SAML Overview

Overview

Glia supports clients using Single Sign-On via Security Assertion Markup Language (SAML 2.0). SAML is an XML-based, open-standard data format that allows parties to securely exchange user authentication and authorization data. SAML-based Single Sign-On (SSO) gives clients full control over the authentication and authorization of the user accounts that can access the web-based Operator Application. In this model, Glia acts as the service provider while Glia's clients act as identity providers that control the usernames, passwords and other information used when Glia web applications identify, authenticate and authorize users. In addition, all logs remain with the identity provider (Glia's client) for audit purposes.

Glia supports two SAML SSO flows: Identity Provider (IdP) Initiated SSO (Unsolicited Web SSO) and Service Provider (SP) Initiated SSO. In IdP Initiated SSO, a user who is already logged on to the IdP attempts to access a resource (Glia) on a remote SP server. The SAML assertion is transported to the Service Provider (Glia) via HTTP POST.

Also, an important thing to note is that the SAML responses sent to Glia have to include the Conditions section inside the saml:Assertion node. More about the SAML response structure can be found under the SAML Response with Signed Assertion part of the referenced SAML documentation. Example:

<saml:Conditions NotBefore="2018-03-27T22:02:18.494Z" NotOnOrAfter="2018-03-27T22:12:18.494Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://clientdomain.app.salemove.com/</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
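The following is an added example, not code from the Glia article or the Glia product, of the checks a service provider applies to this Conditions element before trusting an assertion: the NotBefore/NotOnOrAfter validity window (with a small clock-skew allowance), and the Audience value matched against the SP's own Audience Restriction. The sample XML is the element above with a namespace declaration added so it parses on its own; the 60-second skew and the function names are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The Audience Restriction value Glia publishes for the site (see the configuration section).
EXPECTED_AUDIENCE = "https://clientdomain.app.salemove.com/"

# Constructed sample: the Conditions element from the article, with the namespace
# declaration added so it parses stand-alone.
SAMPLE_CONDITIONS = """<saml:Conditions xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    NotBefore="2018-03-27T22:02:18.494Z" NotOnOrAfter="2018-03-27T22:12:18.494Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://clientdomain.app.salemove.com/</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>"""

# Constructed sample of an assertion that omits Conditions entirely (must be rejected).
SAMPLE_ASSERTION_NO_CONDITIONS = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2018-03-27T22:02:18Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
</saml:Assertion>"""


def utc(*args):
    """Build a timezone-aware UTC datetime, e.g. utc(2018, 3, 27, 22, 5, 0)."""
    return datetime(*args, tzinfo=timezone.utc)


def parse_saml_instant(value):
    """SAML dateTime values are UTC with a trailing 'Z'; fractional seconds are optional."""
    if not value.endswith("Z"):
        raise ValueError("SAML timestamps must be UTC with a trailing 'Z': %r" % value)
    body = value[:-1]
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in body else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def check_conditions(xml_text, expected_audience, now, skew=timedelta(seconds=60)):
    """Return (ok, reason) for the Conditions of an assertion (or a bare Conditions element).

    The validity window is [NotBefore, NotOnOrAfter), widened by `skew` on both sides to
    tolerate clock drift between IdP and SP; the Audience must name this service provider.
    """
    root = ET.fromstring(xml_text)
    if root.tag == "{%s}Conditions" % SAML_NS["saml"]:
        cond = root
    else:
        cond = root.find(".//saml:Conditions", SAML_NS)
    if cond is None:
        return False, "missing Conditions element"

    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before is None or not_on_or_after is None:
        return False, "Conditions must carry both NotBefore and NotOnOrAfter"
    if now + skew < parse_saml_instant(not_before):
        return False, "assertion not yet valid"
    if now - skew >= parse_saml_instant(not_on_or_after):
        return False, "assertion expired"

    audiences = [a.text.strip()
                 for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)
                 if a.text]
    if not audiences:
        return False, "missing AudienceRestriction"
    if expected_audience not in audiences:
        return False, "audience mismatch: %s" % ", ".join(audiences)
    return True, "ok"


if __name__ == "__main__":
    print(check_conditions(SAMPLE_CONDITIONS, EXPECTED_AUDIENCE, utc(2018, 3, 27, 22, 5, 0)))
    print(check_conditions(SAMPLE_CONDITIONS, EXPECTED_AUDIENCE, utc(2018, 3, 27, 22, 20, 0)))
    print(check_conditions(SAMPLE_ASSERTION_NO_CONDITIONS, EXPECTED_AUDIENCE, utc(2018, 3, 27, 22, 5, 0)))
```

These checks come after signature verification, never instead of it: an unsigned assertion with perfect Conditions is still untrusted. The audience check is what stops an assertion issued for one service provider from being replayed against another.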

 

Identity Provider (IdP) Initiated SSO

In general, an IdP Initiated SSO process is as follows:

  1. A user has logged onto the IdP.
  2. The user requests access to a protected SP resource such as Glia.
  3. Optionally, the IdP retrieves additional attributes from the user data store.
  4. The IdP SSO service returns a SAML response to the browser. This response contains the authentication assertion and any additional attributes.
  5. The browser automatically posts the SAML response to the SP.
  6. The SP validates the assertions and allows the user to access the resource.

 


Important information to start using SAML identity provider with Glia

Single Sign On URL: https://clientdomain.app.salemove.com/saml
Recipient URL: https://clientdomain.app.salemove.com/saml/acs
Destination URL: https://clientdomain.app.salemove.com/saml/acs
Audience Restriction: https://clientdomain.app.salemove.com/
Logout: https://clientdomain.app.salemove.com/saml/logout
Signature Algorithm: SHA256/SHA512

Make sure to use HTTPS everywhere!

Service Provider (SP) initiated SSO

In general, an SP-Initiated SSO process is as follows:

  1. The user requests access to a protected SP resource such as Glia.
  2. The request is redirected to the federation server to handle authentication.
  3. If the user is not already logged on to the IdP site or if re-authentication is required, the IdP requests credentials (e.g., ID and password) and the user logs on.
  4. Additional information about the user may be retrieved from the user data store for inclusion in the SAML response. These attributes are predetermined as part of the federation agreement between the IdP and the SP.
  5. The IdP SSO service returns to the browser a SAML response containing the authentication assertion and any additional attributes.
  6. The browser automatically posts the SAML response to the SP.
  7. The SP validates the assertions and grants the user access to the resource.


Configuration

From Glia Side

Glia needs the following information to enable SSO for a site.

Parameter: Identity Provider metadata SSO URL (IDPSSODescriptor)
Description: In order to perform Service Provider initiated SSO, Glia must know how, and with what parameters, the Identity Provider expects incoming authentication requests. It is best if a URL serving the metadata is provided. If that is absolutely not possible, a copy of the metadata XML can also be provided.

Parameter: Subdomain
Description: The subdomain that Operators will use to access the Operator console. It is appended as a subdomain of the Glia application domain app.salemove.com. Typically, the subdomain is the name of the client. The subdomain is a string whose value must follow the rules for domain names.
Example: If the client is Insurance Life, the subdomain can be insurancelife and the URL that the operators will use for accessing the Operator console will be insurancelife.app.salemove.com

Parameter: Certificate Fingerprint
Description: The fingerprint of the certificate that will be included in the access request (SAML Response) to Glia. The certificate is typically an X.509 certificate. The fingerprint is typically calculated using the SHA-1 cryptographic hash function; depending on the Identity Provider, the client might use another hash function such as SHA-256.
Example: The value is typically 40 hexadecimal characters long, e.g. 3ccd735d1ffdf8ed01c7817d6880e6173d823d2e
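As an added example, not code from the article or from Glia, the snippet below ties the first and third rows of the table together: it reads the signing certificate(s) and the SingleSignOnService endpoint out of an IdP metadata document (the IDPSSODescriptor), computes the SHA-1 and SHA-256 fingerprints over the DER bytes, and compares a configured fingerprint against them in whatever spelling it was handed (colon-separated, upper-case, or with stray whitespace as in the value above). The metadata document and the certificate bytes are constructed placeholders; a real IdP publishes a genuine X.509 certificate, but the fingerprint arithmetic is identical because it hashes the DER bytes.

```python
import base64
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for a DER-encoded X.509 certificate (not a real certificate).
FAKE_DER = bytes(range(64))

# Constructed IdP metadata with the IDPSSODescriptor that the service provider reads.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % base64.b64encode(FAKE_DER).decode("ascii")


def signing_certificates(metadata_xml):
    """DER bytes of every IdP signing certificate (KeyDescriptor use="signing" or unqualified)."""
    root = ET.fromstring(metadata_xml)
    certs = []
    for kd in root.findall(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue  # encryption-only keys never sign responses
        for node in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            # Metadata carries bare base64 DER (no PEM armour), often wrapped across lines.
            certs.append(base64.b64decode("".join((node.text or "").split())))
    return certs


def sso_endpoints(metadata_xml):
    """(Binding, Location) pairs where the IdP accepts authentication requests."""
    root = ET.fromstring(metadata_xml)
    return [(svc.get("Binding"), svc.get("Location"))
            for svc in root.findall(".//md:IDPSSODescriptor/md:SingleSignOnService", NS)]


def fingerprint(der_bytes, algorithm="sha1"):
    """Hex fingerprint of a DER certificate: 40 chars for SHA-1, 64 for SHA-256."""
    return hashlib.new(algorithm, der_bytes).hexdigest()


def normalize_fingerprint(value):
    """Accept 'ab:cd:..', 'AB CD ..' or contiguous hex; return lowercase contiguous hex."""
    cleaned = re.sub(r"[\s:]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", cleaned) or len(cleaned) not in (40, 64):
        raise ValueError("not a SHA-1 or SHA-256 fingerprint: %r" % value)
    return cleaned


def metadata_matches_fingerprint(metadata_xml, configured):
    """True if any signing certificate in the metadata has the configured fingerprint."""
    expected = normalize_fingerprint(configured)
    algorithm = "sha1" if len(expected) == 40 else "sha256"
    return any(hmac.compare_digest(fingerprint(der, algorithm), expected)
               for der in signing_certificates(metadata_xml))


if __name__ == "__main__":
    for der in signing_certificates(SAMPLE_METADATA):
        print("sha1   ", fingerprint(der))
        print("sha256 ", fingerprint(der, "sha256"))
    print(sso_endpoints(SAMPLE_METADATA))
```

Fetching the metadata over HTTPS from the IdP's own URL, rather than accepting a pasted copy, is what makes the fingerprint comparison meaningful: the fingerprint pins which certificate may sign responses, and the metadata URL is where certificate rotation is announced.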

 

From the Client’s Side

The client needs a couple of parameters from Glia to configure the service on their side.

Parameter: Login URL
Description: The URL used by the client's identity provider to send the POST request along with the XML Response requesting access to the Glia Operator Console
Example: POST https://clientdomain.app.salemove.com/saml/acs

Parameter: Logout URL
Description: The URL used by the client's identity provider to log out an operator
Example: GET https://clientdomain.app.salemove.com/saml/logout

Via the API

The Glia API allows Single Sign-On to be configured for a Site programmatically. For a Site to use SSO for authentication, the site needs to have a SAML Provider. A SAML Provider describes the client's Identity Provider and holds information such as the certificate fingerprint, the XML selectors for extracting the Operator's information from the XML Response payload sent to Glia during authentication, and the domain the client uses to access the Glia Operator Console. A brief description of the main attributes of a SAML Provider can be found in the table below.

Parameter: idp_metadata_url
Description: A URL to the SAML Provider endpoint that returns the Provider's configuration data. Typically, the Identity Provider offers an endpoint that returns a description of its configuration. Glia uses this endpoint to pull information related to the X.509 certificate and its fingerprint.

Parameter: name_identifier_format
Description: The format of the attribute that describes the operator's email address within a SAML response.

Parameter: subdomain
Description: The subdomain that Operators use to access the Operator console. E.g. if the subdomain is set to client_name then Operators access Glia via client_name.app.salemove.com

Parameter: idp_name_attribute
Description: The name of the attribute within a SAML response where the Operator's name is placed.

Parameter: idp_email_attribute
Description: The name of the attribute within a SAML response where the Operator's email is placed.

A SAML Provider is associated with a site by setting the site_id parameter when creating or updating the SAML Provider via Glia's REST API.
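The following added example, not code from the article or from Glia, shows what the name_identifier_format, idp_name_attribute and idp_email_attribute settings of the table above do in practice: given a (already signature-verified) SAML Response and the provider settings, it checks the NameID format, pulls the Operator's name and email out of the AttributeStatement, and refuses responses that do not fit the configuration (wrong NameID format, missing or multi-valued attribute, more than one Assertion). The response document, the attribute names "displayName" and "mail", and the PROVIDER dictionary shape are constructed assumptions, not Glia's API objects.

```python
import xml.etree.ElementTree as ET

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed SAML Provider settings, keyed by the attribute names from the table above.
# "displayName" and "mail" are assumed attribute names; use whatever the client's IdP emits.
PROVIDER = {
    "name_identifier_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "idp_name_attribute": "displayName",
    "idp_email_attribute": "mail",
}

# Constructed SAML Response; Signature and Conditions are omitted to keep the focus on
# attribute extraction (a real response has both, and both are checked before this step).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="mail"><saml:AttributeValue> jane.doe@example.test </saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_operator(response_xml, provider):
    """Return (operator, None) on success, or (None, reason) when the response does not
    match the provider configuration. Call only after the XML signature has been verified."""
    root = ET.fromstring(response_xml)
    assertions = root.findall("saml:Assertion", SAML_NS)
    if len(assertions) != 1:
        return None, "expected exactly one Assertion, found %d" % len(assertions)
    assertion = assertions[0]

    name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        return None, "missing Subject/NameID"
    # Per SAML 2.0, an absent Format means 'unspecified'.
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt != provider["name_identifier_format"]:
        return None, "NameID Format %s does not match configured %s" % (
            fmt, provider["name_identifier_format"])

    # Collect every attribute as a list of values; the configured ones must be single-valued.
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        if values:
            attributes[attr.get("Name")] = values

    operator = {"name_id": name_id.text.strip()}
    for field, key in (("name", "idp_name_attribute"), ("email", "idp_email_attribute")):
        wanted = provider[key]
        if wanted not in attributes:
            return None, "attribute %r (%s) not present in response" % (wanted, key)
        if len(attributes[wanted]) != 1:
            return None, "attribute %r must be single-valued" % wanted
        operator[field] = attributes[wanted][0]
    return operator, None


if __name__ == "__main__":
    print(extract_operator(SAMPLE_RESPONSE, PROVIDER))
    print(extract_operator(SAMPLE_RESPONSE, dict(PROVIDER, idp_name_attribute="cn")))
```

Insisting on exactly one Assertion and on single-valued name and email attributes keeps the mapping from response to Operator account unambiguous; a permissive extractor that silently takes the first of several values is the kind of looseness that turns a misconfigured IdP into an account mix-up.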

For more information please visit: https://developer.glia.com/saml
A sample Glia SAML metadata file can be found here.
