Single Sign-On

38 bytes added, 13:21, 10 May 2016
This page provides technical details of each solution.
Implementation of Single Sign On using either method requires configuration by both SmartSimple and the administrator of the system that will provide the authentication. SmartSimple's implementation of Single Sign On acts as the Service Provider and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service. Please contact your account manager or [[How the SmartSimple Support Desk Works|SmartSimple Support]] for further information.
==SAML 2.0==
SmartSimple supports SAML ('''Security Assertion Markup Language''') 2.0 as the Service Provider through our own proprietary implementation of this standard. Because SmartSimple is the Service Provider, the user first authenticates on the client-side system/infrastructure and is then directed into SmartSimple, not vice versa.
The Identity Provider service constructs a base64-encoded SAML assertion and sends it to the user's browser. The user's browser then relays this assertion to the SmartSimple server for SSO authentication.
===Prerequisites===
* You must provision your own Identity Provider service, third-party or otherwise, for use with this feature. Enabling and maintaining the Identity Provider is your responsibility.
* You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation.
 
===Attributes===
The following ''Assertion'' attributes are used:
* NameID (or optionally UID; the client system's unique user id)
* Email (optional)
* First name (optional)
* Last name (optional)
* Department (optional)
* Roles (optional; comma-delimited list of SmartSimple user roles, by name, to be assigned to the user)
* Language (optional)
* RedirectURL (optional)
===SAML Response Sample XML===
The following is an example of a valid SAML Response:
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://alias.smartsimple.com/SAML2/" IssueInstant="2014-07-12T14:17:03.063Z" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
      <ds:Reference URI="#BYavZkuNtRHC5rEPhIAEQrys1Wb">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
        <ds:DigestValue>+2uvXQh+d65mNWs0G6FBf4igIxU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LEOCPec/eNBMqBV7A99...</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2014-07-12T14:17:03.246Z" ID="X14MvZtPaqyUjfFCbehto32uDTG">
    <saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">123456</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z" NotBefore="2014-07-12T14:12:03.246Z">
      <saml:AudienceRestriction>
        <saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-12T14:17:03.246Z" SessionIndex="X14MvZtPaqyUjfFCbehto32uDTG">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UID">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">T5014CD</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">david@alias.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First name">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">David</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last name">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Shipping</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Roles">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Clerk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response></pre>
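The following is an added example (not SmartSimple's code) of the checks a Service Provider performs on a base64-encoded response like the one above before acting on its ''Assertion'' attributes: Success status, the signature's Reference covering the signed element, the Conditions validity window, the Audience, the bearer Recipient, and the comma-delimited Roles attribute. It embeds a constructed, trimmed response modelled on the sample; the values and the helper names (<code>validate_response</code>, <code>check_sample</code>) are assumptions. Verification of the XML signature itself against the Identity Provider's X.509 public key needs an XML-DSig library and is assumed to have already passed.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SP_AUDIENCE = "sso:saml2:alias:stage:SmartSimple:sp"          # assumed SP entity id
SP_RECIPIENT = "https://alias.smartsimple.com/SAML2/"         # assumed ACS URL

# Constructed sample (hypothetical values modelled on the page's sample response).
# The SignatureValue is a placeholder: the signature is NOT verified here.
SAMPLE_RESPONSE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Version="2.0"
  Destination="https://alias.smartsimple.com/SAML2/" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb"
  IssueInstant="2014-07-12T14:17:03.063Z">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo><ds:Reference URI="#BYavZkuNtRHC5rEPhIAEQrys1Wb"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
    ID="X14MvZtPaqyUjfFCbehto32uDTG" IssueInstant="2014-07-12T14:17:03.246Z">
    <saml:Subject>
      <saml:NameID>123456</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z" NotBefore="2014-07-12T14:12:03.246Z">
      <saml:AudienceRestriction><saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="UID"><saml:AttributeValue>T5014CD</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>david@alias.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Roles"><saml:AttributeValue>Clerk, Manager</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def encode_response(xml_text: str) -> str:
    """Base64-encode the response the way the Identity Provider does before it reaches the browser."""
    return base64.b64encode(xml_text.encode("utf-8")).decode("ascii")


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2014-07-12T14:22:03.246Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_response(b64_response: str, now: datetime, audience: str, recipient: str) -> dict:
    """Decode and check a response; return the attributes the SP may act on, or raise ValueError.

    Assumes the enveloped XML signature was already verified against the IdP's X.509
    public key with an XML-DSig library; none of the checks below are meaningful otherwise.
    """
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("IdP did not report Success")
    # The signature's Reference must point at the element it protects (the Response in
    # the page's sample). A Reference that covers something else means the content being
    # trusted is not the content that was signed, so it is rejected.
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
        raise ValueError("signature Reference does not cover this Response")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    if not (_ts(cond.get("NotBefore", "")) <= now < _ts(cond.get("NotOnOrAfter", ""))):
        raise ValueError("assertion outside its validity window")
    if audience not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this Service Provider")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient or now >= _ts(scd.get("NotOnOrAfter", "")):
        raise ValueError("bearer confirmation invalid for this recipient or time")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        val = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (val.text or "").strip() if val is not None else ""
    # Roles is a comma-delimited list of SmartSimple role names
    roles = [r.strip() for r in attrs.get("Roles", "").split(",") if r.strip()]
    return {"name_id": a.findtext("saml:Subject/saml:NameID", default="", namespaces=NS),
            "uid": attrs.get("UID"), "email": attrs.get("Email"), "roles": roles}


def check_sample(now_iso: str):
    """Run the constructed sample at the given UTC instant; return the attributes or the rejection reason."""
    try:
        return validate_response(encode_response(SAMPLE_RESPONSE_XML), _ts(now_iso), SP_AUDIENCE, SP_RECIPIENT)
    except ValueError as exc:
        return str(exc)
```

Calling <code>check_sample("2014-07-12T14:18:00.000Z")</code> returns the UID, email and the two parsed roles; the same response at 14:30 is rejected because the five-minute Conditions window has closed, which is why the NotBefore/NotOnOrAfter values in the sample are so tight.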
==Cipher encrypted reference==