The VOSS-4-UC system supports Single Sign On so that authentication credentials configured at an Identity Provider (IDP) can be related to a VOSS-4-UC user and can then be used to log in on the system.
The VOSS-4-UC system uses the SAML 2.0 standard for authentication and authorization data exchange.
The scenario supported by VOSS-4-UC is as follows:
The overall procedure to enable SSO is the following (the VOSS-4-UC models are indicated where required):
The saved SSO settings are published by the VOSS-4-UC service provider and are available from the metadata URL, for example: http://mydomain/sso/metadata/. Requests to this URL for the SSO service provider configuration automatically trigger an XML file download of the specified SSO service provider configuration.
Defines configuration settings for SAML2 SSO
Title | Description
---|---
Entity Id | Usually your subdomain plus the URL to the metadata
Service Provider Settings | Defines the settings that apply to the system when used as a Service Provider
Name * | A friendly identifier for the Service Provider
Sign Authn Requests | Determines whether outgoing authentication messages will be signed. If so, the specified private key will be used. This attribute is false by default. If one of your identity providers has WantAuthnRequestsSigned set in its metadata, this attribute should be set to true.
SignatureMethod | Sets the SignatureMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Default: rsa-sha1
DigestMethod | Sets the DigestMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Default: sha1
Want Assertions Signed | Determines whether assertions should be signed. Don't set this attribute to false unless you are sure that checking the integrity of the assertions is not needed in your environment.
Want Response Signed | Determines whether responses should be signed. Don't set this to true unless you are sure that all Identity Providers do sign responses.
End Points | Specifies the various end points that provide an external interface to the Service Provider.
Assertion Consumer Service | End point group for the Assertion Consumer Service.
Assertion Consumer Service: Binding * | Determines how SAML requests and responses map onto standard messaging or communications protocols.
Assertion Consumer Service: URL * | 
Single Logout Service | End point group for the Single Logout Service.
Single Logout Service: Binding * | Determines how SAML requests and responses map onto standard messaging or communications protocols.
Single Logout Service: URL * | 
Required Attributes | Additional attributes required to identify a user
Use Custom Certificate for Signing | Indicates if previously uploaded public/private keys must be used for signing. If true, the 'Public Key' and 'Private Key' fields are required. If false, a system-generated public/private key pair is used.
System Generated Certificate | A reference to the data/Certificate instance that contains the system-generated certificate to be used.
Private Key | The private key that is used for signing AuthnRequests
Public Key | The public key that should be used for decrypting signed AuthnRequests
Validity (Hours) | The number of hours for which the metadata is valid
Accepted Time Difference (seconds) | The maximum acceptable difference in clock times (in seconds) between this system and any IDP.
Contact Person | Service Provider contact details
Contact Person: First Name | Contact's first name
Contact Person: Last Name | Contact's last name
Contact Person: Company | Contact's company
Contact Person: Email Address | Contact's email address
Contact Person: Contact Type | Type of contact
Block unencrypted assertions | Block unencrypted assertions
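The following added example (not VOSS-4-UC code) shows what the settings in the table above turn into when the metadata URL is served, and the checks an administrator would run over them before enabling SSO: it renders a dictionary that mirrors the Service Provider Settings fields as SAML 2.0 `SPSSODescriptor` metadata, reads `WantAuthnRequestsSigned` from a constructed IdP metadata fragment, and reports settings that conflict with the guidance in the table (signed requests required by the IdP but 'Sign Authn Requests' off, the legacy rsa-sha1/sha1 defaults, unsigned assertions, a wide clock-skew window, unencrypted assertions allowed). The settings values, the IdP entity ID and the ACS/SLO URLs are constructed samples; only the entity ID reuses the page's example URL.

```python
"""Build SAML 2.0 SP metadata from VOSS-4-UC style SSO settings and review them.

Added example, not VOSS-4-UC code. Field names mirror the settings table on
the page; the IdP metadata fragment, the endpoint URLs and the setting values
are constructed samples.
"""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS_MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample mirroring the "Service Provider Settings" fields.
SP_SETTINGS = {
    "entity_id": "http://mydomain/sso/metadata/",   # the page's example metadata URL
    "sign_authn_requests": False,                    # page default: false
    "signature_method": "rsa-sha1",                  # page default
    "digest_method": "sha1",                         # page default
    "want_assertions_signed": True,
    "want_response_signed": False,
    "acs": {"binding": POST_BINDING, "url": "https://mydomain/sso/acs/"},
    "slo": {"binding": REDIRECT_BINDING, "url": "https://mydomain/sso/slo/"},
    "validity_hours": 24,
    "accepted_time_difference": 300,
    "block_unencrypted_assertions": False,
}

# Constructed IdP metadata fragment: this IdP insists on signed AuthnRequests.
IDP_METADATA = (
    '<md:EntityDescriptor xmlns:md="%s" entityID="https://idp.example.test/saml">'
    '<md:IDPSSODescriptor WantAuthnRequestsSigned="true" '
    'protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>'
    "</md:EntityDescriptor>" % NS_MD
)


def build_sp_metadata(settings, now=None):
    """Render the SP settings as the metadata XML the metadata URL would serve."""
    now = now or datetime.now(timezone.utc)
    valid_until = now + timedelta(hours=settings["validity_hours"])  # Validity (Hours)
    ET.register_namespace("md", NS_MD)
    root = ET.Element(f"{{{NS_MD}}}EntityDescriptor", {
        "entityID": settings["entity_id"],
        "validUntil": valid_until.strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    sp = ET.SubElement(root, f"{{{NS_MD}}}SPSSODescriptor", {
        "AuthnRequestsSigned": str(settings["sign_authn_requests"]).lower(),
        "WantAssertionsSigned": str(settings["want_assertions_signed"]).lower(),
        "protocolSupportEnumeration": "urn:oasis:names:tc:SAML:2.0:protocol",
    })
    ET.SubElement(sp, f"{{{NS_MD}}}SingleLogoutService", {
        "Binding": settings["slo"]["binding"], "Location": settings["slo"]["url"]})
    ET.SubElement(sp, f"{{{NS_MD}}}AssertionConsumerService", {
        "Binding": settings["acs"]["binding"], "Location": settings["acs"]["url"],
        "index": "0", "isDefault": "true"})
    return ET.tostring(root, encoding="unicode")


def idp_wants_signed_requests(idp_metadata_xml):
    """Read WantAuthnRequestsSigned from an IdP's metadata (absent means false)."""
    root = ET.fromstring(idp_metadata_xml)
    idp = root.find(f"{{{NS_MD}}}IDPSSODescriptor")
    return idp is not None and idp.get("WantAuthnRequestsSigned", "false").lower() == "true"


def review_settings(settings, idp_metadata_xml, max_skew=300):
    """Return the configuration findings a reviewer would raise before go-live."""
    findings = []
    if idp_wants_signed_requests(idp_metadata_xml) and not settings["sign_authn_requests"]:
        findings.append("IdP sets WantAuthnRequestsSigned but 'Sign Authn Requests' is false")
    if settings["sign_authn_requests"]:
        if settings["signature_method"] == "rsa-sha1":
            findings.append("SignatureMethod rsa-sha1 is the legacy default; prefer rsa-sha256")
        if settings["digest_method"] == "sha1":
            findings.append("DigestMethod sha1 is the legacy default; prefer sha256")
    if not settings["want_assertions_signed"]:
        findings.append("'Want Assertions Signed' is false: assertion integrity is not checked")
    if settings["accepted_time_difference"] > max_skew:
        findings.append("Accepted Time Difference above %d s widens the replay window" % max_skew)
    if not settings["block_unencrypted_assertions"]:
        findings.append("'Block unencrypted assertions' is false: assertions may arrive in clear")
    for name, endpoint in (("ACS", settings["acs"]), ("SLO", settings["slo"])):
        if not endpoint["url"].startswith("https://"):
            findings.append(f"{name} URL is not served over HTTPS")
    return findings


if __name__ == "__main__":
    print(build_sp_metadata(SP_SETTINGS))
    for finding in review_settings(SP_SETTINGS, IDP_METADATA):
        print("FINDING:", finding)
```

With the constructed sample the review reports two findings: the IdP requires signed AuthnRequests while 'Sign Authn Requests' is still at its false default, and unencrypted assertions are not blocked. The signature and digest checks only fire once request signing is turned on, matching the table's note that those two fields are only used when 'Sign Authn Requests' is enabled.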