Difference between revisions of "Federated Authentication in QPR UI"

From Mea Wiki
Jump to navigation Jump to search
Line 1: Line 1:
It's possible to authenticate to QPR MobileDashboard using federated authentication by SAML 2.0 protocol (more information: https://en.wikipedia.org/wiki/SAML_2.0). SAML 2.0 enables to use any compatible identity provider, such as Microsoft Active Directory Federation Services (ADFS). QPR MobileDashboard works as an service provider role (SP) in the configuration.
+
QPR MobileDashboard can be configured to use federated authentication by SAML 2.0 protocol (more information: https://en.wikipedia.org/wiki/SAML_2.0). SAML 2.0 enables to use any compatible '''identity providers (IdP)''', such as Microsoft Active Directory Federation Services (ADFS) or Shiibboleth (more information: https://wiki.shibboleth.net/confluence/display/SHIB2/Home, https://en.wikipedia.org/wiki/Shibboleth_(Internet2)). QPR MobileDashboard can be configured to work as a '''service provider (SP)'''.
  
 
==QPR MobileDashboard as SAML 2.0 Service Provider==
 
==QPR MobileDashboard as SAML 2.0 Service Provider==
When QPR MobileDashboard is configured as SAML 2.0 service provider, users can authenticate via the configured SAML 2.0 identity provider by clicking "LOG IN USING SSO" button in the login screen. This redirect user to the identity provider for authentication. When the autentication is done, user is redirected back to QPR MobileDashboard and where user is then logged in. Alternatively, QPR MobileDashboard can be configured to redirect automatically to the identity provider, so that users don't even see QPR MobileDashboards login screen.
+
When QPR MobileDashboard is configured as SAML 2.0 service provider, users can authenticate via the configured SAML 2.0 identity provider by clicking "LOG IN USING SSO" button in the login screen. This redirect users to the identity provider for authentication. When the autentication is done, users are redirected back to QPR MobileDashboard and where user is then logged in. Alternatively, QPR MobileDashboard can be configured to redirect automatically to the identity provider, so that users don't need to see QPR MobileDashboard's login screen.
  
When QPR MobileDashboard is configured to an identity provider, QPR MobileDashboard can be used to provide authentication to QPR Suite. This is done using [[Common QPR Authentication|common authentication]].
+
When QPR MobileDashboard has been configured to an identity provider, QPR MobileDashboard will then fully trust information coming from the identity provider. This means also an existence of any usernames.  
  
QPR MobileDashboard creates new users automatically, when a user first time logins to QPR MobileDashboard using SAML 2.0. Note that common QPR authentication doesn't support creating new users, so to QPR Suite, users need to be created beforehand with QPR User Management Client.
+
When QPR MobileDashboard is configured to a SAML 2.0 identity provider, QPR MobileDashboard can be used to provide authentication to QPR Suite. This is done using [[Common QPR Authentication|common authentication]]. Users can open QPR Suite portal by clicking a link in a QPR MobileDashboard view (the link contains the xsession parameter for the common QPR authentication).
 +
 
 +
QPR MobileDashboard creates new users automatically, when a user first time logins to QPR MobileDashboard using SAML 2.0. Note that common QPR authentication doesn't support creating new users, so to QPR Suite users need to be created beforehand with QPR User Management Client.
  
 
==Configuring QPR MobileDashboard as SAML 2.0 Service Provider==
 
==Configuring QPR MobileDashboard as SAML 2.0 Service Provider==
Line 28: Line 30:
 
|The name of the SAML attribute in the assertion that will be used as the user's login name, e.g. "loginname". If the attribute is not given, the NameID of the SAML subject is used. If the user login name in your QPR Suite is the user's email address, the attribute definition is usually not needed. This is the corresponding field for the "User id attribute" in the Federated Authentication Configuration step of the installation.
 
|The name of the SAML attribute in the assertion that will be used as the user's login name, e.g. "loginname". If the attribute is not given, the NameID of the SAML subject is used. If the user login name in your QPR Suite is the user's email address, the attribute definition is usually not needed. This is the corresponding field for the "User id attribute" in the Federated Authentication Configuration step of the installation.
 
|}
 
|}
An alternative way is to is to define the following entries using the QPR MobileDashboard installer. The entries can also be added to the '''CONFIGURATIONENTITY''' table in the QPR MobileDashboard database after installing QPR MobileDashboard.<br>
+
 
 +
An alternative way is to define the following entries using the QPR MobileDashboard installer. The entries can also be added to the '''CONFIGURATIONENTITY''' table in the QPR MobileDashboard database after installing QPR MobileDashboard.
 +
 
 
{| class="wikitable"
 
{| class="wikitable"
 
! KEY_FIELD
 
! KEY_FIELD
Line 46: Line 50:
 
|}
 
|}
  
There is also a following optional setting available:
+
There is also the following optional setting available:
 
{| class="wikitable"
 
{| class="wikitable"
 
! KEY_FIELD
 
! KEY_FIELD
Line 52: Line 56:
 
|-
 
|-
 
|SAML_AUTOMATIC_LOGIN
 
|SAML_AUTOMATIC_LOGIN
|When set to "1", user is automatically redirected from the QPR MobileDashboard login page to the SAML identity provider without the need to click the "LOG IN USING SSO" button.
+
|When set to "1", user is automatically redirected from the QPR MobileDashboard login page to the SAML 2.0 identity provider without the need to click the "LOG IN USING SSO" button. When enabled, users might not even see the QPR MobileDashboard login page.
 
|}
 
|}
 
[[Category: QPR MobileDashboard]]
 
[[Category: QPR MobileDashboard]]

Revision as of 20:37, 29 March 2017

QPR MobileDashboard can be configured to use federated authentication by SAML 2.0 protocol (more information: https://en.wikipedia.org/wiki/SAML_2.0). SAML 2.0 enables to use any compatible identity providers (IdP), such as Microsoft Active Directory Federation Services (ADFS) or Shiibboleth (more information: https://wiki.shibboleth.net/confluence/display/SHIB2/Home, https://en.wikipedia.org/wiki/Shibboleth_(Internet2)). QPR MobileDashboard can be configured to work as a service provider (SP).

QPR MobileDashboard as SAML 2.0 Service Provider

When QPR MobileDashboard is configured as SAML 2.0 service provider, users can authenticate via the configured SAML 2.0 identity provider by clicking "LOG IN USING SSO" button in the login screen. This redirect users to the identity provider for authentication. When the autentication is done, users are redirected back to QPR MobileDashboard and where user is then logged in. Alternatively, QPR MobileDashboard can be configured to redirect automatically to the identity provider, so that users don't need to see QPR MobileDashboard's login screen.

When QPR MobileDashboard has been configured to an identity provider, QPR MobileDashboard will then fully trust information coming from the identity provider. This means also an existence of any usernames.

When QPR MobileDashboard is configured to a SAML 2.0 identity provider, QPR MobileDashboard can be used to provide authentication to QPR Suite. This is done using common authentication. Users can open QPR Suite portal by clicking a link in a QPR MobileDashboard view (the link contains the xsession parameter for the common QPR authentication).

QPR MobileDashboard creates new users automatically, when a user first time logins to QPR MobileDashboard using SAML 2.0. Note that common QPR authentication doesn't support creating new users, so to QPR Suite users need to be created beforehand with QPR User Management Client.

Configuring QPR MobileDashboard as SAML 2.0 Service Provider

The preferred way to configure QPR MobileDashboard to work as a SAML 2.0 service provider is to define the following entries using the QPR MobileDashboard installer. The entries can also be added to the CONFIGURATIONENTITY table in the QPR MobileDashboard database after installing QPR MobileDashboard.

KEY_FIELD VALUE_FIELD
SAML_CONSUMER_URL "<Location of your QPR MobileDashboard installation>/EnticeServices/rest/authenticate/saml", e.g. "http://localhost:8080/EnticeServices/rest/authenticate/saml". This is the corresponding field for the "SAML consumer URL" in the Federated Authentication Configuration step of the installation.
SAML_METADATA_URL "<The metadata URL of the identity provider>", e.g. "https://your.federated.identity.provider.com/saml/metadata". This is the corresponding field for the "Federation metadata URL" in the Federated Authentication Configuration step of the installation.
SAML_SERVER_ENTITY_IDENTIFIER "<The server entity identifier URL>", e.g. "http://your.federated.identity.provider.com/services/trust". This entry is used if the metadata contains multiple server entries. This is the corresponding field for the "Server entity identifier" in the Federated Authentication Configuration step of the installation.
SAML_USER_ID_ATTRIBUTE The name of the SAML attribute in the assertion that will be used as the user's login name, e.g. "loginname". If the attribute is not given, the NameID of the SAML subject is used. If the user login name in your QPR Suite is the user's email address, the attribute definition is usually not needed. This is the corresponding field for the "User id attribute" in the Federated Authentication Configuration step of the installation.

An alternative way is to define the following entries using the QPR MobileDashboard installer. The entries can also be added to the CONFIGURATIONENTITY table in the QPR MobileDashboard database after installing QPR MobileDashboard.

KEY_FIELD VALUE_FIELD
SAML_CONSUMER_URL "<Location of your QPR MobileDashboard installation>/EnticeServices/rest/authenticate/saml", e.g. "http://localhost:8080/EnticeServices/rest/authenticate/saml". This is the corresponding field for the "SAML consumer URL" in the Federated Authentication Configuration step of the installation.
SAML_REDIRECT_URL "<The redirect URL of the identity provider>", e.g. "https://your.federated.identity.provider.com/saml/http-post/sso". This is the corresponding field for the "Federated authentication provider's redirect URL" in the Federated Authentication Configuration step of the installation.
SAML_SIGNING_CERTIFICATE "<X.509 Certificate>". This is the corresponding field for the "Federated authentication provider's signing certificate" in the Federated Authentication Configuration step of the installation.
SAML_USER_ID_ATTRIBUTE The name of the SAML attribute in the assertion that will be used as the user's login name, e.g. "loginname". If the attribute is not given, the NameID of the SAML subject is used. If the user login name in your QPR Suite is the user's email address, the attribute definition is usually not needed. This is the corresponding field for the "User id attribute" in the Federated Authentication Configuration step of the installation.

There is also the following optional setting available:

KEY_FIELD VALUE_FIELD
SAML_AUTOMATIC_LOGIN When set to "1", user is automatically redirected from the QPR MobileDashboard login page to the SAML 2.0 identity provider without the need to click the "LOG IN USING SSO" button. When enabled, users might not even see the QPR MobileDashboard login page.
Retrieved from "https://wiki.onqpr.com/mea/index.php?title=Federated_Authentication_in_QPR_UI&oldid=4173"