Jump to: navigation, search

Difference between revisions of "HowTo:Integrate UBIK in an SSO Environment"

(Authorization)
(Client)
Line 40: Line 40:
 
<!-- DO NOT MODIFY THE NAME OF THIS SECTION, BUT REMOVE IT IF NOT REQUIRED -->
 
<!-- DO NOT MODIFY THE NAME OF THIS SECTION, BUT REMOVE IT IF NOT REQUIRED -->
  
* '''Set up an SSO mediator backend server to relay SSO responses to the client'''
+
== OIDC ==
  
----
+
* Set up an identity provider if necessary
 +
* Assemble a client configuration JSON string, .e.g.:
 +
<syntaxhighlight lang="json">
 +
      {'AuthorityURL' : 'https://xamarinoidc-app.azurewebsites.net',
 +
      'ClientID' : 'gnabbermobileclient',
 +
      'ClientSecret' : null,
 +
      'RedirectURL' : 'oidcxamarin101:/authenticated',
 +
      'Scope' : 'openid profile',
 +
      'IsPivotEnabled' : 'false'}
 +
</syntaxhighlight>
 +
* Integrate client configuration in profile:
 +
<syntaxhighlight lang="xml">
 +
  <InternalSSOSettings>
 +
    <EnableSSO>true</EnableSSO> 
 +
    <SSOConfiguration>
 +
      ...
 +
    </SSOConfiguration>
 +
    <SSOProtocol>OIDC</SSOProtocol>
 +
  </InternalSSOSettings>
 +
</syntaxhighlight>
  
To set up an Authentication Server first go to http://release.augmensys.com/ and download the provided Zip File.
+
== SAML ==
 +
 
 +
 
 +
* Set up an identity provider if necessary
 +
* Set up an SSO mediator backend server to relay SSO responses to the client
 +
 
 +
<blockquote>
 +
To set up an Authentication Mediator Server first go to http://release.augmensys.com/ and download the provided Zip File.
 
After you downloaded the Zip create a new IIS applicatio (https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/application/).
 
After you downloaded the Zip create a new IIS applicatio (https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/application/).
 
Open the just created app in your file explorer, unpack the downloaded ZIP file and copy all files of that ZIP into the app-folder.
 
Open the just created app in your file explorer, unpack the downloaded ZIP file and copy all files of that ZIP into the app-folder.
 
If IIS prohibites you to copy files you need to first stop the server. After successfully copying the Files you need to Restart/Start the IIS server again.
 
If IIS prohibites you to copy files you need to first stop the server. After successfully copying the Files you need to Restart/Start the IIS server again.
 
Now you have set up the Authentication-Backend and it is ready to use.
 
Now you have set up the Authentication-Backend and it is ready to use.
 +
</blockquote>
  
 +
* Assemble a client configuration JSON string, .e.g.:
 +
<syntaxhighlight lang="json">
 +
{"AuthUser": "user", "AuthUserPw": "test", "BackendURL": "https://ubik.test.com/UBIK/DEV/AUTH_SERVICE/", "IdpURL": "https://idp.com/idpssoinit?metaAlias=ubik;spEntityID=ubik", "IdpLogoutURL": "", "IsPivotEnabled": false, "Env_Broadcast" : null, "Env_Data": null}
 +
</syntaxhighlight>
 +
* Integrate client configuration in profile:
 +
<syntaxhighlight lang="xml">
 +
  <InternalSSOSettings>
 +
    <EnableSSO>true</EnableSSO> 
 +
    <SSOConfiguration>
 +
      ...
 +
    </SSOConfiguration>
 +
    <SSOProtocol>SAML</SSOProtocol>
 +
  </InternalSSOSettings>
 +
</syntaxhighlight>
  
* '''Configure the SSO profile settings respectively'''
 
 
----
 
The Single-Sign-On implementation introduces three new Profile Settings needed to setup SSO in your environment, namely:
 
* <EnableSSO>true/false</EnableSSO> This setting, if set to "true" enables the SSO workflow and disable the possibility to authenticate against the UBIK backend.
 
* <BackendURL>https://www.backendurl.com/*/AuthenticationServer/</BackendURL> This setting is for defining the main url of the Authentication Backend.
 
* <IdpURL>https://www.IDP.com/</IdpURL> The IdpURL setting is neccessary for the Client to know where you want to authenticate against.
 
 
<!-- DO NOT REMOVE THIS -->{{Template:HowTo/End}}<!-- DO NOT REMOVE THIS -->
 
<!-- DO NOT REMOVE THIS -->{{Template:HowTo/End}}<!-- DO NOT REMOVE THIS -->
  

Revision as of 13:34, 13 February 2023

Single Sign On (SSO) allows an end-user to interact with multiple services without logging in more than once.

This page shows how to integrate UBIK® into such an SSO environment.


[edit]

Instructions

The customer's Identity Provider must know UBIK® as a Service Provider. We need to provide an SSO mediator server in order to relay SSO responses for the client; this is our ACS (Assertion Consumer Service).

There are two major use-cases for SSO:

  • Authentication: Establishing or re-using an SSO session (logging in)
  • Authorization: Interaction with external systems (interfacing)

In order to configure UBIK® for SSO integration, we need to address both.

Authentication

  • In the UBIK® client profile, adjust the SSO relevant settings (enabling SSO and specifying the Identity Provider Endpoint URL for an IdP-initiated flow).
  • On the server side, make sure that an SSO Processor is configured able to process the responses from the Identity Provider.

Authorization

When a UBIK® object is synchronized between client and server, the UBIK® customizing can interact with external systems. There, we might require authorization, and we need to make sure the client provides a respective token. In order to do so, we have to identify the specific authorization use-cases:

  • For which types of objects (meta classes) do I need to interact with external systems, requiring SSO authorization?
  • For which synchronization operations (e.g., update, commit, create, etc.) do I need authorization?
  • Which SSO client configurations (identity provider base URL, scopes, etc.) are used in this case?

For each resulting combination we have to create an External Auth Config object and give it to the client in the infrastructure list.

Further, we have to make sure the authorization tokens can be transported to the server. Therefore, add the External Entity Classification to all meta classes of objects that need external authorization.

Studio

Client

OIDC

  • Set up an identity provider if necessary
  • Assemble a client configuration JSON string, .e.g.:

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


      {'AuthorityURL' : 'https://xamarinoidc-app.azurewebsites.net', 
      'ClientID' : 'gnabbermobileclient', 
      'ClientSecret' : null, 
      'RedirectURL' : 'oidcxamarin101:/authenticated', 
      'Scope' : 'openid profile',
      'IsPivotEnabled' : 'false'}
  • Integrate client configuration in profile:
  <InternalSSOSettings>
    <EnableSSO>true</EnableSSO>  
    <SSOConfiguration>
      ...
    </SSOConfiguration>
    <SSOProtocol>OIDC</SSOProtocol>
  </InternalSSOSettings>

SAML

  • Set up an identity provider if necessary
  • Set up an SSO mediator backend server to relay SSO responses to the client

To set up an Authentication Mediator Server first go to http://release.augmensys.com/ and download the provided Zip File. After you downloaded the Zip create a new IIS applicatio (https://docs.microsoft.com/en-us/iis/configuration/system.applicationhost/sites/site/application/). Open the just created app in your file explorer, unpack the downloaded ZIP file and copy all files of that ZIP into the app-folder. If IIS prohibites you to copy files you need to first stop the server. After successfully copying the Files you need to Restart/Start the IIS server again. Now you have set up the Authentication-Backend and it is ready to use.

  • Assemble a client configuration JSON string, .e.g.:

Invalid language.

You need to specify a language like this: <source lang="html4strict">...</source>

Supported languages for syntax highlighting:

4cs, 6502acme, 6502kickass, 6502tasm, 68000devpac, abap, actionscript, actionscript3, ada, algol68, apache, applescript, apt_sources, arm, asm, asp, asymptote, autoconf, autohotkey, autoit, avisynth, awk, bascomavr, bash, basic4gl, bf, bibtex, blitzbasic, bnf, boo, c, c_loadrunner, c_mac, caddcl, cadlisp, cfdg, cfm, chaiscript, cil, clojure, cmake, cobol, coffeescript, cpp, cpp-qt, csharp, css, cuesheet, d, dcl, dcpu16, dcs, delphi, diff, div, dos, dot, e, ecmascript, eiffel, email, epc, erlang, euphoria, f1, falcon, fo, fortran, freebasic, freeswitch, fsharp, gambas, gdb, genero, genie, gettext, glsl, gml, gnuplot, go, groovy, gwbasic, haskell, haxe, hicest, hq9plus, html4strict, html5, icon, idl, ini, inno, intercal, io, j, java, java5, javascript, jquery, kixtart, klonec, klonecpp, latex, lb, ldif, lisp, llvm, locobasic, logtalk, lolcode, lotusformulas, lotusscript, lscript, lsl2, lua, m68k, magiksf, make, mapbasic, matlab, mirc, mmix, modula2, modula3, mpasm, mxml, mysql, nagios, netrexx, newlisp, nsis, oberon2, objc, objeck, ocaml, ocaml-brief, octave, oobas, oorexx, oracle11, oracle8, oxygene, oz, parasail, parigp, pascal, pcre, per, perl, perl6, pf, php, php-brief, pic16, pike, pixelbender, pli, plsql, postgresql, povray, powerbuilder, powershell, proftpd, progress, prolog, properties, providex, purebasic, pycon, pys60, python, q, qbasic, rails, rebol, reg, rexx, robots, rpmspec, rsplus, ruby, sas, scala, scheme, scilab, sdlbasic, smalltalk, smarty, spark, sparql, sql, stonescript, systemverilog, tcl, teraterm, text, thinbasic, tsql, typoscript, unicon, upc, urbi, uscript, vala, vb, vbnet, vedit, verilog, vhdl, vim, visualfoxpro, visualprolog, whitespace, whois, winbatch, xbasic, xml, xorg_conf, xpp, yaml, z80, zxbasic


{"AuthUser": "user", "AuthUserPw": "test", "BackendURL": "https://ubik.test.com/UBIK/DEV/AUTH_SERVICE/", "IdpURL": "https://idp.com/idpssoinit?metaAlias=ubik;spEntityID=ubik", "IdpLogoutURL": "", "IsPivotEnabled": false, "Env_Broadcast" : null, "Env_Data": null}
  • Integrate client configuration in profile:
  <InternalSSOSettings>
    <EnableSSO>true</EnableSSO>  
    <SSOConfiguration>
      ...
    </SSOConfiguration>
    <SSOProtocol>SAML</SSOProtocol>
  </InternalSSOSettings>


See also

Retrieved from "https://wiki.augmensys.com/index.php?title=HowTo:Integrate_UBIK_in_an_SSO_Environment&oldid=24171"