SAML 2.0 Federated Authentication

From QPR ProcessAnalyzer Wiki
Revision as of 19:46, 20 February 2020 by Ollvihe (talk | contribs)

QPR ProcessAnalyzer can use federated authentication with the SAML 2.0 protocol. When federated authentication is used, QPR ProcessAnalyzer acts as a service provider (SP) and relies on a compatible external identity provider (IdP), such as Microsoft Active Directory Federation Services (ADFS) or Shibboleth, to establish the user's identity (i.e. to authenticate users).

QPR ProcessAnalyzer as SAML 2.0 Service Provider

When QPR ProcessAnalyzer is configured as a SAML 2.0 service provider (SP), users can authenticate to QPR ProcessAnalyzer via the configured SAML 2.0 identity provider (IdP) by clicking the Log in Using SSO button on the login screen. This redirects the user to the identity provider for authentication. When the authentication is done, the user is redirected back to QPR ProcessAnalyzer and logged in there.

Alternatively, QPR ProcessAnalyzer can automatically redirect users to the identity provider, so that users never see the QPR ProcessAnalyzer login screen. This automatic redirection occurs when the URL /<root>/api/saml is accessed, e.g. https://customer.onqpr.com/qprpa/api/saml. For example, a redirection to this URL can be configured in IIS.

When a user logs in to QPR ProcessAnalyzer for the first time, a user account is created in QPR ProcessAnalyzer user management. This account can only log in using federated authentication, because the account has no password in QPR ProcessAnalyzer. User accounts are matched between the systems by username.

Further notes regarding the federated authentication:

  • QPR ProcessAnalyzer only supports the SAML POST binding (the SAML redirect binding is not supported).
  • When QPR ProcessAnalyzer has been configured to use an identity provider, QPR ProcessAnalyzer fully trusts the information coming from that identity provider.
  • Currently the logout request to the IdP is not supported by QPR ProcessAnalyzer.
  • SAML AuthnRequests are not signed (by QPR ProcessAnalyzer), and SAML Assertions must be signed (by the IdP) to be accepted by QPR ProcessAnalyzer.

Configuring QPR ProcessAnalyzer as SAML 2.0 Service Provider

The configuration entries listed in the tables below can be defined either

  • using the QPR ProcessAnalyzer installer during the QPR ProcessAnalyzer installation (only some of the settings), or
  • after the QPR ProcessAnalyzer installation, by adding the entries to the CONFIGURATIONENTITY table in the QPR ProcessAnalyzer database.

Setup When Using Metadata

Federated authentication can be configured to use SAML2 metadata if it's available as an XML document through HTTP.

Database field name: SAML_METADATA_URL
Installer field name: Federation metadata URL
Description: The metadata URL of the identity provider. Check that the metadata can be opened using the configured link. The metadata is an XML document, so it should start with <?xml version="1.0" encoding="UTF-8"?> followed by an EntityDescriptor tag. The metadata URL might look something like https://your.federated.identity.provider.com/saml/metadata.

Database field name: SAML_SERVER_ENTITY_IDENTIFIER
Installer field name: Server entity identifier
Description: Use this field to define the identity provider entity ID if the federation metadata contains multiple identity providers. This field is not mandatory if the metadata contains only one identity provider. In the federation metadata, a single EntityDescriptor tag represents one identity provider, so you can check the number of available identity providers by inspecting the federation metadata contents (the entityID attribute of each EntityDescriptor).
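The checks described for SAML_METADATA_URL and SAML_SERVER_ENTITY_IDENTIFIER, carried out in code. This is an added example, not QPR ProcessAnalyzer code; the metadata document is constructed inline and the hostnames in it are placeholders. It goes slightly beyond the text by also flagging identity providers that do not publish an HTTP-POST SingleSignOnService, since only the POST binding is supported.

```python
"""Inspect SAML federation metadata before using it as SAML_METADATA_URL.
Added example, not QPR ProcessAnalyzer code: lists the identity providers
(one EntityDescriptor each), tells whether SAML_SERVER_ENTITY_IDENTIFIER is
needed and flags IdPs lacking the HTTP-POST binding, the only one supported."""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

def inspect_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    if root.tag not in (f"{{{MD}}}EntityDescriptor", f"{{{MD}}}EntitiesDescriptor"):
        raise ValueError(f"not SAML 2.0 metadata, root element is {root.tag}")
    idps = {}
    # iter() yields the root itself when it is an EntityDescriptor, and every
    # nested EntityDescriptor when the root is an EntitiesDescriptor wrapper.
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idpsso = ed.find(f"{{{MD}}}IDPSSODescriptor")
        if idpsso is None:
            continue  # entity without an IdP role, cannot authenticate users
        idps[ed.get("entityID")] = [
            sso.get("Location")
            for sso in idpsso.findall(f"{{{MD}}}SingleSignOnService")
            if sso.get("Binding") == POST_BINDING
        ]
    return {
        "identity_providers": idps,
        "needs_server_entity_identifier": len(idps) > 1,
        "idps_without_post_binding": [e for e, urls in idps.items() if not urls],
    }

# Constructed sample: federation metadata with two IdPs, the second of which
# only publishes the HTTP-Redirect binding (placeholder hostnames).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <EntityDescriptor entityID="https://idp-a.example.test/adfs/services/trust">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp-a.example.test/adfs/ls/"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://idp-b.example.test/saml">
    <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp-b.example.test/sso"/>
    </IDPSSODescriptor>
  </EntityDescriptor>
</EntitiesDescriptor>"""

if __name__ == "__main__":
    print(inspect_metadata(SAMPLE_METADATA))
```

To check a live document, fetch the configured metadata URL and pass its body to inspect_metadata instead of the sample.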
Database field name: SAML_CONSUMER_URL
Installer field name: SAML consumer URL
Description: The URL that the identity provider uses when redirecting back to QPR ProcessAnalyzer. Use a URL of the following form: <Location of your QPR ProcessAnalyzer installation>/EnticeServices/rest/authenticate/saml, e.g. http://SERVERNAME/EnticeServices/rest/authenticate/saml. This setting is mandatory for the federated authentication to work.

Database field name: SAML_USER_ID_ATTRIBUTE
Installer field name: User id attribute
Description: The name of the SAML attribute in the assertion that will be used as the user's login name. If this field is not given or is empty, the saml:Assertion > saml:Subject > saml:NameID element of the assertion is used. If this field is given, one of the saml:Assertion > saml:AttributeStatement > saml:Attribute elements in the assertion is used (the Name attribute of the saml:Attribute element is used for matching). Please note that the saml:NameID element mentioned first is different from the usual SAML attributes, which are defined using saml:Attribute elements.
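How the SAML_USER_ID_ATTRIBUTE rule picks the login name out of an assertion, as an added illustration (not QPR ProcessAnalyzer's own code). The assertion is a constructed sample shaped like an ADFS-issued one, with a placeholder signature element; the function also refuses an assertion with no signature element, which mirrors the note above that only signed assertions are accepted, but it does not verify the signature cryptographically.

```python
"""Resolve the login name from a SAML assertion the way SAML_USER_ID_ATTRIBUTE
selects it. Added illustration, not QPR ProcessAnalyzer code: empty setting ->
saml:Subject/saml:NameID, otherwise the saml:Attribute whose Name matches."""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
DS = "http://www.w3.org/2000/09/xmldsig#"

def resolve_login_name(assertion_xml: str, user_id_attribute: str = "") -> str:
    assertion = ET.fromstring(assertion_xml)
    if assertion.tag != f"{{{SAML}}}Assertion":
        raise ValueError(f"expected saml:Assertion, got {assertion.tag}")
    # Only signed assertions are accepted. This checks presence only; a real SP
    # verifies the signature cryptographically before trusting any value below.
    if assertion.find(f"{{{DS}}}Signature") is None:
        raise ValueError("assertion is not signed")
    if not user_id_attribute:
        name_id = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if name_id is None or not (name_id.text or "").strip():
            raise ValueError("assertion has no saml:Subject/saml:NameID")
        return name_id.text.strip()
    # Match on the Name attribute of saml:Attribute, never on the NameID element.
    for attr in assertion.iterfind(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
        if attr.get("Name") == user_id_attribute:
            value = attr.find(f"{{{SAML}}}AttributeValue")
            if value is not None and (value.text or "").strip():
                return value.text.strip()
            break
    raise ValueError(f"assertion carries no usable attribute named {user_id_attribute!r}")

# Constructed sample resembling an ADFS-issued assertion; the signature element
# is a placeholder, not a valid signature, and the hostnames are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_c1" Version="2.0" IssueInstant="2020-02-20T19:46:00Z">
  <saml:Issuer>http://idp.example.test/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Domain Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(resolve_login_name(SAMPLE_ASSERTION), resolve_login_name(
        SAMPLE_ASSERTION, "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"))
```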

Using ADFS as Identity Provider

ADFS (Active Directory Federation Services) can be used as an identity provider for logging in to QPR ProcessAnalyzer. For the ADFS setup, follow the ADFS configuration guide at https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/create-a-relying-party-trust with the following notes:

  • Step 4: Select option Enter data about the relying party manually as metadata is not available.
  • Step 5: Name can be chosen freely.
  • Step 7: Disable option Enable support for the WS-Federation Passive protocol. Select option Enable support for the SAML 2.0 WebSSO protocol and define url https://SERVERNAME/EnticeServices/rest/authenticate/saml where SERVERNAME is the QPR ProcessAnalyzer server hostname.
  • Step 8: Define url https://SERVERNAME/EnticeServices/rest/authenticate/saml where SERVERNAME is the QPR ProcessAnalyzer server hostname.
  • Step 11: Select option Configure claims issuance policy for this application.

Example claim issuance rule that looks up the Windows account name in Active Directory and issues the UPN, common name, email address and group claims:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", "http://schemas.xmlsoap.org/claims/CommonName", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/claims/Group"), query = ";userPrincipalName,displayName,mail,tokenGroups;{0}", param = c.Value);

Using Azure AD as Identity Provider

Azure Active Directory (AD) can be used as an identity provider for logging in to QPR ProcessAnalyzer. For Azure AD, use the metadata-based configuration scenario discussed above. The following configuration is needed:

  1. Login to https://portal.azure.com, click Azure Active Directory, click App registrations and click New application registration.
  2. Define a Name for the application, such as "QPR ProcessAnalyzer". Select Application type to be Web app / API. Define Sign-on URL to be http://SERVERNAME/EnticeServices/rest/authenticate/saml (where SERVERNAME is the name of your QPR ProcessAnalyzer server; make sure the http/https scheme and the port match your installation).
  3. When the Azure application has been created, click Properties in the application's settings.
  4. Click Azure Active Directory, click App registrations and click Endpoints. Copy the contents of the Federation Metadata Document field, and configure it to the QPR ProcessAnalyzer SAML_METADATA_URL setting (discussed above).

More information about Azure Active Directory: https://docs.microsoft.com/en-us/azure/active-directory/
