SAML Integration

From idenprotect Knowledge Base
Revision as of 13:01, 18 June 2019 by ChrisRussell



Introduction

The iDENprotect Authentication Portal allows multiple applications to be integrated with iDENprotect, so that users authenticate once and can then access all of those applications.

The standard integration method is SAML (https://en.wikipedia.org/wiki/SAML_2.0).

This article explains the concepts behind such an integration.


Concepts

There are two roles within a SAML authentication:

Service Provider (SP) is a cloud/web service that the user must be authenticated to before they can access it.

Identity Provider (IDP) is responsible for authenticating the user.

SAML uses a Federation Model, whereby the roles of Service Provider and Identity Provider are separate.

For example, if User A has access to corporate data belonging to Company A in a cloud service such as Salesforce.com, then to access that data User A must authenticate to the IDP belonging to Company A.

Authentication Flow

The SAML standard supports a number of different ways of exchanging messages (called bindings), but the most common ones are based on browser (HTTPS) interactions.

  1. The user goes to the Service Provider.
  2. The Service Provider has been configured to use federation and redirects the user to the IDP it has been configured to use.
  3. The user authenticates to the IDP.
  4. The IDP creates a SAML assertion, which it signs using its private key.
  5. The user is redirected back to the Service Provider with the SAML assertion.
  6. The Service Provider validates the SAML assertion and allows the user access.

Therefore, to support these integrations, the Service Provider needs to know the details of the Identity Provider and the Identity Provider needs to know the details of the Service Provider.

Configuring The Service Provider

The details that need to be entered on the Service Provider are:

  1. The entity ID of the Identity Provider; by convention this is the URL of the Identity Provider.
  2. The URL the user needs to be sent to in order to authenticate.
  3. The certificate that the Service Provider should use to validate the signature on the SAML assertion.

An IDP may publish these details via metadata.

For example, if you go to https://<hostname>/idp/metadata, where <hostname> is the hostname of the iDENprotect Authentication Portal, you can download an XML file that contains all of the above information along with other settings that may be required.

Some Service Providers can be automatically configured by providing this metadata URL or file.