Getting Started with Single Sign-On




I. Introduction

Your institution is considering or has already purchased Collaboratory from Treetop Commons, LLC. One benefit provided to member institutions is Single Sign-On (SSO) integration, an access control method that eliminates the need for creating and managing a separate account in Collaboratory. This document provides Information Technology administrators with the procedures necessary to implement the SSO process for your institution's network.

What is Collaboratory?

Collaboratory connects and enhances campus-wide information about and support for community engagement relationships, resources, activities, and outcomes. Faculty, staff, and invited students can document and display their engagement and public service activities in a web-based, centralized hub, whether providing direct services at a nonprofit organization, teaching professionals and residents of a community, or conducting research collaboratively with community partners.

II. SSO/SAML Overview

The Benefits of Single Sign-On (SSO)

Users benefit from a simple and unified access method across multiple or disparate networks. This means interoperability, automation, and the seamless use of an SSO policy to reduce the burden of multiple account authentication processes. With SSO, only the existing credentials of an institution are necessary for users, eliminating the need to create and manage a separate Collaboratory account.

In order to offer SSO within your institution, Collaboratory embraces Security Assertion Markup Language (SAML 2.0). SAML is an XML-based format for exchanging authorization data between systems. It is widely adopted in private enterprises worldwide and considered the first choice for managing SSO authentication, due to its flexible configuration, multiple platform support, and ability to interoperate with widely used core protocols and authentication methods.

Despite SAML's rapid adoption, every system is different. There is always customization involved depending on the architecture, protocol, and mechanisms used by your institution. Our team is dedicated to working within your parameters, laying the groundwork for a seamless SSO implementation. For this process, we've set up two SAML components: SAML-based registration and SAML-based login.

You can learn more about SAML by viewing the official Security Assertion Markup Language website. This provides a complete overview of SAML's requirements, specifications, and deployment profile.

III. Next Steps for Implementation

Before implementing SSO, we require information about your organization's current system. This consists of two steps:

1. Complete the SSO Initial Assessment questionnaire, which you can access here. In IV: SSO Initial Assessment Help, we'll walk you through this questionnaire and clarify what's required.
2. Email develop@cecollaboratory.com with the information specified in V: SAML2 Identity Provider Setup.

To assist in the information collection process, we've included two additional sections:

VI: Collaboratory SSO Flowchart - Provides a graphical representation of the SSO authentication process for previously established and newly linked accounts.
VII: Reference - Includes helpful definitions, links, and metadata for the SSO/SAML2 implementation.

IV. SSO Initial Assessment Help

This section provides an overview of each question asked within the SSO Initial Assessment Questionnaire. As you enter data into the online form, please use this document as a reference. It will help frame any relevant information required and help expedite your SSO implementation.

Basic Information

Q.1: Enter the name of your institution.
Q.2-Q.4: Provide us with the contact information for your IT Manager or SSO Project Team Leader.

System Information

Q.5: Provide the IdP (Identity Provider) solution currently in use by your institution.
Q.6: Help us determine if your system is capable of federation with external systems. This information is typically provided by your software partner or vendor.
Q.7: List all supported federations, solutions, and protocols used by your institution. Please include all current versions as well as future versions, upgrades, or platform changes planned within the next 90 days. In order for TreeTop to implement SAML, we will need to understand protocol information such as authentication context, attributes, and bindings. Collaboratory supports a variety of solutions for the SAML protocol such as LDAP, Shibboleth, ADFS, and PingFederate.
Q.8: Help us identify your preferred protocol. We understand that our clients use different technologies. We have designed Collaboratory to pass an array of attributes during the authentication process.
Q.9: Provide us with all necessary account information used during the federation process. By default, Collaboratory receives basic account information such as first name, last name, and email, and can be customized to accommodate additional data when necessary, such as date of birth, gender, and ethnicity. An API is required to dissociate federated logons. This is typically provided by your current software partner or vendor. Regardless, our team will be on hand to understand and plan API specifics with you.
Q.10: Inform us of the steps your institution requires us to complete to become an official service provider.
Q.11: We require a test environment used as a staging area for dummy accounts that will simulate and verify the authentication flow. We can work with simple test accounts or full production environments.

Additional Information

Q.12: Briefly explain the primary security concerns shared within your institution. Security is always an important component to us, especially the authentication process. At TreeTop Commons, we take all security concerns seriously and will adhere to any institutional standards required during the entire project cycle.
Q.13: Provide us with any internal support documentation that can help us work more effectively to implement SSO or that will clarify any potential incompatibilities.
Q.14: Include example data fields or headers that we can use for reference, especially within the test environment.
Q.15-Q.16: To help streamline the SSO implementation process, please define your role, as well as that of participating team members, along with their contact information.
Q.17: Help us define your preferred timeline for rolling out Collaboratory at your institution.

When complete, please select Submit questionnaire at the end of the online form and proceed to V: SAML2 Identity Provider Setup.

V. SAML2 Identity Provider Setup

Now that you've completed the SSO Initial Assessment Questionnaire, the next step is to send an email to us at develop@cecollaboratory.com to begin our four-step process for your SAML2 setup and configuration. For the implementation of SSO, we assume that your institution already has an Identity Provider (IdP) and that users have an existing account (Principal Identity) with that specific IdP.

SAML2 SSO Timeline Synopsis

In order to set your institution up as a SAML2 Identity Provider, our team will perform the following:

1. Exchange metadata & endpoint information
2. Configure account information & field names
3. Test integration in Collaboratory staging environment
4. Roll out production environment

1. Exchange metadata and endpoint information with your team. Send an email to develop@cecollaboratory.com providing us with:

- The IdP metadata, certificate, or fingerprint information
- Single logon endpoint credentials
- Entity ID
- Whether messages are digitally signed

2. Configure the account information & field names you're able to provide. When a user authenticates with the IdP, a federated identity must be created in the Collaboratory system. This entails a process within Collaboratory that establishes the account using the Principal Identity provided by the IdP. While Collaboratory's SSO requires several basic attributes from the assertion within the authentication response, additional attributes can be used to establish a more detailed user profile. The table titled Attribute Table below identifies and defines the expected attributes, mapping them to two common Identity Providers for your reference.

Attribute Table

Attribute     Required   Shibboleth                      PingFederate
uuid          FALSE      eduPersonTargetedID             <varies>
email         TRUE       eduPersonPrincipalName, mail    email
firstname     TRUE       givenName                       firstname
lastname      TRUE       sn                              lastname
over13        TRUE       <n/a>                           over13
affiliation   FALSE      eduPersonAffiliation            <n/a>
birthdate     FALSE      <n/a>                           birthdate

Note: The requirements on the birthdate and over13 attributes are mutually exclusive. If birthdate is provided, then the over13 attribute does not need to be provided, and vice versa.

Below is an example set of acceptable attributes (the saml prefix is bound on the enclosing Assertion element):

    <saml:AttributeStatement xmlns:xs="http://www.w3.org/2001/XMLSchema">
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="over13">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">y</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="email">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">user@institution.edu</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="lastname">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">smith</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="firstname">
        <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>

3. Deploy and test the integration in the Collaboratory staging environment.

A. Test SP-initiated logins and account claiming.
B. Test IdP-initiated logins and account claiming.

We will communicate with your team during this phase to ascertain what's necessary and/or available for use as a test environment and credentials within your institution. A security analysis and deployment schedule will also be discussed, helping us understand when we can begin.

4. Roll out our production environment. We will configure your Identity Provider (IdP) with your portal.

SSO Implementation Complete!

Once everything has been provided to us, we'll get started with the implementation. Upon completion, we'll inform your portal administrator. The portal administrator can then invite users to log in to Collaboratory with your institution's credentials.
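As an added illustration of steps 1 and 2 (example code written for this page, not Collaboratory's or Treetop Commons' software), the following Python script extracts the items step 1 asks for from an IdP metadata document (Entity ID, single sign-on endpoint, signing-certificate fingerprint, and whether the IdP requires signed AuthnRequests) and then checks an AttributeStatement against the Attribute Table above, including the over13/birthdate rule. The metadata document, entity ID, URLs, attribute values and certificate bytes are constructed placeholders; the Shibboleth alias list is taken from the table, and it is an assumption that an IdP may also release the Collaboratory attribute names directly (which is how the PingFederate column reads). The "shibboleth"/"pingfederate" keys are labels chosen for this example.

```python
"""Added example, not Collaboratory / Treetop Commons code: pull the step 1
facts out of an IdP metadata document and check a step 2 AttributeStatement
against the Attribute Table. All XML, URLs and the certificate are constructed."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

def fingerprint(der_bytes):
    """SHA-256 of the DER certificate, colon-separated, for out-of-band comparison."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der_bytes).digest())

def parse_idp_metadata(xml_text):
    """Entity ID, SSO endpoints per binding, and signing-certificate fingerprints."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' = signing and encryption
            continue
        b64 = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS).text
        fingerprints.append(fingerprint(base64.b64decode("".join(b64.split()))))
    endpoints = {s.get("Binding").rsplit(":", 1)[-1]: s.get("Location")
                 for s in idp.findall("md:SingleSignOnService", NS)}
    return {
        "entity_id": root.get("entityID"),
        "sso_endpoints": endpoints,
        "signing_cert_sha256": fingerprints,
        # The IdP asks the SP to sign AuthnRequests; whether the IdP signs its own
        # responses is not stated in metadata and must be confirmed with the IdP team.
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }

# Attribute Table from the page: Collaboratory name -> (required, incoming names per IdP).
# The PingFederate column uses the Collaboratory names themselves, so only Shibboleth
# needs aliases. Assumption: any IdP may also release the Collaboratory name directly.
ATTRIBUTE_TABLE = {
    "uuid":        (False, {"shibboleth": ["eduPersonTargetedID"]}),
    "email":       (True,  {"shibboleth": ["eduPersonPrincipalName", "mail"]}),
    "firstname":   (True,  {"shibboleth": ["givenName"]}),
    "lastname":    (True,  {"shibboleth": ["sn"]}),
    "over13":      (True,  {}),
    "affiliation": (False, {"shibboleth": ["eduPersonAffiliation"]}),
    "birthdate":   (False, {}),
}

def extract_attributes(statement_xml):
    """{Name: [values]} for every saml:Attribute inside an AttributeStatement."""
    out = {}
    for attr in ET.fromstring(statement_xml).iter(f"{{{NS['saml']}}}Attribute"):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        out.setdefault(attr.get("Name"), []).extend(values)
    return out

def map_and_validate(raw, idp):
    """Map incoming names to Collaboratory names; return (mapped, problems)."""
    mapped, problems = {}, []
    for name, (_, aliases) in ATTRIBUTE_TABLE.items():
        for candidate in [name] + aliases.get(idp, []):
            if raw.get(candidate):
                mapped[name] = raw[candidate][0]
                break
    for name, (required, _) in ATTRIBUTE_TABLE.items():
        if name == "over13" and "birthdate" in mapped:
            continue  # table note: birthdate satisfies the age requirement instead
        if required and name not in mapped:
            problems.append(f"missing required attribute: {name}")
    return mapped, problems

# Constructed sample inputs (placeholder certificate bytes, not a real X.509 certificate).
PLACEHOLDER_DER = b"CONSTRUCTED PLACEHOLDER, NOT A REAL CERTIFICATE"
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(PLACEHOLDER_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# A Shibboleth-style statement that releases no age attribute at all.
SHIB_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{NS['saml']}">
  <saml:Attribute Name="mail"><saml:AttributeValue>user@institution.edu</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>john</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="sn"><saml:AttributeValue>smith</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(map_and_validate(extract_attributes(SHIB_STATEMENT), "shibboleth"))
```

The fingerprint the script prints is meant to be compared with the one the IdP team sends through a separate channel before the metadata is loaded into the service provider; a mismatch means the metadata file should not be trusted. The Shibboleth sample deliberately omits both over13 and birthdate, so the validator reports the missing age attribute, which is the case the Attribute Table note is warning about.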

VI. Collaboratory SSO Flow Chart

This section provides a graphic illustration of the SSO authentication process for both existing and newly linked accounts.

VII. Reference

This section details important definitions you should become familiar with, along with links to help configure your Identity Provider.

SSO Primary Definitions

These definitions lay the groundwork for understanding Collaboratory's SSO implementation.

Single Sign-On (SSO) - A process enabling a user to log in once and gain access to related systems without being prompted to log in again at each of them.
Security Assertion Markup Language (SAML) - XML-based data format for exchanging authentication and authorization data between systems.
Identity Provider (IdP) - A module that creates, maintains, and manages identity information. The IdP also provides authentication to its service providers within a federation.
Service Provider (SP) - System entity providing services to users or other system entities.
Federation - An association composed of any number of service providers and identity providers.
System Entity - An active element of the system with a distinct set of functionality.
Identity - An entity described by attributes and unique data objects.
Principal - A system entity whose identity can be authenticated.
Principal Identity - A representation of a principal's identity as a unique data object (i.e., a user account).

Metadata Links

1. Our staging environment metadata can be found here.
2. Our production environment metadata can be found here.

Links to help you in the configuration of popular identity providers:

SAML: http://saml2int.org/profile/current
LDAP: http://msdn.microsoft.com/en-us/library/aa367008%28v=vs.85%29.aspx
PingFederate: https://www.pingidentity.com/en/products/pingfederate.html
Shibboleth: http://shibboleth.net/
ADFS: http://technet.microsoft.com/en-us/library/cc736690%28v=ws.10%29.aspx

Revision History

11.4.2015: Document approved for circulation.