Difference between revisions of "Federated Authentication in QPR UI"

From Mea Wiki
Jump to navigation Jump to search
Line 79: Line 79:
 
Azure Active Directory (AD) can be used as an identity provider to login to QPR MobileDashboard. This requires following configurations:
 
Azure Active Directory (AD) can be used as an identity provider to login to QPR MobileDashboard. This requires following configurations:
 
# Login to https://portal.azure.com, click "Azure Active Directory", click '''App registrations''' and then click '''New application registration'''.
 
# Login to https://portal.azure.com, click "Azure Active Directory", click '''App registrations''' and then click '''New application registration'''.
# Define '''Name''' for the application, such as "QPR MobileDashboard". Select '''Application type''' to be '''Web app/ API'''. Define '''Sign-on URL''' is '''<nowiki>http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml</nowiki>''' where SERVERNAME is then name of your QPR MobileDashboard server and also http/https protocol matches and the port is the right one.
+
# Define '''Name''' for the application, such as "QPR MobileDashboard". Select '''Application type''' to be '''Web app / API'''. Define '''Sign-on URL''' is '''<nowiki>http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml</nowiki>''' where SERVERNAME is then name of your QPR MobileDashboard server and also http/https protocol matches and the port is the right one.
 
# When the Azure application has been created, from the applications settings click '''Properties'''.
 
# When the Azure application has been created, from the applications settings click '''Properties'''.
 
# Click '''Azure Active Directory''', click '''App registrations''', and then click '''Endpoints'''. The url in the '''Federation Metadata Document''' field will be configured to QPR MobileDashboard SAML_METADATA_URL setting.
 
# Click '''Azure Active Directory''', click '''App registrations''', and then click '''Endpoints'''. The url in the '''Federation Metadata Document''' field will be configured to QPR MobileDashboard SAML_METADATA_URL setting.

Revision as of 11:12, 19 April 2017

QPR MobileDashboard can be configured to use federated authentication by SAML 2.0 protocol. When using federated authentication, QPR MobileDashboard works as a service provider (SP), and enables to use compatible external identity providers (IdP), such as Microsoft Active Directory Federation Services (ADFS) or Shibboleth. See more information from the links in the bottom of the page.

QPR MobileDashboard as SAML 2.0 Service Provider

When QPR MobileDashboard is configured as SAML 2.0 service provider, users can authenticate to QPR MobileDashboard via the configured SAML 2.0 identity provider by clicking "LOG IN USING SSO" button in the login screen. This redirects users to the identity provider for authentication. When the autentication is done, users are redirected back to QPR MobileDashboard and where user is then logged in. Alternatively, QPR MobileDashboard can be configured automatically to redirect to the identity provider, so that users don't need to see QPR MobileDashboard's login screen.

When using federated authentication, QPR MobileDashboard can also be used to provide authentication to QPR Suite. This requires to configure common authentication. After the federated authentication to QPR MobileDashboard, users can open QPR Suite portal by clicking a link in a QPR MobileDashboard view (the link contains the xsession parameter for the common QPR authentication).

QPR MobileDashboard creates new users automatically, when a user first time logins to QPR MobileDashboard using SAML 2.0. Unlike federated authentication, common QPR authentication doesn't support creating new users, so QPR Suite users need to be created beforehand with QPR User Management Client. Note that user accounts are always matched between the systems using the username.

When working as a SAML 2.0 service provider, QPR MobileDashboard doesn't currently support passing user metadata, such as full name, email or groups.

When QPR MobileDashboard has been linked to an identity provider, QPR MobileDashboard will fully trust information coming from the identity provider.

Configuring QPR MobileDashboard as SAML 2.0 Service Provider

There are two configuration scenarios available for the federated authentication: using metadata or using a public key. Both scenarios have their own settings defined in below tables. There are also common settings defined in the last table that are used in the both authentication scenarios.

The configuration entries listed in the tables below, can be defined either

  • using the QPR MobileDashboard installer during the QPR MobileDashboard installation
  • after the QPR MobileDashboard installation by adding to the CONFIGURATIONENTITY table in the QPR MobileDashboard database.

Configuration entries when using metadata

Federated authentication can be configured to use SAML2 metadata if it's available as an XML document through HTTP.

Database field name Installer field name Description
SAML_METADATA_URL Federation metadata URL The metadata URL of the identity provider. Check that the metadata can be opened using the configured link. The metadata is an XML document, so it should start <?xml version="1.0" encoding="UTF-8"?> followed by an EntityDescriptor tag. The metadata URL might look something like https://your.federated.identity.provider.com/saml/metadata.
SAML_SERVER_ENTITY_IDENTIFIER Server entity identifier Use this field to define the identity provider entity ID, if the federation metadata contains multiple identity providers. This field is not mandatory, if the metadata contains only one identity provider. In the federation metadata, a single EntityDescriptor tag represents one identity provider, so you can check the number of available identity providers by checking the federation metadata contents.

Configuration entries when using a public key

The following settings SAML_REDIRECT_URL and SAML_SIGNING_CERTIFICATE are only used when SAML_METADATA_URL is not configured. This is because if metadata url is provided, QPR MobileDashboards reads the redirect url and signing sertificate from the metadata.

Database field name Installer field name Description
SAML_REDIRECT_URL Federated authentication provider's redirect URL The redirect URL of the identity provider. QPR MobileDashdoard redirects user to this url when user needs to be authenticated, e.g. https://your.federated.identity.provider.com/saml/http-post/sso. This setting is mandatotory, when using public key method.
SAML_SIGNING_CERTIFICATE Federated authentication provider's signing certificate The Federated authentication provider's signing certificate field with <X.509 Certificate> contents. The input item is the actual encoded public key contents. This setting is mandatotory, when using public key method.

Common configuration entries

Following settings are defined in both authentication scenarios:

Database field name Installer field name Description
SAML_CONSUMER_URL SAML consumer URL Url that the identity provider uses when redirecting back to QPR MobileDashboard. Use url with following form: <Location of your QPR MobileDashboard installation>/EnticeServices/rest/authenticate/saml, e.g. http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml. This setting is mandatory for the federated authentication to work.
SAML_USER_ID_ATTRIBUTE User id attribute The name of the SAML attribute in the assertion that will be used as the user's login name. If this field is not given or is empty, the saml:Assertion > saml:Subject > saml:NameID attribute is used in the assertion. If this field is given, one of the saml:Assertion > saml:AttributeStatement > saml:Attribute tags in the assertion is used (the Name attribute in the saml:Attribute tag is used for matching). Please note that the first mentioned saml:NameID tag is different than the usual SAML attributes that are defined using saml:Attribute tags.
SAML_AUTOMATIC_LOGIN Automatic federated authentication When set to 1, user is automatically redirected from the QPR MobileDashboard login page to the identity provider without the need to click the LOG IN USING SSO button in the login page. When enabled, users might not even see the QPR MobileDashboard login page during authentication. Set to 0, to disable the automatic redirection from the login page. This setting doesn't need to be defined meaning the automatic redirection is disabled.

Using Azure Active Directory as identity provider

Azure Active Directory (AD) can be used as an identity provider to login to QPR MobileDashboard. This requires following configurations:

  1. Login to https://portal.azure.com, click "Azure Active Directory", click App registrations and then click New application registration.
  2. Define Name for the application, such as "QPR MobileDashboard". Select Application type to be Web app / API. Define Sign-on URL is http://SERVERNAME:8080/EnticeServices/rest/authenticate/saml where SERVERNAME is then name of your QPR MobileDashboard server and also http/https protocol matches and the port is the right one.
  3. When the Azure application has been created, from the applications settings click Properties.
  4. Click Azure Active Directory, click App registrations, and then click Endpoints. The url in the Federation Metadata Document field will be configured to QPR MobileDashboard SAML_METADATA_URL setting.

More information about Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/

References