SAML 2.0 Federated Authentication - Revision history

MarHink: Updated SAML related URLs to have the correct casings.

2025-10-03T07:28:15Z

Updated SAML related URLs to have the correct casings.

Ollvihe: /* Introduction */

2025-03-20T21:48:20Z

Introduction

← Older revision		Revision as of 21:48, 20 March 2025
Line 14:		Line 14:
	* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.		* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.
	* QPR ProcessAnalyzer only supports SAML POST binding (e.g., SAML redirect binding is not supported).		* QPR ProcessAnalyzer only supports SAML POST binding (e.g., SAML redirect binding is not supported).
	*''SAML AuthnRequests'' are ~~self-~~signed using a certificate ~~that is~~ embedded to QPR ProcessAnalyzer. The certificate public key is available in the service provider metadata published by the [[Web API: saml2\|QPR ProcessAnalyzer Web API]]. The embedded certificate has a maximum validity of one year, so if using the embedded certificate, make sure to update QPR ProcessAnalyzer to the latest releases, to maintain having a valid certificate.		*''SAML AuthnRequests'' are signed using an out-of-the-box certificate embedded to QPR ProcessAnalyzer. This certificate has validity until 1.1.2035. It's also possible to use a custom certificate (see the SAMLSigningCertificate setting). The certificate public key is available in the service provider metadata published by the [[Web API: saml2\|QPR ProcessAnalyzer Web API]].
	*''SAML Assertions'' must be signed (by the identity provider) to be accepted by QPR ProcessAnalyzer.		*''SAML Assertions'' must be signed (by the identity provider) to be accepted by QPR ProcessAnalyzer.
	*SAML Assertions can optionally be encrypted by the identity provider. This requires the SAMLEncryptionCertificate setting to be defined in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]].		*SAML Assertions can optionally be encrypted by the identity provider. This requires the SAMLEncryptionCertificate setting to be defined in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]].

Ollvihe: /* Introduction */

2025-03-19T10:41:58Z

Introduction

← Older revision		Revision as of 10:41, 19 March 2025
Line 7:		Line 7:

	When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.		When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.

			When the ''SAMLGroupsAttribute'' setting has been configured, QPR ProcessAnalyzer user management is kept in synchronization with the identity provider information regarding which groups the users are belonging to. This way, the operative user management will be done outside QPR ProcessAnalyzer. Still, the groups to be used need to be created beforehand and permissions assigned to the groups.

	Additional notes for the SAML authentication:		Additional notes for the SAML authentication:

Ollvihe: /* Configuring SAML to QPR ProcessAnalyzer */

2025-03-19T10:38:15Z

Configuring SAML to QPR ProcessAnalyzer

← Older revision		Revision as of 10:38, 19 March 2025
Line 22:		Line 22:

	To configure the SAML 2.0 authentication, follow these steps:		To configure the SAML 2.0 authentication, follow these steps:
	# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation,''' '''~~SAMLUserIdAttribute~~''', '''SAMLEncryptionCertificate''' (optional), and '''SAMLSigningCertificate''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.		# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation''', '''SAMLUserIdAttribute''', '''SAMLGroupsAttribute''' (optional), '''SAMLEncryptionCertificate''' (optional), and '''SAMLSigningCertificate''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.
	# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/saml2''', so that users are automatically redirected to the identity provider for authentication.		# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/saml2''', so that users are automatically redirected to the identity provider for authentication.
	# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.		# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.

Ollvihe: /* Configuring SAML to QPR ProcessAnalyzer */

2024-05-26T22:28:09Z

Configuring SAML to QPR ProcessAnalyzer

← Older revision		Revision as of 22:28, 26 May 2024
Line 22:		Line 22:

	To configure the SAML 2.0 authentication, follow these steps:		To configure the SAML 2.0 authentication, follow these steps:
	# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation,''' '''SAMLUserIdAttribute''', and '''~~SAMLEncryptionCertificate~~''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.		# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation,''' '''SAMLUserIdAttribute''', '''SAMLEncryptionCertificate''' (optional), and '''SAMLSigningCertificate''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.
	# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/saml2''', so that users are automatically redirected to the identity provider for authentication.		# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/saml2''', so that users are automatically redirected to the identity provider for authentication.
	# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.		# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.

Ollvihe at 17:38, 5 March 2023

2023-03-05T17:38:07Z

← Older revision		Revision as of 17:38, 5 March 2023
Line 60:		Line 60:

	== SAML 2.0 Authentication API ==		== SAML 2.0 Authentication API ==
	QPR ProcessAnalyzer has [[Web_API:~~_Samlsignin~~\|/saml2/acs]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).		QPR ProcessAnalyzer has [[Web_API:_saml2/acs\|/saml2/acs]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).

	== Troubleshooting ==		== Troubleshooting ==

Ollvihe: /* Troubleshooting */

2022-12-20T21:04:40Z

Troubleshooting

← Older revision		Revision as of 21:04, 20 December 2022
Line 65:		Line 65:
	'''Problem''': When trying to authenticate with SAML, QPR ProcessAnalyzer responds: ''Bad Request - Request too long''.		'''Problem''': When trying to authenticate with SAML, QPR ProcessAnalyzer responds: ''Bad Request - Request too long''.

	'''Solution''': This error comes when the ~~request~~ from IdP contains too long data. The SAML assertion is encoded to ~~the~~ http ~~headers~~, which has a certain allowed maximum length. One option is to increase ~~these~~ limits in the Windows http.sys web server (https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/iisadmin-service-inetinfo/httpsys-registry-windows). Alternatively, it may be possible reduce the amount of data ~~added~~ by the IdP to the SAML assertion.		'''Solution''': This error comes when the SAML assertion (message from IdP to QPR ProcessAnalyzer) contains too long data. The SAML assertion is encoded to an http header (as part of a cookie), which has a certain allowed maximum length. One option is to increase the limits in the Windows http.sys web server (https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/iisadmin-service-inetinfo/httpsys-registry-windows). Alternatively, it may be possible reduce the amount of data included by the IdP to the SAML assertion.

	==References==		==References==

Ollvihe: /* SAML 2.0 Authentication API */

2022-12-20T21:03:15Z

SAML 2.0 Authentication API

← Older revision		Revision as of 21:03, 20 December 2022
Line 61:		Line 61:
	== SAML 2.0 Authentication API ==		== SAML 2.0 Authentication API ==
	QPR ProcessAnalyzer has [[Web_API:_Samlsignin\|/saml2/acs]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).		QPR ProcessAnalyzer has [[Web_API:_Samlsignin\|/saml2/acs]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).

			== Troubleshooting ==
			'''Problem''': When trying to authenticate with SAML, QPR ProcessAnalyzer responds: ''Bad Request - Request too long''.

			'''Solution''': This error comes when the request from IdP contains too long data. The SAML assertion is encoded to the http headers, which has a certain allowed maximum length. One option is to increase these limits in the Windows http.sys web server (https://learn.microsoft.com/en-us/troubleshoot/developer/webapps/iis/iisadmin-service-inetinfo/httpsys-registry-windows). Alternatively, it may be possible reduce the amount of data added by the IdP to the SAML assertion.

	==References==		==References==

Ollvihe: /* Introduction */

2022-03-01T22:01:35Z

Introduction

← Older revision		Revision as of 22:01, 1 March 2022
Line 12:		Line 12:
	* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.		* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.
	* QPR ProcessAnalyzer only supports SAML POST binding (e.g., SAML redirect binding is not supported).		* QPR ProcessAnalyzer only supports SAML POST binding (e.g., SAML redirect binding is not supported).
	*''SAML AuthnRequests'' are self-signed using a certificate that is embedded to QPR ProcessAnalyzer. The certificate public key is available in the service provider metadata published by the [[Web API: saml2\|QPR ProcessAnalyzer Web API]].		*''SAML AuthnRequests'' are self-signed using a certificate that is embedded to QPR ProcessAnalyzer. The certificate public key is available in the service provider metadata published by the [[Web API: saml2\|QPR ProcessAnalyzer Web API]]. The embedded certificate has a maximum validity of one year, so if using the embedded certificate, make sure to update QPR ProcessAnalyzer to the latest releases, to maintain having a valid certificate.
	*''SAML Assertions'' must be signed (by the identity provider) to be accepted by QPR ProcessAnalyzer.		*''SAML Assertions'' must be signed (by the identity provider) to be accepted by QPR ProcessAnalyzer.
	*SAML Assertions can optionally be encrypted by the identity provider. This requires the SAMLEncryptionCertificate setting to be defined in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]].		*SAML Assertions can optionally be encrypted by the identity provider. This requires the SAMLEncryptionCertificate setting to be defined in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]].

Ollvihe: /* Introduction */

2022-02-22T23:08:31Z

Introduction

← Older revision		Revision as of 23:08, 22 February 2022
Line 8:		Line 8:
	When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.		When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.

	Additional notes for the ~~federated~~ authentication:		Additional notes for the SAML authentication:
	* QPR ProcessAnalyzer needs to use https when SAML 2.0 authentication is used.		* QPR ProcessAnalyzer needs to use https when SAML 2.0 authentication is used.
	* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.		* The identity provider needs to publish the identity provider metadata, because QPR ProcessAnalyzer reads the identity provider settings from there.

← Older revision		Revision as of 07:28, 3 October 2025
Line 4:		Line 4:
	When QPR ProcessAnalyzer is configured as a SAML 2.0 service provider (SP), users can authenticate to QPR ProcessAnalyzer via the configured SAML 2.0 identity provider (IdP). When accessing QPR ProcessAnalyzer, users are automatically redirected to the identity provider for authentication. When the authentication is done, users are redirected back to QPR ProcessAnalyzer where user is then automatically logged in. When using federated authentication, users don't normally see the QPR ProcessAnalyzer login page. The login page can be accessed (e.g. when login using QPR ProcessAnalyzer user management credentials) by adding '''forceLogin=1''' parameter to the url, e.g. <nowiki>https://customer.onqpr.com/QPRPA/ui/#/login?forceLogin=1</nowiki>.		When QPR ProcessAnalyzer is configured as a SAML 2.0 service provider (SP), users can authenticate to QPR ProcessAnalyzer via the configured SAML 2.0 identity provider (IdP). When accessing QPR ProcessAnalyzer, users are automatically redirected to the identity provider for authentication. When the authentication is done, users are redirected back to QPR ProcessAnalyzer where user is then automatically logged in. When using federated authentication, users don't normally see the QPR ProcessAnalyzer login page. The login page can be accessed (e.g. when login using QPR ProcessAnalyzer user management credentials) by adding '''forceLogin=1''' parameter to the url, e.g. <nowiki>https://customer.onqpr.com/QPRPA/ui/#/login?forceLogin=1</nowiki>.

	QPR ProcessAnalyzer can also automatically redirect users to the identity provider from the url '''/qprpa/~~saml2~~''', e.g. <nowiki>https://customer.onqpr.com/qprpa/~~saml2~~</nowiki>. Redirection to this url can be configured to IIS, when users access QPR ProcessAnalyzer with the server name only, e.g. <nowiki>https://customer.onqpr.com</nowiki>. The advantage of using this url is that the QPR ProcessAnalyzer web application is not loaded before the authentication, making the authentication flow faster. When going to the identity provider using a url starting with <nowiki>https://customer.onqpr.com/QPRPA/ui/</nowiki>, the QPR ProcessAnalyzer web application is loaded before going to the identity provider.		QPR ProcessAnalyzer can also automatically redirect users to the identity provider from the url '''/qprpa/Saml2''', e.g. <nowiki>https://customer.onqpr.com/qprpa/Saml2</nowiki>. Redirection to this url can be configured to IIS, when users access QPR ProcessAnalyzer with the server name only, e.g. <nowiki>https://customer.onqpr.com</nowiki>. The advantage of using this url is that the QPR ProcessAnalyzer web application is not loaded before the authentication, making the authentication flow faster. When going to the identity provider using a url starting with <nowiki>https://customer.onqpr.com/QPRPA/ui/</nowiki>, the QPR ProcessAnalyzer web application is loaded before going to the identity provider.

	When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.		When a user logs in to QPR ProcessAnalyzer for the first time, user account is created to QPR ProcessAnalyzer user management. This account can only log in using the federated authentication, because the user account doesn't have a password in QPR ProcessAnalyzer. User accounts are matched between QPR ProcessAnalyzer and the identity provider using usernames.
Line 25:		Line 25:
	To configure the SAML 2.0 authentication, follow these steps:		To configure the SAML 2.0 authentication, follow these steps:
	# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation''', '''SAMLUserIdAttribute''', '''SAMLGroupsAttribute''' (optional), '''SAMLEncryptionCertificate''' (optional), and '''SAMLSigningCertificate''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.		# Define settings '''SAMLMetadataUrl''', '''ServiceProviderLocation''', '''SAMLUserIdAttribute''', '''SAMLGroupsAttribute''' (optional), '''SAMLEncryptionCertificate''' (optional), and '''SAMLSigningCertificate''' (optional) in the [[PA_Configuration_database_table#SAML_2.0_Federated_Authentication_Settings\|QPR ProcessAnalyzer configuration table]]. QPR ProcessAnalyzer needs to be restarted for the settings to take effect.
	# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/~~saml2~~''', so that users are automatically redirected to the identity provider for authentication.		# Configure a redirection from the root path of the QPR ProcessAnalyzer server to '''/qprpa/Saml2''', so that users are automatically redirected to the identity provider for authentication.
	# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.		# The identity provider configuration depends on which identity provide is used. See below for help how to configure [[#Using Azure AD as Identity Provider\|Azure AD]] and [[#Using ADFS as Identity Provider\|ADFS]] as the identity provider.

Line 37:		Line 37:
	# Go to '''Manage''' > '''Single sign-on''' > '''SAML'''.		# Go to '''Manage''' > '''Single sign-on''' > '''SAML'''.
	# Click '''Edit''' pencil on the '''Basic SAML Authentication''' and define following settings (where <hostname> is the name of the QPR ProcessAnalyzer server):		# Click '''Edit''' pencil on the '''Basic SAML Authentication''' and define following settings (where <hostname> is the name of the QPR ProcessAnalyzer server):
	##'''Identifier (Entity ID):''' https://<hostname>/qprpa/~~saml2~~		##'''Identifier (Entity ID):''' https://<hostname>/qprpa/Saml2
	## '''Reply URL (Assertion Consumer Service URL):''' https://<hostname>/qprpa/~~saml2~~/~~acs~~		## '''Reply URL (Assertion Consumer Service URL):''' https://<hostname>/qprpa/Saml2/Acs
	## '''Sign on URL:''' It's recommended to leave this setting empty.		## '''Sign on URL:''' It's recommended to leave this setting empty.
	# Copy the '''App Federation Metadata Url''' to the clipboard to store it to to the ''SAMLMetadataUrl'' setting in the QPR ProcessAnalyzer configuration table.		# Copy the '''App Federation Metadata Url''' to the clipboard to store it to to the ''SAMLMetadataUrl'' setting in the QPR ProcessAnalyzer configuration table.
Line 51:		Line 51:
	* Step 4: Select option '''Enter data about the relying party manually''' as metadata is not available.		* Step 4: Select option '''Enter data about the relying party manually''' as metadata is not available.
	* Step 5: Name can be chosen freely.		* Step 5: Name can be chosen freely.
	* Step 7: Disable option '''Enable support for the WS-Federation Passive protocol'''. Select option '''Enable support for the SAML 2.0 WebSSO protocol''' and define url '''~~<nowiki>~~https://<hostname>/qprpa/~~saml2~~/Acs~~</nowiki>~~''' where SERVERNAME is the QPR ProcessAnalyzer server hostname.		* Step 7: Disable option '''Enable support for the WS-Federation Passive protocol'''. Select option '''Enable support for the SAML 2.0 WebSSO protocol''' and define url '''https://<hostname>/qprpa/Saml2/Acs''' where SERVERNAME is the QPR ProcessAnalyzer server hostname.
	* Step 8: Define url '''https://<hostname>/qprpa/~~saml2~~/Acs''' where <hostname> is the QPR ProcessAnalyzer server hostname.		* Step 8: Define url '''https://<hostname>/qprpa/Saml2/Acs''' where <hostname> is the QPR ProcessAnalyzer server hostname.
	* Step 11: Select option '''Configure claims issuance policy for this application'''.		* Step 11: Select option '''Configure claims issuance policy for this application'''.

Line 62:		Line 62:

	== SAML 2.0 Authentication API ==		== SAML 2.0 Authentication API ==
	QPR ProcessAnalyzer has [[Web_API:_saml2/acs\|/~~saml2~~/~~acs~~]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).		QPR ProcessAnalyzer has [[Web_API:_saml2/acs\|/Saml2/Acs]] endpoint which accepts a SAML assertion from the IdP and returns a HTTP redirection to QPR ProcessAnalyzer Web UI. The url contains a ''sys:samlHash'' parameter which is used by the Web UI to login the user using the [[Web_API:_Token\|/token]] endpoint (to get a session token to use in the interactions with the Web API).

	== Troubleshooting ==		== Troubleshooting ==