[Index]

Model: relation/HcsSsoSpREL

SSO SP Metadata

To access the latest documentation, go to Documentation and Resources at: https://voss.portalshape.com

This procedure configures self-service Single Sign-On (SSO) for VOSS-4-UC.

The configuration applies to customers and customer administrators associated with the identify provider (IdP).

Note

Administrators are configured for SSO use via the Users form (default menu User Management > Users).

Prerequisites

SSO Service Provider Configuration

  1. Log in to VOSS-4-UC as system administrator.

  2. Choose Single Sign On > SSO SP Settings.

    Note

    This screen is only available to you if you've logged in as a higher-level administrator.

  3. Click Add.

    Note

    Configure only one instance of SSO SP Settings.

  4. On the Base tab:

    Note

    • Specifying an unsigned third-party-signed certificate results in an error.
    • To renew an expired certificate, see Renew Single Sign-On Certificate for VOSS-4-UC.

  5. On the SAML SP Settings tab:

    Note

    • Only select Want Reponse Signed if you're sure that all IdPs sign responses.
    • If a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of End Points must be specified with https.

  6. Click Save.

  7. To view the location of the VOSS-4-UC SP metadata that you will upload to the IdP:

  8. Upload the SP metadata to the IdP.

    Refer to your IdP documentation for details on adding VOSS-4-UC as a service provider.

    Note

    The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the uid SAML attribute to sAMAccountName in the Active Directory server.

  9. Download the IdP metadata from the IdP server.

    Refer to your IDP documentation for details on downloading IDP metadata.

    Note

    If an expired SSO certificate is being renewed and the IdP metadata has not changed, the download, configure and upload of the IdP metadata is not required.

Integrating with an SSO Identity Provider

  1. Log in as provider, reseller, or customer administrator (depending on your IdP configuration level).

  2. Choose Administration Tools > File Management and upload the IdP metadata.

  3. Choose Single Sign On > SSO Identity Provider.

  4. Click Add to add the SSO Identity Provider configuration.

    Note

    Only one instance of an SSO Identity Provider can be configured for a hierarchy node.

  5. On the SSO Identity Provider screen, complete at least the mandatory fields (Entity ID, Login URI, Local Metadata File, User lookup fieldat minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields):

    If a customer is using a custom domain, the Service Provider Domain Name is filled in at the hierarchy level and the login and metadata URLs used will be tied to the IdP as follows:

    SSO Login URL:         ``https://<Service Provider Domain Name>/sso/<Login URI>/login``
Admin Portal:          ``https://<Service Provider Domain Name>/admin/sso/<Login URI>/login``
Business Admin Portal: ``https://<Service Provider Domain Name>/business-admin/sso/<Login URI>/login``

    The metadata is obtained from: https://<Service Provider Domain Name>/sso/<Login URI>/metadata

    If the Service Provider Domain Name is specified, the metadata XML file from VOSS-4UC then contains Service.Provider.Domain.Name in the assertion consumer service URL as shown in the example below:

    <md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://Service.Provider.Domain.Name/sso/acs/"
    index="1"/>

    This metadata needs to be uploaded to the IdP (not the generic metadata obtained from SSO Service Provider Configuration).

    Important

    If you have previously uploaded metadata to the IDP and you subsequently complete this Service Provider Domain Name field, you need to remove the previous record from the IDP and re-upload the metadata so that it contains this field.

  6. Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.

  7. Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.

When the Service Provider Domain Name is not specified for a given IDP, these URLs are used for SSO login:

SSO Login URL:         ``https://<FQDN of the Service Provider>/sso/<login_URI>/login``
Admin Portal:          ``https://<FQDN of the Service Provider>/admin/sso/<Login URI>/login``
Business Admin Portal: ``https://<FQDN of the Service Provider>/business-admin/sso/<Login URI>/login``

See SAML SP Settings FQDN in SSO Service Provider Configuration.

The IdP redirects to this FQDN on login.

Note

While an IdP may exist at more than one hierarchy in VOSS-4-UC, a user will only be permitted to log in if the user exists at or below the hierarchy of a single IdP.

SSO Identity Provider: Field Reference

System Message: ERROR/3 (<string>, line 175)

Malformed table.

+----------------------+------------------------------------------------------------------------------+
| Field                | Description                                                                  |
+======================+==============================================================================+
|                      | Mandatory. Entity ID of the IDP. This field must exactly match the           |
| Entity Id            | entity ID in the IdP metadata file.                                          |
|                      |                                                                              |
+----------------------+------------------------------------------------------------------------------+
|                      | Mandatory. Login URI for the IDP. This is the URI that                       |
| Login URI            | will be embedded in SSO Login URL. It can                                    |
|                      | contain only alphanumeric characters and                                     |
|                      | forward slashes.                                                             |
+----------------------+------------------------------------------------------------------------------+
| Service Provider     | The FQDN that will be embedded in the SP metadata for this                   |
| Domain Name          | IdP for URLs that refer back to the Service Provider.                        |
+----------------------+------------------------------------------------------------------------------+
| Local Metadata       | Mandatory. Choose the IdP metadata file. This field                          |
| File                 | must be unique across the system.                                            |
+----------------------+------------------------------------------------------------------------------+
|                      | Select the check box to enable SSO for users synced in or                    |
| SSO Enabled          | created at the current hierarchy level.                                      |
|                      | Clear this check box to disable SSO for                                      |
|                      | the users associated with the defined IDP.                                   |
+----------------------+------------------------------------------------------------------------------+
| Note                 | Reminder to upload the IdP metadata file                                     |
+----------------------+------------------------------------------------------------------------------+
| SSO Login URL        | Read-only field displays the SSO Login URL to use.                           |
+----------------------+------------------------------------------------------------------------------+
| Business Admin       | Read-only. Displays the Business Admin Portal SSO Login URL to use.          |
| Portal Login URL     |                                                                              |
+----------------------+------------------------------------------------------------------------------+
| Admin Portal Login   | Read-only. Displays the new Admin Portal SSO Login URL to use.               |
| URL                  |                                                                              |
+----------------------+------------------------------------------------------------------------------+
| User lookup field    | Mandatory. Select the field to bind the VOSS and SSO user - typically        |
|                      | ``username``.                                                                |
+----------------------+------------------------------------------------------------------------------+
| Authentication Scope | Hierarchical scope this server applies to.                                   |
|                      |                                                                              |
|                      | * Full tree authentication (default):                                        |
|                      |   All nodes at and below this node in its tree can authenticate against      |
|                      |   this server.                                                               |
|                      | * Local authentication:                                                      |
|                      |   Only users at this node can authenticate against this server. See          |
|                      |   User Login Options by Authentication Method and Server Authentication Scope.                              |
+----------------------+------------------------------------------------------------------------------+
| User sync type       | Type of users that can authenticate against this server.                     |
|                      |                                                                              |
|                      | * Synced users only: Only users synced in from LDAP can authenticate against |
|                      |   this server.                                                               |
|                      | * All users                                                                  |
+----------------------+------------------------------------------------------------------------------+

Model Details: relation/HcsSsoSpREL

Title Description Details
Entity Id Usually your subdomain plus the url to the metadata
  • Field Name: entity_id
  • Type: String
Service Provider Settings Defines the settings that apply to the system when used as a Service Provider
  • Field Name: sp
  • Type: Object
Name * A friendly identifier for the Service Provider
  • Field Name: sp.name
  • Type: String
Sign Authn Requests Determines whether outgoing authentication messages will be signed. If so, the specified private key will be used. This attribute is false by default. If one of your identity providers has WantAuthnRequestsSigned set in its meta data, this attribute should be set to true.
  • Field Name: sp.authn_requests_signed
  • Type: Boolean
SignatureMethod Set the SignatureMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to rsa-sha1. Default: rsa-sha1
  • Field Name: sp.request_signature_method
  • Type: String
  • Default: rsa-sha1
  • Choices: ["rsa-sha1", "rsa-sha224", "rsa-sha256", "rsa-sha384", "rsa-sha512"]
DigestMethod Set the DigestMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to sha1. Default: sha1
  • Field Name: sp.request_digest_method
  • Type: String
  • Default: sha1
  • Choices: ["sha1", "sha224", "sha256", "sha384", "sha512"]
Want Assertions Signed Determines whether assertions should be signed. Don't set this attribute to false unless you are sure that checking the integrity of the assertions is not needed in your environment.
  • Field Name: sp.want_assertions_signed
  • Type: Boolean
Want Reponse Signed Determines whether responses should be signed. Don't set this to true unless you are sure that all Identity Providers do sign responses.
  • Field Name: sp.want_response_signed
  • Type: Boolean
End Points Specifies the various end points that provide an external interface to the service provider.
  • Field Name: endpoints
  • Type: Object
Assertion Consumer Service
  • Field Name: assertion_consumer_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.assertion_consumer_service.[n].binding
  • Type: String
  • Choices: ["HTTP-POST"]
URL *
  • Field Name: sp.endpoints.assertion_consumer_service.[n].url
  • Type: String
Single Logout Service
  • Field Name: single_logout_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.single_logout_service.[n].binding
  • Type: String
  • Choices: ["HTTP-REDIRECT"]
URL *
  • Field Name: sp.endpoints.single_logout_service.[n].url
  • Type: String
Required Attributes Additional attributes required to identify a user
  • Field Name: required_attributes.[n]
  • Type: Array
Use Custom Certificate for Signing Indicates if previously uploaded public/private keys must be used for signing. If true, the 'Public Key' and 'Private Key' fields are required. If false, a system-generated Public/Private key pair is used.
  • Field Name: use_custom_cert_for_signing
  • Type: Boolean
System Generated Certificate A reference to the data/Certificate instance that contains the system generated certificate to be used.
  • Field Name: system_cert
  • Type: String
  • Target: data/Certificate
  • Format: uri
Private Key The private key that is used for signing AuthnRequests
  • Field Name: key_file
  • Type: String
  • Target: data/File
  • Format: uri
Public Key The public key that should be used for decrypting signed AuthnRequests
  • Field Name: cert_file
  • Type: String
  • Target: data/File
  • Format: uri
Validity (Hours) The number of hours for which the metadata is valid for
  • Field Name: valid_for
  • Type: Integer
Accepted Time Difference (seconds) The maximum acceptable difference in clock times (in seconds) between this system and any IDP.
  • Field Name: accepted_time_diff
  • Type: Integer
Contact Person Service Provider contact details
  • Field Name: contact_person.[n]
  • Type: Array
First Name Contact's first name
  • Field Name: contact_person.[n].givenname
  • Type: String
Last Name Contact's last name
  • Field Name: contact_person.[n].surname
  • Type: String
Company Contact's company
  • Field Name: contact_person.[n].company
  • Type: String
Email Address Contact's email address
  • Field Name: contact_person.[n].email_address
  • Type: String
Contact Type Type of contact
  • Field Name: contact_person.[n].contact_type
  • Type: String
Block unencrypted assertions Block unencrypted assertions
  • Field Name: block_unencrypted_assertions
  • Type: Boolean
Sp Md
  • Field Name: spMd
  • Type: Object
Note
  • Field Name: spMd.note
  • Type: String
  • MaxLength: 1024
Metadata URL The URL to SSO SP metadata
  • Field Name: spMd.md_url
  • Type: String
  • MaxLength: 1024