Trusted Login Connector (Hosted SSO)

Similar documents
Enhancing cloud applications by using external authentication services. 2015, 2016 IBM Corporation

Qualys SAML & Microsoft Active Directory Federation Services Integration

Udemy for Business SSO. Single Sign-On (SSO) capability for the UFB portal

All about SAML End-to-end Tableau and OKTA integration

TECHNICAL GUIDE SSO SAML. At 360Learning, we don t make promises about technical solutions, we make commitments.

ArcGIS Server and Portal for ArcGIS An Introduction to Security

ADFS integration with Ibistic Commerce Platform A walkthrough of the feature and basic configuration

O365 Solutions. Three Phase Approach. Page 1 34

CLI users are not listed on the Cisco Prime Collaboration User Management page.

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Integrating the YuJa Enterprise Video Platform with Dell Cloud Access Manager (SAML)

Qualys SAML 2.0 Single Sign-On (SSO) Technical Brief

Integrating YuJa Active Learning with ADFS (SAML)

Integrating YuJa Active Learning into ADFS via SAML

Configuration Guide - Single-Sign On for OneDesk

CONFIGURING AD FS AS A THIRD-PARTY IDP IN VMWARE IDENTITY MANAGER: VMWARE WORKSPACE ONE OPERATIONAL TUTORIAL VMware Workspace ONE

Morningstar ByAllAccounts SAML Connectivity Guide

Nimsoft Service Desk. Single Sign-On Configuration Guide. [assign the version number for your book]

Okta Integration Guide for Web Access Management with F5 BIG-IP

CLI users are not listed on the Cisco Prime Collaboration User Management page.

TECHNICAL GUIDE SSO SAML Azure AD

VMware Identity Manager Cloud Deployment. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager

Microsoft ADFS Configuration

VMware Identity Manager Cloud Deployment. Modified on 01 OCT 2017 VMware Identity Manager

User Directories. Overview, Pros and Cons

Using VPN. Provider Staff

How to Use ADFS to Implement Single Sign-On for an ASP.NET MVC Application

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Administration

Integrating AirWatch and VMware Identity Manager

Setting Up Resources in VMware Identity Manager (On Premises) Modified on 30 AUG 2017 VMware AirWatch 9.1.1

Setting Up Resources in VMware Identity Manager (SaaS) Modified 15 SEP 2017 VMware Identity Manager

Integrating the YuJa Enterprise Video Platform with ADFS (SAML)

DATACENTER MANAGEMENT Goodbye ADFS, Hello Modern Authentication! Osman Akagunduz

Single Sign-On Showdown

Azure MFA Integration with NetScaler

About This Document 3. Overview 3. System Requirements 3. Installation & Setup 4

Colligo Console. Administrator Guide

User guide NotifySCM Installer

Five9 Plus Adapter for Agent Desktop Toolkit

WHITE PAPER AIRWATCH SUPPORT FOR OFFICE 365

Introduction... 5 Configuring Single Sign-On... 7 Prerequisites for Configuring Single Sign-On... 7 Installing Oracle HTTP Server...

Introduction. The Safe-T Solution

Using Microsoft Azure Active Directory MFA as SAML IdP with Pulse Connect Secure. Deployment Guide

Workspace ONE Chrome OS Platform Guide. VMware Workspace ONE UEM 1811

VAM. ADFS 2FA Value-Added Module (VAM) Deployment Guide

Hybrid Identity de paraplu in de cloud

April Understanding Federated Single Sign-On (SSO) Process

Liferay Security Features Overview. How Liferay Approaches Security

esignlive SAML Administrator's Guide Product Release: 6.5 Date: July 05, 2018 esignlive 8200 Decarie Blvd, Suite 300 Montreal, Quebec H4P 2P5

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: May 2015

DDS Identity Federation Service

App Gateway Deployment Guide

Guide to Deploying VMware Workspace ONE. DEC 2017 VMware AirWatch 9.2 VMware Identity Manager 3.1

Configuring Confluence

SAML-Based SSO Configuration

Google SAML Integration

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Pulse Connect Secure 8.x

VMware AirWatch Chrome OS Platform Guide Managing Chrome OS Devices with AirWatch

Integrating YuJa Active Learning into Google Apps via SAML

Setting Up Resources in VMware Identity Manager 3.1 (On Premises) Modified JUL 2018 VMware Identity Manager 3.1

ArcGIS Enterprise Security: An Introduction. Gregory Ponto & Jeff Smith

Guide to Deploying VMware Workspace ONE. VMware Identity Manager VMware AirWatch 9.1

SAML-Based SSO Solution

DOE Intranet Quick Reference Getting Started

VIEVU Solution AD Sync and ADFS Guide

Import Data Connection from an SAP Universe

Manage SAML Single Sign-On

Object of this document

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. PingIdentity PingFederate 8

Integration of the platform. Technical specifications

SAML-Based SSO Solution

Configuring Claims-based Authentication for Microsoft Dynamics CRM Server. Last updated: June 2014

NETOP PORTAL ADFS & AZURE AD INTEGRATION

How does it look like?

Deploying VMware Identity Manager in the DMZ. JULY 2018 VMware Identity Manager 3.2

Contents Introduction... 5 Configuring Single Sign-On... 7 Configuring Identity Federation Using SAML 2.0 Authentication... 29

VMware Identity Manager Administration. MAY 2018 VMware Identity Manager 3.2

SAML-Based SSO Configuration

Active Directory Integration. Documentation. v1.00. making your facilities work for you!

Configuring Alfresco Cloud with ADFS 3.0

Slack Cloud App SSO. Configuration Guide. Product Release Document Revisions Published Date

User Guide. Version R94. English

Centrify for Dropbox Deployment Guide

Architecture Assessment Case Study. Single Sign on Approach Document PROBLEM: Technology for a Changing World

Cloud Secure Integration with ADFS. Deployment Guide

Using Your Own Authentication System with ArcGIS Online. Cameron Kroeker and Gary Lee

Cloud Access Manager Configuration Guide

Active Directory Synchronisation

Oracle Access Manager Configuration Guide

AppController :21:56 UTC Citrix Systems, Inc. All rights reserved. Terms of Use Trademarks Privacy Statement

Today s workforce is Mobile. Cloud and SaaSbased. are being deployed and used faster than ever. Most applications are Web-based apps

Tech Dive: Microsoft Azure Identity Management and Office 365

SAML 2.0 SSO. Set up SAML 2.0 SSO. SAML 2.0 Terminology. Prerequisites

Android Mobile Single Sign-On to VMware Workspace ONE. SEP 2018 VMware Workspace ONE VMware Identity Manager VMware Identity Manager 3.

Office 365 and Azure Active Directory Identities In-depth

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

Windows Authentication for Velocity Web service Client

Setting Up the Server

Entrust GetAccess 7.0 Technical Integration Brief for IBM WebSphere Portal 5.0

Transcription:

Trusted Login Connector (Hosted SSO)

Table of Contents Summary... 3 Frequently Asked Questions... 3 Architecture... 5 Installation/configuration... 5 2

Summary New functionality allows SelectHR users to sign in to hosted systems using their locally authenticated Windows credentials without requiring them to re-enter a user name or password. Optionally they may be required to confirm their password, in which case they will be prompted with their Windows user name and must enter their Windows password to be authenticated against their Active Directory. Frequently Asked Questions Q: How does the SSO authentication application work? A: The SSO component is a web application you would need to host on an internal IIS web server, configured with anonymous authentication DISABLED. This allows the application to determine the logged on user (REMOTE_USER variable). It is this component that verifies the logged on user, and generates an authentication ticket which is then reliably passed to the hosting application via https. Q: Do we need to install this component in a DMZ/perimeter zone? A: No. All communication is via the client s browser on your network and over the internet via https. The SSO component does not need to be in a perimeter zone requiring AD access or similar. It simply generates and returns authentication tickets to the client browsers which are passed to the hosted application. Q: We are implementing an ADFS solution for SSO with another Cloud implementation. Can this standard ADFS solution be used with the HRIS system? A: The SSO application is an on premise authentication solution, and is not an ADFS solution. ADFS is a SAML based technology which would require Access hosted environment to be configured and maintained for ADFS partners. ADFS and SAML integration are high-end/cost hosted authentication technologies which are only just becoming relevant to SMEs. ADFS integration is not currently something we offer, but we continue to monitor demand for technological solutions. Q: What would be the implications of hosting this SSO component on a server outside of the UK/EU? Users have full VPN connectivity to the remote server from all EU offices and we use a flat domain so all EU user accounts are accessible from the remote server. A: The application is a.net web application which needs to be installed on an IIS web server, and have LDAP line-of-sight for users wanting to SSO. As long as this holds, any server on the network could be used. 3

Q: Are any credentials stored and/or synced outside of network boundaries? We have very high security requirements and cannot allow user network credentials (passwords) to exist outside of the local network. A: No all that is passed is an encrypted ticket for that user s session. The on premise app is responsible simply for ensuring the user IS logged on to the network. Only the encrypted user name forms part of the ticket/conversation between on-premise app and hosted app. No passwords are accessed or passed. Q: Can users access the system when outside of the network (e.g. from home and not connected to VPN)? A: You can give your staff a manual user name and password to login if they go directly to the hosted app when not on the VPN (e.g. internet café). The user name and password you give them is a SelectHR application password, and is not reflective of their Windows credentials, although they can maintain similar user names/passwords. E.g. exclude domain\ from their Windows user name to generate a manual alternative in the application. Q: So if we do not generate application manual user names and passwords, does this mean you cannot access SelectHR when outside of the network? In other words, access with Windows credentials is only possible when connected to the network? A: Correct. Manual login credentials would be required when users are not authenticated with your network. Our Single Sign On experience can only be experienced when a user is authenticated i.e. on VPN or local network, as the user s browser needs line-of-sight access to the SSO app (installed on your internal network). It is an application to enable SSO when the local network user is already authenticated. 4

Architecture The user authentication is performed by a new web application using IIS Windows authentication to detect the browser user. This application is installed on the company intranet, accessible by users but not accessible by the hosted SelectHR application. When not authenticated, accessing any page in SelectHR will redirect the user to the single sign-on application, which can verify their Windows identity and redirect back to SelectHR. All communication is encrypted using a unique ticket stored in the user s session for the duration of the authentication process. When SelectHR receives an authenticated user name it can create a user session based on the mapping of Windows user names to system users. Optionally, the name can be displayed in the standard log in page and the user prompted for their password. This initiates a second redirect to the single sign-on application with the entered credentials and an Active Directory LDAP path to search. If the user credentials can be used to access the Active Directory then the user name is authenticated and redirected back to SelectHR to create a user session. Installation/configuration In order to enable single sign-on for hosted systems, a new web application must be installed on the company intranet that users will be accessing SelectHR from. TheSingle Sign On application should be installed in IIS with Windows Authentication enabled (anonymous access disabled). There is no other client side configuration for the Single Sign On application as all parameters are passed by SelectHR from the hosted database. The SelectHR Administrator and web application both have changes that require upgrading to the latest Version 1.7 builds. To enable single sign-on, open the Windows Administrator connected to the hosted system s database and navigate to the global configuration dialog. This is found from the home screen under Configuration - Configuration Options. Then by selecting the Global configuration. 5

On the global configuration dialog, the single sign-on section has 2 new elements at the bottom. Single Sign On URL entering a URL here enables the single sign-on app for hosted systems. If not using single sign-on or for local intranet systems this should be left blank and the traditional authentication methods will be available. If a single sign-on URL is entered, it should be in a format that can be accessed from the end user s web browser, not the hosted system. The hosted SelectHR application does not require access to this URL. Prompt for password when using single sign-on when checked this will require the user to confirm their Windows password before gaining access. If this is enabled, an Active Directory LDAP path (or paths) must be provided that can be used by the single sign-on app to authenticate the user s credentials on their own intranet. This uses the existing LDAP search path section that is used for local intranet single sign-on. This can be used in conjunction with the Disable Manual Sign-On option (under Manual Sign On Settings) to prevent the user from changing the detected Windows user name or to allow them to use an alternative manual user name and password. There is no danger of a user entering a different user s credentials as the single sign-on application matches the entered user name to the IIS authenticated user name. The Windows user name template is still used to generate default user names when users are created but these should be checked in the user manager as single sign-on access can only succeed if the authenticated Windows user name is mapped to an existing system user with a valid role and menu assigned. 6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback