idp Connect for OutSystems applications

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Single Sign-On with OutSystems and Identity Providers (IdP)

While the general overview of the Single Sign-On configuration is the same for all Identity Providers (IdP),

Abstract

As resources move to the cloud, users experience a proliferation of credentials: the usernames, passwords and, sometimes, devices they use to log in (authenticate) to cloud-based services. Single sign-on technologies come to the rescue, allowing users to authenticate at a single location and access a range of services without re-authenticating. Since its release in 2005, the Security Assertion Markup Language (better known as SAML) version 2.0 has established itself as the dominant standard for cross-domain web single sign-on in the enterprise space.
Architecture

SAML 2.0 defines several roles for parties involved in single sign-on.

idp Initiated

1. The user opens the idp dashboard.
2. The user authenticates.
3. A dashboard is presented with all the SSO applications configured in idp.
4. The user selects an application.
5. idp sends a SAML response to the OutSystems application.
6. The OutSystems application verifies the SAML response.
7. The user is logged in to OutSystems.
Application Initiated

1. The user navigates to the OutSystems application.
2. The user is redirected to the idp link for the application.
3. idp redirects the user back to OutSystems with a SAML response.
4. OutSystems verifies the SAML response.
5. The user is logged in to OutSystems.
6. idp redirects the user back to the OutSystems starting location.

The Anatomy of the Authentication in OutSystems

The first thing that happens when you try to open a page not flagged as anonymous is a security exception.
This security exception is handled inside the preparation of the NoPermission web page:

The first section verifies whether you are already logged in. If you are, and there was still a security exception, you are not supposed to be there at all and you are redirected to the generic Invalid Permissions screen. If you are not logged in, the system checks how to log you in. In the second section the system verifies whether Active Directory or LDAP is configured in your environment; if so, it redirects to the AD or LDAP authentication. If not, the third section redirects you to the login screen.
As you can see, this is the ideal place to include a custom login mechanism. For our idp connector it could be something like:

Setting up the Identity Provider (IDP)

Configure the settings as follows:

SAML Version: only 2.0 is supported.

Identity Provider Certificate: load the token-signing certificate into the OutSystems idp module resources.

Open Service Center and configure the settings as follows:

o idp_sso_issuer: Identity Provider Single Sign-On Issuer. Paste your entityID here. (In the example, it is http://fs.outsystems.fi/adfs/services/trust)
o idp_sso_url: Identity Provider Login URL. This is the URL of your AD FS SAML endpoint, to which OutSystems will send SAML requests for SP-initiated login. It can be found in the AD FS MMC under Endpoints, Token Issuance, Type: SAML 2.0/WS-Federation. (In the example, it is https://fs.outsystems.fi/adfs/ls/ - note that you must include the slash at the end of the URL!)
o idp_attributegroupname: Group attribute of the SAML message. If the attribute in the response matches, the user's groups are updated. (In the example, it is http://schemas.xmlsoap.org/claims/group)
o idp_attributename: Name attribute of the SAML message. (In the example, it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) This parameter is optional.
o idp_attributefirstname: First name attribute of the SAML message. (In the example, it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname) This parameter is optional.

2001-2014 OutSystems Finland - All rights reserved Page 5 www.outsystems.fi
o idp_attributesurname: Surname attribute of the SAML message. (In the example, it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname) This parameter is optional.
o idp_attributeusername: Username attribute of the SAML message. If the value is empty, the saml:Subject/saml:NameID value is used instead. This parameter is optional.
o idp_attributeemail: Email attribute of the SAML message. (In the example, it is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) This parameter is optional.

SAML User ID Type: to log a user in we match against the OutSystems username.

SAML User ID Location: to log the user in we can use either the NameID in the SAML assertion or another attribute (the attribute name should be assigned in the idp_attributeusername parameter). We can use NameID, since AD FS populates NameID in the SAML assertion.

Setup an Application

You will need to provide the eSpace name to idp. By default it uses the caller URL address for the final redirection. If the caller address is empty, the eSpace default page is called.

On your application, create a redirect to the unique URL provided by your idp (see The Anatomy of the Authentication in OutSystems). In either case, the browser should follow a chain of redirects, ultimately logging you in to your application. If you get a login error, use the SAML assertion validator tool.

Summary

Applications running on the OutSystems platform have access to SAML 2.0 cross-domain web single sign-on, as does Microsoft Active Directory Federation Services 2.0. This article demonstrates how to configure the two systems to enable seamless SSO from the Windows desktop to an OutSystems application without the need for any additional third-party products.
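A worked version of step 2 of the Application Initiated flow (the redirect from the application to idp_sso_url carrying an encoded SAML request), added here as an example; it is not code from the OutSystems idp module. The SP entity ID, the assertion consumer URL and the use of RelayState to carry the caller URL are assumptions and placeholders, not values from this guide.

```python
import base64
import uuid
import zlib
from datetime import datetime, timezone
from urllib.parse import urlencode

# The page's example idp_sso_url; the trailing slash must be kept.
IDP_SSO_URL = "https://fs.outsystems.fi/adfs/ls/"
# Assumed placeholders for the service-provider side (not from the page).
SP_ISSUER = "https://sp.example.invalid/idp"
SP_ACS_URL = "https://sp.example.invalid/idp/AssertionConsumer.aspx"

def build_authn_request(sp_issuer, acs_url, request_id, issue_instant):
    """Minimal SAML 2.0 AuthnRequest; the SP stores request_id to match InResponseTo later."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_issuer}</saml:Issuer></samlp:AuthnRequest>"
    )

def deflate_b64(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()

def inflate_b64(data):
    """Inverse of deflate_b64, i.e. what the idp does before parsing the request."""
    return zlib.decompress(base64.b64decode(data), -15).decode()

def redirect_url(idp_sso_url, authn_request_xml, relay_state):
    """Location header for step 2 of the Application Initiated flow. RelayState carries
    the caller URL so the user can be sent back to the starting location in step 6."""
    query = urlencode({"SAMLRequest": deflate_b64(authn_request_xml), "RelayState": relay_state})
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + query

def new_request_id():
    return "_" + uuid.uuid4().hex

def now_iso():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")

if __name__ == "__main__":
    req = build_authn_request(SP_ISSUER, SP_ACS_URL, new_request_id(), now_iso())
    print(redirect_url(IDP_SSO_URL, req, "https://sp.example.invalid/MyApp/Orders.aspx"))
```

When RelayState comes back with the response, accept only values that point at the application's own host before using them for the final redirection.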
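An added example, not the idp module's own code, of what the verification step has to do with the idp_* settings above: check the Issuer against idp_sso_issuer, enforce the Conditions validity window, and map the username (falling back to saml:Subject/saml:NameID when idp_attributeusername is empty), email and groups. The SAML response is constructed for illustration, and signature verification with the loaded token-signing certificate is assumed to happen before this mapping runs.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Service Center settings using the page's example values; idp_attributeusername is
# left empty so the NameID fallback the page describes is exercised.
SETTINGS = {
    "idp_sso_issuer": "http://fs.outsystems.fi/adfs/services/trust",
    "idp_attributegroupname": "http://schemas.xmlsoap.org/claims/group",
    "idp_attributeusername": "",
    "idp_attributeemail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
}

# Constructed, unsigned sample response. Signature verification against the loaded
# token-signing certificate is assumed to have happened before map_response is called.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://fs.outsystems.fi/adfs/services/trust</saml:Issuer>
  <saml:Assertion>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-06-01T12:00:00Z" NotOnOrAfter="2014-06-01T12:05:00Z"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/claims/group">
        <saml:AttributeValue>Sales</saml:AttributeValue>
        <saml:AttributeValue>Managers</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _utc(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def map_response(response_xml, settings, now):
    """Check Issuer and the Conditions window, then map attributes per the idp_* settings."""
    root = ET.fromstring(response_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != settings["idp_sso_issuer"]:
        raise ValueError("Issuer does not match idp_sso_issuer")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS)}
    user_attr = settings["idp_attributeusername"]  # empty -> use saml:Subject/saml:NameID instead
    username = attrs[user_attr][0] if user_attr else assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return {"username": username, "email": attrs.get(settings["idp_attributeemail"], [None])[0],
            "groups": attrs.get(settings["idp_attributegroupname"], [])}
```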