UMANTIS CLOUD SSO CONFIGURATION GUIDE WITH MICROSOFT ACTIVE DIRECTORY FEDERATION SERVER

This document describes the requirements to set up a Single Sign On (SSO) configuration on umantis' cloud based solutions against a customer's private Active Directory Federation Server (ADFS).
Author: Mallku Caballero, Marc Elser Document Version: 1.08
AUDIENCE

This document is intended primarily for umantis Technical Consultants and customers' IT departments.
PRE-REQUISITES

The customer is responsible for installing Microsoft Active Directory Federation Server version 2.0 (with Update Rollup 3 or newer) on top of their existing Active Directory infrastructure. The details of this installation and its general configuration are not covered in this document.

An understanding of the SAML SSO protocol is useful but not absolutely required. Some basic elements are presented in this document, but the reader is encouraged to seek relevant resources (e.g.
SAML PROTOCOL ELEMENTS

umantis' Single Sign On architecture is based on the SAML 2 standard and more specifically on the SAML Web Browser SSO Profile, which is widely used on the Internet and is specifically supported by Microsoft's ADFS technology.

The SAML infrastructure defines two key components: the Service Provider (SP), for all practical purposes the umantis cloud application, and the Identity Provider (IDP), which is responsible for checking credentials and authorizing access to protected resources. In the SP-initiated flow used here:
1. A user interacting via a web browser attempts to access a resource on the SP.
2. The SP determines that a session has not yet been initiated and redirects the user to the IDP for authentication.
3. The IDP requests authentication (e.g. a login page) from the user.
4. The user provides credentials (e.g. user name and password).
5. The IDP authorizes the user and returns an authentication response (signed with the IDP's signing certificate) to the SP, which establishes a session and redirects the user to the originally requested resource.

[Figure: SP-initiated Web Browser SSO flow between browser, SP and IDP. Labels: 1. Access Resource; 2. Not signed in - redirect to SSO; 2'. Request SSO Service; 3. Authenticate; 4. Authentication Response; 5. Success - redirect to Resource; 5'. Success - redirect to Resource.]
umantis provides a default IDP for "conventional" logins, where the requested user name and password credentials are checked against a database managed within its internal infrastructure.

Some customers request a tighter integration into their internal working environment, so that their existing domain credentials can be used to authorize access to their umantis solution without having to manage a separate set of user names and passwords.
CLOUD ADFS-BASED SSO

Cloud SSO is rather straightforward as long as the customer can provide their own SAML2-capable Identity Provider.
CUSTOMER-PROVIDED IDP: ADFS

Where customers already have an Active Directory backed Windows domain, the most common configuration involves Microsoft's ADFS component, which is basically a lightweight service that extends Active Directory to make it SAML2-capable.

NOTE: ADFS versions older than 2.0 are not supported.
UMANTIS SERVICE PROVIDER

umantis applications are already SAML2-enabled by default, i.e. they are standard SAML Service Providers.
CIRCLE OF TRUST

A secure SSO configuration requires the SP and the IDP to know of each other, in such a way that each can ascertain that the counterparty is legitimate. In SAML, this is achieved by configuring a CIRCLE OF TRUST that involves exchanging metadata, signing and encryption certificates, which ensure mutual authentication as well as the confidentiality of exchanged data. In practice this means that the SP only accepts assertions signed with the IDP signing certificate published in the IDP metadata, and the IDP only sends assertions to, and encrypts them for, the SP endpoints and certificates published in the SP metadata.
ADFS SSO CONFIGURATION INSTRUCTIONS

This section describes the precise elements that umantis and the customer must exchange, as well as the configuration the customer must perform on their Active Directory Federation Server, in order to establish the Circle of Trust required for Cloud SSO:
SEND ADFS METADATA TO UMANTIS

Option 1) Send the URL of your ADFS federation metadata to umantis, typically:
https://your_adfs_host_name/federationmetadata/2007-06/Federationmetadata.xml

Option 2) If the ADFS metadata URL is not accessible from the Internet, load it in a browser yourself, save it to a local file named idp.xml and send that file to umantis.

In both cases the metadata contains your ADFS entityID and token-signing certificate. Because umantis will trust assertions signed with that certificate, confirm its thumbprint with umantis through a second channel, and resend the metadata whenever the ADFS token-signing certificate is renewed (ADFS rolls it over automatically by default), otherwise SSO stops working at the next rollover.
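The following PowerShell script is an added example and not part of the umantis guide. It performs Option 2 on the ADFS server: it downloads the federation metadata to idp.xml, reads the entityID (the value later needed as yourADFSEntityId) and the signing certificate thumbprints published in it, and checks them against the token-signing certificate ADFS actually uses, so that the thumbprint can be confirmed with umantis out of band. It assumes it is run on the ADFS server by an ADFS administrator; the host name is the guide's placeholder.

```powershell
# Added example, not part of the umantis guide: export the ADFS federation
# metadata as idp.xml (Option 2) and list what umantis will trust from it.
# Assumptions: run on the ADFS server (ADFS 2.0 on PowerShell 2.0 or later)
# as an ADFS administrator; $adfsHost is the guide's placeholder.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 / 2.1
Import-Module ADFS -ErrorAction SilentlyContinue                       # ADFS on Server 2012 R2 and later

$adfsHost    = 'your_adfs_host_name'   # placeholder, replace with the real FQDN
$metadataUrl = "https://$adfsHost/federationmetadata/2007-06/federationmetadata.xml"
$outFile     = Join-Path (Get-Location) 'idp.xml'

# Download over HTTPS; a TLS certificate error here must fail, not be ignored.
(New-Object System.Net.WebClient).DownloadFile($metadataUrl, $outFile)

[xml]$md = Get-Content -Path $outFile
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

# entityID: this is the yourADFSEntityId value used later in the NameID rule
$entityId = $md.DocumentElement.GetAttribute('entityID')

# Signing certificate(s) the metadata publishes for the IDP role
$metadataThumbprints = $md.SelectNodes(
    '/md:EntityDescriptor/md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns) |
  ForEach-Object {
    $raw  = [Convert]::FromBase64String($_.InnerText.Trim())
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$raw)
    $cert.Thumbprint
  }

# The token-signing certificate ADFS currently signs with; it must appear in the metadata
$primary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$primaryThumbprint = $primary.Certificate.Thumbprint

"entityID              : $entityId"
"metadata signing certs: $($metadataThumbprints -join ', ')"
"primary token-signing : $primaryThumbprint"
if ($metadataThumbprints -notcontains $primaryThumbprint) {
    Write-Warning "The primary token-signing certificate is not in $outFile; regenerate the metadata before sending it."
}
"Saved $outFile - send it (or the metadata URL) to umantis and confirm the thumbprint out of band."
```

The script uses System.Net.WebClient rather than Invoke-WebRequest so that it also runs on the PowerShell 2.0 that ships with Windows Server 2008 R2, the platform of ADFS 2.0.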
ADD ADFS RELYING PARTY

1. Wait for umantis confirmation that your metadata has been activated. The confirmation email contains the umantisSPEntityId and umantisSPMetaAlias parameters that are required in the following steps.
2. Open the ADFS 2.0 Management tool.
3. Navigate to Trust Relationships / Relying Party Trusts.
4. Use the Add Relying Party Trust function to import the umantis service provider using the online URL (replace umantisSPMetaAlias with the value from step 1):
For customers hosted in Switzerland:
https://sso.umantis.com/multitenant-sp/saml2/metadata?metaAlias=umantisSPMetaAlias
For customers hosted in Germany:
https://sso.de.umantis.com/multitenant-sp/saml2/metadata?metaAlias=umantisSPMetaAlias
Note: if the ADFS server has no access to the umantis server, you may save the XML returned from the above URL on any workstation and manually import it in ADFS. The following steps remain unchanged.
5. Ignore the warning that not all data could be imported.
6. Add a generic LDAP rule that maps the internal Active Directory LDAP attribute sAMAccountName (or any other attribute containing an existing umantis login, such as E-Mail-Addresses) to the outgoing claim type UPN:
a. On the Issuance Transform Rules tab, click Add Rule.
b. On the Select Rule Template page, select Send LDAP Attributes as Claims. Click Next.
c. On the Configure Rule page, type the name of the claim rule in the Claim rule name field.
d. From the Attribute Store drop-down list, select Active Directory.
e. In the Mapping of LDAP attributes to outgoing claim types section, under LDAP Attribute, select SAM-Account-Name or E-Mail-Addresses or any other suitable unique identifier that maps to existing umantis Talent Management account names.
f. Under Outgoing Claim Type, select UPN.
g. Click Finish, and then click OK.
7. Create an additional Custom Rule (template Send Claims Using a Custom Rule) with the following definition:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "yourADFSEntityId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "umantisSPEntityId");

Where:
- yourADFSEntityId is usually of the form http://your_adfs_host_name/adfs/services/trust (the Federation Service identifier shown in the ADFS service properties)
- umantisSPEntityId is provided to you in step 1
This rule turns the UPN claim produced in step 6 into the SAML NameID that umantis matches against its account names; the attribute chosen in step 6 must therefore be unique in Active Directory and identical to the umantis login.
8. After importing the metadata, open the relying party trust's Properties dialog and:
a. On the Encryption tab, check that the umantis_te certificate is selected.
b. On the Signature tab, check that the umantis_ts certificate is selected.
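The following PowerShell script is an added example and not part of the umantis guide; it performs steps 4 to 8 above from the command line instead of the management console. It creates the relying party trust from the umantis SP metadata URL, sets the two issuance transform rules (the rule text for step 6 is what the "Send LDAP Attributes as Claims" template generates; the step 7 rule is copied from the guide), and then checks the trust identifier and the imported certificates. It assumes it is run on the ADFS server by an ADFS administrator and that the Swiss hosting URL applies; umantisSPMetaAlias and umantisSPEntityId are placeholders for the values in the umantis confirmation email, and the trust name 'umantis Cloud SSO' is the example's own choice.

```powershell
# Added example, not part of the umantis guide: create the umantis relying
# party trust with the claim rules of steps 6 and 7 and verify step 8.
# Assumptions: run on the ADFS server as an ADFS administrator; the two
# placeholders below are replaced with the values from the umantis email.
Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue   # ADFS 2.0 / 2.1
Import-Module ADFS -ErrorAction SilentlyContinue                       # ADFS on Server 2012 R2 and later

$rpName          = 'umantis Cloud SSO'    # display name chosen for this example
$metaAlias       = 'umantisSPMetaAlias'   # placeholder from the confirmation email
$umantisEntityId = 'umantisSPEntityId'    # placeholder from the confirmation email
$metadataUrl     = "https://sso.umantis.com/multitenant-sp/saml2/metadata?metaAlias=$metaAlias"

# yourADFSEntityId is the Federation Service identifier (http://<host>/adfs/services/trust)
$adfsEntityId = [string](Get-AdfsProperties).Identifier

# Step 6: "Send LDAP Attributes as Claims", sAMAccountName -> UPN claim.
# Change the query attribute (e.g. to mail) if umantis logins are e-mail addresses.
$ldapRule = @"
@RuleTemplate = "LdapClaims"
@RuleName = "umantis login (sAMAccountName) as UPN"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";sAMAccountName;{0}", param = c.Value);
"@

# Step 7: the guide's custom rule, UPN -> SAML NameID with both qualifiers filled in.
$nameIdRule = @"
@RuleName = "umantis NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier"] = "$adfsEntityId", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "$umantisEntityId");
"@

# A trust created from PowerShell has no issuance authorization rule, so nobody could
# log in; the console wizard adds this "Permit Access to All Users" rule for you.
$permitAll = @"
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@

Add-AdfsRelyingPartyTrust -Name $rpName -MetadataUrl $metadataUrl `
    -IssuanceTransformRules ($ldapRule + "`r`n" + $nameIdRule) `
    -IssuanceAuthorizationRules $permitAll
# If the ADFS server cannot reach umantis, download the XML on a workstation and
# pass -MetadataFile 'C:\path\umantis-sp.xml' instead of -MetadataUrl.

# Step 8 checks: the identifier must equal umantisSPEntityId, and the certificates
# imported from the metadata must be umantis_te (encryption) and umantis_ts (signing).
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if ($rp.Identifier -notcontains $umantisEntityId) {
    Write-Warning "Trust identifier '$($rp.Identifier -join ', ')' does not match umantisSPEntityId '$umantisEntityId'"
}
"Encryption certificate : " + $rp.EncryptionCertificate.Subject
$rp.RequestSigningCertificate | ForEach-Object { "Signing certificate    : " + $_.Subject }
```

The identifier check matters because the spnamequalifier in the NameID rule and the trust identifier both have to be the umantisSPEntityId from step 1; a typo in one of them produces an assertion that the umantis SP rejects as addressed to the wrong entity.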
VALIDATE CONFIGURATION

Wait for umantis activation confirmation and point your browser to:
For customers hosted in Switzerland:
https://sso.umantis.com/multitenant-sp/saml2/SPInitiatedSSO?metaAlias=umantisSPMetaAlias&redirect_uri=http://www.umantis.com
For customers hosted in Germany:
https://sso.de.umantis.com/multitenant-sp/saml2/SPInitiatedSSO?metaAlias=umantisSPMetaAlias&redirect_uri=http://www.umantis.com
If you are already logged in as a Windows domain user, you should be automatically redirected to the umantis web site; otherwise this will only happen after successfully supplying your credentials in the Domain Login window that should appear. The address bar should have a URL of the following form:
ADDITIONAL CONFIGURATION

Beyond the core Cloud SSO configuration described above, more advanced parameters may also be configured by umantis staff to satisfy customer requirements.

IP-selective Cloud SSO, for instance, can be configured to determine precisely which IP address ranges (subnets) participate in Cloud SSO; logins from other addresses continue to use the conventional umantis login.

Advanced SAML2 parameters may also be tweaked to satisfy customer-specific requirements. However, this type of configuration requires a deep understanding of SAML2 and is beyond the scope of this document. Should the need arise, requirements of this nature will be reviewed by a technical expert.
FINALLY

Once the configuration has been validated, SSO must be activated by umantis on the customer solution.

Note: once activated, all logins are handled by SSO by default (unless IP-Selective SSO has been configured). However, it is possible to force a non-SSO login by appending the parameter v4login=1 to the query string of a umantis URL, e.g. https://some_umantis_url?v4login=1 (or &v4login=1 if the URL already has a query string). Because this conventional login path remains reachable, the umantis passwords of SSO users are still valid and must still be managed after SSO activation.