SingleSignOn (31 Mar 2015, DinosLambropoulos)
---+ Single Sign-On

Single sign-on (SSO) enables users to sign in to one application and seamlessly transition into another application without having to enter another set of access credentials. For its SSO implementation, !SmartOffice uses Security Assertion Markup Language (SAML), an XML standard defining how websites can securely exchange authentication and credentials. Through SAML, users can transition smoothly from !SmartOffice into a third-party partner application. Note that Transport Layer Security (TLS) v1.2 or later is required for both inbound and outbound SSO communications.

*Note*: This documentation covers the use of SAML 2.0 for SSO. Although !SmartOffice provides legacy support for existing SSO implementations that use SAML 1.1, use of the older SAML standard is no longer documented here. Developers of new !SmartOffice SSO implementations should use SAML 2.0.

%TOC{"SingleSignOn" title="Contents:"}%

---++ Outbound SSO from !SmartOffice

To implement outbound SSO from !SmartOffice, the vendor partner develops an adapter (i.e., a package of links or buttons) for the !SmartOffice user interface that users can click to access the vendor partner's application. (This documentation covers only the SAML portion of the implementation; for information about creating an adapter, see SiAdapters.)

   1 The user clicks the button or link in !SmartOffice, which sends a SAML assertion from !SmartOffice (the identity provider, or !IdP) to the vendor partner's application (the service provider, or SP).
   1 The SP verifies the signature in the assertion using the !IdP's public key and checks the !NameID element in the assertion to determine whether a match exists in the SP's system.
   1 If a match is found, the SP logs the user in.
   1 If no match is found, the SP presents a login page to the user. Once the user logs in, the SP links the !NameID from the !IdP to the SP user.
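As an added example (not code from this page or from !SmartOffice), here are the SP-side checks behind steps 2 to 4, run over a constructed copy of the outbound assertion shown later on this page with its Signature element omitted. Verifying the enveloped XML signature against the !IdP's public key is assumed to have already passed (an XML-DSig library does that); the expected Issuer and Audience values are the ones from the example.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed sample: the page's outbound example, Signature omitted (verify it first in real use).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
 <samlp:Issuer>http://www.ebix.com</samlp:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_4d49d6894ee4e6f734b53bf6439d6fc9" Version="2.0">
  <saml:Issuer>http://www.ebix.com</saml:Issuer>
  <saml:Subject><saml:NameID>SiteName_OfficeName_jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2016-12-13T12:59:14.191Z" NotOnOrAfter="2016-12-13T13:09:14.191Z">
   <saml:AudienceRestriction><saml:Audience>https://so.partnersite.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name=" USEREMAIL">
   <saml:AttributeValue>jdoe@domain.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def _ts(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_issuer, expected_audience, now):
    """Return (NameID, attributes) or raise ValueError; `now` is a SAML timestamp string."""
    now, root = _ts(now), ET.fromstring(xml_text)  # expat does not resolve external entities
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # never silently pick "the first" of several assertions
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", "", NS).strip() != expected_issuer:
        raise ValueError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("missing Conditions or outside the NotBefore/NotOnOrAfter window")
    audiences = [(e.text or "").strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("Audience does not name this SP")
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if not name_id:
        raise ValueError("missing NameID")
    # Attribute Name values in the page's example carry a leading space; strip them.
    attrs = {at.get("Name", "").strip(): at.findtext("saml:AttributeValue", "", NS)
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs
```

The returned !NameID is what step 4 links to the SP user; a response that fails any check is rejected before any lookup happens.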
---+++ Elements of the SAML Assertion

The following table describes the required and optional elements and attributes of a SAML assertion sent from !SmartOffice.

| *Element/Attribute* | *Description* | *Required?* |
| !NameID | Ebix recommends that the SmartXchange User Name be used because SmartXchange User Names are unique across multiple !SmartOffice sites. The format of a SmartXchange User Name is SiteName_OfficeName_UserName. | Yes |
| Issuer | https://www.ebix.com | No |
| Audience | Provided by vendor partner. | Yes |
| Recipient | Provided by vendor partner. | Yes |
| Destination | Provided by vendor partner. | Yes |
| !AssertionConsumerServiceURL | The endpoint URL to which Ebix will post the SAML response XML. Provided by vendor partner. | Yes |
| Attribute | One or more SAML attributes that the vendor partner would like !SmartOffice to pass along (see example below). | No |

---+++ Example Outbound SAML Assertion from !SmartOffice

Here is an example of a typical SAML assertion sent from !SmartOffice. Note the following:
   * To keep this example short, elements related to the signature (!DigestValue, !SignatureValue, Modulus) have been left blank.
<verbatim>
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                Destination="https://destination.parner.com/dest.aspx"
                IssueInstant="2016-12-13T13:04:14.196Z" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue/>
      </Reference>
    </SignedInfo>
    <SignatureValue/>
    <KeyInfo>
      <KeyValue>
        <RSAKeyValue>
          <Modulus/>
          <Exponent>AQAB</Exponent>
        </RSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Issuer>http://www.ebix.com</samlp:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                  ID="_4d49d6894ee4e6f734b53bf6439d6fc9"
                  IssueInstant="2016-12-13T13:04:14.191Z" Version="2.0">
    <saml:Issuer>http://www.ebix.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID>SiteName_OfficeName_jdoe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2016-12-13T12:59:14.191Z" NotOnOrAfter="2016-12-13T13:09:14.191Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://so.partnersite.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2016-12-13T13:04:14.191Z" SessionNotOnOrAfter="2016-12-13T13:09:14.191Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute FriendlyName="userName" Name="userName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="USERNAME" Name=" USERNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="USERFIRSTNAME" Name=" USERFIRSTNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="USERLASTNAME" Name=" USERLASTNAME" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute FriendlyName="USEREMAIL" Name=" USEREMAIL" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">jdoe@domain.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
</verbatim>

---++ Inbound SSO to !SmartOffice

When !SmartOffice is the receiving (relying) party in a SAML exchange, the following information comes from the asserting party.

| Assertion Retrieval URL | The URL from which the assertion for a given SAML artifact may be retrieved. Partners should use the following URL for the assertion consumer:<br /> <ul><li>Production environment for SAML 2.0: <a href="https://dxo20.ez-data.com/dxoapp/sso/domain/identityprovider.com*/saml" target="_top">https://dxo20.ez-data.com/dxoapp/sso/domain/identityprovider.com*/saml</a></li> <li>Development environment for SAML 2.0: <a href="https://dxo20qa.ez-data.com/dxoapp/sso/domain/identityprovider.com*/saml" target="_top">https://dxo20qa.ez-data.com/dxoapp/sso/domain/identityprovider.com*/saml</a></li></ul> * identityprovider.com is the domain of the identity provider (!IdP). |
| Browser Artifact Parameters | When a partner uses the browser artifact profile, the assertion consumer requires these query string parameters:<br /> <ul><li>!NameIdentifier/!NameID (!UserID): The ID that identifies the asserting party.</li> <li>ISSUER: The issuer of the target application the partner will connect to. This value should always be ezdata.com/qaenv for the production environment and ezdata.com/devenv for the development environment.</li> <li>SAMLResponse: The assertion to be posted. The assertion must be signed and Base64 encoded.</li> <li>SIGNED: The SAML response should be signed with the partner certificate so that !SmartOffice can authenticate it using the same certificate.</li></ul> |

---+++ Destination Point Types

Destination points are !SmartOffice modules that partner applications can access directly via SSO. Three destination points are currently supported:
   * Home Page: This is the default page.
   * Contact List: If the "TaxId" parameter is in the request and !SmartOffice doesn't contain a contact with that !TaxId, the user will land on the Contact List in !SmartOffice.
   * Contact Detail: If the "TaxId" parameter is in the request and !SmartOffice contains a contact with that !TaxId, the user will land on the Contact Detail page in !SmartOffice.
---+++ Example Inbound SAML Assertion to !SmartOffice

<verbatim>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns="urn:oasis:names:tc:SAML:2.0:assertion"
                xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"
                ID="liodgkcdanjlndocpbbfnhdimfgkamfnjhklgnpm"
                IssueInstant="2009-12-23T12:02:44Z" Version="2.0">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315#WithComments"/>
      <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#dsa-sha1"/>
      <Reference URI="">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <DigestValue>w/QBCt7ssFqjk89pSPBnLBbHjDA=</DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue>icoAP0vmBuRMdt0M68ee2EIqPTmGL1whwkGKVcAF5jG7G4Zqw2Wq7g==</SignatureValue>
    <KeyInfo>
      <KeyValue>
        <DSAKeyValue>
          <P>/KaCzo4Syrom78z3EQ5SbbB4sF7ey80etKII864WF64B81uRpH5t9jQTxeEu0ImbzRMqzVDZkVG9xD7nN1kuFw==</P>
          <Q>li7dzDacuo67Jg7mtqEm2TRuOMU=</Q>
          <G>Z4Rxsnqc9E7pGknFFH2xqaryRPBaQ01khpMdLRQnG541Awtx/XPaF5Bpsy4pNWMOHCBiNU0NogpsQW5QvnlMpA==</G>
          <Y>VMoV//Oh7VytBbZVySNmVZevV1bw7vmJwx5hHszeR25bforBFA19nk+3ehg6SgUjWiXn7HsybemjRFs5x4+XFg==</Y>
        </DSAKeyValue>
      </KeyValue>
    </KeyInfo>
  </Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <Assertion ID="mjonobbmjgkjkmfghggepeblgaminchbmnigokjd" IssueInstant="2003-04-17T00:46:02Z" Version="2.0">
    <Issuer>ezdata.com/qaenv</Issuer>
    <Subject>
      <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">Advadam</NameID>
      <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <SubjectConfirmationData NotOnOrAfter="2009-12-30T09:27:05Z" Recipient="http://localhost:8082/java/sso"/>
      </SubjectConfirmation>
    </Subject>
    <Conditions NotBefore="2003-04-17T00:46:02Z" NotOnOrAfter="2010-06-17T00:51:02Z">
      <AudienceRestriction>
        <Audience>ezdata.com/qaenv</Audience>
      </AudienceRestriction>
    </Conditions>
    <AuthnStatement AuthnInstant="2009-12-23T12:02:44Z" SessionIndex="b07b804c-7c29-ea16-7300-4f3d6f7928ac">
      <AuthnContext>
        <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef>
      </AuthnContext>
    </AuthnStatement>
    <AttributeStatement/>
  </Assertion>
</samlp:Response>
</verbatim>

---+++ Deep-Link SSO

There is a way to SSO into !SmartOffice without using the SAML service, as long as you know the user's login credentials. Do this:

<verbatim>
<form name='deeplink' id='dailycalendar' action='https://eval.ez-data.com/cdsApp' method='POST' target='_blank'>
  <input id='trustedWindow' name='trustedWindow' type="hidden" value='1'/>
  <input id='_pageno' name='_pageno' type="hidden" value='3'/>
  <input id='Module' name='Module' type="hidden" value='DeepLink'/>
  <input id='Office' name='Office' type="hidden" value='FastridgeFinance'/>
  <input id='User' name='User' type="hidden" value='philanderson'/>
  <input id='Pwd' name='Pwd' type="hidden" value='******'/>
</form>
</verbatim>

Because the form carries the user's password as a hidden field, anyone who can view the source of the page that renders it can read that credential; the SAML-based SSO described above avoids placing passwords in page content.

SampleDeepLinkHTML