Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)
|
|
- Rodney Potter
- 8 years ago
- Views:
Transcription
1 Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only) This document is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will be configured for use with Smartsheet.com. It will walk you through Configuring your Identity Provider for SAML with Smartsheet, and configuring your Smartsheet account for use with your IdP. Revision Table of contents: Configuring Your Identity Provider for SAML with Smartsheet.com Configuring Smartsheet.com for use with your SAML Identity Provider (IdP) One IdP, one domain (most common scenario) IdP security certificate expiration and rollover SAML configuration states Appendix A: Sample assertion Required Attributes: Optional Attributes 1
2 Configuring Your Identity Provider for SAML with Smartsheet.com 1. Obtain the Smartsheet Metadata: saml2 sp metadata.xml 2. Configure a Relying Party within your Identity Provider using the Metadata provided. Details on how to do this are specific to your Identity Provider. Please consult your documentation for further details. 3. Smartsheet requires the following attributes to be asserted during the SAML exchange process: urn:oasis:names:tc:saml:2.0:nameid format:persistent The first assertion must contain a persistent Id that is the same for each user whenever they log in. The second is the user s address. Please see Appendix A at the end of this document for a sample assertion. Please see Appendix B at the end of this document for a list of our supported claim formats. 4. The following are recommended, but optional attributes: As their names indicate, the first represents a user s given name, and the second the user s surname. 5. Some SAML services may ask for additional information when configuring integration with Smartsheet: Assertion Consumer Service (ACS) URL: Audience Restriction: Note: Smartsheet supports SP initiated SSO only. IdP initiated SSO is not supported. 2
3 Configuring Smartsheet.com for use with your SAML Identity Provider (IdP) You must be a SysAdmin to configure SAML for your organization's Enterprise account. Ensure that your account is an Enterprise account by clicking on Account in the upper left corner and selecting Account Admin. On the Plan and Billing Info (default) page, make sure the Plan is Enterprise. If your plan is not Enterprise, please upgrade your account before proceeding. Accessing SAML configuration From the Account Admin form, select Security Controls. Click the Edit button in the Authentication section to open the Authentication form. 3
4 In the Authentication form, click not configured next to SAML to open the SAML Administration form. 4
5 One IdP, one domain (most common scenario) 1. Add IdP 1. Click Add IdP to open the Add IdP form. 2. Provide a descriptive nickname for your IdP. 3. Obtain the SAML Metadata XML for your IdP and paste it into the Metadata text area, or type in the URL where the metadata for your IdP can be accessed online. Consult your Identity Provider s documentation to determine how to obtain this. 4. Click Save. Smartsheet will validate the metadata. If the validation is successful (valid security certificate, etc.), the Edit IdP form will open. 5
6 2. Add domain 1. In the Edit IdP form, click Add Domain to open the Add Domain form. 6
7 2. Enter the name of the domain you want to be SAML enabled and click Save. 3. Once the domain name is saved, the Edit Domain form will open 3. Validate domain For security reasons, you must confirm that you control the domain in question. In the Edit Domain form, follow the instructions to validate your domain: 1. Create a DNS TXT record in your domain, exactly as instructed. 2. Once the record is created, click the Validate button to proceed. 3. Smartsheet will perform a DNS lookup to verify that the TXT record exists in your domain. The validation may fail if there is a delay in DNS propagation. If that happens, please attempt domain validation again later. 4. If the validation is successful, domain status will change from Not Validated to Inactive. IMPORTANT: The domain validation DNS record must always be present for the SAML configuration to remain valid. For that reason, do not remove the record even after the domain validation step is successfully completed. 4. Add CNAME (optional) Smartsheet provides the default SSO URL for your organization. You can add a shorter, more convenient CNAME instead, which may be easier to remember than the default URL we provide. 1. Create a CNAME DNS record in your domain and point it at sso.smartsheet.com. For example, "smartsheet.example.org IN CNAME sso.smartsheet.com" 2. In the Edit Domain form, enter the CNAME and click Add this field will only be displayed on the Edit Domain form after you ve clicked Validate. 7
8 3. It may take up to one hour for the change to take effect 5. Activate domain The ownership of the domain must be validated prior to activation. In the Edit Domain form, click Activate to activate the domain. The domain status will change from Inactive to Active. 8
9 6. Activate IdP The IdP must have at least one active domain prior to activation. In the Edit IdP form, click Activate to activate the IdP. The IdP status will change from Inactive to Active. 9
10 10 7. Enable SAML There must be at least one active IdP prior to enabling SAML. In the Authentication form, check the SAML box to enable SAML for your organization.
11 11 8. You can add additional IdPs and domains at any time by clicking edit configuration next to the SAML checkbox to open the SAML Administration form.
12 12
13 IdP security certificate expiration and rollover An expired security certificate will cause your Smartsheet SAML configuration to become disabled. To avoid any service disruption to your users, we urge you to make sure that your IdP security certificates are valid and up to date. Smartsheet regularly checks for expiring certificates and will notify organization administrators via 45 days and five days prior to the actual expiration date. If your SAML configuration has an IdP (OLD_IDP) with an expiring certificate, we recommend the following steps to minimize downtime for your users: 1. Create a new IdP (NEW_IDP) using metadata with a new security certificate. 2. Configure NEW_IDP (domains, etc.) so that its configuration is identical to that of OLD_IDP. 3. Deactivate OLD_IDP (if you have only one active IdP, you will need to disable SAML to do that). 4. Activate NEW IdP. It may take up to ten minutes for the activation to complete. 5. Don't forget to enable your SAML configuration if you had to disable it in an earlier step. 13
14 SAML configuration states SAML will be in one of three states: Not configured : No active IdPs Disabled : At least one active IdP, and SAML is not checked on the Authentication form. Enabled : At least one active IdP, and SAML is checked on the Authentication form. IdP will be in one of three states: Not configured : No active domains, or security certificate is expired Inactive : Valid metadata, valid security certificate, and at least one active domain Active : same as Inactive, plus not sharing entity ID with another active IdP, has no active domains in common with another active IdP, and is activated Domain will be in one of three states: Not validated : Not validated via DNS lookup Inactive : Validated via DNS lookup Active : Validated via DNS lookup, and is activated Additional configuration options 1. Adding domains to an IdP: There is no limit to the number of domains you can add. Domains within a given IdP must be unique. 2. Deactivating or deleting domains: open the Edit Domain form. If this is the only active domain within a parent IdP, you must first deactivate the IdP to deactivate or delete the domain. 3. Adding IdPs: There is no limit to the number of IdPs you can add. 4. Deactivating or deleting IdPs: open the Edit IdP form. If this is the only active IdP in your SAML configuration, you must first disable SAML to deactivate or delete the IdP. 5. Activating IdPs: To activate an IdP, make sure that it doesn t have the same entity ID as another active IdP and that it doesn t have any active domains in common with another active IdP. 14
15 Appendix A: Sample assertion 15 <saml2p:response xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol" xmlns:xs=" ID="id " IssueInstant=" T20:50:56.659Z" Version="2.0"> <saml2:issuer xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid format:entity"> <ds:signature xmlns:ds=" <ds:signedinfo> <ds:canonicalizationmethod Algorithm=" exc c14n#"/> <ds:signaturemethod Algorithm=" sha1"/> <ds:reference URI="#id "> <ds:transforms> <ds:transform Algorithm=" signature"/> <ds:transform Algorithm=" exc c14n#"> <ec:inclusivenamespaces xmlns:ec=" exc c14n#" PrefixList="xs"/> </ds:transform> </ds:transforms> <ds:digestmethod Algorithm=" <ds:digestvalue>nolry/cb/i62zwgd+twx5y1cbpo=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue> Ql0Twt5JoQ8jUeDO5lDGUcOBaq8Ab7jLYvZ0pNx44edC5diDJ5H3O1hPiroK+mdjjsI/ZA05bhOVVFmLmmWy2Dt4kuaS/MAg 3cmwA9mR4nd8AwArlOTorrxkgwqRE/3o4w2NoIF9qvTbmfE89ncpwCIGJ4a4Inn2ZvM4cc9yCIk= </ds:signaturevalue> <ds:keyinfo> <ds:x509data> <ds:x509certificate> MIICmzCCAgSgAwIBAgIGATYsZIyyMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCGhvbWVhd2F5MRwwGgYJKoZIhvcNAQkBFg1p bmzvqg9rdgeuy29tmb4xdteymdmxote5mtyyofoxdtqymdmxote5mtcyofowgzaxczajbgnvbayt AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK DARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwIaG9tZWF3YXkxHDAaBgkqhkiG 9w0BCQEWDWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOpYZr53pn3n RMseh5XQes/vl604M70D32evHIhMy9vYMdhH64LxlnxP0/pp4DtxxiyNSXgxm/OETNf0c17On9II Sq3TMG7jteAQ3Kan5O4O3tlySy2TcVnWTrN7ZSa60H0SmEUE4mU4YllgXdwuY/1hVxbcXSMyVfCq 3XRpnlIxAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEANartWhK+pd9woN2ln2szaZ9Roa4ccaQB8I1Q ipqpqf74/1pc8nixhdboi5tunhmcl7azsixiywtpoh2/gdsvgtbwi7hdjayian3uxrknhudlcqe1 zmz9x1icd/mkok2qelbfjklbn8eyjvtuebqv7csdsjgglqymdxefjodyyp0= </ds:x509certificate> </ds:x509data> </ds:keyinfo> </ds:signature> <saml2p:status xmlns:saml2p="urn:oasis:names:tc:saml:2.0:protocol"> <saml2p:statuscode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/> </saml2p:status> <saml2:assertion xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" xmlns:xs=" ID="id "IssueInstant=" T20:50:56.659Z" Version="2.0"> <saml2:issuer xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid format:entity"> <ds:signature xmlns:ds=" <ds:signedinfo> <ds:canonicalizationmethod Algorithm=" exc c14n#"/> <ds:signaturemethod Algorithm=" sha1"/> <ds:reference URI="#id "> <ds:transforms> <ds:transform Algorithm=" signature"/> <ds:transform Algorithm=" exc c14n#"> <ec:inclusivenamespaces xmlns:ec=" exc c14n#" PrefixList="xs"/> </ds:transform>
16 16 </ds:transforms> <ds:digestmethod Algorithm=" <ds:digestvalue>luojcqquwzpb2gbsg4lxfdnwy3o=</ds:digestvalue> </ds:reference> </ds:signedinfo> <ds:signaturevalue> cbnqxm/ey/yklqujwizsebz8rcwbs7vxsfazu/ke7b+asqqzob5mcubml5isywtg3+nux+yy8tw4qfbwhmclq3mka4ax 2uAmYzAa8HaL1hDL2rGmv+YOhzN0/l88VmF3sApiSeTeYIwVLhew4nayHktSa4ALMJGDEjK0s3RI4+s= </ds:signaturevalue> <ds:keyinfo> <ds:x509data> <ds:x509certificate> MIICmzCCAgSgAwIBAgIGATYsZIyyMA0GCSqGSIb3DQEBBQUAMIGQMQswCQYDVQQGEwJVUzETMBEG A1UECAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNjbzENMAsGA1UECgwET2t0YTEU MBIGA1UECwwLU1NPUHJvdmlkZXIxETAPBgNVBAMMCGhvbWVhd2F5MRwwGgYJKoZIhvcNAQkBFg1p bmzvqg9rdgeuy29tmb4xdteymdmxote5mtyyofoxdtqymdmxote5mtcyofowgzaxczajbgnvbayt AlVTMRMwEQYDVQQIDApDYWxpZm9ybmlhMRYwFAYDVQQHDA1TYW4gRnJhbmNpc2NvMQ0wCwYDVQQK DARPa3RhMRQwEgYDVQQLDAtTU09Qcm92aWRlcjERMA8GA1UEAwwIaG9tZWF3YXkxHDAaBgkqhkiG 9w0BCQEWDWluZm9Ab2t0YS5jb20wgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAOpYZr53pn3n RMseh5XQes/vl604M70D32evHIhMy9vYMdhH64LxlnxP0/pp4DtxxiyNSXgxm/OETNf0c17On9II Sq3TMG7jteAQ3Kan5O4O3tlySy2TcVnWTrN7ZSa60H0SmEUE4mU4YllgXdwuY/1hVxbcXSMyVfCq 3XRpnlIxAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEANartWhK+pd9woN2ln2szaZ9Roa4ccaQB8I1Q ipqpqf74/1pc8nixhdboi5tunhmcl7azsixiywtpoh2/gdsvgtbwi7hdjayian3uxrknhudlcqe1 zmz9x1icd/mkok2qelbfjklbn8eyjvtuebqv7csdsjgglqymdxefjodyyp0= </ds:x509certificate> </ds:x509data> </ds:keyinfo> </ds:signature> <saml2:subject xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion"> <saml2:nameid Format="urn:oasis:names:tc:SAML:2.0:nameid <saml2:subjectconfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml2:subjectconfirmationdata NotOnOrAfter=" T20:55:56.659Z" Recipient=" </saml2:subjectconfirmation> </saml2:subject> <saml2:conditions xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" NotBefore=" T20:45:56.659Z" NotOnOrAfter=" T20:55:56.659Z"> <saml2:audiencerestriction> <saml2:audience> </saml2:audiencerestriction> </saml2:conditions> <saml2:authnstatement xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion" AuthnInstant=" T20:50:56.659Z"SessionIndex="id "> <saml2:authncontext> <saml2:authncontextclassref> urn:oasis:names:tc:saml:2.0:ac:classes:passwordprotectedtransport </saml2:authncontextclassref> </saml2:authncontext> </saml2:authnstatement> <saml2:attributestatement xmlns:saml2="urn:oasis:names:tc:saml:2.0:assertion"> <saml2:attribute Name=" Address" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname format:unspecified"> <saml2:attributevalue xmlns:xs=" xmlns:xsi=" e> </saml2:attribute> </saml2:attributestatement> </saml2:assertion> </saml2p:response>
17 Appendix B SAML: Assertion Supported Claims Required Attributes: Persistent ID : This can be described as the attribute that is least likely to change for an identity. Smartsheet accepts six formats (a few of them are not specified in the SAML 2.0 standard) encoded in the NameID element. Here are the formats we support: urn:oasis:names:tc:saml:1.1:nameid format: address urn:oasis:names:tc:saml:2.0:nameid format: urn:oasis:names:tc:saml:2.0:nameid format:persistent urn:oasis:names:tc:saml:2.0:nameid format:unspecified urn:oasis:names:tc:saml:1.1:nameid format:unspecified urn:oid: Smartsheet will also accept assertions without a NameID element and will extract a Persistent ID value from an attribute if there is an attribute that matches the following: name="edupersonprincipalname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name=" name="persistent" nameformat="urn:oasis:names:tc:saml:2.0:nameid format:persistent" name="urn:oid: " nameformat="urn:oasis:names:tc:saml:2.0:attrname format:uri" name="edupersonprincipalname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:uri" address: This is the address associated with the Smartsheet account. This equates to a username in the Smartsheet service. This must be an attribute and will not be extracted from the NameID element. Here are the accepted formats: name=" " name=" name=" address",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name=" address",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name=" ",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name="saml_username",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name=" address",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:unspecified" 17
18 name=" address",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:unspecified" name=" address",nameformat=" name="urn:oid: ",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:uri" name="mail",nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" Optional Attributes Given Name: The given name of the user associated with the account (first name). Here are the formats that Smartsheet supports: name="givenname" name=" name="givenname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name="given_name" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name="givenname" nameformat=" name="givenname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:unspecified" name="urn:oid: " nameformat="urn:oasis:names:tc:saml:2.0:attrname format:uri" Surname: The surname of the user associated with the account (last name). Here are the formats that Smartsheet supports: name="surname" name=" name="surname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name="sur_name" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:basic" name="surname" nameformat=" name="surname" nameformat="urn:oasis:names:tc:saml:2.0:attrname format:unspecified" name="urn:oid: " nameformat="urn:oasis:names:tc:saml:2.0:attrname format:uri" 18
Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only)
Configuring SAML2 for Single Sign-On to Smartsheet (Enterprise Only) This document is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will
More informationConfiguring SAML2 for Single Sign On to Smartsheet (Enterprise Only)
Configuring SAML2 for Single Sign On to Smartsheet (Enterprise Only) This document is intended for technical professionals who are familiar with SAML and have access to the Identity Provider that will
More informationSAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples,
> SAML Profile for SSO in Danish Public Sector V2.0 Assertion Examples, Version 1.1 IT- og Telestyrelsen, Center for Serviceorienteret Infrastruktur August 2007 1 Introduction This non-normative document
More informationOIOIDWS for Healthcare Token Profile for Authentication Tokens
OIOIDWS for Healthcare Token Profile for Authentication Tokens Common Web Service Profile for Healthcare in the Danish Public Sector, version 2.0 Content Document History...3 Introduction...4 Notation...
More informationSingle Sign-On Implementation Guide
Version 27.0: Spring 13 Single Sign-On Implementation Guide Last updated: February 1, 2013 Copyright 2000 2013 salesforce.com, inc. All rights reserved. Salesforce.com is a registered trademark of salesforce.com,
More informationVETUMA SAML SAMPLE MESSAGES
Page 1 Version: 3.5 4.11.2015 VETUMA SAML SAMPLE MESSAGES 1 (7) Page 2 Version: 3.5 4.11.2015 Table of Contents 1. Introduction... 3 2. Authentication... 4 2.1 Single sign-on... 4 2.1.1 Request message...
More informationSAML Single-Sign-On (SSO)
C O L A B O R A T I V E I N N O V A T I O N M A N A G E M E N T Complete Feature Guide SAML Single-Sign-On (SSO) 1. Features This feature allows administrators to setup Single Sign-on (SSO) integration
More informationNational Identity Exchange Federation. Web Browser User-to-System Profile. Version 1.0
National Identity Exchange Federation Web Browser User-to-System Profile Version 1.0 August 18, 2014 Table of Contents TABLE OF CONTENTS 1 1. TARGET AUDIENCE AND PURPOSE 2 2. TERMINOLOGY 2 3. REFERENCES
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Winter 16 @salesforcedocs Last updated: November 4, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark
More informationSingle Sign-On Implementation Guide
Single Sign-On Implementation Guide Salesforce, Summer 15 @salesforcedocs Last updated: July 1, 2015 Copyright 2000 2015 salesforce.com, inc. All rights reserved. Salesforce is a registered trademark of
More informationWeb Access Management and Single Sign-On
Web Access Management and Single Sign-On Ronnie Dale Huggins In the old days of computing, a user would sit down at his or her workstation, login to the desktop, login to their email system, perhaps pull
More informationMLSListings Single Sign On Implementation Guide. Compatible with MLSListings Applications
MLSListings Single Sign On Implementation Guide Compatible with MLSListings Applications February 2010 2010 MLSListings Inc. All rights reserved. MLSListings Inc. reserves the right to change details in
More informationShibboleth Architecture
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 Shibboleth Architecture Technical Overview Working Draft 02, 8 June 2005 Document identifier: draft-mace-shibboleth-tech-overview-02 Location: http://shibboleth.internet2.edu/shibboleth-documents.html
More informationStandalone SAML Attribute Authority With Shibboleth
CESNET Technical Report 5/2013 Standalone SAML Attribute Authority With Shibboleth IVAN NOVAKOV Received 10. 12. 2013 Abstract The article defines what a standalone attribute authority is and how it can
More informationFeide Technical Guide. Technical details for integrating a service into Feide
Feide Technical Guide Technical details for integrating a service into Feide May 2015 Document History Version Date Initials Comments 1.0 Nov 2009 TG First issue 1.2 Nov 2009 TG Added SLO description 1.3
More informationTusker IT Department Tusker IT Architecture
Tusker IT Department System Overview Documents Tusker IT Department Tusker IT Architecture Single Sign On Overview Page 1 Document Information and Approvals VERSION HISTORY Version # Date Revised By Reason
More informationIBM WebSphere Application Server
IBM WebSphere Application Server SAML 2.0 web single-sign-on 2012 IBM Corporation This presentation describes support for SAML 2.0 web browser Single Sign On profile included in IBM WebSphere Application
More informationIAM Application Integration Guide
IAM Application Integration Guide Date 03/02/2015 Version 0.1 DOCUMENT INFORMATIE Document Title IAM Application Integration Guide File Name IAM_Application_Integration_Guide_v0.1_SBO.docx Subject Document
More informationSingle Sign-On Implementation Guide
Salesforce.com: Salesforce Winter '09 Single Sign-On Implementation Guide Copyright 2000-2008 salesforce.com, inc. All rights reserved. Salesforce.com and the no software logo are registered trademarks,
More informationGFIPM Web Browser User-to-System Profile Version 1.2
About the Document Justice organizations are looking for ways to provide secured access to multiple agency information systems with a single logon. The Global Federated Identity and Privilege Management
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications
Configuring Single Sign-on from the VMware Identity Manager Service to AirWatch Applications VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to AirWatch Applications
More informationSecurity Assertion Markup Language (SAML)
CS 595G 02/14/06 Security Assertion Markup Language (SAML) Vika Felmetsger 1 SAML as OASIS Standard OASIS Open Standard SAML V2.0 was approved in March, 2005 Blending of two earlier efforts on portable
More informationWeb Single Sign-On Authentication using SAML
IJCSI International Journal of Computer Science Issues, Vol. 2, 2009 ISSN (Online): 1694-0784 ISSN (Print): 1694-0814 41 Web Single Sign-On Authentication using SAML Kelly D. LEWIS, James E. LEWIS, Ph.D.
More informationDesign and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security
Design and Implementaion of a Single Sign-On Library Supporting SAML (Security Assertion Markup Language) for Grid and Web Services Security Dongkyoo Shin, Jongil Jeong, and Dongil Shin Department of Computer
More informationSingle Sign on Using SAML
Single Sign on Using SAML Priyank Rajvanshi, Subhash Chand Gupta Abstract- With the proliferation of SaaS and other web-based applications, identity management is becoming a major concern for businesses.
More informationShibboleth Authentication. Information Systems & Computing Identity and Access Management May 23, 2014
Shibboleth Authentication Information Systems & Computing Identity and Access Management May 23, 2014 For every question an answer: Why should I care about SAML? What is a Shibboleth? What is a Federation?
More informationDocuSign Information Guide. Single Sign On Functionality. Overview. Table of Contents
DocuSign Information Guide Single Sign On Functionality Overview The DocuSign Single Sign On functionality allows your system administrators to maintain user information in one location and your users
More informationOnly LDAP-synchronized users can access SAML SSO-enabled web applications. Local end users and applications users cannot access them.
This chapter provides information about the Security Assertion Markup Language (SAML) Single Sign-On feature, which allows administrative users to access certain Cisco Unified Communications Manager and
More informationORACLE TALEO BUSINESS EDITION SINGLE SIGN ON SERVICE PROVIDER REFERENCE GUIDE RELEASE 15.A2
ORACLE TALEO BUSINESS EDITION SINGLE SIGN ON SERVICE PROVIDER REFERENCE GUIDE RELEASE 15.A2 APR. 17 TH., 2015 Part Number: E50271-02 Oracle Corporation World Headquarters 500 Oracle Parkway Redwood Shores,
More informationDocuSign Single Sign On Implementation Guide Published: March 17, 2016
DocuSign Single Sign On Implementation Guide Published: March 17, 2016 Copyright Copyright 2003-2016 DocuSign, Inc. All rights reserved. For information about DocuSign trademarks, copyrights and patents
More informationActive Directory Federation Services
Active Directory Federation Services Installation Instructions for WebEx Messenger and WebEx Centers Single Sign- On for Windows 2008 R2 WBS29 Copyright 1997-2013 Cisco and/or its affiliates. All rights
More informationHow To Use Saml 2.0 Single Sign On With Qualysguard
QualysGuard SAML 2.0 Single Sign-On Technical Brief Introduction Qualys provides its customer the option to use SAML 2.0 Single Sign On (SSO) authentication with their QualysGuard subscription. When implemented,
More informationFederal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile
Federal Identity, Credential, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile Version 1.0 September 27, 2010 Document History This is the first
More informationSP-initiated SSO for Smartsheet is automatically enabled when the SAML feature is activated.
Chapter 87 Configuring Smartsheet The following is an overview of the steps required to configure the Smartsheet Web application for single sign-on (SSO) via SAML. Smartsheet offers both IdP-initiated
More informationSecure Services withapache CXF
Karlsruher Entwicklertag 2014 Secure Services withapache CXF Andrei Shakirin, Talend ashakirin@talend.com ashakirin.blogspot.com/ Agenda Introduction in Apache CXF Security Requirements Apply security
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to ServiceNow
Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow VMware Identity Manager AUGUST 2015 V1 Configuring Single Sign-On from VMware Identity Manager to ServiceNow Table of Contents
More information2015-11-30. Web Based Single Sign-On and Access Control
0--0 Web Based Single Sign-On and Access Control Different username and password for each website Typically, passwords will be reused will be weak will be written down Many websites to attack when looking
More informationSecurity Assertion Markup Language (SAML) V2.0 Technical Overview
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 Security Assertion Markup Language (SAML) V2.0 Technical Overview Working Draft 10, 9 October 2006 Document
More informationFederal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile
Federal Identity, Credentialing, and Access Management Security Assertion Markup Language (SAML) 2.0 Web Browser Single Sign-on (SSO) Profile Version 1.0.2 December 16, 2011 Document History Status Release
More informationEgnyte Single Sign-On (SSO) Installation for OneLogin
Egnyte Single Sign-On (SSO) Installation for OneLogin To set up Egnyte so employees can log in using SSO, follow the steps below to configure OneLogin and Egnyte to work with each other. 1. Set up OneLogin
More informationConfiguring Single Sign-on from the VMware Identity Manager Service to WebEx
Configuring Single Sign-on from the VMware Identity Manager Service to WebEx VMware Identity Manager SEPTEMBER 2015 V 2 Configuring Single Sign-On from VMware Identity Manager to WebEx Table of Contents
More informationThis chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections:
CHAPTER 1 SAML Single Sign-On This chapter describes how to use the Junos Pulse Secure Access Service in a SAML single sign-on deployment. It includes the following sections: Junos Pulse Secure Access
More informationEgnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS)
w w w. e g n y t e. c o m Egnyte Single Sign-On (SSO) Configuration for Active Directory Federation Services (ADFS) To set up ADFS so that your employees can access Egnyte using their ADFS credentials,
More informationBiometric Single Sign-on using SAML Architecture & Design Strategies
Biometric Single Sign-on using SAML Architecture & Design Strategies Ramesh Nagappan Java Technology Architect Sun Microsystems Ramesh.Nagappan@sun.com 1 Setting Expectations What you can take away! Understand
More informationSingle Sign On (SSO) Implementation Manual. For Connect 5 & MyConnect Sites
Single Sign On (SSO) Implementation Manual For Connect 5 & MyConnect Sites Version 6 Release 5.7 September 2013 1 What is Blackboard Connect Single Sign On?... 3 How it Works... 3 Drawbacks to Using Single
More informationTIB 2.0 Administration Functions Overview
TIB 2.0 Administration Functions Overview Table of Contents 1. INTRODUCTION 4 1.1. Purpose/Background 4 1.2. Definitions, Acronyms and Abbreviations 4 2. OVERVIEW 5 2.1. Overall Process Map 5 3. ADMINISTRATOR
More informationTo set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to work with each other.
w w w. e g n y t e. c o m Egnyte Single Sign-On (SSO) Installation for VMware Horizon To set up Egnyte so employees can log in using SSO, follow the steps below to configure VMware Horizon and Egnyte to
More informationWeb Services Security: SAML Token Profile 1.1
1 2 3 4 5 6 7 8 9 10 11 12 13 Web Services Security: SAML Token Profile 1.1 OASIS Standard, 1 February 2006 Document Identifier: wss-v1.1-spec-os-samltokenprofile OASIS Identifier: {WSS: SOAP Message Security
More informationFederation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough
Agenda Federation architectures for mobile applications OAuth 2.0 Drivers OAuth 2.0 Overview Mobile walkthrough Enter OAuth 2.0 Defines authorization & authentication framework for RESTful APIs An open
More informationUsing SAML for Single Sign-On in the SOA Software Platform
Using SAML for Single Sign-On in the SOA Software Platform SOA Software Community Manager: Using SAML on the Platform 1 Policy Manager / Community Manager Using SAML for Single Sign-On in the SOA Software
More informationConfiguring ADFS 3.0 to Communicate with WhosOnLocation SAML
Configuring ADFS 3.0 to Communicate with WhosOnLocation SAML --------------------------------------------------------------------------------------------------------------------------- Contents Overview...
More informationSecurity Assertion Markup Language (SAML) 2.0 Technical Overview
2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 Security Assertion Markup Language (SAML) 2.0 Technical Overview Working Draft 03, 20 February 2005 Document identifier:
More informationPractical Security Evaluation of SAML-based Single Sign-On Solutions
Practical Security Evaluation of SAML-based Single Sign-On Solutions Vladislav Mladenov, Andreas Mayer, Marcus Niemietz, Christian Mainka, Florian Feldmann, Julian Krautwald, Jörg Schwenk 1 Single Sign-On
More informationHOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services
1 HOTPin Integration Guide: Salesforce SSO with Active Directory Federated Services Disclaimer Disclaimer of Warranties and Limitation of Liabilities All information contained in this document is provided
More informationTechnik und Informatik. SOAP Security. Prof. Dr. Eric Dubuis Berner Fachhochschule Biel. Version April 11, 2012
SOAP Security Prof. Dr. Eric Dubuis Berner Fachhochschule Biel Version April 11, 2012 Overview Motivation Transport security versus SOAP Security WS-Security stack overview Structure of secured SOAP messages
More informationIntroduction to Directory Services
Introduction to Directory Services Overview This document explains how AirWatch integrates with your organization's existing directory service such as Active Directory, Lotus Domino and Novell e-directory
More informationSetting Up Federated Identity with IBM SmartCloud
White Paper March 2012 Setting Up Federated Identity with IBM SmartCloud 2 Setting Up Federated Identity with IBM SmartCloud Notices Contents International Business Machines Corporation provides this publication
More informationSAML Authentication within Secret Server
SAML Authentication within Secret Server Secret Server allows the use of SAML Identity Provider (IdP) authentication instead of the normal authentication process for single sign-on (SSO). To do this, Secret
More informationStep-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x
Step-by-Step guide for SSO from MS Sharepoint 2010 to SAP EP 7.0x Sverview Trust between SharePoint 2010 and ADFS 2.0 Use article Federated Collaboration with Shibboleth 2.0 and SharePoint 2010 Technologies
More informationSAML 2.0 INT SSO Deployment Profile
1 2 3 4 5 6 SAML 2.0 INT 7 8 9 Version: 0.1 Date: 2011-12-2 10 Editor: TBD 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 Contributors: The full list of contributors can be referenced here: URL Status: This
More informationРазработка программного обеспечения промежуточного слоя. TERENA BASNET Workshop, 16-17 November 2009 Joost van Dijk - SURFnet
Разработка программного обеспечения промежуточного слоя TERENA BASNET Workshop, 16-17 November 2009 Joost van Dijk - SURFnet Contents - SURFnet Middleware Services department: - eduroam, SURFfederatie,
More informationT his feature is add-on service available to Enterprise accounts.
SAML Single Sign-On T his feature is add-on service available to Enterprise accounts. Are you already using an Identity Provider (IdP) to manage logins and access to the various systems your users need
More informationConfiguring EPM System 11.1.2.1 for SAML2-based Federation Services SSO
Configuring EPM System 11.1.2.1 for SAML2-based Federation Services SSO Scope... 2 Prerequisites Tasks... 2 Procedure... 2 Step 1: Configure EPM s WebLogic domain for SP Federation Services... 2 Step 2:
More informationGetting Started with Single Sign-On
Getting Started with Single Sign-On I. Introduction NobleHour sets out to incentivize civic engagement by enabling users within companies, educational institutions, and organizations to conduct and coordinate
More informationAdvanced Configuration Administration Guide
Advanced Configuration Administration Guide Active Learning Platform October 2015 Table of Contents Configuring Authentication... 1 PingOne... 1 LMS... 2 Configuring PingOne Authentication... 3 Before
More informationGetting Started with AD/LDAP SSO
Getting Started with AD/LDAP SSO Active Directory and LDAP single sign- on (SSO) with Syncplicity Business Edition accounts allows companies of any size to leverage their existing corporate directories
More informationKantara egov and SAML2int comparison
Kantara egov and SAML2int comparison 17.8.2010/mikael.linden@csc.fi This document compares the egovernment Implementation profile of SAML 2.0, created by the egovernment WG of Kantara Initiative, and the
More informationSingle Sign-on. Overview. Using SSO with the Cisco WebEx and Cisco WebEx Meeting. Overview, page 1
Overview, page 1 Using SSO with the Cisco WebEx and Cisco WebEx Meeting Applications, page 1 Requirements, page 2 Configuration of in Cisco WebEx Messenger Administration Tool, page 3 Sample Installation
More informationEgnyte Single Sign-On (SSO) Installation for Okta
w w w. e g n y t e. c o m Egnyte Single Sign-On (SSO) Installation for Okta To set up Egnyte so employees can log in using SSO, follow the steps below to configure Okta and Egnyte to work with each other.
More informationOpen Source Identity Integration with OpenSSO
Open Source Identity Integration with OpenSSO April 19, 2008 Pat Patterson Federation Architect pat.patterson@sun.com blogs.sun.com/superpat Agenda Web Access Management > The Problem > The Solution >
More informationHow to create a SP and a IDP which are visible across tenant space via Config files in IS
How to create a SP and a IDP which are visible across tenant space via Config files in IS This Documentation is explaining the way to create a SP and IDP which works are visible to all the tenant domains.
More informationSAML basics A technical introduction to the Security Assertion Markup Language
SAML basics A technical introduction to the Security Assertion Markup Language WWW2002 Eve Maler, XML Standards Architect XML Technology Center Sun Microsystems, Inc. Agenda The problem space SAML concepts
More informationConfiguring. Moodle. Chapter 82
Chapter 82 Configuring Moodle The following is an overview of the steps required to configure the Moodle Web application for single sign-on (SSO) via SAML. Moodle offers SP-initiated SAML SSO only. 1 Prepare
More informationHP Software as a Service. Federated SSO Guide
HP Software as a Service Federated SSO Guide Document Release Date: July 2014 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty statements accompanying
More informationSAML SSO Configuration
SAML SSO Configuration Overview of Single Sign-, page 1 Benefits of Single Sign-, page 2 Overview of Setting Up SAML 2.0 Single Sign-, page 3 SAML 2.0 Single Sign- Differences Between Cloud-Based Meeting
More informationCopyright: WhosOnLocation Limited
How SSO Works in WhosOnLocation About Single Sign-on By default, your administrators and users are authenticated and logged in using WhosOnLocation s user authentication. You can however bypass this and
More informationMONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY. ASR 2006/2007 Final Project. Supervisers: Maryline Maknavicius-Laurent, Guy Bernard
MONDESIR Eunice WEILL-TESSIER Pierre FEDERATED IDENTITY ASR 2006/2007 Final Project Supervisers: Maryline Maknavicius-Laurent, Guy Bernard Federated Identity Project topic Superviser: Maryline Maknavicius
More informationShibboleth User Verification Customer Implementation Guide 2015-03-13 Version 3.5
Shibboleth User Verification Customer Implementation Guide 2015-03-13 Version 3.5 TABLE OF CONTENTS Introduction... 1 Purpose and Target Audience... 1 Commonly Used Terms... 1 Overview of Shibboleth User
More informationConfiguring Sponsor Authentication
CHAPTER 4 Sponsors are the people who use Cisco NAC Guest Server to create guest accounts. Sponsor authentication authenticates sponsor users to the Sponsor interface of the Guest Server. There are five
More informationPingFederate. Salesforce Connector. Quick Connection Guide. Version 4.1
PingFederate Salesforce Connector Version 4.1 Quick Connection Guide 2011 Ping Identity Corporation. All rights reserved. PingFederate Salesforce Quick Connection Guide Version 4.1 June, 2011 Ping Identity
More informationINUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE
INUVIKA OPEN VIRTUAL DESKTOP ENTERPRISE SAML 2.0 CONFIGURATION GUIDE Roy Heaton David Pham-Van Version 1.1 Published March 23, 2015 This document describes how to configure OVD to use SAML 2.0 for user
More informationComputer Services Documentation
Computer Services Documentation Shibboleth Documentation {Shibboleth & Google Apps Integration} John Paul Szkudlapski June 2010 Note: These case studies, prepared by member organisations of the UK federation,
More informationAn overview of configuring WebEx for single sign-on. To configure the WebEx application for single-sign on from the cloud service (an overview)
Chapter 190 WebEx This chapter includes the following sections: "An overview of configuring WebEx for single sign-on" on page 190-1600 "Configuring WebEx for SSO" on page 190-1601 "Configuring WebEx in
More informationOneLogin Integration User Guide
OneLogin Integration User Guide Table of Contents OneLogin Account Setup... 2 Create Account with OneLogin... 2 Setup Application with OneLogin... 2 Setup Required in OneLogin: SSO and AD Connector...
More informationSAML Authentication Quick Start Guide
SAML Authentication Quick Start Guide Powerful Authentication Management for Service Providers and Enterprises Authentication Service Delivery Made EASY Copyright 2013 SafeNet, Inc. All rights reserved.
More informationThis section includes troubleshooting topics about single sign-on (SSO) issues.
This section includes troubleshooting topics about single sign-on (SSO) issues. SSO Fails After Completing Disaster Recovery Operation, page 1 SSO Protocol Error, page 1 SSO Redirection Has Failed, page
More informationIt is I, SAML. Ana Mandić Development Lead @ Five Minutes Ltd
It is I, SAML Ana Mandić Development Lead @ Five Minutes Ltd About Five Minutes We design and develop top notch mobile apps for leading mobile platforms 50 full-time employees Offices in Zagreb, Osijek
More informationOIOSAML 2.0 Toolkits Test results May 2009
OIOSAML 2.0 Toolkits Test results May 2009 5. September 2008 - Søren Peter Nielsen: - Lifted and modified from http://docs.google.com/a/nemsso.info/doc?docid=dfxj3xww_7d9xdf7gz&hl=en by Joakim Recht 12.
More informationCA Nimsoft Service Desk
CA Nimsoft Service Desk Single Sign-On Configuration Guide 6.2.6 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation
More informationElectronic Bank Account Management - EBAM
Electronic Bank Account Management - EBAM EBAM and Digital Signature This guide provides an overview of how to use a digital signature in the EBAM solution to sign the XML messages and the potential attachments.
More informationOIO SAML Profile for Identity Tokens
> OIO SAML Profile for Identity Tokens Version 1.0 IT- & Telestyrelsen October 2009 Content > Document History 3 Introduction 4 Related profiles 4 Profile Requirements 6 Requirements 6
More informationINTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE
INTEGRATE SALESFORCE.COM SINGLE SIGN-ON WITH THIRD-PARTY SINGLE SIGN-ON USING SENTRY A GUIDE TO SUCCESSFUL USE CASE Legal Marks No portion of this document may be reproduced or copied in any form, or by
More informationSAML Profile for Privacy-enhanced Federated Identity Management
SAML Profile for Privacy-enhanced Federated Identity Management Rainer Hörbe, Identinetics GmbH Abstract This profile for the SAML WebSSO use case specifies an enhancement that allows users to limit their
More informationSAML-Based SSO Solution
About SAML SSO Solution, page 1 SAML-Based SSO Features, page 2 Basic Elements of a SAML SSO Solution, page 2 SAML SSO Web Browsers, page 3 Cisco Unified Communications Applications that Support SAML SSO,
More informationHP Software as a Service
HP Software as a Service Software Version: 6.1 Federated SSO Document Release Date: August 2013 Legal Notices Warranty The only warranties for HP products and services are set forth in the express warranty
More information02267: Software Development of Web Services
02267: Software Development of Web Services Week 11 Hubert Baumeister huba@dtu.dk Department of Applied Mathematics and Computer Science Technical University of Denmark Fall 2015 1 Contents WS-Policy Web
More informationSingle Sign On: Volunteer Connection Support Tree for Administrators Release 2.0
Single Sign On: Volunteer Connection Support Tree for Administrators Release 2.0 Updated 2/24/2016 Page 1 Single Sign On Volunteer Connection Support Tree for Administrators Purpose General Information
More informationConfiguring Parature Self-Service Portal
Configuring Parature Self-Service Portal Chapter 2 The following is an overview of the steps required to configure the Parature Self-Service Portal application for single sign-on (SSO) via SAML. Parature
More informationTalk-101 User Guide. DNSGate
Talk-101 User Guide DNSGate What is DNSGate? DNSGate is a management interface to allow you to make DNS changes to your domain. The interface supports A, CNAME, MX and TXT records. What is DNS? DNS stands
More informationSAML single sign-on configuration overview
Chapter 46 Configurin uring Drupal Configure the Drupal Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with a Drupal-based web application. Configuration also specifies
More information