Single Sign-On

Single sign-on (SSO) enables users to sign in to one application and seamlessly transition into another application without having to enter another set of access credentials.

For its SSO implementation, SmartOffice uses Security Assertion Markup Language (SAML), an XML standard that defines how web applications securely exchange authentication and authorization data in signed assertions, so that a user's credentials never have to be handed to the second application. Through SAML, users can transition smoothly from SmartOffice into a third-party partner application.

Note: This documentation covers the use of SAML 2.0 for SSO. Although SmartOffice provides legacy support for existing SSO implementations that use SAML 1.1, use of the older SAML standard is no longer documented here. Developers of new SmartOffice SSO implementations should use SAML 2.0.

Outbound SSO from SmartOffice

To implement outbound SSO from SmartOffice, the vendor partner develops an adapter (i.e., a package of links or buttons) for the SmartOffice user interface that users can click to access the vendor partner's application. (This documentation covers only the SAML portion of the implementation; for information about creating an adapter, see SiAdapters.)
  1. The user clicks the button or link in SmartOffice, which sends a SAML Response containing the assertion from SmartOffice (the identity provider, or IdP) through the user's browser to the vendor partner's application (the service provider, or SP).
  2. The SP verifies the signature on the Response using the IdP's public key, checks the assertion's conditions (the Audience and the NotBefore/NotOnOrAfter validity window), and then reads the NameID element in the assertion to determine whether a match exists in the SP's system.
  3. If a match is found, the SP logs the user in.
  4. If no match is found, the SP presents a login page to the user. Once the user logs in, the SP links the NameID from the IdP to the SP user, so subsequent assertions for that NameID match directly.

Elements of the SAML Assertion

The following list describes the required and optional elements and attributes of a SAML assertion sent from SmartOffice.
  • NameID (required): Ebix recommends that the SmartXchange User Name be used, because SmartXchange User Names are unique across multiple SmartOffice sites. The format of a SmartXchange User Name is SiteName_OfficeName_UserName (see the NameID in the example below).
  • Issuer (optional): https://www.ebix.com. The example below shows http://www.ebix.com; the SP must compare the Issuer against whichever exact string SmartOffice is configured to send.
  • Audience (required): Provided by vendor partner.
  • Recipient (required): Provided by vendor partner.
  • Destination (required): Provided by vendor partner.
  • AssertionConsumerServiceURL (required): The partner endpoint URL to which Ebix posts the SAML Response XML. This is adapter configuration rather than an element of the assertion itself. Provided by vendor partner.
  • Attribute (optional): One or more SAML attributes that the vendor partner would like SmartOffice to pass along (see example below).

Example Outbound SAML Assertion from SmartOffice

Here is an example of a typical SAML Response sent from SmartOffice; the assertion is the saml:Assertion element inside it. Note the following:
  • To keep this example short, the signature-related values (DigestValue, SignatureValue, Modulus) have been left blank.
  • The signature is an enveloped signature over the whole Response (Reference URI=""), so the SP must verify it against the Response exactly as received, before any other processing, and against the IdP public key it was given out of band, not against the key carried in the message's own KeyInfo, which an attacker could replace along with the signature.
  • The Issuer element, both at Response level and inside the assertion, belongs to the SAML assertion namespace (saml:), not the protocol namespace.
  • This example uses the rsa-sha1 signature method and the sha1 digest method. SHA-1 XML signature algorithms are deprecated; check whether the partner's SAML library still accepts them and confirm with Ebix which algorithms the live service currently uses.
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://destination.partner.com/dest.aspx" IssueInstant="2016-12-13T13:04:14.196Z" Version="2.0">
   <saml:Issuer>http://www.ebix.com</saml:Issuer>
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <Reference URI="">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
            <DigestValue/>
         </Reference>
      </SignedInfo>
      <SignatureValue/>
      <KeyInfo>
         <KeyValue>
            <RSAKeyValue>
               <Modulus/>
               <Exponent>AQAB</Exponent>
            </RSAKeyValue>
         </KeyValue>
      </KeyInfo>
   </Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_4d49d6894ee4e6f734b53bf6439d6fc9" IssueInstant="2016-12-13T13:04:14.191Z" Version="2.0">
      <saml:Issuer>http://www.ebix.com</saml:Issuer>
      <saml:Subject>
         <saml:NameID>SiteName_OfficeName_jdoe</saml:NameID>
      </saml:Subject>
      <saml:Conditions NotBefore="2016-12-13T12:59:14.191Z" NotOnOrAfter="2016-12-13T13:09:14.191Z">
         <saml:AudienceRestriction>
            <saml:Audience>https://so.partnersite.com</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="2016-12-13T13:04:14.191Z" SessionNotOnOrAfter="2016-12-13T13:09:14.191Z">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute FriendlyName="userName" Name="userName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="USERNAME" Name="USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="USERFIRSTNAME" Name="USERFIRSTNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="USERLASTNAME" Name="USERLASTNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute FriendlyName="USEREMAIL" Name="USEREMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@domain.com</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>
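The SP-side checks behind steps 2 to 4 of the outbound flow, as an added example that is not SmartOffice, Ebix or any partner's code. It takes the Base64-encoded Response as posted, delegates the XMLDSig check to whatever XML-signature library the partner already uses (the verify_signature callable; the Python standard library has no RSA), then enforces the checks such libraries usually leave to the caller: whole-document signature coverage with a single Assertion, Status, Destination, both Issuer elements, the NotBefore/NotOnOrAfter window with a small clock-skew allowance, Audience, and finally the NameID, which it splits into the SmartXchange site, office and user parts and maps to a local account. The endpoint and audience values, the 120-second skew, the assumption that site and office names contain no underscore, and the sample Response are all constructed for the example.

```python
import base64
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional, Tuple
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Values agreed with Ebix when the adapter was set up (assumed example values, not real endpoints).
EXPECTED_ISSUER = "http://www.ebix.com"
EXPECTED_AUDIENCE = "https://so.partnersite.com"
EXPECTED_DESTINATION = "https://destination.partner.com/dest.aspx"
CLOCK_SKEW = timedelta(seconds=120)  # assumed tolerance for IdP/SP clock drift


class SamlError(Exception):
    pass


def parse_instant(value: str) -> datetime:
    # xs:dateTime in UTC; fromisoformat on older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(raw_b64: str, verify_signature: Callable[[bytes], bool],
                      now: Optional[datetime] = None) -> Tuple[str, Dict[str, str]]:
    """Return (NameID, attributes) from a trustworthy Response, or raise SamlError."""
    xml_bytes = base64.b64decode(raw_b64)
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    # Verify the IdP's signature on the bytes exactly as received, before trusting anything else.
    if not verify_signature(xml_bytes):
        raise SamlError("signature verification failed")
    # SmartOffice signs the whole Response (Reference URI=""). Insist on that, and on exactly one
    # Assertion, so an unsigned second assertion cannot ride along beside the signed content.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "":
        raise SamlError("signature must cover the entire Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS or root.get("Destination") != EXPECTED_DESTINATION:
        raise SamlError("not a successful Response addressed to our consumer URL")
    a = assertions[0]
    for issuer in (root.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or (issuer.text or "").strip() != EXPECTED_ISSUER:
            raise SamlError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or now < parse_instant(cond.get("NotBefore")) - CLOCK_SKEW:
        raise SamlError("assertion missing Conditions or not yet valid")
    if now >= parse_instant(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
        raise SamlError("assertion expired")
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if EXPECTED_AUDIENCE not in audiences:
        raise SamlError("we are not in the Audience")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise SamlError("missing NameID")
    attrs = {att.get("Name", "").strip(): att.findtext("saml:AttributeValue", "", NS)
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id.text.strip(), attrs


def split_smartxchange_name(name_id: str) -> Tuple[str, str, str]:
    """SiteName_OfficeName_UserName -> (site, office, user). Assumes site and office names carry
    no underscore, so only the first two separators count and the user part may contain more."""
    parts = name_id.split("_", 2)
    if len(parts) != 3 or not all(parts):
        raise SamlError("NameID is not a SmartXchange User Name")
    return parts[0], parts[1], parts[2]


def resolve_user(name_id: str, links: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """Steps 3 and 4: ('login', user) when the NameID is already linked, else ('link', None)."""
    local = links.get(name_id)
    return ("login", local) if local else ("link", None)


# Constructed sample shaped like the Response above (signature values blank), Base64 as posted.
SAMPLE_B64 = base64.b64encode(b"""<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://destination.partner.com/dest.aspx" IssueInstant="2016-12-13T13:04:14.196Z" Version="2.0">
 <saml:Issuer>http://www.ebix.com</saml:Issuer>
 <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><Reference URI=""><DigestValue/></Reference></SignedInfo><SignatureValue/></Signature>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_4d49d6894ee4e6f734b53bf6439d6fc9" IssueInstant="2016-12-13T13:04:14.191Z" Version="2.0">
  <saml:Issuer>http://www.ebix.com</saml:Issuer>
  <saml:Subject><saml:NameID>SiteName_OfficeName_jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-12-13T12:59:14.191Z" NotOnOrAfter="2016-12-13T13:09:14.191Z">
   <saml:AudienceRestriction><saml:Audience>https://so.partnersite.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="USEREMAIL"><saml:AttributeValue>jdoe@domain.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""").decode("ascii")
```

To use it, call validate_response(posted_saml_response, my_xmldsig_check) inside the consumer endpoint, then pass the returned NameID to resolve_user with the SP's table of linked accounts; a ("link", None) result is the cue to show the login page and store the NameID once the user has signed in. The signature check is deliberately the first thing that runs and the Destination/Issuer/Audience checks are done with exact string comparison, so a Response meant for a different partner, or re-played after its window, is rejected before any account lookup happens.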

Inbound SSO to SmartOffice

When SmartOffice is the receiving (relying) party in a SAML exchange, the asserting party (the partner's identity provider) must supply the following information.
Assertion Retrieval URL

The URL that identifies where the assertion for a given SAML artifact may be retrieved from. Partners should use the following URL for the assertion consumer:

* identityprovider.com is the domain of the identity provider (IdP).

Browser Artifact Parameters

When a partner uses the browser artifact profile, the assertion consumer requires these query string parameters:

  • NameIdentifier/NameID – The user ID: the NameID that identifies the subject (user) of the assertion.
  • ISSUER – The ISSUER of the target application the partner will connect to. This value should always be ezdata.com/qaenv for the production environment and ezdata.com/devenv for the development environment.
  • SAMLResponse – The assertion to be posted. The assertion must be signed and Base64 encoded.
  • SIGNED – The SAML Response must be signed with the partner certificate so that SmartOffice can authenticate it using the same certificate.

Note that, despite the profile's name, these parameters describe the HTTP POST binding: the signed, Base64-encoded SAMLResponse itself is posted to the assertion consumer, and no artifact is resolved.

Destination Point Types

Destination points are SmartOffice modules that partner applications can land on directly via SSO. Three destination points are currently supported:
  • Home Page: The default, used when the request carries no TaxId parameter.
  • Contact List: If the TaxId parameter is in the request and SmartOffice doesn't contain a contact with that TaxId, the user lands on the Contact List in SmartOffice.
  • Contact Detail: If the TaxId parameter is in the request and SmartOffice contains a contact with that TaxId, the user lands on the Contact Detail page in SmartOffice.

Example Inbound SAML Assertion to SmartOffice

Note the following about this example:
  • Element values are compared as-is, so the Issuer, NameID and AuthnContextClassRef must not carry padding whitespace.
  • Keep the validity window short: Conditions NotBefore/NotOnOrAfter and SubjectConfirmationData NotOnOrAfter should span only a few minutes around IssueInstant, and the assertion's IssueInstant should match the Response's.
  • The signature uses dsa-sha1 with a 512-bit DSA key (the P parameter is 64 bytes). Both are far below current minimums and appear here only because the sample was captured that way; sign a real Response with an RSA key of at least 2048 bits and a SHA-256 signature method, and confirm with Ebix that SmartOffice accepts those algorithms.

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="liodgkcdanjlndocpbbfnhdimfgkamfnjhklgnpm" IssueInstant="2009-12-23T12:02:44Z" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>w/QBCt7ssFqjk89pSPBnLBbHjDA=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>icoAP0vmBuRMdt0M68ee2EIqPTmGL1whwkGKVcAF5jG7G4Zqw2Wq7g==</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
          <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
          <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
          <Y>VMoV//Oh7VytBbZVySNmVZevV1bw7vmJwx5hHszeR25bforBFA19nk+3ehg6SgUjWiXn7HsybemjRFs5x4+XFg==</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="mjonobbmjgkjkmfghggepeblgaminchbmnigokjd" IssueInstant="2009-12-23T12:02:44Z" Version="2.0">
    <Issuer>ezdata.com/qaenv</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">Advadam</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2009-12-23T12:07:44Z" Recipient="http://localhost:8082/java/sso"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2009-12-23T12:02:44Z" NotOnOrAfter="2009-12-23T12:07:44Z">
      <AudienceRestriction>
        <Audience>ezdata.com/qaenv</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2009-12-23T12:02:44Z" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
  </Assertion>
</samlp:Response>
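The partner side of the inbound flow, covering both the Browser Artifact Parameters and the Destination Point Types above, as an added example that is not Ebix code. It builds the Response SmartOffice expects for a given environment (NameID, the environment's ISSUER value used as both Issuer and Audience, a bearer SubjectConfirmation carrying the Recipient, and a five-minute validity window), leaves the enveloped signature to the partner's XML-signature library, Base64-encodes the signed result into the POST fields, and shows how SmartOffice's choice among the three destination points follows from the TaxId field. The recipient URL, the five-minute lifetime, the literal value of the SIGNED field and the in-memory contact lookup are assumptions made for the example.

```python
import base64
import secrets
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified"
# ISSUER values this page gives for each SmartOffice environment.
ISSUER_BY_ENV = {"production": "ezdata.com/qaenv", "development": "ezdata.com/devenv"}
TS = "%Y-%m-%dT%H:%M:%SZ"


def q(tag: str, ns: str = SAML) -> str:
    """Clark-notation name for an element in the assertion (default) or protocol namespace."""
    return "{%s}%s" % (ns, tag)


def build_inbound_response(user_id: str, env: str, recipient: str,
                           issued_at: Optional[datetime] = None,
                           validity: timedelta = timedelta(minutes=5)) -> str:
    """Unsigned samlp:Response addressed to SmartOffice. Run it through the partner's XML-signature
    library (enveloped XMLDSig with the partner certificate) before handing it to post_fields()."""
    issued_at = issued_at or datetime.now(timezone.utc)
    start, end = issued_at.strftime(TS), (issued_at + validity).strftime(TS)
    issuer = ISSUER_BY_ENV[env]  # a KeyError on an unknown environment is deliberate
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    resp = ET.Element(q("Response", SAMLP), ID="_" + secrets.token_hex(20), Version="2.0", IssueInstant=start)
    ET.SubElement(ET.SubElement(resp, q("Status", SAMLP)), q("StatusCode", SAMLP), Value=SUCCESS)
    a = ET.SubElement(resp, q("Assertion"), ID="_" + secrets.token_hex(20), Version="2.0", IssueInstant=start)
    ET.SubElement(a, q("Issuer")).text = issuer
    subject = ET.SubElement(a, q("Subject"))
    ET.SubElement(subject, q("NameID"), Format=UNSPECIFIED).text = user_id.strip()  # no padding
    confirmation = ET.SubElement(subject, q("SubjectConfirmation"), Method=BEARER)
    ET.SubElement(confirmation, q("SubjectConfirmationData"), NotOnOrAfter=end, Recipient=recipient)
    conditions = ET.SubElement(a, q("Conditions"), NotBefore=start, NotOnOrAfter=end)
    ET.SubElement(ET.SubElement(conditions, q("AudienceRestriction")), q("Audience")).text = issuer
    authn = ET.SubElement(a, q("AuthnStatement"), AuthnInstant=start, SessionIndex=secrets.token_hex(16))
    ET.SubElement(ET.SubElement(authn, q("AuthnContext")), q("AuthnContextClassRef")).text = PASSWORD
    return ET.tostring(resp, encoding="unicode")


def post_fields(signed_xml: str, user_id: str, env: str, tax_id: Optional[str] = None) -> Dict[str, str]:
    """Fields for the POST to the SmartOffice assertion consumer. The literal value of SIGNED is an
    assumption: the page requires the Response to be signed but does not spell the flag out."""
    fields = {"NameID": user_id, "ISSUER": ISSUER_BY_ENV[env],
              "SAMLResponse": base64.b64encode(signed_xml.encode("utf-8")).decode("ascii"),
              "SIGNED": "1"}
    if tax_id:
        fields["TaxId"] = tax_id  # steers the user to a contact instead of the Home Page
    return fields


def destination_point(fields: Dict[str, str], contacts_by_tax_id: Dict[str, str]) -> Tuple[str, Optional[str]]:
    """SmartOffice-side choice among the three destination points; the dict stands in for the
    contact database (assumption) and maps TaxId to a contact identifier."""
    tax_id = fields.get("TaxId")
    if not tax_id:
        return "Home Page", None
    contact = contacts_by_tax_id.get(tax_id)
    return ("Contact Detail", contact) if contact else ("Contact List", None)


def summarize(xml_str: str) -> Dict[str, str]:
    """Read back the values SmartOffice will check, for logging and tests."""
    a = ET.fromstring(xml_str).find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    lifetime = datetime.strptime(cond.get("NotOnOrAfter"), TS) - datetime.strptime(cond.get("NotBefore"), TS)
    return {
        "issuer": a.findtext("saml:Issuer", namespaces=NS),
        "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "audience": a.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "recipient": a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS).get("Recipient"),
        "lifetime_seconds": str(int(lifetime.total_seconds())),
    }
```

The Response and Assertion IDs and the SessionIndex are fresh random values on every call, which is what lets SmartOffice treat a re-posted Response as a replay; the five-minute window does the same for anything captured and posted later.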

Deep-Link SSO

There is a way to SSO into SmartOffice without using the SAML service, as long as you know the user's login credentials: POST them to the cdsApp endpoint with Module set to DeepLink, as in this form.

<form name="deeplink" id="dailycalendar" action="https://eval.ez-data.com/cdsApp" method="POST" target="_blank">
  <input id="trustedWindow" name="trustedWindow" type="hidden" value="1"/>
  <input id="_pageno" name="_pageno" type="hidden" value="3"/>
  <input id="Module" name="Module" type="hidden" value="DeepLink"/>
  <input id="Office" name="Office" type="hidden" value="FastridgeFinance"/>
  <input id="User" name="User" type="hidden" value="philanderson"/>
  <input id="Pwd" name="Pwd" type="hidden" value="******"/>
  <button type="submit">Open SmartOffice</button>
</form>

Because this form carries the user's SmartOffice password, treat it as a credential rather than a link: generate it server-side for the already-authenticated user only, never store a real password in a static page or in client-side source (anyone who can view the page source can read the hidden fields), and submit it only over HTTPS. Where the partner can implement SAML, prefer the inbound SSO flow above, which never exposes the SmartOffice password at all.

Topic revision: 09 Jun 2017, DinosLambropoulos
 
