Discovery Service Infrastructure for Test- bädden

Similar documents
Discovery data feed for Eid 2.0

Discovery Service Options

Discovery Service Options. SWITCHaai Team

Discovery Service Options

Discover GALILEO. Institutional Branding

Introduction to HTML5

REST AND AJAX. Introduction. Module 13

Sparrow Client (Front-end) API

Bookmarks to the headings on this page:

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

Morningstar ByAllAccounts SAML Connectivity Guide

Configuring Hotspots

Embedded WAYF A slightly new approach to the discovery problem. Lukas Hämmerle

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Stamp Builder. Documentation. v1.0.0

Realistic 3D FlipBook Experience. for Magazines, Photographers, Portfolios, Brochures, Catalogs, Manuals, Publishing and more...

Siteforce Pilot: Best Practices

ThingLink User Guide. Andy Chen Eric Ouyang Giovanni Tenorio Ashton Yon

KonaKart Shopping Widgets. 3rd January DS Data Systems (UK) Ltd., 9 Little Meadow Loughton, Milton Keynes Bucks MK5 8EH UK

HTML Summary. All of the following are containers. Structure. Italics Bold. Line Break. Horizontal Rule. Non-break (hard) space.

django-session-security Documentation

Create a cool image gallery using CSS visibility and positioning property

Asema IoT Central Integration and migration. English

Embedded Discovery Service Or how to save some clicks during AAI authentication. Lukas Hämmerle

Configuring Anonymous Access to Analysis Files in TIBCO Spotfire 7.5

Date Picker Haim Michael

Integration Guide. SafeNet Authentication Service. Protecting SugarCRM with SAS

Implementing a chat button on TECHNICAL PAPER

Design Document V2 ThingLink Startup

Vebra Search Integration Guide

In-ADS User Guide. Estonian Land Board Versioon 1.9.1

As we design and build out our HTML pages, there are some basics that we may follow for each page, site, and application.

UI Plugins. Extending ovirt Web Admin. Vojtech Szöcs Software Engineer, Red Hat January 23, ovirt UI Plugins VOJTECH SZÖCS

COPYRIGHT 2012 DROIDLA LIMITED

How browsers talk to servers. What does this do?

1.1 Text Alternatives: Provide text alternatives for any non-text content. 3.1 Readable: Make text content readable and understandable.

How to Customize Support Portals

Oracle Utilities Opower Energy Efficiency Web Portal - Classic Single Sign-On

PHP & My SQL Duration-4-6 Months

UI Course HTML: (Html, CSS, JavaScript, JQuery, Bootstrap, AngularJS) Introduction. The World Wide Web (WWW) and history of HTML

grabattention The jquery Plug-in

Manual Html A Href Javascript Window Open In New

Application Integration Guide

Flash Ads. Tracking Clicks with Flash Clicks using the ClickTAG

NAVIGATION INSTRUCTIONS

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

A designers guide to creating & editing templates in EzPz

User Interaction: jquery

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

django-sekizai Documentation

JQUERYUI - WIDGET FACTORY

Web Security Model and Applications

Writing Secure Chrome Apps and Extensions

Integration of the platform. Technical specifications

Manual Html A Href Javascript Window Open In Same

Criterion D: Product design Overall structure. Navigation. General outline

Customizing AccountView Consumer User Interface (CUI)

Integrated Security Context Management of Web Components and Services in Federated Identity Environments

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

SAML SSO Okta Identity Provider 2

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Setting up a Shibboleth SP

Attribute Aggregation in Federated Identity Management. David Chadwick, George Inman, Stijn Lievens University of Kent

An implementation of Tree Panel component in EXT JS 4.0

jmaki Overview Sang Shin Java Technology Architect Sun Microsystems, Inc.

jquery & Responsive Web Design w/ Dave #jqsummit #rwd

Static Webpage Development

Web Development and HTML. Shan-Hung Wu CS, NTHU

High -Tech Bridge s Web Server Security Service API Developer Documentation Version v1.3 February 13 th 2018

Overview... 4 JavaScript Charting and Metric Insights... 5

User's Guide Visual Profile Appendix L Version 7.5.2

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Modules Documentation ADMAN. Phaistos Networks

Documentation for the new Self Admin

Configuration Guide - Single-Sign On for OneDesk

One small step for the Shib admin, one giant leap for the SAML community?

How to Customize Support Portals

Technical Specifications Leaderboard + Mobile Leaderboard. 27/12/2018 Tech Specs 1

Lesson 5 Introduction to Cascading Style Sheets

Here are a few easy steps to create a simple timeline. Open up your favorite text or HTML editor and start creating an HTML file.

Master Project Software Engineering: Team-based Development WS 2010/11

Week 8 Google Maps. This week you ll learn how to embed a Google Map into a web page and add custom markers with custom labels.

Client Side Injection on Web Applications

Front-End UI: Bootstrap

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

The Structure of the Web. Jim and Matthew

RoomCloud Booking Engine Integration manual Version /06/2017

CHAPTER. Creating User-Defined Mashups

Design Project. i385f Special Topics in Information Architecture Instructor: Don Turnbull. Elias Tzoc

Alpha College of Engineering and Technology. Question Bank

Yellowfin SAML Bridge Web Application

Using an ArcGIS Server.Net version 10

Composer Help. Web Request Common Block

Advanced Configuration for SAML Authentication

Courslets, a golf improvement web service. Peter Battaglia

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

WebApp development. Outline. Web app structure. HTML basics. 1. Fundamentals of a web app / website. Tiberiu Vilcu

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

CS WEB TECHNOLOGY

WEB SECURITY WORKSHOP TEXSAW Presented by Solomon Boyd and Jiayang Wang

Transcription:

Discovery Service Infrastructure for Test- bädden för EID 2.0 Implementation guidelines Version 0.70 2013-04-24 This document describes the discovery service infrastructure for testbädden for EID 2.0 and how to implement it at a Service Provider. 1 (10)

1 OVERVIEW 3 2 IMPLEMENTATION OF CENTRAL DISCOVERY SERVICE 4 3 IMPLEMENTATION OF INTEGRATED DISCOVERY 6 4 ARCHITECTURE 9 5 APPENDIX A REVISION HISTORY 10 2 (10)

1 Overview The present discovery service infrastructure can be utilized by service providers in Testbädden for Eid 2.0 to handle users selection of the Identity Provider they want to use when authenticating (logging in) to the service. This discovery service infrastructure supports two main implementation alternatives: 1. Discovery using a central Discovery Service. 2. Integration of the discovery UI into the Service Provider web page. The advantage with using the central Discovery Service is that it is slightly easier than integrating the UI in a service webpage. The main advantage with integrating discovery into the service webpage is that it avoids an extra webpage the user need to visit in order to log into the service. These two modes of operation is demonstrated at the login page of the central signing service when logging into the test authority for signing (SP Myndigheten). See: https://eid2cssp.3xasecurity.com/login/index.jsp In the red banner to the right, there is a choice between central discovery (denoted Central Anvisning ) or integrated discovery (denoted Integrerad Anvisning) The simple difference is that using central discovery, the page just displays a Login button that takes you to central discovery. When selecting integrated discovery the page instead displays the discovery UI directly in login page. Implementation instructions for the two alternatives are outlined below: 3 (10)

2 Implementation of Central Discovery Service Implementation of integrated discovery only involves two steps: 1. Configure your SAML service provider software (here referred to as the authentication server) to use a discovery service. 2. Create a login button that points the user directly to the URL of the protected service (The service requiring login). What then happens is that the user being pointed to the URL of the protected service will be stopped by the authentication server unless the user has an active ongoing session with the service. The user will then automatically be transferred to the Discovery Service to select an Identity Provider. Information about the selected Identity Provider will be returned to the authentication server who initiates an authentication request to the selected service. If the authentication server is a Shibboleth SP implementation, the use of Discovery Service is configured by including the following element in the <Session> element of your <ApplicationDefaults> element (if using default settings) or of your <ApplicationOverride> element (if using an application override profile): <SSO discoveryprotocol="samlds" discoveryurl="https://eid2.3xasecurity.com/disco/idpdisco"> SAML2 SAML1 </SSO> The URL to the Discovery Service described here is (as the example suggests): https://eid2.3xasecurity.com/disco/idpdisco Once the authentication server is setup the step to include a link or a button for login is straightforward. The easiest way is to just provide a hyperlink to the target service. 4 (10)

But just for illustrative purpose and completeness, the following JavaScript example (based on jquery) adds a login function to a html element with id= loginelement when the variable urltoprotectedservice holds the URL to the target service 1 : $('#loginelement').css('cursor','pointer').click(function(){ window.location= urltoprotectedservice; }); 1 The (.css('cursor','pointer')) makes sure that mouse pointer has the form of a pointer when hovering over the element. 5 (10)

3 Implementation of Integrated Discovery Implementation of integrated discovery is almost as easy as implementing central discovery. In a way it is easier since it in its simplest form doesn t involve any server configuration at all as integrated discovery can be fully implemented just in the login webpage sent to the user. Implementing integrated discovery requires the following modifications to the login web page: 1. Import necessary JavaScripts and Stylesheets in the header of the page. 2. Add a container (e.g. a <div id=discoui></div> to the page body where the UI components shall appear on the page. 3. Add a JavaScript to the page that executes on page load, which invokes the discovery JavaScript function ($.eid2disco). 4. Add a login function that should be executed when the user has selected an Identity Provider, that initiates login with that identity provider. 5. Optional: Add an error function that can capture any errors from the discovery JavaScript. Step 5 is really not necessary since errors only can be caused by misconfiguration, not by user error or failure to select an IdP. Failure to select an IdP only means that the login function is never called. JavaScripts and Stylesheets The required JavaScripts and stylesheets are: Script or stylesheet jquery_eid2disco.js jquery-1.8.3.js eid2disco.css Location https://eid2.3xasecurity.com/disco/jquery_eid2disco.js https://eid2.3xasecurity.com/disco/jquery-1.8.3.js http://code.jquery.com/jquery-1.8.3.js or https://eid2.3xasecurity.com/disco/jquery-1.8.3.js https://eid2.3xasecurity.com/disco/eid2disco.css The discovery functions are provided by the jquery_eid2disco.js script. This script is written as a jquery plugin, thus it also requires the jquery JavaScript. It is not necessary to use version 1.8.3 of JQuery. The script has been tested with versions down to 1.4 without any problems. Version 1.8.3 is just the latest version at the time of this implementation. The eid2disco.css stylesheet defines the styles for the discovery UI. 6 (10)

Example implementation: <html> <head> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <title>discovery Test SP</title> <link rel="stylesheet" type="text/css" href="https://eid2.3xasecurity.com/disco/eid2disco.css" /> <script type="text/javascript" src="https://eid2.3xasecurity.com/disco/jquery-1.8.3.js"></script> <script type="text/javascript" src="https://eid2.3xasecurity.com/disco/jquery_eid2disco.js"></script> <script type="text/javascript"> var targetservie = "https://eid2cssp.3xasecurity.com/sign/"; var loginurl = "https://eid2cssp.3xasecurity.com/shibboleth.sso/login"; $(document).ready(function() { /** * Initiates the eid2disco UI * * Supported Parameters * storage: URL to storage service providing iframes for reading and setting local storage * discofeed: URL to json discovery data feed * storagefeed: URL for reading local storage data * discodiv: the id attribute value of the div element where the disco UI is placed * lang: the preferred UI language (Default "en") * jsonp: boolean default true. If set to true, all feed data is retrieved using JSONP javascript import * selectheight: maximum height of select box. Need to be provided in the form of '{number}px'. * Default 300px * logomaxheight: default 20, specifies the max pixel height of Identity Provider logotypes * logomaxwidth: default 70, specifies the max pixel height of Identity Provider logotypes * success: a function that is called when the choice of IdP is completed successfully * error: a function that is called then this disco service encounters an error */ $.eid2disco({ discodiv:"discodiv", success : function(entityid){ idplogin(entityid); }, error : function(message){ alert(message); } }); }); function idplogin(entityid){ window.location = loginurl + "?entityid=" + encodeuricomponent(entityid) +"&target="+encodeuricomponent(targetservie); } </script> </head> <body> <h1>discovery Test SP</h1> <br /> <div id="discodiv"></div> </body> </html> 7 (10)

Notes about the example implementation The discovery UI is invoked through the $.eid2disco(parameter) function. The parameters are provided as an object holding name: value pairs: var parameter = {name1: value1, name2: value2} This function only needs the parameter discodiv and success. All other parameters are optional (See further the comments in the example implementation). The discodiv parameter must specify the name of the html container where the discovery UI is to be placed. The success parameter must provide a function to be called when the user has selected an Identity Provider. The entityid of the selected Identity Provider is returned as a string parameter to this function. The login function idplogin(entityid) in this example is called on success and executes a login call to a Shibboleth SP implementation, where the login URL and the URL to the target service are specified at the start of the page JavaScript. Other types of SAML SP implementations will have their own style of consuming login information, so the login function has to be customized to fit the type of authentication server in use. Advanced implementations As suggested by the comments in the implementation example, this discovery script has a number of optional parameters that can be set for customization. The most important is the selectheight parameter (Default 300px ). This parameter specifies the maximum height of the select window where the user may choose from all IdPs in the federation. If the present IdPs exceeds the maximum height, a vertical scrollbar is added. This gives control to how much space the login page can afford to give the discovery UI. The second most important feature is the ability to configure local URIs for the discover data feed and the storage data feed. These feeds default to: Discovery metadata feed (discofeed): https://eid2.3xasecurity.com/disco/json Storage/Preference data feed (storagefeed): https://eid2.3xasecurity.com/disco/pref These data feeds can be redirected through a local proxy in the service provider domain. If this is the case, then it is advisable to also the parameter jsonp to false. This because if these both feeds are provided through the same domain as the login page, then the data does not have to be transmitted as JSONP data in order to pass the same origin policy of the browser. It can now be transmitted as plan JSON data. Setting jsonp to false makes sure that not data is imported as JavaScript (which is the operation of JSONP). The discofeed data feed can be cached to protect the service from single point of failure. This data is fairly static and does only change on metadata updates in the federation. This by keeping a local cache of this data at the Service Provider, in case the central service is unavailable; the user is ensured the possibility to login even if the central data source is unreachable. 8 (10)

4 Architecture The discovery service is composed of 4 separate components: A JavaScript component that provides the discovery dialogue in the users Browser and communicate with the associated data feeds. A JSON Discovery Data Feed that provides necessary information about the federation metadata to the JavaScript. A Preference Storage Service that receives preference information stored in the user s browser and feed them back to the JavaScript through a JSON data feed. A Discovery Service that implements the SAML Identity Provider Discovery Service Protocol and Profile (OASIS Committee Specification 01, 27 March 2008). The component relationships are outlined in the following table: Component Relationships JavaScript Reads metadata from the JSON discovery data feed Loads temporary iframes from the Preference Storage Service that reads user preferences stored under the context of the common domain of the Preference Storage Service. Sends storage information under the context of the common domain to the Preference Storage Service and reads it back under the main window domain context from the same Preference Storage Service. (Thus making this information available to the domain context of the current service provider), JSON Discovery Data Feed Provides metadata information to the JavaScript Preference Storage Service Only communicates with the JavaScript Discovery Service Receives request for discovery by the Service Provider and loads the JavaScript to generate the discovery UI. Service provider Implements discovery by either: Loading and running the discovery JavaScript in its own login web page, or Transfers the user to the discovery service from its login page. 9 (10)

5 Appendix A Revision History Rev Date Update Author 0.10 2013-01-30 First draft with revision history. SS 0.70 2013-04-24 Updated draft with new document structure. SS 10 (10)

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback