Difference between revisions of "Single Sign-On"
From SmartWiki
m |
|||
| Line 6: | Line 6: | ||
This page provides technical details of each solution. | This page provides technical details of each solution. | ||
| − | Implementation of Single Sign On using either method requires configuration by both SmartSimple and the administrator of the system that will provide the authentication. SmartSimple's implementation of Single Sign On acts as the | + | Implementation of Single Sign On using either method requires configuration by both SmartSimple and the administrator of the system that will provide the authentication. SmartSimple's implementation of Single Sign On acts as the Service Provider and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service. Please contact your account manager or [[How the SmartSimple Support Desk Works|SmartSimple Support]] for further information. |
==SAML 2.0== | ==SAML 2.0== | ||
| − | SmartSimple supports SAML ('''Security Assertion Markup Language''') 2.0 | + | SmartSimple supports SAML ('''Security Assertion Markup Language''') 2.0 as the Service Provider through our own proprietary implementation of this standard. As the Service Provider, the user will first authenticate on the client side system/infrastructure and then be directed into SmartSimple. |
| − | The client | + | The client Identity Provider service will construct a base64-encoded SAML assertion and send this to the user’s browser. The user’s browser will then relay this assertion to the SmartSimple server for SSO authentication. |
===Prerequisites=== | ===Prerequisites=== | ||
| − | * You must provision your own | + | * You must provision your own Identity Provider service, third-party or otherwise, for use with this feature. Enabling and maintaining the Identity Provider is your responsibility. |
* You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation. | * You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation. | ||
| + | |||
===Attributes=== | ===Attributes=== | ||
The following ''Assertion'' attributes are used: | The following ''Assertion'' attributes are used: | ||
| − | <ul><li>UID (client system’s unique user id) | + | <ul><li>NameID (or optionally UID (client system’s unique user id)</li> |
| − | <li>Email (optional) | + | <li>Email (optional)</li> |
| − | <li>First name (optional) | + | <li>First name (optional)</li> |
| − | <li>Last name (optional) | + | <li>Last name (optional)</li> |
| − | <li>Department (optional) | + | <li>Department (optional)</li> |
| − | <li> | + | <li>Roles (optional, comma delimited list of SmartSimple user roles (by name) to be assigned to the user)</li> |
| − | <li>Language (optional) | + | <li>Language (optional)</li> |
| − | <li>RedirectURL (optional) | + | <li>RedirectURL (optional)</li></ul> |
===SAML Response Sample XML=== | ===SAML Response Sample XML=== | ||
The following is an example of a valid SAML Response: | The following is an example of a valid SAML Response: | ||
| − | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><?xmlversion="1.0" encoding="UTF-8"?> | + | <pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"> |
| − | <samlp: | + | <?xmlversion="1.0" encoding="UTF-8"?> |
| − | <saml: | + | <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://alias.smartsimple.com/SAML2/" IssueInstant="2014-07-12T14:17:03.063Z" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0"> |
| − | <ds: | + | |
| + | <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer> | ||
| + | |||
| + | <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | ||
<ds:SignedInfo> | <ds:SignedInfo> | ||
| − | <ds: | + | <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
| − | <ds: | + | <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/> |
| − | <ds: | + | <ds:Reference URI="#BYavZkuNtRHC5rEPhIAEQrys1Wb"> |
<ds:Transforms> | <ds:Transforms> | ||
| − | <ds: | + | <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/> |
| − | <ds: | + | <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/> |
</ds:Transforms> | </ds:Transforms> | ||
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> | <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/> | ||
| − | + | <ds:DigestValue>+2uvXQh+d65mNWs0G6FBf4igIxU=</ds:DigestValue> | |
</ds:Reference> | </ds:Reference> | ||
</ds:SignedInfo> | </ds:SignedInfo> | ||
| − | + | <ds:SignatureValue>LEOCPec/eNBMqBV7A99...</ds:SignatureValue> | |
</ds:Signature> | </ds:Signature> | ||
| + | |||
<samlp:Status> | <samlp:Status> | ||
<samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success" /> | <samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success" /> | ||
</samlp:Status> | </samlp:Status> | ||
| − | <saml: | + | |
| + | <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2014-07-12T14:17:03.246Z" ID="X14MvZtPaqyUjfFCbehto32uDTG"> | ||
<saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer> | <saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer> | ||
<saml:Subject> | <saml:Subject> | ||
| − | <saml: | + | <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">T5014CD</saml:NameID> |
| − | <saml: | + | <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> |
| − | <saml: | + | <saml:SubjectConfirmationData NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/> |
</saml:SubjectConfirmation> | </saml:SubjectConfirmation> | ||
</saml:Subject> | </saml:Subject> | ||
| − | <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z"NotBefore="2014-07-12T14:12:03.246Z"> | + | <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z" NotBefore="2014-07-12T14:12:03.246Z"> |
<saml:AudienceRestriction> | <saml:AudienceRestriction> | ||
<saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience> | <saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience> | ||
</saml:AudienceRestriction> | </saml:AudienceRestriction> | ||
</saml:Conditions> | </saml:Conditions> | ||
| − | <saml: | + | <saml:AuthnStatement AuthnInstant="2014-07-12T14:17:03.246Z" SessionIndex="X14MvZtPaqyUjfFCbehto32uDTG"> |
<saml:AuthnContext> | <saml:AuthnContext> | ||
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> | <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef> | ||
</saml:AuthnContext> | </saml:AuthnContext> | ||
</saml:AuthnStatement> | </saml:AuthnStatement> | ||
| − | <saml: | + | <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema"> |
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UID"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">T5014CD</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">david@alias.com</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First name"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">David</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last name"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Shipping</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
| − | <saml: | + | <saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Roles"> |
| − | <saml: | + | <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Clerk</saml:AttributeValue> |
</saml:Attribute> | </saml:Attribute> | ||
</saml:AttributeStatement> | </saml:AttributeStatement> | ||
</saml:Assertion> | </saml:Assertion> | ||
| − | </samlp:Response></pre> | + | |
| + | </samlp:Response> | ||
| + | </pre> | ||
==Cipher encrypted reference== | ==Cipher encrypted reference== | ||
Revision as of 08:21, 10 May 2016
General Information
SmartSimple offers one method of implementing Single Sign-On (SSO) integration:
- SAML 2.0
- Deprecated: Cipher encrypted reference
This page provides technical details of each solution.
Implementation of Single Sign On using either method requires configuration by both SmartSimple and the administrator of the system that will provide the authentication. SmartSimple's implementation of Single Sign On acts as the Service Provider and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service. Please contact your account manager or SmartSimple Support for further information.
SAML 2.0
SmartSimple supports SAML (Security Assertion Markup Language) 2.0 as the Service Provider through our own proprietary implementation of this standard. As the Service Provider, the user will first authenticate on the client side system/infrastructure and then be directed into SmartSimple.
The client Identity Provider service will construct a base64-encoded SAML assertion and send this to the user’s browser. The user’s browser will then relay this assertion to the SmartSimple server for SSO authentication.
Prerequisites
- You must provision your own Identity Provider service, third-party or otherwise, for use with this feature. Enabling and maintaining the Identity Provider is your responsibility.
- You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation.
Attributes
The following Assertion attributes are used:
- NameID (or optionally UID (client system’s unique user id)
- Email (optional)
- First name (optional)
- Last name (optional)
- Department (optional)
- Roles (optional, comma delimited list of SmartSimple user roles (by name) to be assigned to the user)
- Language (optional)
- RedirectURL (optional)
SAML Response Sample XML
The following is an example of a valid SAML Response:
<?xmlversion="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://alias.smartsimple.com/SAML2/" IssueInstant="2014-07-12T14:17:03.063Z" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#BYavZkuNtRHC5rEPhIAEQrys1Wb">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>+2uvXQh+d65mNWs0G6FBf4igIxU=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue>LEOCPec/eNBMqBV7A99...</ds:SignatureValue>
</ds:Signature>
<samlp:Status>
<samlp:StatusCodeValue="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2014-07-12T14:17:03.246Z" ID="X14MvZtPaqyUjfFCbehto32uDTG">
<saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">T5014CD</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/>
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z" NotBefore="2014-07-12T14:12:03.246Z">
<saml:AudienceRestriction>
<saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2014-07-12T14:17:03.246Z" SessionIndex="X14MvZtPaqyUjfFCbehto32uDTG">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UID">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">T5014CD</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">david@alias.com</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First name">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">David</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last name">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Shipping</saml:AttributeValue>
</saml:Attribute>
<saml:AttributeName Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Roles">
<saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Clerk</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Cipher encrypted reference
Please note that this feature has been deprecated.
The SmartSimple cipher-encrypted reference SSO is accessed by passing parameters in the URL, including an encrypted token, for authentication.
Example:
- http://myalias.smartsimple.com/QryAuth/?em=2&alias=myalias&message=dnnOBh9xvqPSC9uXZFAz10Tc
URL Request Parameters
| Parameter Name | Description | Sample |
| em | Encryption method | 1 or 2 |
| alias | SSO alias | ssoalias |
| message | Encrypted String, encryption method is indicated by em parameter | cm90YXJ5Oztjcm1 …… |
em (1 or 2) 1 – Message is encoded by base64 only (for systems that do not support DES encryption). 2 – Message is first encrypted by "DES" using a provided key and then encoded by base64.
alias Identifies which SSO settings should be used. SmartSimple supports multiple SSO entries.
message A string composed of 11 elements delimited by two semi-colons (;;). For example, 88;;Id12345;;John;;Smith;;Contact,Internal Staff;;Toronto branch;;Canada Office;;abc@gmail.com;;Canada;;2011-11-08 12:30:00;;English
There must be no spaces between elements.
Key used: AD789034 (example only)
Encrypted Message will be: I%2BA%2B/Qb73aUmJZyP5f3/9Lm90fIguwkAgKovK0626HxbeT7cGfdZfSGyDdAybGstBwHBZgDYqc3uhgS7YTQIxzQXIfAovKCzbHLhc/Nh/AizHemadQL1SNRQeNwKz9%2B37IR%2BrwQyvR2Qlh0On8zy7cDSZYm/QKL5EmGV3g9Z%2B10=
Note: When base64 encoding results include a '+' character, please replace '+' with '%2B'
Element Position
| Element Position |
Description | Sample | Options |
| 1 | Reserved Constant | Always 88 | Mandatory |
| 2 | Unique identifier of user. If this ID is not found in SmartSimple, either a new user will be created or the request will be rejected. This is controlled by the SSO settings within SmartSimple. | Id12345 | Mandatory |
| 3 | First Name | John | *Optional |
| 4 | Last Name | Smith | *Optional |
| 5 | Comma delimited list of roles (by name) to be assigned to the user. | Contact, Internal Staff | *Optional |
| 6 | Parent Company (one level above the user's company) | Canada Office | Optional |
| 7 | Company | Toronto Branch | *Optional |
| 8 | E-mail address | abc@gmail.com | *Optional |
| 9 | Country | Canada | *Optional |
| 10 | Date Time Stamp (GMT). Login will only succeed if the server time is within +- 10 minutes of this timestamp. This is to prevent bookmarking the SSO URL and token. If the SSO settings within SmartSimple have “debug=on”, then the timestamp is ignored. | 2011-11-08 12:30:00 | Mandatory |
| 11 | Language | English | Optional |
- NOTE: Optional items listed with an asterisk are mandatory if this will result in creation of a new user (only relevant if the Single Sign-On setting “Create User” is enabled).
The 6th parameter (Parent Company) can result in changes to the organizational hierarchy. The Company (parameter 7) will be moved under the Parent Company, so this should be used with caution if this effect is not desired.
Cipher Encrypted Reference Sample Code
The following are examples of code for Cipher Encrypted Reference SSO configuration:
PHP
Sample and library: http://nl3.php.net/manual/en/mcrypt.ciphers.php
Java
No extra library required.
Sample code:
import java.security.spec.KeySpec;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
importjavax.crypto.spec.DESKeySpec;
import sun.misc.BASE64Decoder;
import sun.misc.BASE64Encoder;
/**
*
*@author User
*/
public class DESEncrypt {
/**Creates a new instance of DESEncrypt */
public DESEncrypt() {
}
public static String encrypt(String keystr,String msg)
{try{byte[] keyAsBytes = keystr.getBytes();
KeySpec myKeySpec = new DESKeySpec(keyAsBytes);
SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES");
Cipher cipher Cipher.getInstance("DES/ECB/ PKCS5Padding");
SecretKey key =mySecretKeyFactory.generateSecret(myKeySpec);
cipher.init(Cipher.ENCRYPT_MODE, key);
byte[] plainText = msg.getBytes();
byte[] encryptedText = cipher.doFinal(plainText);
BASE64Encoder base64encoder = new BASE64Encoder();
return base64encoder.encode(encryptedText);
}catch (Exception e){return null;}
}
public static String decrypt(String keystr,String msg)
{try{byte[] keyAsBytes = keystr.getBytes();
KeySpec myKeySpec = new DESKeySpec(keyAsBytes);
SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES");
Cipher cipher = Cipher.getInstance("DES/ECB/ PKCS5Padding");
SecretKey key =mySecretKeyFactory.generateSecret(myKeySpec);
cipher.init(Cipher.DECRYPT_MODE, key);
BASE64Decoder base64decoder = new BASE64Decoder();
byte[] encryptedText = base64decoder.decodeBuffer(msg);
return new String(cipher.doFinal(encryptedText));
}catch (Exception e){return null;}
}
}
Vb.Net Sample
Imports System.Security.Cryptography
Public Function SSOEncrypt(ByValstrkey As String,ByVal strMessage AsString)
Dim inputByteArray() AsByte = StrToByteArray(strMessage)
Dim key As Byte()
key =StrToByteArray(strkey)
Dim des As New DESCryptoServiceProvider
des.Mode = CipherMode.ECB
des.Key = key
Dim ms As New MemoryStream
Dim cs As New CryptoStream(ms,des.CreateEncryptor(), CryptoStreamMode.Write)
cs.Write(inputByteArray, 0, inputByteArray.Length)
cs.FlushFinalBlock()
Return Convert.ToBase64String(ms.ToArray())
End Function
Public Shared FunctionStrToByteArray(ByVal str As String) As Byte()
Dim encoding As New System.Text.UTF8Encoding
Return encoding.GetBytes(str)
End Function
