The VOSS-4-UC system supports Single Sign On so that authentication credentials configured at an Identity Provider (IDP) can be related to a VOSS-4-UC user and can then be used to log in on the system.
The VOSS-4-UC system uses the SAML 2.0 standard for authentication and authorization data exchange.
The scenario supported by VOSS-4-UC is as follows:
The overall procedure to enable SSO is the following (the VOSS-4-UC models are indicated where required):
The following list provides troubleshooting solutions to common SSO problems.
Browser error when moving a user in VOSS-4-UC to a sub-hierarchy.
"Logout error". Your Identity Provider asks this system to do a global logout, but your federated session is lost. Even if your local session in this system has been closed, you may have probably open sessions in other systems. In order to prevent illicit use of your personal information, please close your browser window and/or remove your cookies from your browser.
Error when attempting a logout while another browser window is still logged into the Identity Provider (IDP).
The message that will be displayed is of the format:
```
{ message: "An internal system error occurred.", code: -1, http_code: 400, traceback: "Traceback (most recent call last): File "/opt/voss-deviceapi/eggs/Django-1.4.5-py2.7.egg/django/core/handlers/base.py", line 111, ...
```
Access Rights Violated - Permission denied
When logging in, you are redirected to http://mydomain/sso/acs/ and the browser returns "Permission denied", while the heading in the browser tab shows "Access rights violated". The reason is that your browser is already logged into the IDP while you are trying an SSO login to VOSS-4-UC.
Incorrect URL for ACS in the IDP leads to HTTP 301 and HTTP 405.
If the Assertion Consumer Service (ACS) URL in the IDP's SP attributes is set incorrectly, the SAML trace is expected to show an HTTP 301 followed by an HTTP 405 error.
The example trace illustrates that the URL in the IDP was set to
http://mydomain/sso/acs
and in VOSS-4-UC it was set to
http://mydomain/sso/acs/
The difference between the two items is shown below.
```
Request URL:http://mydomain/sso/acs
Request Method:POST
Status Code:301 MOVED PERMANENTLY
...
Response Headers
Connection:keep-alive
Content-Language:en-us
Content-Type:text/html; charset=utf-8
Date:Mon, 21 Oct 2013 14:35:00 GMT
Location:http://mydomain/sso/acs/
Server:nginx/1.2.1
Transfer-Encoding:chunked
Vary:Accept-Language

Request URL:http://mydomain/sso/acs/
Request Method:GET
Status Code:405 METHOD NOT ALLOWED
Request Headers
```
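The trace above is the classic "redirect eats the POST" failure: the SP answers the slash-less path with a 301, the browser re-issues the redirected request as a GET, and the real ACS endpoint only accepts POST. The following added example (not VOSS-4-UC code; the routing rules in `sp_route` are an assumption modelled on the trace) simulates that sequence for both URL spellings and adds a configuration check that compares the IDP's ACS URL with the SP's, trailing slash included.

```python
from urllib.parse import urlsplit

# Assumed stand-in for the SP's routing, modelled on the trace above:
# the path with the trailing slash is the real ACS endpoint and accepts
# only POST; the slash-less path is answered with a 301 to the canonical
# location. The real server's behaviour beyond the trace is an assumption.
ACS_PATH = "/sso/acs/"


def sp_route(method, path):
    """Return (status, redirect_location) for one request to the SP."""
    if path == ACS_PATH.rstrip("/"):
        return 301, ACS_PATH
    if path == ACS_PATH:
        # Browsers re-issue a 301-redirected POST as a GET, which the
        # ACS rejects with 405 because the SAMLResponse form body is gone.
        return (200, None) if method == "POST" else (405, None)
    return 404, None


def simulate_saml_post(acs_url):
    """Follow the SAML POST the way a browser does (POST becomes GET after 301).

    Returns the status codes seen: [301, 405] for the slash-less URL,
    [200] for the correctly configured one.
    """
    method, path = "POST", urlsplit(acs_url).path
    seen = []
    while True:
        status, location = sp_route(method, path)
        seen.append(status)
        if status != 301:
            return seen
        method, path = "GET", location


def check_acs_url(idp_acs_url, sp_acs_url):
    """Compare the ACS URL configured at the IDP with the one the SP serves."""
    idp, sp = urlsplit(idp_acs_url), urlsplit(sp_acs_url)
    if (idp.scheme, idp.netloc) != (sp.scheme, sp.netloc):
        return "scheme/host mismatch"
    if idp.path == sp.path:
        return "ok"
    if idp.path.rstrip("/") == sp.path.rstrip("/"):
        return "trailing-slash mismatch: expect 301 then 405"
    return "path mismatch"


if __name__ == "__main__":
    print(simulate_saml_post("http://mydomain/sso/acs"))   # [301, 405]
    print(simulate_saml_post("http://mydomain/sso/acs/"))  # [200]
    print(check_acs_url("http://mydomain/sso/acs", "http://mydomain/sso/acs/"))
```

Run `check_acs_url` against the value pasted into the IDP's SP attributes before opening a SAML trace; it catches the slash mismatch without a round trip.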
Basic logging of SSO requests takes place in the app.log file. View the logs via the platform Command Line Interface (CLI) using either of the commands (as for all other logs):
log view voss-deviceapi/app.log
or
log follow voss-deviceapi/app.log
An example of the kind of SSO logging text is:
```
Dec 20 10:02:45 localhost deviceapi.lib.auth.backends.sso_saml2 INFO Processing SAML2 SSO authentication request; Parsed SAMLResponse: {'authn_info': [('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', [])], 'name_id': 'zUo+FcTbIKUW2UTwgG4hHVJUFoY+', 'not_on_or_after': 1387534388, 'came_from': '/', 'ava': {'givenname': ['ssoadmin'], 'userid': ['ssoadmin']}, 'issuer': 'http://openamqa.visionoss.int:8080/openam'}
Dec 20 10:02:45 localhost deviceapi.lib.auth.backends.sso_saml2 DEBUG uid not found in SAML AttributeStatement, falling back to name-id
```
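Because the backend logs the parsed `SAMLResponse` as a Python literal, these lines can be turned back into structured records and audited. The following added example (not part of the VOSS-4-UC product) parses lines in the format shown above and flags requests that deserve a second look: an issuer outside the configured allow list, an assertion whose `not_on_or_after` has already passed, a missing `userid` attribute, and the "falling back to name-id" case where the user was bound by NameID rather than by attribute. The sample log is constructed for the example; the first line reuses the values shown above, the second is made up.

```python
import ast
import re

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<logger>\S+) "
    r"(?P<level>DEBUG|INFO|WARNING|ERROR) (?P<msg>.*)$"
)
PARSED_MARK = "Parsed SAMLResponse: "

# Constructed sample in the app.log format shown above. Line 1 reuses the
# documented values; line 3 is made up to exercise the checks.
SAMPLE_LOG = """\
Dec 20 10:02:45 localhost deviceapi.lib.auth.backends.sso_saml2 INFO Processing SAML2 SSO authentication request; Parsed SAMLResponse: {'authn_info': [('urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport', [])], 'name_id': 'zUo+FcTbIKUW2UTwgG4hHVJUFoY+', 'not_on_or_after': 1387534388, 'came_from': '/', 'ava': {'givenname': ['ssoadmin'], 'userid': ['ssoadmin']}, 'issuer': 'http://openamqa.visionoss.int:8080/openam'}
Dec 20 10:02:45 localhost deviceapi.lib.auth.backends.sso_saml2 DEBUG uid not found in SAML AttributeStatement, falling back to name-id
Dec 20 10:09:12 localhost deviceapi.lib.auth.backends.sso_saml2 INFO Processing SAML2 SSO authentication request; Parsed SAMLResponse: {'authn_info': [], 'name_id': 'abc', 'not_on_or_after': 1387530000, 'came_from': '/', 'ava': {}, 'issuer': 'http://other.example.invalid/idp'}
"""


def parse_line(line):
    """Split one app.log line into fields; decode the SAMLResponse literal if present."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["saml"] = None
    if PARSED_MARK in rec["msg"]:
        # literal_eval (never eval) safely rebuilds the logged dict.
        rec["saml"] = ast.literal_eval(rec["msg"].split(PARSED_MARK, 1)[1])
    return rec


def audit_sso_log(text, now, trusted_issuers):
    """Return one finding per SSO request that has at least one problem.

    `now` is a Unix timestamp compared against not_on_or_after;
    `trusted_issuers` is the set of IDP entity IDs you expect to see.
    """
    findings = []
    last = None
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["saml"] is not None:
            saml = rec["saml"]
            last = {"ts": rec["ts"], "issuer": saml["issuer"], "problems": []}
            findings.append(last)
            if saml["issuer"] not in trusted_issuers:
                last["problems"].append("untrusted issuer")
            if saml["not_on_or_after"] <= now:
                last["problems"].append("assertion expired")
            if "userid" not in saml.get("ava", {}):
                last["problems"].append("no userid attribute")
        elif last is not None and "falling back to name-id" in rec["msg"]:
            # The DEBUG line follows the INFO line for the same request.
            last["problems"].append("user bound via NameID fallback")
    return [f for f in findings if f["problems"]]


if __name__ == "__main__":
    for f in audit_sso_log(SAMPLE_LOG, 1387534000,
                           {"http://openamqa.visionoss.int:8080/openam"}):
        print(f["ts"], f["issuer"], ", ".join(f["problems"]))
```

Feed it the output of `log view voss-deviceapi/app.log`; the NameID fallback finding is worth watching because it means the binding to the VOSS user depended on the IDP's NameID value rather than on the configured user lookup attribute.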
Note that:
When creating a system user that uses the standard authorization method, the password is stored in the internal system database. VOSS-4-UC uses the PBKDF2 algorithm with a SHA256 hash, a key stretching mechanism recommended by the National Institute of Standards and Technology (NIST), Computer Security Resource Center (CSRC).
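To show what PBKDF2-SHA256 key stretching looks like in practice, here is an added example using only the Python standard library. It is not VOSS-4-UC's implementation: the iteration count, salt length and the `pbkdf2_sha256$iterations$salt$hash` record layout are assumptions chosen for illustration, and the `needs_rehash` helper shows how a stored record can be upgraded when the iteration policy is raised.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy values for this example, not VOSS-4-UC's actual settings.
ALGORITHM = "sha256"
ITERATIONS = 600_000
SALT_BYTES = 16  # 128-bit salt


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "$".join([
        "pbkdf2_" + ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    ])


def verify_password(password, record):
    """Recompute with the stored salt/iterations; compare in constant time."""
    try:
        scheme, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        iterations = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_" + ALGORITHM:
        return False
    dk = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


def needs_rehash(record, iterations=ITERATIONS):
    """True when the stored record uses fewer iterations than current policy."""
    try:
        return int(record.split("$")[1]) < iterations
    except (IndexError, ValueError):
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("wrong", rec))                          # False
```

Storing the iteration count and salt alongside the hash is what makes a later policy change safe: on a successful login, `needs_rehash` tells you to recompute the record with the new count while you still have the plaintext.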
When logging in as a standard VOSS-4-UC user, go to the URL:
http://{host name}/login
A Login page theme can be applied to the Login page during the login process. Do this by adding the suffix '?theme=default' to the login request URL. For example: http://{host name}/login/?theme=default, where 'default' is one of the themes available in VOSS-4-UC.
When logging in with VOSS-4-UC credentials, the username can be entered in either of the following formats:
{username}@hierarchy or {email address}
The hierarchy is in dot notation and corresponds with the hierarchy to which the user belongs, in other words, the hierarchy level at which the user is created.
The hierarchy on the login form is prefixed with sys.
For example: johndoe@sys.VS-OPS.VS-Corp.Chicago
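The two accepted login formats are easy to confuse because both contain an '@'. The following added example (not VOSS-4-UC code) shows one way to classify a login identifier using the rule stated above, that a hierarchy login has the sys. prefix after the '@', and to reject malformed input such as an empty hierarchy level; the email pattern used for the fallback is an assumption.

```python
import re

HIERARCHY_ROOT = "sys"
# Deliberately loose email shape: one '@', something on each side, a dot
# in the domain. Assumed for this example, not the product's validator.
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def parse_login_identifier(identifier):
    """Classify a login name.

    Returns ('hierarchy', username, [levels...]) for user@sys.a.b.c and
    ('email', address) for an email address. Raises ValueError otherwise.
    """
    identifier = identifier.strip()
    if identifier.count("@") != 1:
        raise ValueError("identifier must contain exactly one '@'")
    user, domain = identifier.split("@")
    if not user:
        raise ValueError("empty username")
    levels = domain.split(".")
    if levels[0] == HIERARCHY_ROOT:
        # Hierarchy login: every dot-separated level must be non-empty.
        if any(not level for level in levels):
            raise ValueError("empty hierarchy level in %r" % domain)
        return ("hierarchy", user, levels)
    if EMAIL_RE.fullmatch(identifier):
        return ("email", identifier)
    raise ValueError("neither a hierarchy login nor an email address")


if __name__ == "__main__":
    print(parse_login_identifier("johndoe@sys.VS-OPS.VS-Corp.Chicago"))
    print(parse_login_identifier("john.doe@example.com"))
```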
See the following topics for more information relating to standard login:
Stores details of an SSO Identity Provider.
Title | Description | Details
---|---|---
Entity Id * | The unique identifier of the Identity Provider. |
Login URI | This is a URI that will be embedded in the base SSO login URL in order to authenticate specifically with this IDP. This field must only contain alphanumeric characters and forward slashes, and should match the regular expression `^\w+(/\w+)*$`. E.g. given a login URI of provider1/customer1, end users wishing to authenticate against this IDP will log in via the URL http://hostname/sso/provider1/customer1/login/. |
Service Provider Domain Name | This is an FQDN that will be embedded in the SP metadata for this IDP in URLs that refer back to the Service Provider (e.g. the ACS). It should match the customer-specific FQDN used for the VOSS-4-UC server. |
User lookup field | User field used to bind the SSO user to the VOSS user. Default: username |
Metadata | Indicates where the IDP metadata can be found. This can be either a file accessible locally on the system or a location on the network. |
Local Metadata File | |
Remote Metadata URL | |
URL | Location from which the metadata is to be downloaded. |
Certificate | To verify the authenticity of the metadata file downloaded from the network, the local copy of the IDP's public key should be used. This public key must be acquired by some out-of-band method. |
Authentication settings | Authentication settings. |
Authentication Scope | Hierarchical scope this server applies to. Default: Down |
User Sync Type | Type of users that can authenticate against this server. Default: All |
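The Login URI and Service Provider Domain Name fields both end up embedded in URLs, so a mistake in either shows up only once the SAML flow is exercised. The following added example (not VOSS-4-UC code) validates a Login URI against the documented regular expression and builds the resulting login URL, and builds the ACS URL from the Service Provider Domain Name with the trailing slash that the troubleshooting section shows is required; the bare-FQDN check and the default https scheme are assumptions.

```python
import re

# The documented pattern. re.ASCII keeps \w to [A-Za-z0-9_]; note that \w
# also admits the underscore, which is slightly wider than "alphanumeric".
LOGIN_URI_RE = re.compile(r"\w+(/\w+)*", re.ASCII)


def validate_login_uri(login_uri):
    """True when login_uri is segments of \\w+ joined by single slashes.

    fullmatch (rather than match with $) also rejects a trailing newline.
    """
    return LOGIN_URI_RE.fullmatch(login_uri) is not None


def sso_login_url(hostname, login_uri, scheme="https"):
    """Build scheme://hostname/sso/<login_uri>/login/ after validation."""
    if not validate_login_uri(login_uri):
        raise ValueError("invalid Login URI: %r" % login_uri)
    return "%s://%s/sso/%s/login/" % (scheme, hostname, login_uri)


def acs_url(sp_domain, scheme="https"):
    """Build the ACS URL embedded in SP metadata from a bare FQDN.

    The trailing slash matters: without it the SP answers the IDP's POST
    with a 301 and the browser's follow-up GET gets a 405.
    """
    if "://" in sp_domain or "/" in sp_domain or ":" in sp_domain \
            or "." not in sp_domain or sp_domain != sp_domain.strip():
        raise ValueError("Service Provider Domain Name must be a bare FQDN")
    return "%s://%s/sso/acs/" % (scheme, sp_domain)


if __name__ == "__main__":
    print(sso_login_url("hostname", "provider1/customer1", scheme="http"))
    print(acs_url("voss.example.com"))
```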