Changes

Single Sign-On

5,727 bytes removed, 16:22, 5 January 2023
SAML 2.0
SmartSimple supports SAML ('''Security Assertion Markup Language''') 2.0 as the Service Provider through our own proprietary implementation of this standard.
Only Identity Provider-initiated authentication is supported, meaning the end user will first authenticate on the client-side system/infrastructure and then be forwarded to SmartSimple. The client Identity Provider service will construct a base64-encoded SAML assertion and send this to the user's browser. The user's browser will then relay this assertion to the SmartSimple server for SSO authentication. After the November 2022 upgrade, Service Provider-initiated authentication is now supported. The Service Provider sends the SAML Authorization Request message and forwarding the user to the client Identity Provider service for authentication. The end user will login from the client-side Identity Provider. After the end user has been authenticated, the client Identity Provider service will redirect them back to the SmartSimple instance along with a base64-encoded SAML assertion response. The user's browser will then relay this assertion to the SmartSimple server for SSO authentication. 
===Prerequisites===
* You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation.
=== ===
===Service Provider Configuration - SmartSimple===
Within SmartSimple, SSO settings are accessed through the Global Setting -> Integration tab.
The elements required for setup of the client-side identity provider connection are listed below.
* Unique user identifier - within the SAML assertion, this value can be sent in the standard <NameID> element, or optionally within an <Attribute> element named 'UID'.
* Assertion Consumer Service URL - this will be equal to '/SAML2/' appended to your SmartSimple instance URL, e.g. '''https://alias.smartsimple.com/SAML2/'''.
* Service Provider's Entity ID - this can be the URL to your SmartSimple system, e.g. '''https://alias.smartsimple.com/'''.
* Service Provider metadata XML - the following is an example service provider metadata that can be used, however you must first replace every instance of 'alias.smartsimple.com' instead with the URL to your SmartSimple system.
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://alias.smartsimple.com/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:EmailAddress>support@smartsimple.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor></pre>
====Active Directory Federation Services====
The following is an example of a SAML Assertion :
<pre stylediv id="whitemw-space: precontent-wrap; whitetext" lang="en-space: -moz-pre-wrap; white-space: GB" dir="ltr" class="mw-precontent-wrap; white-space: -o-pre-wrap; word-wrap: break-word;ltr"><pre><?xmlversion="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://alias.smartsimple.com/SAML2/" IssueInstant="2014-07-12T14:17:03.063Z" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0">
</samlp:Response>
</pre>  <!--==Cipher encrypted reference=={{Template:Deprecated-sm}} The SmartSimple cipher-encrypted reference SSO is accessed by passing parameters in the URL, including an encrypted token, for authentication.<br /><br /div>''Example''::<nowiki>http://myalias.smartsimple.com/QryAuth/?em=2&alias=myalias&message=dnnOBh9xvqPSC9uXZFAz10Tc</nowiki> ===URL Request Parameters=== {|classdiv id="wikitablecatlinks"|'''Parameter Name'''|'''Description'''|'''Sample'''|-|em|Encryption method|1 or 2|-|alias|SSO alias|ssoalias|-|message|Encrypted String, encryption method is indicated by em parameter|cm90YXJ5Oztjcm1 ……|} '''em (1 or 2)'''1 – Message is encoded by base64 only (for systems that do not support DES encryption).2 – Message is first encrypted by "DES" using a provided key and then encoded by base64. '''alias'''Identifies which SSO settings should be used. SmartSimple supports multiple SSO entries. '''message'''A string composed of 11 elements delimited by two semi-colons (;;). For example,88;;Id12345;;John;;Smith;;Contact,Internal Staff;;Toronto branch;;Canada Office;;abc@gmail.com;;Canada;;2011-11-08 12:30:00;;English There must be no spaces between elements. Key used: AD789034 (example only) Encrypted Message will be: I%2BA%2B/Qb73aUmJZyP5f3/9Lm90fIguwkAgKovK0626HxbeT7cGfdZfSGyDdAybGstBwHBZgDYqc3uhgS7YTQIxzQXIfAovKCzbHLhc/Nh/AizHemadQL1SNRQeNwKz9%2B37IR%2BrwQyvR2Qlh0On8zy7cDSZYm/QKL5EmGV3g9Z%2B10= Note: When base64 encoding results include a '+' character, please replace '+' with '%2B' ===Element Position=== {|class="wikitablecatlinks"|'''Element<br />Position'''|'''Description'''|'''Sample'''|'''Options'''|data-|1|Reserved Constant|Always 88|Mandatory|-|2|Unique identifier of user. If this ID is not found in SmartSimple, either a new user will be created or the request will be rejected. This is controlled by the SSO settings within SmartSimple.|Id12345|Mandatory|-|3|First Name|John|*Optional|-|4|Last Name|Smith|*Optional|-|5|Comma delimited list of roles (by name) to be assigned to the user.|Contact, Internal Staff|*Optional|-|6|Parent Company (one level above the user's company)|Canada Office|Optional|-|7|Company|Toronto Branch|*Optional|-|8|E-mail address|abc@gmail.com|*Optional|-|9|Country|Canada|*Optional |-|10|Date Time Stamp (GMT). Login will only succeed if the server time is within +- 10 minutes of this timestamp. This is to prevent bookmarking the SSO URL and token. If the SSO settings within SmartSimple have “debug=on”, then the timestamp is ignored.|2011-11-08 12:30:00|Mandatory|-|11|Language|English|Optional|}  * NOTE: Optional items listed with an asterisk are mandatory if this will result in creation of a new user (only relevant if the Single Sign-On setting “Create User” is enabled). The 6th parameter (Parent Company) can result in changes to the organizational hierarchy. The Company (parameter 7) will be moved under the Parent Company, so this should be used with caution if this effect is not desired. ===Cipher Encrypted Reference Sample Code===The following are examples of code for Cipher Encrypted Reference SSO configuration: ====PHP==== Sample and library: http://nl3.php.net/manual/en/mcrypt.ciphers.php====Java====No extra library required. Sample code:<pre stylemw="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;interface"> import java.security.spec.KeySpec; import javax.crypto.Cipher;import javax.crypto.SecretKey;import javax.crypto.SecretKeyFactory;importjavax.crypto.spec.DESKeySpec;import sun.misc.BASE64Decoder;import sun.misc.BASE64Encoder; /** * *@author User */public class DESEncrypt { /**Creates a new instance of DESEncrypt */ public DESEncrypt() { } public static String encrypt(String keystr,String msg) {try{byte[] keyAsBytes = keystr.getBytes(); KeySpec myKeySpec = new DESKeySpec(keyAsBytes); SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES"); Cipher cipher Cipher.getInstance("DES/ECB/ PKCS5Padding"); SecretKey key =mySecretKeyFactory.generateSecret(myKeySpec); cipher.init(Cipher.ENCRYPT_MODE, key); byte[] plainText = msg.getBytes(); byte[] encryptedText = cipher.doFinal(plainText); BASE64Encoder base64encoder = new BASE64Encoder(); return base64encoder.encode(encryptedText); }catch (Exception e){return null;} } public static String decrypt(String keystr,String msg) {try{byte[] keyAsBytes = keystr.getBytes(); KeySpec myKeySpec = new DESKeySpec(keyAsBytes); SecretKeyFactory mySecretKeyFactory =SecretKeyFactory.getInstance("DES"); Cipher cipher = Cipher.getInstance("DES/ECB/ PKCS5Padding"); SecretKey key =mySecretKeyFactory.generateSecret(myKeySpec); cipher.init(Cipher.DECRYPT_MODE, key); BASE64Decoder base64decoder = new BASE64Decoder(); byte[] encryptedText = base64decoder.decodeBuffer(msg); return new String(cipher.doFinal(encryptedText)); }catch (Exception e){return null;} }}</pre> ====Vb.Net Sample====<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">Imports System.Security.Cryptography Public Function SSOEncrypt(ByValstrkey As String,ByVal strMessage AsString) Dim inputByteArray() AsByte = StrToByteArray(strMessage) Dim key As Byte() key =StrToByteArray(strkey) Dim des As New DESCryptoServiceProvider des.Mode = CipherMode.ECB des.Key = key Dim ms As New MemoryStream Dim cs As New CryptoStream(ms,des.CreateEncryptor(), CryptoStreamMode.Write) cs.Write(inputByteArray, 0, inputByteArray.Length) cs.FlushFinalBlock() Return Convert.ToBase64String(ms.ToArray()) End Function Public Shared FunctionStrToByteArray(ByVal str As String) As Byte() Dim encoding As New System.Text.UTF8Encoding Return encoding.GetBytes(str) End Function </pre>--div>
[[Category:Integration]]
Smartstaff
1,385
edits