Federated Authentication in QPR UI

From Mea Wiki
Latest revision as of 14:59, 24 June 2020

QPR UI can be configured to use federated authentication based on the SAML 2.0 protocol. In federated authentication QPR UI acts as a service provider (SP) and can use any compatible external identity provider (IdP), such as Microsoft Active Directory Federation Services (ADFS) or Shibboleth. For federated authentication to work, Common QPR Authentication must also be configured. See the links at the bottom of the page for more information.

QPR UI as SAML 2.0 Service Provider

When QPR UI is configured as a SAML 2.0 service provider (SP), users authenticate to QPR UI via the configured SAML 2.0 identity provider (IdP) by clicking the Log in Using SSO button in the login screen. This redirects the user to the identity provider for authentication; when authentication is done, the identity provider redirects the user back to QPR UI, where the user is then logged in. Alternatively, QPR UI can be configured to redirect to the identity provider automatically, so that users never see the QPR UI login screen.

When a user logs in to QPR UI using federated authentication, the user's information is updated, or a new user is created automatically, in QPR UI, QPR Suite and/or QPR ProcessAnalyzer. In addition, the user's group memberships are updated in QPR Suite and/or QPR ProcessAnalyzer for those groups whose names match between the SAML 2.0 assertion and QPR Suite / QPR ProcessAnalyzer. When a new user is created in QPR Suite, the Inherit licences from groups and Inherit permissions from groups settings are set automatically, so that the user's permissions come from the groups. For instructions on defining which groups and which user information are updated, see the Configuring QPR UI as SAML 2.0 Service Provider section below.

Further notes regarding federated authentication:

  • User accounts and groups are matched between the systems by user name and group name.
  • For federated authentication to work, Common QPR Authentication must also be configured. Federated authentication only authenticates the user to QPR UI; to authenticate the user further to QPR Suite or QPR ProcessAnalyzer, the common QPR authentication must be functional.
  • When QPR UI has been configured to use an identity provider, QPR UI fully trusts the information coming from that identity provider: any user name, full name, e-mail address and group list the IdP asserts is accepted and provisioned as described above. Protect the IdP accordingly, and make sure the signing certificate QPR UI trusts (from the metadata or from SAML_SIGNING_CERTIFICATE) is the intended IdP's.
  • The logout request to the IdP (single logout) is currently not supported by QPR UI, so logging out of QPR UI does not end the user's session at the IdP.
  • By default, QPR UI does not sign SAML AuthnRequests (see the SAML_REQUEST_SIGNING_KEY setting to enable signing). SAML assertions must be signed by the IdP; unsigned assertions are not accepted by QPR UI.

When using federated authentication, QPR UI can also be used to provide authentication to QPR Suite. This requires configuring common authentication. After federated authentication to QPR UI, users can open the QPR Suite portal by clicking a link in a QPR UI view (the link contains the xsession parameter for the common QPR authentication).

Configuring QPR UI as SAML 2.0 Service Provider

There are two configuration scenarios for federated authentication: using metadata or using a public key. Each scenario has its own settings, listed in the tables below. The last table contains the common settings that apply to both scenarios.

The configuration entries listed below can be defined either

  • using the QPR UI installer during the QPR UI installation (only some of the settings are available in the installer), or
  • after the QPR UI installation, by adding them as rows to the CONFIGURATIONENTITY table in the QPR UI database.

For each entry, the tables below give the database field name (the entry's key in the CONFIGURATIONENTITY table), the corresponding installer field name in the Federated Authentication Configuration step of the installer where one exists, and a description. Entries without an installer field name can only be added to the database.

Setup When Using Metadata

Federated authentication can be configured to use SAML 2.0 metadata when the identity provider publishes it as an XML document over HTTP(S).

  • SAML_METADATA_URL (installer field: Federation metadata URL)
    The metadata URL of the identity provider, for example https://your.federated.identity.provider.com/saml/metadata. Check that the metadata can be opened from the configured link: it is an XML document, so it should start with <?xml version="1.0" encoding="UTF-8"?> followed by an EntityDescriptor element. Use an https URL: QPR UI takes the IdP's redirect URL and signing certificate from this document, so whoever can alter what is served at this URL decides which assertions QPR UI accepts.
  • SAML_SERVER_ENTITY_IDENTIFIER (installer field: Server entity identifier)
    The entity ID of the identity provider to use when the federation metadata contains multiple identity providers. Not mandatory if the metadata contains only one. In federation metadata, each EntityDescriptor element represents one identity provider, so you can count the available identity providers, and read their IDs, from the entityID attributes of the EntityDescriptor elements.

Setup When Using Public Key

The settings SAML_REDIRECT_URL and SAML_SIGNING_CERTIFICATE below are used only when SAML_METADATA_URL is not configured: if a metadata URL is provided, QPR UI reads the redirect URL and the signing certificate from the metadata instead.

  • SAML_REDIRECT_URL (installer field: Federated authentication provider's redirect URL)
    The single sign-on URL of the identity provider. QPR UI redirects the user to this URL when the user needs to be authenticated, e.g. https://your.federated.identity.provider.com/saml/http-post/sso. Mandatory when using the public key method.
  • SAML_SIGNING_CERTIFICATE (installer field: Federated authentication provider's signing certificate)
    The X.509 certificate with which the identity provider signs its SAML assertions, given as the Base64-encoded certificate contents (the body of the PEM file, i.e. public key material, not a private key). Since QPR UI only accepts assertions signed by the IdP, take this certificate from the IdP directly, and update it when the IdP rotates its signing certificate. Mandatory when using the public key method.
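The checks described in the metadata and public key sections above, as an added Python example (this is not QPR UI's code, and QPR UI's own metadata handling is not published on this page). It verifies that SAML_METADATA_URL is an https URL, lists the identity providers in a metadata document (EntityDescriptor elements that carry an IDPSSODescriptor), enforces the SAML_SERVER_ENTITY_IDENTIFIER rule when the document lists more than one, and extracts the single sign-on locations and signing certificates that QPR UI reads from the metadata, which are also the values you would otherwise place in SAML_REDIRECT_URL and SAML_SIGNING_CERTIFICATE. The metadata document is constructed for the example and the certificate contents are placeholders. The page does not say which SAML binding QPR UI uses for the AuthnRequest, so the example returns the location for every binding the IdP lists.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample federation metadata with two identity providers.
# The X509Certificate contents are placeholders, not real certificates.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                       xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <md:EntityDescriptor entityID="https://idp-a.example.com/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
          MIIBplaceholderA
          CertificateA==
        </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                              Location="https://idp-a.example.com/saml/redirect/sso"/>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp-a.example.com/saml/http-post/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp-b.example.com/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor>
        <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBplaceholderB==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                              Location="https://idp-b.example.com/saml/http-post/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def check_metadata_url(url):
    """Return the problems found with a SAML_METADATA_URL value (empty list = OK)."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":
        # The IdP signing certificate is taken from this document: over plain
        # http anyone on the network path could substitute their own certificate.
        problems.append("metadata URL must use https")
    if not parts.netloc:
        problems.append("metadata URL has no host")
    return problems


def _parse(metadata_xml):
    """Parse the document and reject anything that is not SAML metadata."""
    root = ET.fromstring(metadata_xml.encode("utf-8"))
    if root.tag not in (f"{{{MD}}}EntityDescriptor", f"{{{MD}}}EntitiesDescriptor"):
        raise ValueError(f"not SAML metadata: root element is {root.tag}")
    return root


def list_idps(metadata_xml):
    """entityIDs of all identity providers in the document (one EntityDescriptor = one IdP)."""
    root = _parse(metadata_xml)
    return [e.get("entityID") for e in root.iter(f"{{{MD}}}EntityDescriptor")
            if e.find(f"{{{MD}}}IDPSSODescriptor") is not None]


def idp_settings(metadata_xml, server_entity_identifier=None):
    """Select the IdP the way SAML_SERVER_ENTITY_IDENTIFIER does and return what QPR UI reads from it."""
    root = _parse(metadata_xml)
    idps = {e.get("entityID"): e for e in root.iter(f"{{{MD}}}EntityDescriptor")
            if e.find(f"{{{MD}}}IDPSSODescriptor") is not None}
    if not idps:
        raise ValueError("metadata contains no identity provider")
    if server_entity_identifier is None:
        if len(idps) > 1:
            raise ValueError("metadata lists several identity providers; set "
                             "SAML_SERVER_ENTITY_IDENTIFIER to one of: " + ", ".join(idps))
        (entity_id, descriptor), = idps.items()
    elif server_entity_identifier in idps:
        entity_id, descriptor = server_entity_identifier, idps[server_entity_identifier]
    else:
        raise ValueError(f"no identity provider with entityID {server_entity_identifier!r}")
    sso = descriptor.find(f"{{{MD}}}IDPSSODescriptor")
    # Location per binding: the value SAML_REDIRECT_URL would otherwise hold.
    endpoints = {s.get("Binding"): s.get("Location")
                 for s in sso.findall(f"{{{MD}}}SingleSignOnService")}
    # Certificates usable for signing: the value SAML_SIGNING_CERTIFICATE would hold.
    # A KeyDescriptor without a 'use' attribute may be used for both signing and encryption.
    certs = ["".join((c.text or "").split())
             for kd in sso.findall(f"{{{MD}}}KeyDescriptor")
             if kd.get("use", "signing") == "signing"
             for c in kd.iter(f"{{{DS}}}X509Certificate")]
    return {"entity_id": entity_id, "sso": endpoints, "signing_certificates": certs}
```

Run idp_settings against the real metadata URL's contents before going live: if it raises because several identity providers are listed, that is exactly the case in which SAML_SERVER_ENTITY_IDENTIFIER is mandatory, and the entityIDs in the error message are the valid values for it.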

Common configuration entries

The following settings apply to both configuration scenarios:

  • SAML_CONSUMER_URL (installer field: SAML consumer URL)
    The URL to which the identity provider sends the user back after authentication. Use the form <Location of your QPR UI installation>/EnticeServices/rest/authenticate/saml, e.g. http://SERVERNAME/EnticeServices/rest/authenticate/saml. Use the same scheme (http or https), host name and port that you register at the identity provider (see the ADFS and Azure AD sections below); otherwise the IdP posts its response to a different URL than the one QPR UI expects. Mandatory for federated authentication to work.
  • SAML_USER_ID_ATTRIBUTE (installer field: User id attribute)
    The name of the SAML attribute in the assertion that is used as the user's login name. If this setting is missing or empty, the saml:Assertion > saml:Subject > saml:NameID element of the assertion is used. If it is set, the matching saml:Assertion > saml:AttributeStatement > saml:Attribute element is used (matched on the Name attribute of the saml:Attribute element). Note that saml:NameID is a different element from the ordinary SAML attributes, which are defined with saml:Attribute elements.
  • SAML_AUTOMATIC_LOGIN (installer field: Automatic federated authentication)
    When set to 1, the user is redirected automatically from the QPR UI login page to the identity provider without clicking the Log in Using SSO button; users might then never see the QPR UI login page. Set to 0 to disable the automatic redirection. By default, automatic redirection is disabled.
  • FEDERATEDLY_MANAGED_GROUPS (database only)
    A JSON string array of the group names that federated authentication manages, for example ["group1", "group 2", "group\"3"]. Other groups are managed locally in QPR Suite or QPR ProcessAnalyzer user management, and federated authentication does not change the user's membership in them. If the value is empty (NULL), or the FEDERATEDLY_MANAGED_GROUPS entry is not in the database at all, all groups are managed by federated authentication. If the value is an empty list ([]), no groups are managed by federated authentication.
  • SAML_USER_FULLNAME_ATTRIBUTE (database only)
    Name of the attribute in the SAML 2.0 assertion that is mapped to the user's full name in QPR user management. If this entry does not exist in the database, the attribute is not mapped. If the entry exists, it must not be NULL or an empty string. In the assertion, attributes are the saml:Assertion > saml:AttributeStatement > saml:Attribute elements (matched on the Name attribute of the saml:Attribute element).
  • SAML_USER_EMAIL_ATTRIBUTE (database only)
    Name of the attribute in the SAML 2.0 assertion that is mapped to the user's e-mail address in QPR user management. If this entry does not exist in the database, the attribute is not mapped. If the entry exists, it must not be NULL or an empty string. Matching works as for SAML_USER_FULLNAME_ATTRIBUTE.
  • SAML_USER_GROUPS_ATTRIBUTE (database only)
    Name of the attribute in the SAML 2.0 assertion that is mapped to the user's group names in QPR user management. If this entry does not exist in the database, the attribute is not mapped and users are neither added to nor removed from any groups. If the entry exists, it must not be NULL or an empty string. Matching works as for SAML_USER_FULLNAME_ATTRIBUTE.
  • SAML_USER_DESCRIPTION_ATTRIBUTE (database only)
    Name of the attribute in the SAML 2.0 assertion that is mapped to the user's description in QPR user management. If this entry does not exist in the database, the attribute is not mapped. If the entry exists, it must not be NULL or an empty string. Matching works as for SAML_USER_FULLNAME_ATTRIBUTE.
  • SAML_REQUEST_SIGNING_KEY (database only)
    When this entry is set, QPR UI signs its SAML AuthnRequests with the private key stored in the entry. The key must be in PKCS#8 PEM format. Register the matching certificate (public key) at the IdP so that it can verify the signatures; never copy the private key itself to the IdP, and treat this database row as a secret, since it is a private key. This entry is optional; by default QPR UI does not sign SAML requests.
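The provisioning rules that the common settings describe, as an added Python example (this is not QPR UI's code; how QPR UI itself implements them is not shown on this page). It takes the CONFIGURATIONENTITY entries as a dictionary, picks the login name from saml:Subject > saml:NameID or from the attribute named in SAML_USER_ID_ATTRIBUTE, maps the full name, e-mail and group attributes, and computes which group memberships change under the FEDERATEDLY_MANAGED_GROUPS rules (entry missing or NULL: all groups; []: no groups; only groups that exist in QPR Suite are touched, others are left alone). The assertion, the configuration and the QPR Suite group lists are constructed for the example; the attribute names are the claim type URIs that the ADFS rule later on this page issues. The ds:Signature check only confirms that a signature element is present; it does not verify the signature, which a real service provider must do against the IdP's signing certificate.

```python
import json
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed CONFIGURATIONENTITY rows (database field name -> value).
CONFIG = {
    "SAML_USER_ID_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "SAML_USER_FULLNAME_ATTRIBUTE": "http://schemas.xmlsoap.org/claims/CommonName",
    "SAML_USER_EMAIL_ATTRIBUTE": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "SAML_USER_GROUPS_ATTRIBUTE": "http://schemas.xmlsoap.org/claims/Group",
    "FEDERATEDLY_MANAGED_GROUPS": '["Analysts", "Managers", "Finance"]',
}

# Constructed assertion carrying the claim types the ADFS rule on this page issues.
# The ds:Signature element is a placeholder, not a real signature.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2020-06-24T12:00:00Z">
  <saml:Issuer>https://idp-a.example.com/saml</saml:Issuer>
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/CommonName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Analysts</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed QPR Suite state: groups that exist there, and the user's current memberships.
QPR_GROUPS = {"Analysts", "Managers", "Finance", "Sales", "LocalAdmins"}
CURRENT_MEMBERSHIPS = {"Managers", "LocalAdmins"}


def attribute_setting(config, key):
    """An attribute-name entry may be absent (attribute not mapped), but if present it must not be NULL or empty."""
    if key not in config:
        return None
    if config[key] is None or config[key] == "":
        raise ValueError(f"{key} must not be NULL or an empty string")
    return config[key]


def managed_groups(config):
    """FEDERATEDLY_MANAGED_GROUPS: None (entry missing or NULL) means all groups; a set means only those."""
    raw = config.get("FEDERATEDLY_MANAGED_GROUPS")
    if raw is None:
        return None
    names = json.loads(raw)
    if not isinstance(names, list) or not all(isinstance(n, str) for n in names):
        raise ValueError("FEDERATEDLY_MANAGED_GROUPS must be a JSON array of strings")
    return set(names)


def attribute_values(assertion, name):
    """Values of the saml:Attribute whose Name attribute equals the configured name."""
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        if attr.get("Name") == name:
            return [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
    return []


def login_name(assertion, config):
    """SAML_USER_ID_ATTRIBUTE set: that saml:Attribute; missing or empty: saml:Subject > saml:NameID."""
    id_attr = config.get("SAML_USER_ID_ATTRIBUTE")
    if id_attr:
        values = attribute_values(assertion, id_attr)
        if not values:
            raise ValueError(f"assertion carries no attribute named {id_attr!r}")
        return values[0]
    name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no saml:Subject > saml:NameID")
    return name_id.text


def plan_group_changes(asserted, current, existing, managed):
    """Memberships to add and remove: only groups that exist in QPR Suite and are federatedly managed change."""
    candidates = existing if managed is None else existing & managed
    return (candidates & asserted) - current, (candidates & current) - asserted


def provision(assertion_xml, config, current, existing):
    """The user record and the membership changes that a login with this assertion produces."""
    assertion = ET.fromstring(assertion_xml)
    if assertion.find(f"{{{DS}}}Signature") is None:   # presence only; a real SP verifies the signature
        raise ValueError("unsigned assertion rejected")
    user = {"username": login_name(assertion, config)}
    for key, field in (("SAML_USER_FULLNAME_ATTRIBUTE", "fullname"),
                       ("SAML_USER_EMAIL_ATTRIBUTE", "email"),
                       ("SAML_USER_DESCRIPTION_ATTRIBUTE", "description")):
        name = attribute_setting(config, key)
        if name is not None:
            values = attribute_values(assertion, name)
            user[field] = values[0] if values else None
    groups_attr = attribute_setting(config, "SAML_USER_GROUPS_ATTRIBUTE")
    if groups_attr is None:     # not mapped: nobody is added to or removed from any group
        return user, set(), set()
    add, remove = plan_group_changes(set(attribute_values(assertion, groups_attr)),
                                     current, existing, managed_groups(config))
    return user, add, remove
```

With the constructed data, Sales is asserted by the IdP but not in FEDERATEDLY_MANAGED_GROUPS, so the user is not added to it, and LocalAdmins is kept for the same reason; Managers is managed, exists in QPR Suite and is no longer asserted, so it is removed. Dropping the FEDERATEDLY_MANAGED_GROUPS row changes the result to "every existing group follows the IdP", which is the default the page describes.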

Using ADFS as Identity Provider

ADFS (Active Directory Federation Services) can be used as an identity provider for logging in to QPR UI. For the ADFS setup, follow the relying party trust guide at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust with the following notes:

  • Step 4: Select the option Enter data about the relying party manually, as QPR UI does not publish service provider metadata.
  • Step 5: The name can be chosen freely.
  • Step 7: Disable the option Enable support for the WS-Federation Passive protocol. Select the option Enable support for the SAML 2.0 WebSSO protocol and define the URL https://SERVERNAME/EnticeServices/rest/authenticate/saml, where SERVERNAME is the QPR UI server host name. This must be the same URL as in the SAML_CONSUMER_URL setting.
  • Step 8: Define the URL https://SERVERNAME/EnticeServices/rest/authenticate/saml, where SERVERNAME is the QPR UI server host name.
  • Step 11: Select the option Configure claims issuance policy for this application.

Example: a custom claims issuance rule that reads the user's userPrincipalName, displayName, mail and tokenGroups from Active Directory and issues them as the UPN, CommonName, emailaddress and Group claims. ADFS places these claims in the SAML assertion as saml:Attribute elements whose Name is the claim type URI, so these URIs are the values to use in SAML_USER_ID_ATTRIBUTE, SAML_USER_FULLNAME_ATTRIBUTE, SAML_USER_EMAIL_ATTRIBUTE and SAML_USER_GROUPS_ATTRIBUTE:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,displayName,mail,tokenGroups;{0}", param = c.Value);

Using Azure AD as Identity Provider

Azure Active Directory (AD) can be used as an identity provider for logging in to QPR UI. The configuration scenario (discussed above) for Azure AD is to use metadata. The following configuration is needed:

  1. Log in to https://portal.azure.com, click Azure Active Directory, click App registrations and click New application registration.
  2. Define a Name for the application, such as "QPR UI". Select Web app / API as the Application type. Define the Sign-on URL as http://SERVERNAME/EnticeServices/rest/authenticate/saml, where SERVERNAME is the name of your QPR UI server; the scheme (http or https) and the port must match your QPR UI installation and the SAML_CONSUMER_URL setting.
  3. When the Azure application has been created, open Properties in the application's settings.
  4. Click Azure Active Directory, click App registrations and click Endpoints. Copy the contents of the Federation Metadata Document field and configure it as the QPR UI SAML_METADATA_URL setting (discussed above).

More information about Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/

References

  • General information about federated authentication: https://en.wikipedia.org/wiki/Federated_identity
  • General information about SAML 2.0: https://en.wikipedia.org/wiki/SAML_2.0
  • General information about Shibboleth: https://en.wikipedia.org/wiki/Shibboleth_(Internet2)
  • Shibboleth documentation: https://wiki.shibboleth.net/confluence/display/SHIB2/Home
  • General information about ADFS: https://en.wikipedia.org/wiki/Active_Directory_Federation_Services
  • ADFS documentation: https://msdn.microsoft.com/en-us/library/bb897402.aspx