Model: data/SsoSettings

Single Sign On (SSO) Authentication

The VOSS-4-UC system supports Single Sign On so that authentication credentials configured at an Identity Provider (IDP) can be related to a VOSS-4-UC user and can then be used to log in on the system.

The VOSS-4-UC system uses the SAML 2.0 standard for authentication and authorization data exchange.

The scenario supported by VOSS-4-UC is as follows:

  1. A user attempts to access VOSS-4-UC by clicking on a bookmark in a customer's portal.
    1. The bookmark contains a URL to the IDP, with a URL parameter that tells the IDP which Service Provider (VOSS-4-UC) to redirect to after authentication.
  2. The HTTP request is sent to the IDP.
    1. If the user already has a session with the IDP, the request is forwarded to VOSS-4-UC without prompting for a password.
    2. If the user does not have a session with the IDP, the user is prompted to log in and is redirected to VOSS-4-UC upon successful authentication.
  3. Upon redirection to VOSS-4-UC, the HTTP request from the IDP contains an assertion with attribute information about the user, which VOSS-4-UC uses to authorize the user.
  4. VOSS-4-UC validates the assertion (issuer, signature, validity window, audience and recipient) and either:
    1. Grants the user access, or
    2. Declines the user access
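The validation step above is where most SAML deployments go wrong, so the following added example (written for this page, not VOSS-4-UC's own code) shows the checks a service provider applies to the assertion it receives at the Assertion Consumer Service, driven by the fields of the data/SsoSettings model: `block_unencrypted_assertions`, `sp.want_assertions_signed`, `accepted_time_diff` and the ACS URLs. The SAML Response, the IdP entity ID, the ACS URL, the attribute names and the settings values are all constructed for the example, and the `ds:Signature` element is a placeholder: cryptographic XML-DSig verification needs an xmlsec library and is not performed here, only the presence check is.

```python
"""Validate the SAML assertion an IdP posts to the ACS, driven by fields of
the data/SsoSettings model. Added example, not VOSS-4-UC code. Cryptographic
signature verification (XML-DSig canonicalisation + RSA) needs an xmlsec
library and is NOT done here; the code only checks that a ds:Signature is
present when sp.want_assertions_signed is set."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
TS = "%Y-%m-%dT%H:%M:%SZ"
ACS_URL = "https://mydomain/sso/acs/"          # assumed ACS URL for this example

# Constructed settings, shaped like the data/SsoSettings model.
SETTINGS = {
    "entity_id": "https://mydomain/sso/metadata/",
    "accepted_time_diff": 30,                   # seconds; the page's default is 0
    "block_unencrypted_assertions": True,
    "sp": {"want_assertions_signed": True,
           "endpoints": {"assertion_consumer_service": [
               {"binding": "HTTP-POST", "url": ACS_URL}]}},
}

# Constructed IdP Response; the ds:Signature is a placeholder, not a real signature.
RESPONSE_TMPL = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0"
 IssueInstant="{issue}" Destination="{recipient}">
 <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{issue}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>{signature}
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="{nooa}"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="{nb}" NotOnOrAfter="{nooa}">
   <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="uid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
SIG = "<ds:Signature><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>"


def build_response(now, audience=SETTINGS["entity_id"], recipient=ACS_URL,
                   signed=True, lifetime=300):
    """Render a constructed IdP Response valid from `now` for `lifetime` seconds."""
    return RESPONSE_TMPL.format(
        issue=now.strftime(TS), nb=now.strftime(TS),
        nooa=(now + timedelta(seconds=lifetime)).strftime(TS),
        audience=audience, recipient=recipient, signature=SIG if signed else "")


def _ts(value):
    return datetime.strptime(value, TS).replace(tzinfo=timezone.utc)


def validate_response(xml_text, settings, now, assertion_was_encrypted):
    """Return (ok, reason, attributes) for a Response whose Assertion is in the
    clear. `assertion_was_encrypted` is True when the caller obtained it by
    decrypting a saml:EncryptedAssertion with the SP private key."""
    sp = settings["sp"]
    drift = timedelta(seconds=settings["accepted_time_diff"])
    acs_urls = {e["url"] for e in sp["endpoints"]["assertion_consumer_service"]}
    root = ET.fromstring(xml_text)
    assertion = root.find(f"{SAML}Assertion")
    if assertion is None:
        return False, "no Assertion in Response", {}
    if settings["block_unencrypted_assertions"] and not assertion_was_encrypted:
        return False, "Unencrypted assertions are not allowed", {}
    if sp["want_assertions_signed"] and assertion.find(f"{DS}Signature") is None:
        return False, "assertion is not signed", {}
    cond = assertion.find(f"{SAML}Conditions")
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        return False, "assertion has no validity window", {}
    # accepted_time_diff widens the window symmetrically on both sides
    if now < _ts(cond.get("NotBefore")) - drift:
        return False, "assertion not yet valid", {}
    if now >= _ts(cond.get("NotOnOrAfter")) + drift:
        return False, "assertion expired", {}
    if settings["entity_id"] not in {a.text for a in cond.iter(f"{SAML}Audience")}:
        return False, "audience does not match our Entity ID", {}
    scd = assertion.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if root.get("Destination") not in acs_urls or scd is None or scd.get("Recipient") not in acs_urls:
        return False, "Destination/Recipient is not one of our ACS URLs", {}
    attrs = {a.get("Name"): [v.text for v in a.iter(f"{SAML}AttributeValue")]
             for a in assertion.iter(f"{SAML}Attribute")}
    return True, "ok", attrs


def run_checks(now=None):
    """Exercise the validator on constructed responses; returns {case: result}."""
    now = now or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fresh = build_response(now)
    return {
        "fresh_encrypted": validate_response(fresh, SETTINGS, now, True)[:2],
        "fresh_plain": validate_response(fresh, SETTINGS, now, False)[:2],
        "unsigned": validate_response(build_response(now, signed=False), SETTINGS, now, True)[:2],
        # 320 s after issue: 20 s past NotOnOrAfter, still inside the 30 s tolerance
        "within_drift": validate_response(fresh, SETTINGS, now + timedelta(seconds=320), True)[:2],
        "expired": validate_response(fresh, SETTINGS, now + timedelta(seconds=331), True)[:2],
        "wrong_audience": validate_response(build_response(now, audience="https://other/"), SETTINGS, now, True)[:2],
        "attributes": validate_response(fresh, SETTINGS, now, True)[2],
    }


if __name__ == "__main__":
    for case, result in run_checks().items():
        print(case, result)
```

The checks are ordered so that the cheapest policy gates (encryption required, signature present) run before any time or audience comparison, and the clock-drift tolerance is applied on both edges of the validity window; a real deployment must additionally verify the signature against the IdP's certificate from its metadata and track assertion IDs to reject replays.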

The overall procedure to enable SSO is the following (the VOSS-4-UC models are indicated where required):

Configure the System as a SSO Service Provider

  1. On the Base tab, enter the Entity ID. It is required and identifies VOSS-4-UC as the service provider; it is the URL that points to the metadata, for example http://mydomain/sso/metadata/.
  2. Choose the Public key and Private key that were uploaded using the data/File model and that will be used to communicate with identity providers. Alternatively, if you want to use a system generated certificate, check the check box and choose the required certificate from the drop-down list. These certificates are typically added using System Configuration > Certificates or a similar menu that creates data/Certificate instances.
  3. Enter the Validity period (in hours) that the metadata is valid for.
  4. Enter the number of seconds of permitted clock drift between VOSS-4-UC and the Identity Provider. The tolerance is customizable and must be set in accordance with the deployment's security policy. By default, VOSS-4-UC uses a value of 0 for the clock drift, in other words, it assumes the clocks are exactly in sync. Keep the value small (tens of seconds, with NTP on both sides): every second of tolerance extends the window in which a captured assertion remains acceptable.
  5. Enter the details of the Contact Person responsible for the metadata.
  6. If required, select the Block unencrypted assertions check box to raise an error if SAML assertions are not encrypted. If the check box is enabled and there is no encryption in the assertion, then an error message: "Unencrypted assertions are not allowed" is shown.
  7. On the Service Provider Settings tab, enter a friendly name that will be the ServiceName of the AttributeConsumingService in the metadata.
  8. If the Sign Authn Requests check box is enabled, outgoing messages are signed using the specified private key. Drop-down lists are also displayed to select the SignatureMethod (default is rsa-sha1) and DigestMethod (default is sha1) corresponding with those used by the Identity Provider. The SHA-1 defaults exist for compatibility; SHA-1 is deprecated for signatures, so select rsa-sha256 and sha256 whenever the Identity Provider supports them.
  9. If an Identity Provider has WantAuthnRequestsSigned set in its metadata, enable the check box. The check box is disabled by default.
  10. The Want Assertions Signed check box determines if assertions should be signed. Do not uncheck this box unless the integrity check of assertions is not needed in your environment.
  11. The End Points section provides an external interface to the service provider in VOSS-4-UC. The binding determines how SAML requests and responses map onto standard messaging or communications protocols. The Assertion Consumer Service (ACS) receives assertions, while the Single Logout Service is used to log out a user when instructed by an Identity Provider.
    1. Choose Binding and URL for the Assertion Consumer Service.
    2. Choose the Binding and URL for the Single Logout Service.

The saved SSO settings are published by the VOSS-4-UC service provider and are available from the metadata URL, for example: http://mydomain/sso/metadata/. Requesting this URL downloads an XML file containing the service provider configuration, which is what the Identity Provider administrator imports. In production, serve the metadata URL and the ACS and Single Logout endpoints over HTTPS; the http:// example is for illustration only.
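To make the relationship between the settings above and the published metadata concrete, here is an added example (written for this page, not VOSS-4-UC's own code) that renders SAML 2.0 SP metadata from a dict shaped like the data/SsoSettings model and reads it back the way an Identity Provider administrator would check it. The settings values, the certificate body, the endpoint URLs and the treatment of `required_attributes` as plain attribute names are all assumptions of the example; the metadata document is not itself signed here.

```python
"""Build and read back the SAML 2.0 SP metadata that the Entity ID points to,
from a dict shaped like the data/SsoSettings model. Added example, not
VOSS-4-UC code. The metadata document itself is not signed here."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ET.register_namespace("md", MD[1:-1])
ET.register_namespace("ds", DS[1:-1])
BINDINGS = {"HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
            "HTTP-REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"}

# Constructed data/SsoSettings instance (all values assumed for this example).
SETTINGS = {
    "entity_id": "https://mydomain/sso/metadata/",
    "valid_for": 24,
    "sp": {
        "name": "VOSS-4-UC",
        "authn_requests_signed": True,
        "want_assertions_signed": True,
        "endpoints": {
            "assertion_consumer_service": [{"binding": "HTTP-POST", "url": "https://mydomain/sso/acs/"}],
            "single_logout_service": [{"binding": "HTTP-REDIRECT", "url": "https://mydomain/sso/slo/"}],
        },
    },
    "required_attributes": ["uid"],     # assumed to be plain SAML attribute names
    "contact_person": [{"givenname": "Ada", "surname": "Example", "company": "Example Corp",
                        "email_address": "sso-admin@example.com", "contact_type": "technical"}],
}
CERT_B64 = "MIIC...placeholder-base64-DER..."   # the data/File public key, base64 DER (placeholder)


def _sub(parent, tag, attrib=None, text=None):
    el = ET.SubElement(parent, tag, attrib or {})
    el.text = text
    return el


def build_sp_metadata(settings, cert_b64, now):
    """Return SP metadata XML as a string; validUntil = now + valid_for hours."""
    sp = settings["sp"]
    root = ET.Element(f"{MD}EntityDescriptor", {
        "entityID": settings["entity_id"],
        "validUntil": (now + timedelta(hours=settings["valid_for"])).strftime("%Y-%m-%dT%H:%M:%SZ")})
    desc = _sub(root, f"{MD}SPSSODescriptor", {
        "AuthnRequestsSigned": str(sp["authn_requests_signed"]).lower(),
        "WantAssertionsSigned": str(sp["want_assertions_signed"]).lower(),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol"})
    # One certificate published for both uses: IdPs verify our AuthnRequest
    # signatures with it and encrypt assertions to it.
    for use in ("signing", "encryption"):
        kd = _sub(desc, f"{MD}KeyDescriptor", {"use": use})
        _sub(_sub(_sub(kd, f"{DS}KeyInfo"), f"{DS}X509Data"), f"{DS}X509Certificate", text=cert_b64)
    for ep in sp["endpoints"]["single_logout_service"]:
        _sub(desc, f"{MD}SingleLogoutService", {"Binding": BINDINGS[ep["binding"]], "Location": ep["url"]})
    for i, ep in enumerate(sp["endpoints"]["assertion_consumer_service"]):
        _sub(desc, f"{MD}AssertionConsumerService", {"Binding": BINDINGS[ep["binding"]],
             "Location": ep["url"], "index": str(i), "isDefault": str(i == 0).lower()})
    acs = _sub(desc, f"{MD}AttributeConsumingService", {"index": "0"})
    _sub(acs, f"{MD}ServiceName", {"{http://www.w3.org/XML/1998/namespace}lang": "en"}, sp["name"])
    for name in settings["required_attributes"]:
        _sub(acs, f"{MD}RequestedAttribute", {"Name": name, "isRequired": "true"})
    for c in settings["contact_person"]:
        cp = _sub(root, f"{MD}ContactPerson", {"contactType": c["contact_type"]})
        for field, tag in (("company", "Company"), ("givenname", "GivenName"),
                           ("surname", "SurName"), ("email_address", "EmailAddress")):
            _sub(cp, f"{MD}{tag}", text=c[field])
    return ET.tostring(root, encoding="unicode")


def read_sp_metadata(xml_text):
    """Parse SP metadata (ours or a partner's) into the fields an IdP admin checks."""
    root = ET.fromstring(xml_text)
    desc = root.find(f"{MD}SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "valid_until": root.get("validUntil"),
        "authn_requests_signed": desc.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": desc.get("WantAssertionsSigned") == "true",
        "acs": [(e.get("Binding"), e.get("Location")) for e in desc.iter(f"{MD}AssertionConsumerService")],
        "slo": [(e.get("Binding"), e.get("Location")) for e in desc.iter(f"{MD}SingleLogoutService")],
        "service_name": desc.findtext(f"{MD}AttributeConsumingService/{MD}ServiceName"),
        "cert_uses": sorted(k.get("use") for k in desc.iter(f"{MD}KeyDescriptor")),
    }


def demo(now=None):
    """Build the constructed settings' metadata and read it back."""
    now = now or datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return read_sp_metadata(build_sp_metadata(SETTINGS, CERT_B64, now))


if __name__ == "__main__":
    print(build_sp_metadata(SETTINGS, CERT_B64, datetime.now(timezone.utc)))
```

Note how `validUntil` is derived from `valid_for`: an IdP that honours it will stop trusting a cached copy of the metadata after that time, so the value bounds how long a rotated-out certificate stays accepted.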

Defines configuration settings for SAML2 SSO

Model Details: data/SsoSettings

Title Description Details
Entity Id Usually your subdomain plus the URL path to the metadata
  • Field Name: entity_id
  • Type: String
Service Provider Settings Defines the settings that apply to the system when used as a Service Provider
  • Field Name: sp
  • Type: Object
Name * A friendly identifier for the Service Provider
  • Field Name: sp.name
  • Type: String
Sign Authn Requests Determines whether outgoing authentication messages will be signed. If so, the specified private key will be used. This attribute is false by default. If one of your identity providers has WantAuthnRequestsSigned set in its meta data, this attribute should be set to true.
  • Field Name: sp.authn_requests_signed
  • Type: Boolean
SignatureMethod Set the SignatureMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled.
  • Field Name: sp.request_signature_method
  • Type: String
  • Default: rsa-sha1
  • Choices: ["rsa-sha1", "rsa-sha224", "rsa-sha256", "rsa-sha384", "rsa-sha512"]
DigestMethod Set the DigestMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled.
  • Field Name: sp.request_digest_method
  • Type: String
  • Default: sha1
  • Choices: ["sha1", "sha224", "sha256", "sha384", "sha512"]
Want Assertions Signed Determines whether assertions should be signed. Don't set this attribute to false unless you are sure that checking the integrity of the assertions is not needed in your environment.
  • Field Name: sp.want_assertions_signed
  • Type: Boolean
Want Response Signed Determines whether responses should be signed. Don't set this to true unless you are sure that all Identity Providers do sign responses.
  • Field Name: sp.want_response_signed
  • Type: Boolean
End Points Specifies the various end points that provide an external interface to the service provider.
  • Field Name: sp.endpoints
  • Type: Object
Assertion Consumer Service
  • Field Name: sp.endpoints.assertion_consumer_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.assertion_consumer_service.[n].binding
  • Type: String
  • Choices: ["HTTP-POST"]
URL *
  • Field Name: sp.endpoints.assertion_consumer_service.[n].url
  • Type: String
Single Logout Service
  • Field Name: sp.endpoints.single_logout_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.single_logout_service.[n].binding
  • Type: String
  • Choices: ["HTTP-REDIRECT"]
URL *
  • Field Name: sp.endpoints.single_logout_service.[n].url
  • Type: String
Required Attributes Additional attributes required to identify a user
  • Field Name: required_attributes.[n]
  • Type: Array
Use Custom Certificate for Signing Indicates if previously uploaded public/private keys must be used for signing. If true, the 'Public Key' and 'Private Key' fields are required. If false, a system-generated Public/Private key pair is used.
  • Field Name: use_custom_cert_for_signing
  • Type: Boolean
System Generated Certificate A reference to the data/Certificate instance that contains the system generated certificate to be used.
  • Field Name: system_cert
  • Type: String
  • Target: data/Certificate
  • Format: uri
Private Key The private key that is used for signing AuthnRequests
  • Field Name: key_file
  • Type: String
  • Target: data/File
  • Format: uri
Public Key The public key (certificate) published in the metadata; identity providers use it to verify signed AuthnRequests and to encrypt assertions for this system
  • Field Name: cert_file
  • Type: String
  • Target: data/File
  • Format: uri
Validity (Hours) The number of hours for which the metadata is valid
  • Field Name: valid_for
  • Type: Integer
Accepted Time Difference (seconds) The maximum acceptable difference in clock times (in seconds) between this system and any IDP.
  • Field Name: accepted_time_diff
  • Type: Integer
Contact Person Service Provider contact details
  • Field Name: contact_person.[n]
  • Type: Array
First Name Contact's first name
  • Field Name: contact_person.[n].givenname
  • Type: String
Last Name Contact's last name
  • Field Name: contact_person.[n].surname
  • Type: String
Company Contact's company
  • Field Name: contact_person.[n].company
  • Type: String
Email Address Contact's email address
  • Field Name: contact_person.[n].email_address
  • Type: String
Contact Type Type of contact
  • Field Name: contact_person.[n].contact_type
  • Type: String
Block unencrypted assertions Raise an error ("Unencrypted assertions are not allowed") when an incoming SAML assertion is not encrypted
  • Field Name: block_unencrypted_assertions
  • Type: Boolean