Single Sign-On (SSO) Technical Specification


Audience: Business Stakeholders, IT/HRIS

Table of Contents
Document Version Control ... 3
1. Overview ... 4
   Summary ... 4
   Acronyms and Definitions ... 4
   Who Should be Involved? ... 4
2. Delivery ... 5
   How does SSO work? ... 5
   Benefits ... 5
   Unique Identifier ... 5
   Troubleshooting SSO Configuration ... 5
   IT Skillset Required ... 5
   Review SAML 2.0 SSO ... 6
   Client Responsibilities ... 6
   SAML SSO Work Flow ... 6
   SAML Requests ... 8
Appendix ... 9
   Appendix A Frequently Asked Questions (FAQ) ... 9

Single Sign-On (SSO) Technical Specification 2

Document Version Control:

Change Date | Version | Change Description    | Updated by
Feb 2016    | 1.0     | Created Final Version | Bernard Brazeau

1. Overview

Summary:
The purpose of this document is to describe, in functional and technical detail, the out-of-the-box Single Sign-On solutions for the BirdDogHR platform (application). For discussions around any custom SSO solution not detailed in this document, please contact your Sales Representative or Account Manager.

Acronyms and Definitions:
The following are definitions of the acronyms used in the project.

Term              | Definition
BirdDogHR or BDHR | The BirdDogHR team or platform (application).
Client            | Prospective Clients and Clients implementing Single Sign-On to BDHR.
IdP               | Identity Provider (on the client side).
SAML              | Security Assertion Markup Language.
SP                | Service Provider (on the BDHR side).
SSO               | Single Sign-On.

Who Should be Involved?
This document is intended for two primary audiences:
- Business Stakeholders who have in-depth knowledge of the overall business requirements and objectives
- IT/HRIS individuals tasked with implementing SSO on the client-side interface
This technical specification will assist your organization in the planning and implementation of a SAML SSO between the client-side interface and BDHR.

2. Delivery

How does SSO work?
The Single Sign-On (SSO) solution allows BDHR to authenticate users into the platform upon the user's request to access BDHR (https://<domain prefix>.portal.bdhr.com). This gives users access to BDHR without having to log in, once the user has been authenticated on the client side. BirdDogHR supports an out-of-the-box SAML 2.0 SSO solution.

Benefits:
Some benefits of integrating SSO with BDHR include:
- Ability to leverage existing security and authentication policies.
- Simplify the user log-in experience without requiring additional authentication (no need for users to know their BDHR credentials).
- Prevent simultaneous log-in by a user into BDHR from multiple locations.
- Prevent login replay with time-based tokens.

Unique Identifier:
The user authentication process uses a user's unique identifier value. The default unique identifier is the SAML Username. To facilitate a successful login, the client is responsible for making sure that:
1. The unique identifier value is indeed unique (no two users share the same Username).
2. Only one instance of the user record in BDHR has a given identifier value; for example, one user's email address is not another user's username or vice versa.

Troubleshooting SSO Configuration
If the client faces any issue with configuring the SSO, the client must provide a Fiddler trace to the project manager; please see Appendix C on how to capture a Fiddler trace. BirdDogHR will evaluate the Fiddler trace and provide feedback to the client to identify the source of the issue.

IT Skillset Required
- SAML SSO requires a tech-savvy IT resource familiar with SAML server setup.
- BirdDogHR can provide only very limited tech support on the tasks that are defined as the client's tasks, due to security concerns.

Review SAML 2.0 SSO:
SAML is an XML-based standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (IdP), the producer of assertions on the Client side, and a service provider (SP), the consumer of assertions on the BirdDogHR side.

Note 1: Clients that implement SSO using the SAML solution typically have a SAML/IdP server in place and have used it to integrate SSO with other applications.
Note 2: Utilizing SAML 2.0 allows the Client to send a logout assertion to BirdDogHR to log a user out of BirdDogHR if he/she has logged out of the Client network.
Note 3: BirdDogHR supports both IdP-initiated and SP-initiated SSO.

Client Responsibilities:
The Client is responsible for:
1. Submitting their AD FS Metadata URL.
2. Configuring their server:
   a. Create the Trust Relationship (from BDHR's Metadata URL)
   b. Add the Claim
Note: The nature of SAML authentication necessitates technical implementation on the client side. BirdDogHR will assist by answering basic questions and/or providing an FAQ document as a resource. If the Client requires additional technical resources from BirdDogHR, additional fees will be assessed on an hourly basis at $175/hour with a minimum of 1 hour per engagement.

SAML SSO WORK FLOW
Upon the user's request to access BirdDogHR, the IdP server at the Client's end exchanges authentication data with the authentication server at BirdDogHR's end. The process flow is as illustrated below:
1. User initiates the request to log in to BDHR
2. BDHR generates a SAML request
3. BDHR redirects the user's browser to the Single Sign-On (SSO) URL
4. Client's IdP parses the SAML request to authenticate the user
5. Client's IdP generates the SAML response ("Yes, they are a user" or "No, they are not a user")
6. Client's IdP returns to the browser an encoded SAML response that is passed to BDHR
7. BDHR verifies the SAML response
8. BDHR allows or denies access to the user based on the response

SAML Requests:
With SAML 2.0, the Client is able to send login requests to BDHR. The table below describes the parameters of the SAML 2.0 response message BirdDogHR expects to receive from the Client to request user log-in, and the validation steps performed by BDHR:

Element | Definition | BDHR validation steps
NameID  | This element contains the User's identifier information to log in to BDHR. | Verify the User information in BDHR's database. The User must be an existing, Active User in both the Client's user provisioning AND BDHR's platform. Otherwise, access is denied to the User.
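Steps 6 to 8 of the work flow and the NameID check from the table above, as an added Python example that is not BirdDogHR's code: the SP-side validation of a constructed SAML Response, including the time window that backs the "prevent login replay" benefit. The tenant name "acme", the SP entity ID and the user list are assumptions, and signature verification of the response is assumed to have been done by the SAML library before this step.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://acme.portal.bdhr.com/saml"  # assumed SP entity ID for a tenant "acme"
ACTIVE_USERS = {"kenos@industrypeople.local", "jdoe@industrypeople.local"}  # constructed Active users
SEEN_ASSERTIONS = set()  # assertion IDs already accepted; a second use of one is a replay
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req1">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>kenos@industrypeople.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2016-02-01T10:00:00Z" NotOnOrAfter="2016-02-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://acme.portal.bdhr.com/saml</saml:Audience>
      </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""  # constructed IdP answer to BDHR request _req1 (step 5)
VALID_AT = datetime(2016, 2, 1, 10, 2, tzinfo=timezone.utc)  # inside the assertion's window
LATE_AT = datetime(2016, 2, 1, 11, 0, tzinfo=timezone.utc)   # an hour later: a replayed token

def encode(xml_text):
    """Base64-encode the response the way the IdP hands it to the browser (step 6)."""
    return base64.b64encode(xml_text.encode()).decode()

def _utc(stamp):
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))

def validate_response(encoded, issued_request_id, now):
    """Steps 7 and 8 on the BDHR side: return (ok, reason, name_id)."""
    root = ET.fromstring(base64.b64decode(encoded))
    if root.get("InResponseTo") != issued_request_id:  # unsolicited or mismatched response
        return False, "response does not answer the request BDHR issued", None
    status = root.find("p:Status/p:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return False, "IdP says the user is not authenticated", None
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return False, "response carries no assertion", None
    cond = assertion.find("a:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window (replay or clock skew)", None
    if cond.findtext("a:AudienceRestriction/a:Audience", namespaces=NS) != SP_ENTITY_ID:
        return False, "assertion was issued for a different service provider", None
    if assertion.get("ID") in SEEN_ASSERTIONS:
        return False, "assertion already used once", None
    name_id = assertion.findtext("a:Subject/a:NameID", namespaces=NS)
    if name_id not in ACTIVE_USERS:
        return False, "NameID is not an existing, Active BDHR user", name_id
    SEEN_ASSERTIONS.add(assertion.get("ID"))
    return True, "access granted", name_id
```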

Appendix

Appendix A Frequently Asked Questions (FAQ)

1. When deploying SSO, can it be rolled out on a user-by-user basis, or is it only applied to all users at once?
   a. Either, really; it depends on how you want to roll this out to your team.
2. Is the UserID used to authenticate a user in Windows (or Active Directory) the same as the UserID in BirdDogHR for that user?
   a. Not necessarily. The SSO solution needs a unique identifier value to authenticate a user, which is the NameID in the claim. This is usually mapped back to the Windows UserID, but not always. Different LDAP attributes could be used instead of the Windows (Active Directory) UserID. For example:
      i. Email Address: the user's email address
      ii. sAMAccountName: kenos
      iii. User Principal Name: kenos@industrypeople.local
3. How can I find the Metadata URL?
   a. One reference can be found here to help get you started: https://knowledgecenter.zuora.com/cf_users_and_administrators/administrator_Settings/Configure_Single_Sign-On_for_Zuora/Configure_Active_Directory_Federation_Services_for_SSO_SAML
   b. In the AD FS Management Console, browse to Service > Endpoints > Metadata > Type: Federation Metadata to find your federation metadata URL. Browse to that location, or copy and paste that location and send it via email. Depending on which version of the server you are on, it might look like https://server/federationmetadata/2007-06/federationmetadata.xml (this is an example of what it might look like).
4. Will setting up SAML authentication with BirdDogHR interfere with any other authentications we have set up in our organization?
   a. Setting up your AD FS server to work with SAML SSO login should not affect any other authentication you already have in place. You will be adding a new entry, not changing any existing entries. HOWEVER, our best-practice recommendation is to make changes of this nature after hours.

5. I'm having trouble connecting; are there specific things I should look at to troubleshoot?
   a. It could be a lot of things, but start by making sure the following settings are configured correctly.
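The federation metadata that FAQ answer 3 locates, read the way a service provider builds the trust relationship in the Client Responsibilities section from it, as an added Python example that is not BirdDogHR's or Microsoft's code. The metadata document below is constructed; the host name "server", the endpoint paths and the certificate values are placeholders.

```python
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://server/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT-BASE64</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://server/adfs/ls/"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://server/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://server/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""  # constructed; "server" and the certificate values are placeholders

def parse_idp_metadata(xml_text):
    """Return the values BDHR's trust relationship with the Client's IdP is built from."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # e.g. an SP-only metadata document was submitted by mistake
        raise ValueError("metadata describes no identity provider (no IDPSSODescriptor)")
    def endpoints(tag):
        # map each binding's short name (HTTP-Redirect, HTTP-POST) to its URL
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location") for e in idp.findall(tag, NS)}
    # Only keys offered for signing (or with no "use", which covers both) may verify responses;
    # an encryption-only certificate must never be accepted as a response signer.
    certs = [kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS).strip()
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    return {"entity_id": root.get("entityID"),
            "sso": endpoints("md:SingleSignOnService"),  # step 3 redirect target
            "slo": endpoints("md:SingleLogoutService"),  # logout endpoint from Note 2
            "signing_certs": certs,
            "nameid_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)]}
```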