Single Sign-On

5,094 bytes added, 18:32, 5 December 2019
===Service Provider Configuration - SmartSimple===
[[File:sso-001.png|thumb|none|600px|Navigating to the SSO configuration.]]
[[File:sso-002.png|thumb|none|800px|SSO configuration settings.]]
====Mandatory Settings====
* '''SSO Alias''' - used to identify the SSO connection and should be configured by default to be 'SAML2'. If multiple SSO connections are to be configured then you may include an additional element on the client-side assertion named 'SSOModule' to specify the SmartSimple connection by matching a unique "SSO Alias" value.
* '''Unique Identifier Field (UID)''' - used to identify the user account and needs to be an attribute that is unique to each user in SmartSimple. This needs to be an attribute common to both SmartSimple and the client-side system (typically e-mail address or employee ID).
* '''X509Certificate (SAML2 Only)''' - the signing certificate to be provided by the client. This should be the certificate value without the "begin certificate" and "end certificate" header and footer lines. Also, depending on how the client-side system sends this value within the SAML assertion, the certificate value will typically be formatted as a single line but could also be multiple lines, and so must be entered into SmartSimple in the same format.
* It is also recommended to disable the Session Timeout Alert setting within the Global Settings -> Security section as that feature would not be applicable to users logged in through single sign-on.
* By default, SSO acts as an additional method of authentication. If you wish to enforce the use of SSO, and restrict the regular username and password authentication, you can do so with the Global Settings -> Integration -> Enforce SSO setting, which allows you to restrict a set of user roles to only be able to log in through SSO.
====Additional Settings====
To enable adding new users/organizations, the following '''Options''' should be enabled:
* '''Create New User on No Match''' - create a new user when no matching user is found, and allow the new user to log in upon successful authentication
* '''Create New Organization on No Match''' - create a new parent organization when no matching organization is found
* '''Enable Updates To User Role''' - allow the SSO assertion to change the user's system role
* '''Enable Updates To User Organization''' - allow the SSO assertion to change the user's parent organization

These settings are used to add new users and/or new organizations:
* '''Default New User Role''' - system role assigned to new users
* '''Default New User Status''' - status assigned to new users
* '''Default Organization''' - parent organization assigned to new users
* '''Default New Organization Status''' - status assigned to new parent organizations

Other settings:
* '''Use UID as Unique Identifier''' - use the assertion node named UID as the unique identifier for users. The default is NameID.
* '''Bypass Two Factor Authentication''' - bypass Two Factor Authentication when logged in with SSO
* '''Enable Debug Mode''' - ignore the SSO time stamp and output the SSO message in the [[Configuration_Error_Log|Configuration Error Log]]. Intended for troubleshooting only, since the time stamp check is what rejects expired or replayed assertions.
* '''Default Landing Page''' - used to specify an initial landing page in SmartSimple. This should be a relative path (e.g. /iface/ex/ax_index.jsp).
* '''IP Mask''' -
* '''Logout Redirect URL''' - redirect URL used when accessing the system via SSO, or when users log out
<!--Ticket#52854 - SSO logout assertion SLO-->
* '''Enable Logout Assertion''' - send a logout assertion to the Identity Provider to log out of that session. Additional settings for ''Enable Logout Assertion'':
** '''Assertion Target URL''' - target site URL
** '''Assertion Private Key''' - private key used to establish the connection with the target site
===Identity Provider Configuration - Client-Side System===
The elements required for setup of the client-side identity provider connection are listed below.
* Unique user identifier - within the SAML assertion, this value can be sent in the standard <NameID> element, or optionally within an <Attribute> element named 'UID'.
* Assertion Consumer Service URL - this will be equal to '/SAML2/' appended to your SmartSimple instance URL, e.g. '''https://alias.smartsimple.com/SAML2/'''.
* Service Provider's Entity ID - this can be the URL to your SmartSimple system, e.g. '''https://alias.smartsimple.com/'''.
* Service Provider metadata XML - the following is an example service provider metadata that can be used; however, you must first replace every instance of 'alias.smartsimple.com' with the URL to your SmartSimple system.
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://alias.smartsimple.com/">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://alias.smartsimple.com/SAML2/" index="1"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:GivenName>SmartSimple Support</md:GivenName>
    <md:EmailAddress>support@smartsimple.com</md:EmailAddress>
  </md:ContactPerson>
  <md:ContactPerson contactType="support">
    <md:GivenName>SmartSimple Support</md:GivenName>
    <md:EmailAddress>support@smartsimple.com</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
</pre>
* Finish the setup, and then return to the "Claim Rules" editor, select the "Issuance Transform Rules" tab and add a new rule. Set the "Rule Type" to use the 'Send LDAP Attributes as Claims' template and configure the mapping to the agreed-upon user identifier (e.g. LDAP attribute 'E-Mail-Addresses' to Outgoing Claim Type 'NameID'). Depending on your ADFS version and setup you may instead need to create two rules: one to map the E-mail attribute to E-mail, and a second rule to transform the E-mail into the outgoing NameID.
* To test or use this connection use your internal ADFS URL and specify the loginToRp parameter as the SmartSimple SAML entity ID, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/'''.<br/> If you aren't automatically redirected into SmartSimple you may need to have RelayState enabled in ADFS, and then use a RelayState parameter to achieve this, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2Falias.smartsimple.com%2F%26RelayState%3Dhttps%253A%252F%252Falias.smartsimple.com%252F'''.
 
===Optional Information===
The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.
 
* SSOModule - used to specify the SmartSimple SSO connection when there are multiple connections configured.
* UID - can be used instead of NameID as the user identifier.
* Email
* First name
* Last name
* Department - used to update the user's organization. This will attempt to match an organization by name and will move the user to that organization if found.
* Roles - used to update the user's roles in SmartSimple. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.
* Language - used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).
* RedirectURL - used to specify an initial landing page in SmartSimple. This should be a relative path (e.g. /iface/ex/ax_index.jsp).
===SAML Assertion Example===
The following is an example of a SAML Assertion :
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;"><?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="https://alias.smartsimple.com/SAML2/" IssueInstant="2014-07-12T14:17:03.063Z" ID="BYavZkuNtRHC5rEPhIAEQrys1Wb" Version="2.0">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#BYavZkuNtRHC5rEPhIAEQrys1Wb">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>+2uvXQh+d65mNWs0G6FBf4igIxU=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>LEOCPec/eNBMqBV7A99...</ds:SignatureValue>
  </ds:Signature>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" IssueInstant="2014-07-12T14:17:03.246Z" ID="X14MvZtPaqyUjfFCbehto32uDTG">
    <saml:Issuer>sso:saml2:alias:stage:SmartSimple:idp</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">T5014CD</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotOnOrAfter="2014-07-12T14:22:03.246Z" NotBefore="2014-07-12T14:12:03.246Z">
      <saml:AudienceRestriction>
        <saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2014-07-12T14:17:03.246Z" SessionIndex="X14MvZtPaqyUjfFCbehto32uDTG">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="UID">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">T5014CD</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">david@email.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="First name">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">David</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Last name">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Smith</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Department">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Shipping</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Roles">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Clerk</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
</pre>
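The checks a Service Provider applies to a response like the one above before trusting its attributes, as an added Python example that is not SmartSimple's code. It runs over a constructed sample trimmed from the example (signature omitted) and assumes the page's ACS URL and audience value; verifying the ds:Signature against the configured X509Certificate is assumed to happen first in a SAML library and is not shown.

```python
# Added example (not SmartSimple's code): the checks a SAML2 Service Provider makes before
# trusting an assertion, then extraction of the fields this page maps (NameID, UID, Roles).
# Signature verification against the configured X509Certificate is left to a SAML library.
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://alias.smartsimple.com/SAML2/"          # Assertion Consumer Service URL
AUDIENCE = "sso:saml2:alias:stage:SmartSimple:sp"         # audience value from the example
# Constructed sample trimmed from the page's example; the ds:Signature is omitted.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="BYav">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="X14M" IssueInstant="2014-07-12T14:17:03.246Z">
  <saml:Subject><saml:NameID>T5014CD</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
    NotOnOrAfter="2014-07-12T14:22:03.246Z" Recipient="https://alias.smartsimple.com/SAML2/"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2014-07-12T14:12:03.246Z" NotOnOrAfter="2014-07-12T14:22:03.246Z">
   <saml:AudienceRestriction><saml:Audience>sso:saml2:alias:stage:SmartSimple:sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="UID"><saml:AttributeValue>T5014CD</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="Roles"><saml:AttributeValue>Clerk, Manager</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def _ts(value):  # SAML UTC timestamp as written in the example above
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_response(xml_text, now_iso, acs_url=ACS_URL, audience=AUDIENCE):
    # Returns (ok, reason, user); user is None unless every check passed.
    now, root = _ts(now_iso), ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or not status.get("Value", "").endswith(":Success"):
        return False, "status not Success", None
    a = root.find("saml:Assertion", NS)
    cond = a.find("saml:Conditions", NS)
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        return False, "outside validity window", None
    if cond.find("saml:AudienceRestriction/saml:Audience", NS).text != audience:
        return False, "audience mismatch", None
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        return False, "bearer confirmation failed", None
    user = {"NameID": a.find("saml:Subject/saml:NameID", NS).text}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        user[attr.get("Name")] = attr.find("saml:AttributeValue", NS).text
    # Roles is a comma delimited list of SmartSimple role names (see Optional Information).
    user["Roles"] = [r.strip() for r in user.get("Roles", "").split(",") if r.strip()]
    return True, "ok", user
```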
<!--
==Cipher encrypted reference==
{{ Template:Deprecated-sm }}
The SmartSimple cipher-encrypted reference SSO is accessed by passing parameters in the URL, including an encrypted token, for authentication.
-->
 
[[Category:Integration]]
[[Category:System Integration]]
[[Category:Identity and Access Management]]
[[Category:Security]]
Smartstaff