
UMANTIS CLOUD SSO CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

This document describes the requirements to set up a Single Sign On (SSO) configuration on umantis' cloud based solutions against a customer's private Active Directory Federation Server (ADFS).

Authors: Mallku Caballero, Marc Elser
Document Version: 1.08

AUDIENCE

This document is intended primarily for umantis Technical Consultants and customers’ IT departments.

PRE-REQUISITES

The customer is responsible for installing Microsoft Active Directory Federation Server version 2.0 (with Update Rollup 3 or newer) on top of their existing Active Directory infrastructure. The details of this installation and its general configuration are not covered in this document.

An understanding of the SAML SSO protocol is useful but not absolutely required. Some basic elements are presented in this document but the reader is encouraged to seek relevant resources (e.g.

SAML PROTOCOL ELEMENTS

umantis' Single Sign On architecture is based on the SAML 2.0 standard and more specifically on the SAML Web Browser SSO Profile, which is widely used on the Internet and is supported by Microsoft's ADFS.

SAML defines two key roles: the Service Provider (SP), for all practical purposes the umantis cloud application, and the Identity Provider (IDP), which checks the user's credentials and issues a signed assertion about the authenticated user. The SP relies on that assertion to grant access to its protected resources.

1. A user, interacting via a web browser, attempts to access a resource on the SP.

2. The SP determines that no session has been initiated yet and redirects the browser to the IDP's SSO service with an authentication request.

3. The IDP requests authentication from the user (e.g. a login page, or Windows Integrated Authentication for a domain-joined client).

4. The user provides credentials (e.g. user name and password).

5. The IDP authenticates the user and returns a signed authentication response to the SP, which validates it, establishes a session and redirects the browser to the originally requested resource.

[Figure: SAML Web Browser SSO flow between User, SP and IDP: 1. Access Resource; 2. Not signed in, redirect to SSO; 2'. Request SSO Service; 3. Authenticate; 4. Authentication Response; 5./5'. Success, redirect to Resource]

umantis provides a default IDP for "conventional" logins, where the requested user name and password are checked against a database managed within its internal infrastructure.

Some customers request a tighter integration into their internal working environment, so that their existing domain credentials can be used to access their umantis solution without having to manage a separate set of user names and passwords.

CLOUD ADFS-BASED SSO

Cloud SSO is rather straightforward as long as the customer can provide their own SAML2-capable Identity Provider.

CUSTOMER-PROVIDED IDP: ADFS

Where customers already have an Active Directory backed Windows domain, the most common configuration uses Microsoft's ADFS component, a lightweight service that extends Active Directory with a SAML2-capable Identity Provider.

NOTE: ADFS versions older than 2.0 are not supported (ADFS 1.x speaks WS-Federation only, not the SAML 2.0 protocol).

UMANTIS SERVICE PROVIDER

umantis applications are already SAML2-enabled by default, i.e. they are standard SAML Service Providers.

CIRCLE OF TRUST

A secure SSO configuration requires the SP and the IDP to know each other, in such a way that each can ascertain that the counterparty is legitimate. In SAML this is achieved by configuring a CIRCLE OF TRUST: the two parties exchange metadata documents carrying their entity IDs, protocol endpoints and X.509 certificates. The signing certificates let each side verify the other's messages (mutual authentication), and the encryption certificate keeps the content of the assertion confidential. Any change to these certificates, for instance an ADFS token-signing certificate rollover, must be propagated to the other side or SSO stops working.

ADFS SSO CONFIGURATION INSTRUCTIONS

This section describes the precise elements that umantis and the customer must exchange, as well as the configuration the customer must perform on their Active Directory Federation Server, in order to establish the Circle of Trust required for Cloud SSO.

SEND ADFS METADATA TO UMANTIS

Option 1) send umantis the url of your ADFS federation metadata, typically:

https://your_adfs_host_name/federationmetadata/2007-06/Federationmetadata.xml

Option 2) if the ADFS metadata url is not reachable from the Internet, load it in a browser yourself, save the result to a local file named idp.xml and send that file to umantis. Note that the file is a snapshot: when the ADFS token-signing certificate changes (by default ADFS rolls it over automatically before it expires), a fresh idp.xml must be sent again.
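Before a metadata document changes hands it is worth knowing exactly what it asserts: entity ID, endpoints, which certificates will be trusted and until when, and whether the document's own signature still verifies. The following function is an added example and not part of the umantis guide; it reads either the ADFS FederationMetadata.xml (the Option 1 url or the saved idp.xml) or the umantis SP metadata. It assumes Windows PowerShell 3 or later on .NET 4; the host name and file name in the usage lines are placeholders.

```powershell
# Added example, not part of the umantis guide: summarize a SAML 2.0 metadata document
# before it is sent to umantis or imported into ADFS. Works for the ADFS FederationMetadata.xml
# (Option 1 URL or the saved idp.xml) and for the umantis SP metadata alike.
# Assumes Windows PowerShell 3+ on .NET 4; host names and file names below are placeholders.
function Get-SamlMetadataSummary {
    param([Parameter(Mandatory = $true)][string]$Source)   # https:// URL or local file

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true                      # must be set before loading for XML-DSig
    if ($Source -match '^https?://') { $xml.Load($Source) } else { $xml.Load((Resolve-Path $Source).Path) }

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

    $entity = $xml.SelectSingleNode('/md:EntityDescriptor', $ns)
    if (-not $entity) { throw "Not a SAML 2.0 EntityDescriptor: $Source" }

    # ADFS signs its metadata with the token-signing key. CheckSignature() only proves the
    # document was not altered after signing; the certificate itself still has to be compared
    # out of band (thumbprint read over the phone, not over the channel that carried the file).
    $sigValid = $null
    $sigNode = $xml.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)
    if ($sigNode) {
        Add-Type -AssemblyName System.Security
        $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
        $signedXml.LoadXml([System.Xml.XmlElement]$sigNode)
        $sigValid = $signedXml.CheckSignature()
    }

    # Either the IdP role (ADFS) or the SP role (umantis) is present
    $role = $xml.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns); $roleName = 'IdP'
    if (-not $role) { $role = $xml.SelectSingleNode('/md:EntityDescriptor/md:SPSSODescriptor', $ns); $roleName = 'SP' }

    $certs = foreach ($kd in $role.SelectNodes('md:KeyDescriptor', $ns)) {
        $b64  = $kd.SelectSingleNode('.//ds:X509Certificate', $ns).InnerText -replace '\s', ''
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,[Convert]::FromBase64String($b64))
        $use  = $kd.GetAttribute('use'); if (-not $use) { $use = 'signing+encryption' }   # no use attribute means both
        [pscustomobject]@{
            Use        = $use
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            Expired    = ($cert.NotAfter -lt (Get-Date))
        }
    }

    $endpoints = foreach ($ep in $role.SelectNodes('md:SingleSignOnService | md:AssertionConsumerService', $ns)) {
        [pscustomobject]@{
            Type     = $ep.LocalName
            Binding  = $ep.GetAttribute('Binding') -replace '.*:', ''   # e.g. HTTP-Redirect, HTTP-POST
            Location = $ep.GetAttribute('Location')
        }
    }

    [pscustomobject]@{
        EntityId       = $entity.GetAttribute('entityID')
        Role           = $roleName
        SignatureValid = $sigValid                           # $null: document is not signed
        NameIdFormats  = @($role.SelectNodes('md:NameIDFormat', $ns) | ForEach-Object { $_.InnerText -replace '.*:', '' })
        Certificates   = $certs
        Endpoints      = $endpoints
    }
}

# Check the ADFS metadata before sending it (Option 1 URL, or the file saved in Option 2):
Get-SamlMetadataSummary 'https://your_adfs_host_name/federationmetadata/2007-06/Federationmetadata.xml'
Get-SamlMetadataSummary '.\idp.xml' | Select-Object -ExpandProperty Certificates | Format-Table Use, Thumbprint, NotAfter, Expired
```

The EntityId printed for the ADFS document is the value that later goes into the namequalifier property of the NameID rule, and the signing certificate's NotAfter date is the deadline by which umantis must have received updated metadata if the file was exchanged as a static idp.xml.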

ADD ADFS RELYING PARTY

1. Wait for umantis confirmation that your metadata has been activated. The confirmation email contains the umantisSPEntityId and umantisSPMetaAlias parameters that are required in the following steps.

2. Open the ADFS 2.0 Management tool.

3. Navigate to Trust Relationships / Relying Party Trusts.

4. Use the Add Relying Party Trust function to import the umantis service provider using the online url (replace umantisSPMetaAlias with the value from the confirmation email):

For customers hosted in Switzerland:

https://sso.umantis.com/multitenant-sp/saml2/metadata?metaAlias=umantisSPMetaAlias

For customers hosted in Germany:

https://sso.de.umantis.com/multitenant-sp/saml2/metadata?metaAlias=umantisSPMetaAlias

Note: if the ADFS server cannot reach the umantis server, you may save the XML returned by the above url on any workstation and import it manually in ADFS. The following steps remain unchanged.

5. Ignore the warning that not all data could be imported.


7. Add an LDAP claim rule that maps the Active Directory attribute sAMAccountName (or any other attribute containing an existing umantis login, such as E-Mail-Addresses) to the outgoing claim type UPN:

a. On the Issuance Transform Rules tab, click Add Rule.

b. On the Select Rule Template page, select Send LDAP Attributes as Claims. Click Next.

c. On the Configure Rule page, type a name for the rule in the Claim rule name field.

d. From the Attribute Store drop-down list, select Active Directory.

e. In the Mapping of LDAP attributes to outgoing claim types section, under LDAP Attribute, select SAM-Account-Name or E-Mail-Addresses or any other suitable unique identifier whose value matches existing umantis Talent Management account names.

f. Under Outgoing Claim Type, select UPN.

g. Click Finish, and then click OK.

8. Create an additional Custom Rule with the following definition:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "yourADFSEntityId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "umantisSPEntityId");

Where:

- yourADFSEntityId is usually of the form http://your_adfs_host_name/adfs/services/trust

- umantisSPEntityId is provided to you in Step 1

9. After importing the metadata, open the Properties dialog of the new relying party trust and:

a. On the Encryption tab, check that the umantis_te certificate is selected.

b. On the Signature tab, check that the umantis_ts certificate is selected.
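The same relying party trust can be created with the ADFS PowerShell cmdlets instead of the management console, which puts both claim rules in one reviewable script and makes it obvious that an issuance authorization rule is needed as well (without one ADFS denies every user for the relying party; the console wizard covers this with its "Permit all users" option). The script below is an added example and not part of the umantis guide. It assumes ADFS 2.0 (snap-in) or a later version (module), the Swiss hosting url, and that umantisSPMetaAlias and umantisSPEntityId are replaced with the values from the confirmation email; the rule names are arbitrary.

```powershell
# Added example, not part of the umantis guide: steps 1 to 9 of the relying party trust
# scripted with the ADFS cmdlets. Assumes ADFS 2.0 (snap-in) or later (module); the
# umantisSPMetaAlias / umantisSPEntityId placeholders are the values from the confirmation e-mail.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0
Import-Module ADFS -ErrorAction SilentlyContinue                        # ADFS 3.0 and later

$metaAlias    = 'umantisSPMetaAlias'
$spEntityId   = 'umantisSPEntityId'
$metadataUrl  = "https://sso.umantis.com/multitenant-sp/saml2/metadata?metaAlias=$metaAlias"
$adfsEntityId = [string](Get-ADFSProperties).Identifier   # usually http://your_adfs_host_name/adfs/services/trust

# Step 7: LDAP attribute -> UPN claim (use ";mail;{0}" when umantis logins are e-mail addresses).
# Step 8: UPN -> transient NameID carrying both qualifiers, as given in the guide.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "umantis login (sAMAccountName) as UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName;{0}", param = c.Value);

@RuleName = "UPN as transient NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$adfsEntityId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$spEntityId");
"@

# Without an issuance authorization rule ADFS denies every user for this relying party.
# Replace the permit-all rule with a group-based one if only some staff should reach umantis.
$authorizationRules = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

# Steps 4 to 8: import the umantis SP metadata (use -MetadataFile with the saved XML when the
# ADFS server has no Internet access) and attach both rule sets in one go.
Add-ADFSRelyingPartyTrust -Name 'umantis Cloud SSO' -MetadataUrl $metadataUrl `
    -IssuanceTransformRules $transformRules -IssuanceAuthorizationRules $authorizationRules

# Step 9: confirm which SP certificates were taken from the metadata (umantis_te / umantis_ts)
$rp = Get-ADFSRelyingPartyTrust -Name 'umantis Cloud SSO'
$rp.Identifier                                                     # must equal umantisSPEntityId
$rp.EncryptionCertificate     | Format-List Subject, Thumbprint, NotAfter
$rp.RequestSigningCertificate | Format-List Subject, Thumbprint, NotAfter
```

Because the NameID rule copies the UPN claim value unchanged, the NameID that umantis receives is the plain account name (or e-mail address) even though its Format is declared transient; that value is what umantis matches against existing logins, so the LDAP attribute chosen in step 7 must be unique per user.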

VALIDATE CONFIGURATION

Wait for umantis activation confirmation and point your browser to:

For customers hosted in Switzerland:

https://sso.umantis.com/multitenant-sp/saml2/SPInitiatedSSO?metaAlias=umantisSPMetaAlias&redirect_uri=http://www.umantis.com

For customers hosted in Germany:

https://sso.de.umantis.com/multitenant-sp/saml2/SPInitiatedSSO?metaAlias=umantisSPMetaAlias&redirect_uri=http://www.umantis.com

If you are already logged in as a Windows domain user you should be redirected automatically to the umantis web site; otherwise this only happens after you successfully supply your credentials in the Domain Login window that appears. Automatic login relies on the browser performing Windows Integrated Authentication against the ADFS host, which browsers only do for sites in the Local intranet zone (or otherwise configured for automatic logon); a credential prompt on a domain-joined machine usually means the ADFS host name is not in that zone. The address bar should have a url of the following form:
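When the validation above fails or umantis reports an unknown user, the quickest diagnosis is to look at what ADFS actually sent. The function below is an added example and not part of the umantis guide: it decodes the SAMLResponse form field that the browser posts to the SP (captured with the browser's developer tools) and lists the fields the Circle of Trust and the step 7/8 claim rules are supposed to produce. Passing the ADFS token-signing certificate from idp.xml verifies the signature; without it the output is for troubleshooting only and proves nothing about authenticity. The embedded response is a constructed, unsigned sample with placeholder host name, entity IDs and ACS url (the real ACS url is in the umantis SP metadata).

```powershell
# Added example, not part of the umantis guide: decode a captured SAMLResponse and show the
# issuer, audience, validity window, NameID format/qualifiers and attributes it carries.
# The sample at the bottom is constructed (placeholder host, IDs and ACS URL), not a real capture.
function Read-SamlResponse {
    param(
        [Parameter(Mandatory = $true)][string]$Base64Response,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$IdpSigningCertificate
    )
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.LoadXml([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64Response)))

    $ns = New-Object System.Xml.XmlNamespaceManager($xml.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $resp = $xml.SelectSingleNode('/samlp:Response', $ns)
    if (-not $resp) { throw 'Not a SAML 2.0 Response' }
    $assertion = $resp.SelectSingleNode('saml:Assertion', $ns)
    if (-not $assertion) { throw 'Assertion missing or encrypted (EncryptedAssertion): decrypt with the umantis_te key first' }

    # ADFS signs the assertion by default; some configurations sign the response element instead.
    $sigValid = $null
    if ($IdpSigningCertificate) {
        Add-Type -AssemblyName System.Security
        $sigNode = $assertion.SelectSingleNode('ds:Signature', $ns)
        if (-not $sigNode) { $sigNode = $resp.SelectSingleNode('ds:Signature', $ns) }
        $sigValid = $false
        if ($sigNode) {
            $signedXml = New-Object System.Security.Cryptography.Xml.SignedXml($xml)
            $signedXml.LoadXml([System.Xml.XmlElement]$sigNode)
            $sigValid = $signedXml.CheckSignature($IdpSigningCertificate, $true)   # $true: pin this cert, no chain building
        }
    }

    $nameId = $assertion.SelectSingleNode('saml:Subject/saml:NameID', $ns)
    $cond   = $assertion.SelectSingleNode('saml:Conditions', $ns)
    $nb  = [DateTimeOffset]::Parse($cond.GetAttribute('NotBefore'),    [cultureinfo]::InvariantCulture)
    $noa = [DateTimeOffset]::Parse($cond.GetAttribute('NotOnOrAfter'), [cultureinfo]::InvariantCulture)
    $now = [DateTimeOffset]::UtcNow

    [pscustomobject]@{
        Issuer          = $resp.SelectSingleNode('saml:Issuer', $ns).InnerText      # must equal yourADFSEntityId
        Destination     = $resp.GetAttribute('Destination')                        # must be the umantis ACS URL
        InResponseTo    = $resp.GetAttribute('InResponseTo')                       # ties it to the SP's AuthnRequest
        Status          = $resp.SelectSingleNode('samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value') -replace '.*:', ''
        SignatureValid  = $sigValid
        Audience        = $cond.SelectSingleNode('saml:AudienceRestriction/saml:Audience', $ns).InnerText  # umantisSPEntityId
        NotBefore       = $nb
        NotOnOrAfter    = $noa
        WithinValidity  = ($now -ge $nb -and $now -lt $noa)                       # SPs tolerate only a small clock skew
        NameId          = $nameId.InnerText                                        # the umantis login name
        NameIdFormat    = $nameId.GetAttribute('Format') -replace '.*:', ''        # transient (step 8)
        NameQualifier   = $nameId.GetAttribute('NameQualifier')                    # yourADFSEntityId
        SPNameQualifier = $nameId.GetAttribute('SPNameQualifier')                  # umantisSPEntityId
        Attributes      = @($assertion.SelectNodes('saml:AttributeStatement/saml:Attribute', $ns) |
                            ForEach-Object { '{0} = {1}' -f ($_.GetAttribute('Name') -replace '.*/', ''), $_.InnerText })
    }
}

# Constructed sample of what the step 7/8 rules produce (placeholder host, IDs and ACS URL).
# A real capture is the SAMLResponse form field value, which is already base64-encoded.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2021-03-01T09:00:00Z" Destination="https://sp.example.test/saml2/acs" InResponseTo="_a1">
  <saml:Issuer>http://your_adfs_host_name/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_s1" Version="2.0" IssueInstant="2021-03-01T09:00:00Z">
    <saml:Issuer>http://your_adfs_host_name/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient" NameQualifier="http://your_adfs_host_name/adfs/services/trust" SPNameQualifier="umantisSPEntityId">jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2021-03-01T09:00:00Z" NotOnOrAfter="2021-03-01T10:00:00Z">
      <saml:AudienceRestriction><saml:Audience>umantisSPEntityId</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$captured = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($sampleXml))
Read-SamlResponse -Base64Response $captured    # WithinValidity is False: the sample's window lies in 2021
```

A response whose Issuer or NameQualifier differs from the entity ID in the ADFS metadata, whose Audience is not umantisSPEntityId, or whose validity window has passed is rejected by a correctly configured SP; an EncryptedAssertion in a capture confirms that ADFS picked up the umantis_te certificate in step 9.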

ADDITIONAL CONFIGURATION

Beyond the core Cloud SSO configuration described above, more advanced parameters may also be configured by umantis staff to satisfy customer requirements.

IP-selective Cloud SSO, for instance, can be configured to precisely determine which IP address ranges (subnets) should participate in Cloud SSO.

Advanced SAML2 parameters may also be tweaked to satisfy customer-specific requirements. However, this type of configuration requires a deep understanding of SAML2 and is beyond the scope of this document. Should the need arise, requirements of this nature will be reviewed by a technical expert.

FINALLY

Once the configuration has been validated, SSO must be activated by umantis on the customer solution.

Note: once activated, all logins are handled by SSO by default (unless IP-Selective SSO has been configured). However, it is possible to force a non-SSO login by appending the v4login=1 parameter to a umantis URL, e.g. https://some_umantis_url&v4login=1 (use ? instead of & if the URL has no query string yet). Keep in mind that the umantis password login therefore remains reachable after SSO activation.
