Difference between revisions of "Federated Authentication in QPR UI"
| Line 51: | Line 51: | ||
|SAML_REDIRECT_URL | |SAML_REDIRECT_URL | ||
|Federated authentication provider's redirect URL | |Federated authentication provider's redirect URL | ||
| − | | | + | |The redirect URL of the identity provider. QPR MobileDashdoard redirects user to this url when user needs to be authenticated, e.g. '''<nowiki>https://your.federated.identity.provider.com/saml/http-post/sso</nowiki>'''. |
|- | |- | ||
|SAML_SIGNING_CERTIFICATE | |SAML_SIGNING_CERTIFICATE | ||
|Federated authentication provider's signing certificate | |Federated authentication provider's signing certificate | ||
| − | | | + | |X.509 Certificate. |
|} | |} | ||
| Line 66: | Line 66: | ||
|SAML_CONSUMER_URL | |SAML_CONSUMER_URL | ||
|SAML consumer URL | |SAML consumer URL | ||
| − | | | + | |Url that the identity provider uses when redirecting back to QPR MobileDashboard. Use url with following form: '''<Location of your QPR MobileDashboard installation>/EnticeServices/rest/authenticate/saml''', e.g. '''<nowiki>http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml</nowiki>'''. |
|- | |- | ||
|SAML_USER_ID_ATTRIBUTE | |SAML_USER_ID_ATTRIBUTE | ||
Revision as of 09:06, 4 April 2017
QPR MobileDashboard can be configured to use federated authentication by SAML 2.0 protocol. When using federated authentication, QPR MobileDashboard works as a service provider (SP), and enables to use compatible external identity providers (IdP), such as Microsoft Active Directory Federation Services (ADFS) or Shibboleth. See more information from the links in the bottom of the page.
QPR MobileDashboard as SAML 2.0 Service Provider
When QPR MobileDashboard is configured as SAML 2.0 service provider, users can authenticate to QPR MobileDashboard via the configured SAML 2.0 identity provider by clicking "LOG IN USING SSO" button in the login screen. This redirects users to the identity provider for authentication. When the autentication is done, users are redirected back to QPR MobileDashboard and where user is then logged in. Alternatively, QPR MobileDashboard can be configured automatically to redirect to the identity provider, so that users don't need to see QPR MobileDashboard's login screen.
When using federated authentication, QPR MobileDashboard can also be used to provide authentication to QPR Suite. This requires to configure common authentication. After the federated authentication to QPR MobileDashboard, users can open QPR Suite portal by clicking a link in a QPR MobileDashboard view (the link contains the xsession parameter for the common QPR authentication).
QPR MobileDashboard creates new users automatically, when a user first time logins to QPR MobileDashboard using SAML 2.0. Unlike federated authentication, common QPR authentication doesn't support creating new users, so QPR Suite users need to be created beforehand with QPR User Management Client. Note that user accounts are always matched between the systems using the username.
When working as a SAML 2.0 service provider, QPR MobileDashboard doesn't currently support passing user metadata, such as full name, email or groups.
When QPR MobileDashboard has been configured to an identity provider, QPR MobileDashboard will fully trust information coming from the identity provider.
Configuring QPR MobileDashboard as SAML 2.0 Service Provider
User id attribute field can be left blank in most scenarios where the login names used in the organization are your local domain email addresses. In these scenarios, the NameID of the SAML subject is used as User ID. In other scenarios, please enter the name of the SAML attribute in the assertion. The related values will be used as user's login names. Select Automatic federated authentication check box if users must be automatically redirected to the identity provider's login page as they enter the QPR MobileDashboard login page.
There are two Federated Authentication Configuration scenarios available. Select an option that’s available in your organization:
- Using metadata: Enter the metadata URL to the Federation metadata URL field, e.g. "https://<your_federated_identity_provider_servername>/<path>/<metadata_file_name>.xml". If it’s known that the metadata contains multiple server entries, the Server entity identifier field must also be filled. The input is a server entity identifier URL, e.g. "http://<your_federated_identity_provider_servername>/services/trust".
- Using a public key: Enter the redirect URL to the Federated authentication provider's redirect URL field, e.g. "https://<your_federated_identity_provider_servername>/saml/http-post/sso". Fill in the Federated authentication provider's signing certificate field with <X.509 Certificate> contents. The input item is the actual encoded public key contents.
For both SSO configuration scenarios, the SAML consumer URL should be defined, e.g. "http(s)://<your_QPR_MobileDashboard_servername>:8080/EnticeServices/rest/authenticate/saml"
Using metadata
The following entries can be defined either
- using the QPR MobileDashboard installer during the installation
- after the installation adding to the CONFIGURATIONENTITY table in the QPR MobileDashboard database.
| KEY_FIELD | Installer field | VALUE_FIELD |
|---|---|---|
| SAML_METADATA_URL | Federation metadata URL | "<The metadata URL of the identity provider>", e.g. https://your.federated.identity.provider.com/saml/metadata. |
| SAML_SERVER_ENTITY_IDENTIFIER | Server entity identifier | "<The server entity identifier URL>", e.g. "http://your.federated.identity.provider.com/services/trust". |
Using a public key
An alternative way is to define the following entries.
| KEY_FIELD | Installer field | VALUE_FIELD |
|---|---|---|
| SAML_REDIRECT_URL | Federated authentication provider's redirect URL | The redirect URL of the identity provider. QPR MobileDashdoard redirects user to this url when user needs to be authenticated, e.g. https://your.federated.identity.provider.com/saml/http-post/sso. |
| SAML_SIGNING_CERTIFICATE | Federated authentication provider's signing certificate | X.509 Certificate. |
There is also the following optional setting available:
| KEY_FIELD | Installer field | VALUE_FIELD |
|---|---|---|
| SAML_CONSUMER_URL | SAML consumer URL | Url that the identity provider uses when redirecting back to QPR MobileDashboard. Use url with following form: <Location of your QPR MobileDashboard installation>/EnticeServices/rest/authenticate/saml, e.g. http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml. |
| SAML_USER_ID_ATTRIBUTE | User id attribute | The name of the SAML attribute in the assertion that will be used as the user's login name, e.g. "loginname". If the attribute is not given, the NameID of the SAML subject is used. If the user login name in your QPR Suite is the user's email address, the attribute definition is usually not needed. |
| SAML_AUTOMATIC_LOGIN | Automatic federated authentication | When set to "1", user is automatically redirected from the QPR MobileDashboard login page to the SAML 2.0 identity provider without the need to click the LOG IN USING SSO button. When enabled, users might not even see the QPR MobileDashboard login page during authentication. |
References
- General information about federated authentication: https://en.wikipedia.org/wiki/Federated_identity
- General information about SAML 2.0: https://en.wikipedia.org/wiki/SAML_2.0
- General information about Shibboleth: https://en.wikipedia.org/wiki/Shibboleth_(Internet2)
- Shibboleth documentation: https://wiki.shibboleth.net/confluence/display/SHIB2/Home
- General information about ADFS: https://msdn.microsoft.com/en-us/library/bb897402.aspx
- ADFS documentation: https://en.wikipedia.org/wiki/Active_Directory_Federation_Services