| Back | Main view
Single sign on configuration using generic SAML2 plugin
| Product: | IMiS/ARChive |
| Release: | Since 10.3.2210 |
| Date: | 08/31/2023 |
Case:
Generic SAML2 plugin enables single sign on authentication method, using external identity provider (IDP). In this article we present different configuration examples, how to configure generic SAML2 plugin to establish single sign on.
Description:
Generic SAML2 plugin validates security token end extract information from it to resolve IMiS ARChive user identity. Plugin is configured with xml configuration tags, which are listed in next sections:
Network related xml tags:
- "<ConnectionTimeout>": connection timeout in milliseconds (default 30000 milliseconds).
- "<ReadTimeout>": read response timeout in milliseconds (default 30000 milliseconds).
- "<HttpUserAgent>": "User-Agent" http header value (default is not present).
- "<SSLKSType>": SSL keystore type (supports all keystore types from Java).
- "<SSLKSFile>": SSL keystore full path.
- "<SSLKSPassword>": SSL keystore password.
- "<SSLTSType>": SSL truststore type (supports all truststore types from Java). Use "IAKS" type for using internal certificate store from IMiS ARChive Server.
- "<SSLTSFile>": SSL truststore full path. If "IAKS" type is used, tag is omitted.
- "<SSLTSPassword>": SSL truststore password. If "IAKS" type is used, tag is omitted.
- "<SSLProtocols>": supported SSL protocols. Multiple values must be separated with ",". If multiple values are used, they are processed in the same order as they are defined in tag.
- "<Proxy>": represent root tag for proxy support. Tag must contain "<Address>" tag, which represents proxy URL with port. Optionally, there may be "<Username>" and "<Password>" tags if proxy authentication is required.
Clock skew xml tags:
- "<ClockSkew>": Clock skew (in seconds) which is used when SAML2 token time validity is checked (default 0 seconds).
Audience xml tags:
- "<AudienceBlacklist>": List of audience identifications, which are not allowed to be logged in using SAML2 (default empty).
- "<AudienceWhitelist>": List of audience identifications, which are allowed to be logged in using SAML2 (default empty).
If blacklist is defined, then such audience has denied access to SAML2 authentication on IMiS ARChive server. Whitelist must be defined in order to successfully validates SAML2 valid audience. Evaluation order is next: blacklist, whitelist.
Generic SAML2 plugin xml tags:
- "<OfflineIDPMetadata>": Path to offline IDP metadata file.
- "<OnlineIDPMetadata>": Path to online IDP metadata.
- "<EntityID>": Entity id for metadata searching.
- "<SubjectConformationValidRecipient>": List of valid endpoints, which receives SAML2 assertion.
- "<Debug>": True to write debug messages to server log (default to false).
List of SAML2 supported fields for linked identity resolving:
- "int:saml2:Issuer": Issuer identifier.
- "int:saml2:Subject": Subject identifier.
- "int:saml2:EntityX509PEM": X509 signing certificate from IDP metadata.
Combination of "subject" and "issuer" is globally unique identifier across all IDP, and that combination is also preferred by IMiS ARChive plugin configuration. Supported IMiS ARChive plugin configuration fields are next:
- "sys:dir:lid:Subject": Represents linked identity subject.
- "sys:dir:lid:Issuer": Represents linked identity issuer.
- "sys:dir:lid:EntityX509PEM": Represent X509 signing certificate from IDP metadata. If field is present, then IMiS ARChive server will validate certificate against server certificate store.
Each plugin field can also be additionally manipulated by using embedded translation rules and javascript. For details, check linked articles in "related documents" section. Next few examples demonstrate different SAML2 configurations with Auth0 IDP provider.
Example 1: SAML2 plugin configuration with Auth0
<Arguments>
<Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
<EntityId>urn:tenant-id.eu.auth0.com</EntityId>
<OnlineIDPMetadata>https://tenant-id.eu.auth0.com/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
<AudienceWhitelist>urn:auth0:tenant-id:SAML-Auth0-IDP</AudienceWhitelist>
<SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
<Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
<Field key="sys:dir:lid:Issuer" type="string">sys:dir:lid:Issuer</Field>
</Arguments>
Example 2: SAML2 plugin configuration with Auth0 with signing certificate validation
<Arguments>
<Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
<EntityId>urn:tenant-id.eu.auth0.com</EntityId>
<OnlineIDPMetadata>https://tenant-id.eu.auth0.com/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
<AudienceWhitelist>urn:auth0:tenant-id:SAML-Auth0-IDP</AudienceWhitelist>
<SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
<Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
<Field key="sys:dir:lid:Issuer" type="string">sys:dir:lid:Issuer</Field>
<Field key="sys:dir:lid:EntityX509PEM" type="string">int:saml2:EntityX509PEM</Field>
</Arguments>
Example 3: SAML2 plugin configuration with Auth0, which translates linked identity to Auth0 OIDC format
<Arguments>
<Class>com.imis.imisarc.server.aaa.impl.GenericSAML2Validator</Class>
<EntityId>urn:tenant-id.eu.auth0.com</EntityId>
<OnlineIDPMetadata>https://tenant-id.eu.auth0.com/samlp/metadata/tenant-application-id</OnlineIDPMetadata>
<AudienceWhitelist>urn:auth0:tenant-id:SAML-Auth0-IDP</AudienceWhitelist>
<SubjectConformationValidRecipient>https://path-to-saml2-assertion-endpoint</SubjectConformationValidRecipient>
<Field key="sys:dir:lid:Subject" type="string">int:saml2:Subject</Field>
<Field key="sys:dir:lid:Issuer" type="string" script="var oidc_compliant = sys_dir_lid_Issuer[0]; oidc_compliant = oidc_compliant.replace('urn:', 'https://') + '/'; oidc_compliant;">int:saml2:Issuer</Field>
</Arguments>
This configuration translates SAML2 subject/issuer linked identity to Auth0 OIDC format, so that user does not need to link two identities (SAML2 and OIDC) on IMiS ARChive server. With such configuration, user needs to link identity from OIDC, and then it can use SAML2 authentication method with Auth0 IDP. For details check article "Single sign on configuration using generic OpenID Connection plugin".
Related Documents:
https://www.owasp.org/index.php/SAML_Security_Cheat_Sheet
https://auth0.com/blog/how-saml-authentication-works/
https://www.samltool.com/saml_documentation.php
https://en.wikipedia.org/wiki/SAML_2.0
- Generic connector field evaluation using javascript
- Generic connector field evaluation using embedded translation rules
- Single sign on configuration using generic OpenID Connection plugin
| Back | Main view