Leave Policy. SAML Support for PPO

Similar documents
Configure ISE 2.3 Guest Portal with OKTA SAML SSO

Single Sign-On (SSO) Using SAML

Session 2.1: Federations: Foundation. Scott Koranda Support provided by the National Institute of Allergy and Infectious Diseases

Directories Services and Single Sign-On for Collaboration

Implement SAML 2.0 SSO in WLS using IDM Federation Services

Kaltura MediaSpace SAML Integration Guide. Version: 5.0

Suomi.fi e-identification Technical interface description

AAI Login Demo. SWITCHaai Introduction Course Bern, 1. March Daniel Lutz

Integration Guide. SafeNet Authentication Service. Protecting Syncplicity with SAS

Security Assertion Markup Language (SAML) applied to AppGate XDP

Single Sign-On User Guide. Cvent, Inc 1765 Greensboro Station Place McLean, VA

Introducing Shibboleth. Sebastian Rieger

FAS SAML Integration Guide

Web Based Single Sign-On and Access Control

SAML 2.0 Single Sign On with Citrix NetScaler

Research Collaboration IAM Needs

Media Shuttle SAML Configuration. October 2017 Revision 2.0

eidas SAML Message Format

SAML-Based SSO Solution

i-ready Support for Single Sign-On (SSO)

Network Security. Chapter 10. XML and Web Services. Part II: II: Securing Web Services Part III: Identity Federation

Higgins SAML2 IdP Tutorial

Using VMware Horizon Workspace to Enable SSO in VMware vcloud Director 5.1

SAML-Based SSO Solution

AdminCamp Christian Henseler, Christian Henseler,

Single Sign-On Implementation Guide

DocuSign Single Sign On Implementation Guide Published: June 8, 2016

Identity Provider for SAP Single Sign-On and SAP Identity Management

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Security Analysis of eidas The Cross-Country Authentication Scheme in Europe

SAML V2.0 EAP GSS SSO Profile Version 1.0

Integrating YuJa Active Learning into ADFS via SAML

SAML 2.0 SSO Extension for Dynamically Choosing Attribute Values

Configuring Alfresco Cloud with ADFS 3.0

OIO Bootstrap Token Profile

Advanced Configuration for SAML Authentication

Building a Well Managed Cloud Application. Okta Inc. 301 Brannan Street San Francisco, CA

SAML Authentication with Pulse Connect Secure and Pulse Secure Virtual Traffic Manager

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

eidas Technical Specifications

eidas-node and SAML Version 2.0

Integrating YuJa Active Learning into Google Apps via SAML

Integrating YuJa Active Learning with ADFS (SAML)

ComponentSpace SAML v2.0 Okta Integration Guide

RSA SecurID Access SAML Configuration for Brainshark

ISA 767, Secure Electronic Commerce Xinwen Zhang, George Mason University

SAML V2.0 Deployment Profiles for X.509 Subjects

All about SAML End-to-end Tableau and OKTA integration

Single Sign-On Implementation Guide

McAfee Cloud Identity Manager

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

Oracle Utilities Opower Solution Extension Partner SSO

Integrating PingFederate with Citrix NetScaler Unified Gateway as SAML IDP

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

GFIPM Web Browser User-to-System Profile Version 1.2

Integrating VMware Workspace ONE with Okta. VMware Workspace ONE

Integration Guide. PingFederate SAML Integration Guide (SP-Initiated Workflow)

Unified Contact Center Enterprise (UCCE) Single Sign On (SSO) Certificates and Configuration

Oracle Access Manager Configuration Guide

Enterprise Adoption Best Practices

Generic Structure of the Treatment Relationship Assertion

edugain Policy Framework SAML Profile

Formatted: Font: Century Gothic, 12 pt

MyWorkDrive SAML v2.0 Azure AD Integration Guide

Morningstar ByAllAccounts SAML Connectivity Guide

CA SiteMinder Federation

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

SAML Profile for Privacy-enhanced Federated Identity Management

Cyber Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile

Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

Configure Unsanctioned Device Access Control

CA SiteMinder. Federation Manager Guide: Legacy Federation. r12.5

TECHNICAL GUIDE SSO SAML Azure AD

SAML 2.0 Profile. Trusted Digital Identity Framework August 2018, version 1.0

Google SAML Integration

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Warm Up to Identity Protocol Soup

IBM Security Access Manager Single Sign-on with Federation

Add OKTA as an Identity Provider in EAA

IBM IBM IBM Tivoli Federated Identity Manager V6.1. Practice Test. Version

ComponentSpace SAML v2.0 Developer Guide

BIG-IP Access Policy Manager : Authentication and Single Sign-On. Version 13.1

Salesforce1 Mobile Security White Paper. Revised: April 2014

1z0-479 oracle. Number: 1z0-479 Passing Score: 800 Time Limit: 120 min.

Quick Connection Guide

CA SiteMinder Federation

Identity management. Tuomas Aura CSE-C3400 Information security. Aalto University, autumn 2014

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

ComponentSpace SAML v2.0 Configuration Guide

Introduction to application management

INTEGRATING OKTA: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Authentication. Katarina

RealMe. SAML v2.0 Messaging Introduction. Richard Bergquist Datacom Systems (Wellington) Ltd. Date: 15 November 2012

Integration Guide. SafeNet Authentication Manager. Using SAM as an Identity Provider for PingFederate

CA CloudMinder. SSO Partnership Federation Guide 1.51

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

Single Sign-On Administrator Guide

Major SAML 2.0 Changes. Nate Klingenstein Internet2 EuroCAMP 2007 Helsinki April 17, 2007

Single Sign-On Administrator Guide

RSA SecurID Ready Implementation Guide. Last Modified: December 13, 2013

Transcription:

Leave Policy SAML Support for PPO January 2015

Table of Contents Why SAML Support for PPO... 3 Introduction to SAML... 3 PPO Implementation... 6 ComponentSpace SAML v2.0 for.net... 6 SAML Security mode... 6 PPO.Web.Security.Saml... 6 SamlAuth.aspx... 6 How to configure PPO for SAML integration... 7 Setup a trust relationship... 7 PPO Configuration... 8 PPO Cross-site authentication... 8 Troubleshooting... 8 What can a user expect?... 9 Logon... 9 Log Out... 10 No more passwords... 10 SOAP web service integration... 10 Microsoft Project Add-In... 10 References... 12 Page 2 of 12

Why SAML Support for PPO Support in PPO for Security Assertion Mark-up Language (SAML) is important for a number of reasons. SAML support enables us to implement a single sign-on mechanism that will allow our clients users to authenticate against their enterprise systems, instead of using our normal PPO security. This gives their network administrators better control over users access to PPO, as well as the added peace of mind that user identities are maintained from within the enterprise. SAML is an internet standard that has been widely adopted by major software vendors including SAP, Microsoft, IBM and Oracle. These vendor products typically act in the role of identity providers, service providers, middleware and discovery services. Introduction to SAML Security Assertion Mark-up Language (SAML) was introduced as an internet open standard to allow for the implementation of browser based single sign-on (SSO) mechanisms. It is an XML-based protocol used to securely exchange user information between service providers (SP) and identity providers (IdP), typically for log on and log off operations. For PPO s implementation, the service provider initiated log-in pattern was used. The diagram in Fig. 1 below illustrates the flow of information during the process. User Agent (Browser) Service Provider (PPO) Identity Provider 1. Page Request 2. Form containing Authentication Request 3. Authentication Request 4. Identify the User 5. Form containing Authentication Response 6. Authentication Response 7. Page Response Figure 1 Service provider initiated SSO Page 3 of 12

1. A user makes a page request to PPO. PPO discovers that the user is not authenticated and initiates the SSO process. 2. PPO responds to the user s browser with a hidden form containing an authentication request to be forwarded to the IdP. <form method="post" action="https://idp.example.org/saml2/sso/post"> <input type="hidden" name="samlrequest" value="[encoded authentication request]" /> <input type="hidden" name="relaystate" value="[reference to the resource requested]" /> <input type="submit" value="submit" /> </form> Figure 2 Sample hidden form 3. The user s browser then automatically posts the hidden form containing the authentication request to the identity provider s publically available endpoint. <samlp:authnrequest xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" Version="2.0" ID="_17bbce34-e607-4294-a856-a9ba4403abf8" IssueInstant="2014-03-16T12:56:01.49Z" Destination="[Identity provider s endpoint]" ForceAuthn="false" IsPassive="false"> <saml:issuer>www.ppolive.com</saml:issuer> <samlp:nameidpolicy AllowCreate="true" /> </samlp:authnrequest> Figure 3 Sample authentication request 4. The identity provider receives the authentication request and proceeds if it is satisfied that it originates from a trusted source. The mechanism for determining the user s identity could differ from one IdP to the next. Typically the user will receive a logon form as response. 5. Once authenticated, the identity provider replies to the browser with an authentication response. 6. The browser automatically posts the authentication response back to PPO. PPO parses the response received. The identity contained within the assertion in the response is used to identify the user in PPO and establish a session. <samlp:response xmlns:samlp="urn:oasis:names:tc:saml:2.0:protocol" Version="2.0" ID="_4d2f3736-2f27-4398-a35c-3cc41466dfcf" IssueInstant="2014-03-16T12:56:22.143Z" Destination="https://www.ppolive.com/instance/samlauth.aspx" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" > <saml:issuer>[identity provider's endpoint]</saml:issuer> <samlp:status> <samlp:statuscode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /> </samlp:status> <saml:encryptedassertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion"> <!-- Encrypted assertion here --> </saml:encryptedassertion> </samlp:response> Figure 4 Sample response Page 4 of 12

<saml:assertion xmlns:saml="urn:oasis:names:tc:saml:2.0:assertion" Version="2.0" ID="_f5da046c-3c39-46e5-953b-3dca125d67b8" IssueInstant="2014-03-16T12:56:22.141Z"> <saml:issuer>[identity provider's endpoint]</saml:issuer> <ds:signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <!-- Signature --> </ds:signature> <saml:subject> <saml:nameid>[user's identity here]</saml:nameid> <saml:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:subjectconfirmationdata NotOnOrAfter="2014-03-16T13:01:22.143Z" Recipient="https://www.ppolive.com/instance/samlauth.aspx" /> </saml:subjectconfirmation> </saml:subject> <saml:conditions NotBefore="2014-03-16T12:56:20.495Z" NotOnOrAfter="2014-03- 16T13:56:20.495Z"> <saml:audiencerestriction> <saml:audience>https://www.ppolive.com/instance</saml:audience> </saml:audiencerestriction> </saml:conditions> <saml:authnstatement AuthnInstant="2014-03-16T08:40:37.717Z" SessionIndex="_f5da046c- 3c39-46e5-953b-3dca125d67b8"> <saml:authncontext> <saml:authncontextclassref>urn:federation:authentication:windows</saml:authncontextclassref> </saml:authncontext> </saml:authnstatement> </saml:assertion> Figure 5 Sample decrypted assertion contained in response 7. PPO responds with the page that was originally requested by the user. All traffic is encrypted and communication between the browser and PPO is secure over HTTPS. Page 5 of 12

PPO Implementation ComponentSpace SAML v2.0 for.net To avoid having to code a complete SAML 2.0 API, we have decided to use a wellknown third party.net component instead. ComponentSpace supplies a.net API that supports all the features, protocols and bindings required by PPO. This API composes all messages sent to the identity provider, as well as decomposing responses. It also handles signatures within messages and the encryption and decryption thereof. SAML Security mode In order to seamlessly replace the default authentication mechanism of PPO with that of a single sign-on solution, we had to introduce a new security mode. The security mode dictates PPO s behaviour in certain circumstances. For details, refer to What can a user expect? The default security mode for PPO is configured in our root application configuration. <configuration> <appsettings> <add key="securitymode" value="4"/> </appsettings> </configuration> Figure 6 Web.config configuration In order to change the security mode for an individual instance of PPO to an alternative, the instance s web.config file needs to be changed as stipulated in How to configure PPO for SAML integration. In conjunction with this security mode, two other configuration settings have been added to refer to the login and logout endpoints pre-arranged with the identity provider. Refer to How to configure PPO for SAML integration for details. PPO.Web.Security.Saml Code that we have introduced to utilise the ComponentSpace SAML API can be found in the namespace PPO.Web.Security.Saml. Classes have been added to handle authentication and logout requests, and responses from the identity provider. SamlAuth.aspx SamlAuth.aspx is an active server page that serves as the target endpoint in PPO. The URL to this page is https://www.ppolive.com/[instancename]/samlauth.aspx. Page 6 of 12

PPO Application 1. Page Request PPO Resource 6. Page Response 4. Hidden form containing Authentication Response User Agent 2. Hidden Form containing Authentication Request 3. Authentication Request 5. Authentication Response SamlRequest SamlResponse PPO.Web.Security.Saml SamlAuth.aspx ComponentSpace SAML v2.0 Identity Provider Figure 7 PPO.Web.Security.Saml in context How to configure PPO for SAML integration Setup a trust relationship Before any integration can take place between PPO and an identity provider, a trust relationship is configured between both parties. A public key for PPO s certificate is supplied to the identity provider along with XML metadata that includes some additional information about the service provider. <md:entitydescriptor entityid="https://www.ppolive.com/instance" xmlns:md="urn:oasis:names:tc:saml:2.0:metadata"> <md:spssodescriptor WantAssertionsSigned="true" protocolsupportenumeration="urn:oasis:names:tc:saml:2.0:protocol"> <md:keydescriptor> <ds:keyinfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> <ds:x509data> <ds:x509certificate>[encrypted public key here]</ds:x509certificate> </ds:x509data> </ds:keyinfo> </md:keydescriptor> <md:nameidformat>urn:oasis:names:tc:saml:2.0:nameidformat:unspecified</md:nameidformat> <md:assertionconsumerservice index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://www.ppolive.com/instance/samlauth.aspx"/> </md:spssodescriptor> <md:organization> <md:organizationname xml:lang="en">ppo</md:organizationname> <md:organizationdisplayname xml:lang="en">project Portfolio Office</md:OrganizationDisplayName> <md:organizationurl xml:lang="en">www.projectportfoliooffice.com</md:organizationurl> </md:organization> <md:contactperson contacttype="technical"> <md:givenname>james</md:givenname> <md:surname>hekma</md:surname> <md:emailaddress>jimmy@projectportfoliooffice.com</md:emailaddress> Page 7 of 12

</md:contactperson> </md:entitydescriptor> Figure 8 SAML metadata Important things to point out in the metadata: KeyDescriptor contains the public key of the service provider s certificate NameIDFormat indicates what name identifier format the service supports AssertionConsumerService Location the pre-arranged endpoint of the service provider s service PPO Configuration PPO supports two security modes - Default and SAML. In order to activate the SAML security mode for a PPO instance, the following setting is required in the instance s web.config: <configuration> <appsettings> <add key="securitymode" value="5"/> </appsettings> </configuration> Figure 9 Instance web.config The endpoints to the identity provider are configured in an instance s configuration settings located in its database: SINGLESIGNONSERVICEURL contains the URL to the pre-arranged endpoint of the identity provider s login service SINGLESIGNOUTSERVICEURL contains the URL to the pre-arranged endpoint of the identity provider s logout service PPO Cross-site authentication For the SAML security mode, access is not allowed to the normal PPO login page (login.aspx). For cross-site authentication purposes, an alternative logon page has been created, that excludes the forgot password feature (xsite.aspx). Troubleshooting Setting up SAML integration for a PPO instance requires close cooperation with the identity provider s administrators. The following are some errors that could be expected when the IdP responds back to PPO: Page 8 of 12

Message Cause Action Your identity could not be matched against a user of our system [Identity: joe.bloggs@gmail.com] No user exist in PPO that matches the identity indicated Add a PPO user with a user name that matches the specified identity. User marked as inactive [User name: joebloggs@gmail.com] The SAML assertion doesn't contain an identifier Failed to receive SAML response by HTTP post The SAML assertion signature failed to verify. The user that matches the identity is marked as inactive in PPO. Response was received successfully but it does not contain an identifier Thrown when receiving the response from the IdP fails The signature used for encrypting the response failed the verification process Mark the specified PPO user as active If this is the case for all users, it might indicate a problem with the configuration on the IdP end. Look at the configured NameIDFormat. If this only applies to individual cases, it might indicate that the information for this user is incomplete on the IdP end Re-try. When the problem persists, contact the IdP administrator Indicates that the IdP has incorrectly signed the SAML response message What can a user expect? There are a number of changes that a user can expect when a PPO instance is configured for SAML authentication. Logon When user makes a request to a PPO page via their browser and is unauthenticated, the default login mechanism will be replaced with an alternative mechanism, usually in the form of a logon page similar to that of PPO. Some users belonging to large enterprises and federated systems might use their normal way of authentication like for their other systems they are already accustomed to. Accessing the default login page (login.aspx) is not allowed. Users are rather redirected to their home page. This will also be the case for users that have previously bookmarked this page. Page 9 of 12

Log Out The default behaviour for the Log Out button on the PPO menu bar, is to clear the user s session and to redirect to the login page. With SAML authentication configured, the user s session is still cleared, but the user is directed to the IdP portal as well where further clean-up procedures could be required. No more passwords Seeing that logon credentials are being maintained by the identity provider, there is no need to do so in PPO. Password related functionality that is disabled, includes: The exclusion of temporary passwords from welcome emails The ability to reset user s passwords The ability for a user to change their own password SOAP web service integration Seeing that SAML is browser based, this authentication scheme cannot be used when consuming PPO s SOAP web service as it requires a user to supply credentials through a web browser and integration is usually performed by backend processes. Authentication is however still possible with a PPO s default authentication scheme and a user account specifically configured for this purpose. Assistance is required from the PPO technical team to set this up as it requires switching between authentication schemes with some downtime as a result. This could be disruptive to active users and coordination between the customer and PPO support staff is therefore essential. Please contact PPO support if you require assistance with this. Microsoft Project Add-In SAML is constrained to web browsers accessing web based applications such as PPO since it relies on a mechanism of redirects to allow the user to authenticate against the Identity Provider. The SAML standard also does not enforce any particular authentication mechanism, so the Identity Provider is free to implement any of a variety of mechanisms such as forms based authentication, Windows integrated security or token based authentication. What this means is that it is not possible for a non-web based application such as the MSP Add-In to implement SAML authentication in the normal way and therefore the add-in currently does not work on PPO instances that use Single- Sign-On. The industry has recognised this problem and various efforts are currently under way to allow SAML to work seamlessly on all platforms. Some possible solutions include using a combination of OAuth and SAML as well as using SAML back- Page 10 of 12

channel communication. We are carefully watching progress in this area and will consider implementing a solution for the add-in as soon as we believe that a workable solution is available. The work-around used for calling SOAP web-services is not practical in this case since it would require users to maintain dual identities (a SAML identity as well as a PPO identity) which would defeat the purpose of single-sign-on. Page 11 of 12

References SAML 2.0 Wikipedia - http://en.wikipedia.org/wiki/saml_2.0 ComponentSpace SAML v2.0 - http://www.componentspace.com/samlv20.aspx Page 12 of 12

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback