Difference between revisions of "Single Sign-On"

From SmartWiki
Jump to: navigation, search
Line 298: Line 298:
 
* [[Password Policy]]
 
* [[Password Policy]]
  
[[Category:Security]]
+
[[Category:Security]][[Category:Sign-Up Features]]

Revision as of 12:46, 5 August 2014

General Information

SmartSimple offers two methods of implementing Single Sign-On (SSO) integration:

  1. SAML 2.0
  2. Cipher encrypted reference

This page provides technical details of each solution.

Implementation of Single Sign On using either method requires configuration by both SmartSimple and the administrator of the system that will provide the authentication. Please contact your account manager or SmartSimple Support for further information.

SAML 2.0

SmartSimple supports SAML (Security Assertion Markup Language) 2.0 at the recipient end of an authenticated login. For example, the user will log into the client side system/infrastructure and then SSO into SmartSimple, not vice versa.

The client system will construct a base64-encoded SAML response object and send this to the user’s browser. The user’s browser will then be forwarded to the SmartSimple server.

The following Assertion attributes are used:

  • UID (client system’s unique user id)
  • Email (optional)
  • First name (optional)
  • Last name (optional)
  • Department (optional)
  • Comma delimited list of roles (by name) to be assigned to the user (optional)
  • Language (optional)
  • RedirectURL (optional)

Note: Client must provide SmartSimple with a public key in base64-encoded X509Certificate format for digital signature validation.

SAML Response Sample XML

The following is an example of a valid SAML Response:

<?xmlversion="1.0" encoding="UTF-8"?>
<samlp:Responsexmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"Destination="https://alias.smartsimple.com/SAML2/"IssueInstant="2014-07-12T14:17:03.063Z"ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0">
   <saml:Issuerxmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
   <ds:Signaturexmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
         <ds:CanonicalizationMethodAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
         <ds:SignatureMethodAlgorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <ds:ReferenceURI="#BYavZkuNtRHC5rEPhIAEQrys1Wb">
            <ds:Transforms>
               <ds:TransformAlgorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
               <ds:TransformAlgorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </ds:Transforms>
            <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
           <ds:DigestValue>+2uvXQh+d65mNWs0G6FBf4igIxU=</ds:DigestValue>
         </ds:Reference>
      </ds:SignedInfo>
     <ds:SignatureValue>LEOCPec/eNBMqBV7A99...</ds:SignatureValue>
   </ds:Signature>
   <samlp:Status>
      <samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertionxmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"Version="2.0" IssueInstant="2014-07-12T14:17:03.246Z"ID="X14MvZtPaqyUjfFCbehto32uDTG">
     <saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
      <saml:Subject>
         <saml:NameIDFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456</saml:NameID>
         <saml:SubjectConfirmationMethod="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationDataNotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/>
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z"NotBefore="2014-07-12T14:12:03.246Z">
         <saml:AudienceRestriction>
           <saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatementAuthnInstant="2014-07-12T14:17:03.246Z"SessionIndex="X14MvZtPaqyUjfFCbehto32uDTG">
         <saml:AuthnContext>
           <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatementxmlns:xs="http://www.w3.org/2001/XMLSchema">
         <saml:AttributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"Name="Email">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">david@alias.com</saml:AttributeValue>
         </saml:Attribute>
         <saml:AttributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UID">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">T5014CD</saml:AttributeValue>
         </saml:Attribute>
         <saml:AttributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"Name="First name">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">David</saml:AttributeValue>
         </saml:Attribute>
         <saml:AttributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"Name="Last name">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">Smith</saml:AttributeValue>
         </saml:Attribute>
         <saml:AttributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"Name="Department">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">Shipping</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"Name="Roles">
            <saml:AttributeValuexmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"xsi:type="xs:string">Clerk</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>

Cipher encrypted reference

The SmartSimple cipher-encrypted reference SSO is accessed by passing parameters in the URL, including an encrypted token, for authentication.

Example:

http://myalias.smartsimple.com/QryAuth/?em=2&alias=myalias&message=dnnOBh9xvqPSC9uXZFAz10Tc

URL Request Parameters

Parameter Name Description Sample
em Encryption method 1 or 2
alias SSO alias ssoalias
message Encrypted String, encryption method is indicated by em parameter cm90YXJ5Oztjcm1 ……

em (1 or 2) 1 – Message is encoded by base64 only (for systems that do not support DES encryption). 2 – Message is first encrypted by "DES" using a provided key and then encoded by base64.

alias Identifies which SSO settings should be used. SmartSimple supports multiple SSO entries.

message A string composed of 11 elements delimited by two semi-colons (;;). For example, 88;;Id12345;;John;;Smith;;Contact,Internal Staff;;Toronto branch;;Canada Office;;abc@gmail.com;;Canada;;2011-11-08 12:30:00;;English

There must be no spaces between elements.

Key used: AD789034 (example only)

Encrypted Message will be: I%2BA%2B/Qb73aUmJZyP5f3/9Lm90fIguwkAgKovK0626HxbeT7cGfdZfSGyDdAybGstBwHBZgDYqc3uhgS7YTQIxzQXIfAovKCzbHLhc/Nh/AizHemadQL1SNRQeNwKz9%2B37IR%2BrwQyvR2Qlh0On8zy7cDSZYm/QKL5EmGV3g9Z%2B10=

Note: When base64 encoding results include a '+' character, please replace '+' with '%2B'

Element Position

Element
Position
Description Sample Options
1 Reserved Constant Always 88 Mandatory
2 Unique identifier of user. If this ID is not found in SmartSimple, either a new user will be created or the request will be rejected. This is controlled by the SSO settings within SmartSimple. Id12345 Mandatory
3 First Name John *Optional
4 Last Name Smith *Optional
5 Comma delimited list of roles (by name) to be assigned to the user. Contact, Internal Staff *Optional
6 Parent Company (one level above the user's company) Canada Office Optional
7 Company Toronto Branch *Optional
8 E-mail address abc@gmail.com *Optional
9 Country Canada *Optional
10 Date Time Stamp (GMT). Login will only succeed if the server time is within +- 10 minutes of this timestamp. This is to prevent bookmarking the SSO URL and token. If the SSO settings within SmartSimple have “debug=on”, then the timestamp is ignored. 2011-11-08 12:30:00 Mandatory
11 Language English Optional


  • NOTE: Optional items listed with an asterisk are mandatory if this will result in creation of a new user (only relevant if the Single Sign-On setting “Create User” is enabled).

The 6th parameter (Parent Company) can result in changes to the organizational hierarchy. The Company (parameter 7) will be moved under the Parent Company, so this should be used with caution if this effect is not desired.

Cipher Encrypted Reference Sample Code

The following are examples of code for Cipher Encrypted Reference SSO configuration:

PHP

Sample and library: http://nl3.php.net/manual/en/mcrypt.ciphers.php

Java

No extra library required.

Sample code:


import java.security.spec.KeySpec; 
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
importjavax.crypto.spec.DESKeySpec;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
 
/**
 *
 *@author  User
 */
public class DESEncrypt {
    
    /**Creates a new instance of DESEncrypt */
   public DESEncrypt() {
    }
    
   public static String encrypt(String keystr,String msg)
    {try{byte[] keyAsBytes = keystr.getBytes();
       KeySpec myKeySpec = new DESKeySpec(keyAsBytes);
       SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES");
       Cipher cipher Cipher.getInstance("DES/ECB/ PKCS5Padding");
      SecretKey  key =mySecretKeyFactory.generateSecret(myKeySpec);
       cipher.init(Cipher.ENCRYPT_MODE, key);
       byte[] plainText = msg.getBytes();
           byte[] encryptedText = cipher.doFinal(plainText);
           BASE64Encoder base64encoder = new BASE64Encoder();
           return base64encoder.encode(encryptedText);
     }catch (Exception e){return null;}
    }
    
   public static String decrypt(String keystr,String msg)
   {try{byte[] keyAsBytes = keystr.getBytes();
       KeySpec myKeySpec = new DESKeySpec(keyAsBytes);
       SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES");
       Cipher cipher = Cipher.getInstance("DES/ECB/ PKCS5Padding");
      SecretKey  key =mySecretKeyFactory.generateSecret(myKeySpec);
       cipher.init(Cipher.DECRYPT_MODE, key);
       BASE64Decoder base64decoder = new BASE64Decoder();
           byte[] encryptedText = base64decoder.decodeBuffer(msg);
          return new String(cipher.doFinal(encryptedText));
   }catch (Exception e){return null;}
    }
}

Vb.Net Sample

Imports System.Security.Cryptography
 
Public Function SSOEncrypt(ByValstrkey As String,ByVal strMessage AsString)
 
        Dim inputByteArray() AsByte = StrToByteArray(strMessage)
 
        Dim key As Byte()
        key =StrToByteArray(strkey)
 
        Dim des As New DESCryptoServiceProvider
       des.Mode = CipherMode.ECB
       des.Key = key
        Dim ms As New MemoryStream
        Dim cs As New CryptoStream(ms,des.CreateEncryptor(), CryptoStreamMode.Write)
       cs.Write(inputByteArray, 0, inputByteArray.Length)
       cs.FlushFinalBlock()
 
        Return Convert.ToBase64String(ms.ToArray())
 
End Function
 
Public Shared FunctionStrToByteArray(ByVal str As String) As Byte()
 
        Dim encoding As New System.Text.UTF8Encoding
        Return encoding.GetBytes(str)
 
End Function
 

See Also