This article will provide an overview of how single sign-on (SSO) works for Field iD.
Terminology
- IdP - Identity Provider - a service that handles user authentication. Users log onto it with their credentials. This is a remote service running on the client's systems. An example of IdP software is ADFS. In Field iD each organization account using SSO needs a separate IdP.
- SP - Service Provider - the application that you wish to use. You don't log onto this directly; it defers authentication to the IdP. Each organization account in Field iD using SSO has its own Service Provider.
- Entity ID - an identifier that uniquely identifies an IdP or SP. These IDs are unique across both IdPs and SPs.
- IdP Initiated SSO - when users wish to access an application (Service Provider) using SSO, they first log on to the IdP. The IdP will have a link to the application which they click to be taken into the application.
SSO Requirements
- We offer a single sign-on (SSO) implementation that allows your users to be signed in to the Field iD web app automatically when they are using your company network or intranet.
- We provide an IdP-Initiated approach for SSO specifically for our web application product. This does not include SSO on the mobile app.
- All communication between the IdP and the SP is done using SAML 2.0 protocol over HTTPS.
IdP Initiated SSO Process Overview
- Log on to the IdP and click the link to go to the desired SP. This will send a request to the SP.
- Our Spring SAML framework in Field iD receives the request. It then validates this request by checking host names and the assertion signature. If validation fails at this step, you will encounter the Field iD login screen. An error message is logged and the process stops.
- If the request was validated by the framework, we get the organization account matching this SP using the SP's entity ID (since this ID is unique, no other organization account will be using it).
- If the organization account doesn't have SSO enabled, the request fails. You'll encounter the login screen and the process stops.
- Your user ID and/or email address is extracted from the request. We search within the organization account to find a matching Field iD user. If no user is found, or if one is found but is not active, the request fails. The login process will stop and the following error message will appear.
- Once we have a valid Field iD user, you'll be logged in and transferred to the Field iD dashboard page.
FID Customer SSO Setup
- Please contact your Customer Success Manager or your sales executive in order to have this feature enabled for your organization.
- Once approved, SSO will be enabled for your organization's account.
Setup (Customer User Pages)
- Workflow (high level)
- Create an Identity Provider definition by either importing a file or copying and pasting.
- Create a Service Provider definition, updating the defaults as necessary.
- Provide our Service Provider metadata to the client's IDP team to complete their configuration.
- Select the 'Enable SSO' checkbox.
- The initial SSO settings page for a tenant is shown below. The 'Enable SSO' checkbox controls whether incoming SSO requests for this tenant will be processed or ignored. To set up SSO we'll need to define an Identity Provider and a Service Provider.
- Clicking 'Create new' under 'Identity Providers' will give you the 'Provide IDP Information' screen. In this screen you need to add the IDP metadata and its entity ID. Both of these values are obtainable from the client. There are two ways to enter this data. One way is to enter the URL for the metadata file (many IDPs make their metadata available on a URL) and click 'Get Metadata from IDP', which will fill in the 'Entity Id' and 'Metadata' fields below it. Alternatively you can obtain the metadata and paste it into the 'Metadata' field. Be sure to also obtain the entity ID and paste it in the 'Entity Id' field. Clicking 'Save' will then save the IDP definition and associate it with the current tenant.
- Clicking 'Create new' under 'Service Providers' will give you the 'Service Provider Definition' screen. Unlike the IDP screen, this one is populated with defaults that you normally don't need to change, except for the 'User Id' and 'Email Address' fields.
- Entity ID and Entity Base URL - should use the https protocol and start with the tenant name - in this example 'n4'.
- Match on User ID - set to true if the user in the IDP is to be matched to a user in Field iD using the user ID attribute. The IDP attribute name in this case is the name of the attribute that carries the user ID value in the incoming request. This value needs to be obtained from the client since it is specified by their IDP setup. If this value is incorrect, logon won't work since we won't be able to get the user ID from the incoming request. In ADFS it might be http://schemas.xmlsoap.org/claims/UPN. In Azure it might be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.
- Match on Email Address - set to true if the user in the IDP is to be matched to a user in Field iD using the email address attribute. The IDP attribute name in this case is the name of the attribute that carries the email address value in the incoming request. This value needs to be obtained from the client since it is specified by their IDP setup. If this value is incorrect, logon won't work since we won't be able to get the email address from the incoming request. In ADFS it might be http://schemas.xmlsoap.org/claims/EmailAddress. In Azure it might be http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
- Entity Alias - should be the tenant name value.
- Security Profile - see https://docs.spring.io/spring-security-saml/docs/1.0.0.RC2/reference/html/chapter-configuration.html
- SSL/TLS hostname verification - verifies that the incoming request's URL matches that of the receiver.
- Require signed authentication Assertion - should be Yes.
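As an added example (not Field iD's or Spring SAML's code), the script below walks the SP-side steps of the process overview, the organization lookup by entity ID, the SSO-enabled check and the user match on the configured 'Match on User ID' / 'Match on Email Address' attribute name, over a constructed, unsigned SAML response. The tenant table, entity ID and user names are assumptions, and the signature and host-name validation of step 2 are taken as already done by the framework.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical tenant store keyed by SP entity ID (unique across all tenants);
# the attribute names are the ADFS examples from the article.
TENANTS = {
    "https://n4.example.com/saml/metadata": {                      # constructed entity ID
        "sso_enabled": True,
        "match_on": "user_id",                                     # or "email"
        "attr": {"user_id": "http://schemas.xmlsoap.org/claims/UPN",
                 "email": "http://schemas.xmlsoap.org/claims/EmailAddress"},
        "users": {"jsmith": {"active": True}, "retired": {"active": False}},
    },
}

def build_response(audience, attr_name, value):
    """Constructed, unsigned test Response; a real one is signed by the IdP."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion><saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{attr_name}">
    <saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def resolve_user(xml_text):
    """Steps 3 to 6 of the overview: tenant by entity ID, SSO enabled, attribute, active
    user. Assumes the framework already verified the signature and host name (step 2)."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return None, "idp reported failure"
    aud = root.findtext(".//saml:Audience", default="", namespaces=NS).strip()
    tenant = TENANTS.get(aud)
    if tenant is None:
        return None, "no organization account for this entity ID"
    if not tenant["sso_enabled"]:
        return None, "SSO not enabled for this organization"
    wanted = tenant["attr"][tenant["match_on"]]
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
             for a in root.iter(f"{{{NS['saml']}}}Attribute")}
    value = attrs.get(wanted)   # wrong configured name => nothing found => logon fails
    if not value:
        return None, f"attribute {wanted} missing from request"
    user = tenant["users"].get(value)
    if user is None or not user["active"]:
        return None, "no active Field iD user matches"
    return value, "ok"
```

Feeding it the Azure claim name while the tenant is configured for the ADFS one reproduces the "incorrect attribute name" failure the settings above warn about.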
Update client's IDP
- The client's IDP configuration needs to be updated to include our Service Provider. To accomplish this we need to send the metadata defining our SP to the client team responsible for IDP configuration so they can update their configuration accordingly. To get the metadata, click 'Display' under 'Service Providers' in the SSO Settings panel.
- This will present a panel displaying the settings for the Service Provider. You can copy the Metadata section contents or click the 'Download Metadata' button to download a file containing the metadata. This metadata can then be used by the client to set up their IDP.