the browser with a re-direct to the service provider (in this case the Hornbill Instance). The Hornbill instance will validate the Assertion checking its authenticity against a known Hornbill SSO profile and if valid will create a session and allow the user to access Hornbill as required.

Compatible Identity Providers

The Hornbill SSO implementation follows the SAML 2.0:2005 specification so will work with any commercial or home-grown identity provider that correctly supports this standard. We have tried to make our system as flexible as possible in terms of configuration and compatibility with the standard. Here is a link to the official standards documentation: -

SAML 2.0 2005

The following list of identity providers are known to have been configured and work with the Hornbill platform (we will expand this list as we integrate successfully with other systems).

• Microsoft Active Directory Federation Services (ADFS 2.0) - we generally test/validate against this platform
• Microsoft Active Directory Federation Services (ADFS 3.0)
• Ping Identity
• SSO Circle
• Microsoft Azure Directory Services
• Shibboleth Identity Provider
• OpenAthens (EduServ)

PLEASE NOTE: Although we have expertise around our own platform and its SAML implementation, configuration and behaviour, we use the language associated with the SAML 2.0 standard and not the language/terminology of any specific vendors identity provider platforms. Hornbill's technical staff are not experts with the various identity provider technologies and platforms in use. It is important to understand that Hornbill support the SAML 2.0 standard to the letter, so if its in the standard we support it. Each organisations identity provider implementation can be unique to their organisation and it will be necessary for you to have someone internally with expertise and a working knowledge of your identity provider and directory services within your own organisation. You should refer your technical network expert to this document which should provide them with sufficient information to allow the planning and configuration of Single Sign On for your organisation.

Setting Up Single-Sign-On

In order to enable single-sign-on for users a number of steps need to be taken: -

1. Decide if Auto-Provisioning will be used as the method for user account creation. If you intend to use auto-provisioning, please read the section below titled: "Preparing for Auto-Provisioning".
2. Make the necessary configuration in your Identity Provider. Different vendors may use different terminology to describe this but typical examples are "Service Provider Profile" or "Relying Party Trust" (see below for Example IDP configurations and references)
3. Create an SSO Profile in Hornbill (Configuring a Single Sign On Profile in Hornbill).
4. Configure the necessary browser settings to ensure a seamless SSO experience (Enabling Single Sign On in Your Web Browser).
5. Create an auto-provisioning User Template in Hornbill (This is optional and only required if implementing Auto-Provisioning as part of SSO).

PLEASE NOTE: We use the browser redirect profile defined by the SAML 2.0 specification so there is no need for your Hornbill instance (which is running in the Hornbill cloud) to have any direct access your iDP; meaning your iDP and all of your user identity information can remain behind your enterprise firewall - no special firewall configuration is needed for access to the service from within your network.

Example IdP Configurations

• Microsoft ADFS 2.0 for User Accounts

Preparing for Auto-Provisioning (Optional)

The necessary configuration to facilitate auto-provisioning can be considered a small extension of the Single Sign On configuration. In the case where only SSO is needed, there is a single one-to-one mapping between the Hornbill User ID and the "nameID" returned in the SAML communication that identifies the user, typically this is tied into the users login ID. For Hornbill to successfully auto-provision a user account, it will be necessary to specify additional information to be transported in the outgoing claim from your Identity Provider. This information is carried in the additional attributes that are transported during the authentication of a user.

Obvious information such as first name, last name and e-mail address would be especially important when creating a Hornbill user account, but you may wish to bring over other information into the Hornbill instance at the point of auto-provisioning.

Hornbill User Account Properties

The Hornbill instance understands a definitive set of user account target properties. The available properties can be used as a starting point in determining what information you wish to bring into Hornbill via your IDP for auto-provisioning. For each user account property you wish to populate in Hornbill, you will need a directory attribute configured in the outgoing claim coming from your iDP. The mapping is defined in the Hornbill Single Sign On Profile The following table lists the user account properties that can be populated during auto-provisioning.

Hornbill Contact Record Properties

Like Hornbill user accounts, contact records can be created through auto-provisioning. The following table lists the contact record properties that can be populated during auto-provisioning.