SAML Enablement for Single Sign-On

Single Sign-On (SSO) is an authentication process that allows a user to access multiple applications with one set of login credentials. By logging in once, you can access all services registered with the credentials.

The key benefits of SSO are as follows:

  • Improves user productivity
  • Reduces risk of bad password habits
  • Simplifies login process for end-users

eG Enterprise supports SSO through SAML (Security Assertion Markup Language). SAML is an open standard that allows identity providers (IdP) to pass authorization credentials to service providers (SP).

A service provider (SP) relies on the identity provider (IdP) to authenticate a user before granting that user authorization. The identity provider verifies that the end user is who they claim to be and sends that result to the service provider, along with the user's access rights for the service.

An SSO Login can be SP-initiated or IdP-initiated. In the case of an SP-initiated SSO login:

  1. An end-user first connects to the SP and selects the SAML IdP that will provide the authentication.
  2. Upon selection of an IdP, the SP will automatically direct the end-user to the login page of the IdP, where the user will have to provide his/her login credentials.
  3. Once the IdP verifies and validates the credentials, the end-user will be automatically logged into the SP portal. What an end-user can do in the SP portal depends upon the access rights/privileges that have been configured for that user in the SP.

In the case of an IdP-initiated login:

  1. An end-user provides his/her login credentials in the IdP's login page.
  2. Upon successfully logging into the IdP's portal, the end-user chooses the SP that he/she wants to connect to.
  3. Once the SP is chosen, the end-user will be automatically directed to the SP's portal. What an end-user can do in the SP portal depends upon the access rights/privileges that have been configured for that user in the SP.

eG Enterprise supports both SP-initiated and IdP-initiated SSO logins via SAML. To configure support for such logins, the following broad steps should be followed:

  1. Enable support for SSO logins;
  2. Configure SAML as the Authentication Provider for eG Enterprise;
  3. Configure eG Enterprise as an SP in one or more IdPs;
  4. Configure one or more IdPs in eG Enterprise;
  5. Configure eG users to use SAML for authenticating their logins

Each of these steps is discussed in detail below.

Enabling the SSO Feature in eG Enterprise

To achieve this, follow the steps below:

  1. Login to the eG admin interface.
  2. Follow the Settings -> Manager menu sequence.
  3. Expand the Account Security node in the left panel of the MANAGER SETTINGS page, and select the Single Sign-On sub-node within.
  4. The right panel will change to display a Single Sign-On section (see Figure 1).

    Figure 1 : Enabling support for SSO login

  5. In the right panel of Figure 1, set the Enable single sign-on (SSO) flag to Yes, to enable support for SSO.
  6. If SSO is enabled, you can configure any user login to eG Enterprise to be authenticated by an IdP that the user chooses at the time of the login. This means that after a user successfully logs into eG Enterprise via an IdP, a session for that user will be open both on eG Enterprise and on the IdP. However, by default, if the user logs out of eG Enterprise, that user's session on the IdP will remain open. This is because the Allow the user to logout from the SAML Identity Provider (IdP) flag is set to No by default.

    Sometimes, an open session on an IdP may leave the door open for Cross-Site Request Forgery (CSRF) and session hijacking attacks. To avoid such attacks, you may want to enable SAML Single Logout (SLO). This additional protocol helps address the problem of orphaned logins. If SLO is enabled, then all server sessions established via SAML SSO can be automatically terminated by initiating the logout process once. SLO can be initiated from either the SP or the IdP. Where eG Enterprise is the SP, you can initiate SLO from eG Enterprise by setting the Allow the user to logout from the SAML Identity Provider (IdP) flag to Yes. This setting ensures that if a user who is logged into eG Enterprise via SAML SSO logs out, his session on the IdP is automatically killed.

    Note:

    • As mentioned earlier, if the Allow the user to logout from the SAML Identity Provider (IdP) flag is set to No, then, even if a user logs out of eG Enterprise, his/her user session on the IdP will remain active. In this case, if the same user attempts to connect to the eG management console again, he/she will not be asked to enter his/her login credentials; instead, the user will be logged into the console automatically upon hitting the eG manager's URL. This is because, when connecting to the eG manager, the user only 'reconnects' to the session that is already open on the IdP. Since the IdP has already validated the user's credentials in that active session, the user is allowed to log into the eG management console automatically.
    • If the user clears his/her browser cache after logging out of an SP, then that user's session on the IdP will be terminated instantly, even if the Allow the user to logout from the SAML Identity Provider (IdP) flag is set to No.
  7. Finally, click the Update button.
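The SP-initiated Single Logout exchange described above (eG Enterprise as SP sends a LogoutRequest, the IdP ends its session and answers with a LogoutResponse tied to that request), as an added illustration that is not part of the eG documentation or product code. It uses the SAML HTTP-Redirect binding (DEFLATE + base64 in a SAMLRequest query parameter); the entity IDs and URLs are constructed placeholders, and the query-string signature that a real deployment adds is left to the SAML library.

```python
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode, parse_qs, urlsplit

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def encode_redirect(xml_text):
    # HTTP-Redirect binding: raw DEFLATE (no zlib header/trailer), then base64
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()

def decode_redirect(param):
    return zlib.decompress(base64.b64decode(param), -15).decode()

def sp_build_logout_request(sp_entity_id, idp_slo_url, name_id, session_index):
    # SP side: build the LogoutRequest and the redirect URL that carries it to the IdP's SLO endpoint
    req_id = "_" + secrets.token_hex(16)
    issued = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml_text = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
                f'ID="{req_id}" Version="2.0" IssueInstant="{issued}" Destination="{idp_slo_url}">'
                f'<saml:Issuer>{sp_entity_id}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
                f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return req_id, idp_slo_url + "?" + urlencode({"SAMLRequest": encode_redirect(xml_text)})

def idp_handle_logout_request(url, idp_sessions, idp_entity_id):
    # IdP side: terminate the named session and answer with a LogoutResponse that references the request ID
    req = ET.fromstring(decode_redirect(parse_qs(urlsplit(url).query)["SAMLRequest"][0]))
    idp_sessions.pop(req.find("samlp:SessionIndex", NS).text, None)
    resp = (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{secrets.token_hex(16)}" Version="2.0" InResponseTo="{req.get("ID")}">'
            f'<saml:Issuer>{idp_entity_id}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status></samlp:LogoutResponse>')
    return encode_redirect(resp)

def sp_handle_logout_response(param, expected_request_id, expected_issuer):
    # SP side: accept the logout only if the response answers our request, comes from our IdP and reports Success
    resp = ET.fromstring(decode_redirect(param))
    issuer = resp.find("saml:Issuer", NS)
    code = resp.find("samlp:Status/samlp:StatusCode", NS)
    return (resp.get("InResponseTo") == expected_request_id
            and issuer is not None and issuer.text == expected_issuer
            and code is not None and code.get("Value") == SUCCESS)
```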

Configuring SAML as the Authentication Provider for eG Enterprise

For this, do the following:

  1. Login to the eG admin interface.
  2. Follow the Settings -> Manager menu sequence. Figure 2 then appears. Click the General Settings node in the tree in the left panel of Figure 2; the right panel changes to display the General Settings section, as depicted in Figure 2.

    Figure 2 : Selecting the authentication provider for logins

  3. Set SAML Identity Provider as the Authentication provider for logins to eG Enterprise and click the Update button.

Configuring eG Enterprise as a Service Provider in the IdP

The next step is to configure eG Enterprise as an SP in the IdP. The procedure for this differs from one IdP to another. Some of the popular IdPs are OneLogin, Active Directory (AD), AD FS, Okta etc.

For instance, to register eG Enterprise as an SP with OneLogin, you can follow the steps detailed below:

  1. Login to the OneLogin console.
  2. Click on the Configuration option in the left panel of the console to configure a new SP (see Figure 3).

    Figure 3 : Configuring the IdP with the name of the SP

  3. In the right panel, provide a Display Name for the new SP.
  4. Upload an icon for the SP that you want displayed in OneLogin.
  5. Then, if you want to initiate Single Logout (SLO) from the IdP, provide the SAML Single Logout URL of the SP - in our case, this should be the Single Logout URL of eG Enterprise (see Figure 4). In the case of IdP-initiated SLO, whenever a user attempts to log out of the IdP, the IdP generates a digitally signed LogoutRequest and sends it to the SP's SLO endpoint, which is a dedicated URL that expects to receive SLO messages from the IdP. This is the URL that you should specify against SAML Single Logout URL. Once the SP receives the LogoutRequest at the SAML Single Logout URL, it validates the request, terminates its own login session for the end-user, and sends a LogoutResponse to the IdP. Upon receipt of the response from the SP, the IdP terminates its session.

    Figure 4 : Specifying the Single Logout URL and ACS URL of eG Enterprise

  6. Then, specify the ACS URL Validator of eG Enterprise. To configure an IdP to work with an SP, an Assertion Consumer Service (ACS) URL has to be specified. The ACS URL is the endpoint on the service provider to which the identity provider redirects the browser with its authentication response. This endpoint should be an HTTPS endpoint, because it will be used to transfer Personally Identifiable Information (PII).

    Note:

    Where eG Enterprise is the SP, follow the steps below to determine the values to be configured against SAML Single Logout URL and ACS URL Validator:

    • Login to the eG admin interface.
    • Follow the User Management -> SAML Identity Providers menu sequence.
    • When Figure 5 appears, click the View Metadata button therein. The message box that then pops up (see Figure 5) clearly displays the ACS URL and Logout URL of eG Enterprise.

      Figure 5 : Determining the ACS URL and Logout URL of eG Enterprise

  7. Finally, click the Save button to save the configuration.

Configuring One or More IdPs in eG Enterprise

After registering eG Enterprise as an SP with the IdP, proceed to configure the IdP in eG Enterprise. For that, do the following:

  1. Login to the eG admin interface.
  2. Follow the User Management -> SAML Identity Providers menu sequence.
  3. Figure 6 then appears, listing all the IdPs (if any) that pre-exist in the eG Enterprise system. To create a new IdP, click the Configure SAML IdP button in Figure 6.

    Figure 6 : Clicking the Configure SAML IdP button

  4. Figure 7 then appears. Here, first specify the Identity Provider (IdP) Name. Then, specify the Login URL of the IdP.

    Figure 7 : Configuring an IdP in eG Enterprise

  5. Next, if you want the SP - i.e., eG Enterprise - to initiate a SAML Single Logout (SLO), then specify the Logout URL of the IdP here. In the case of an SP-initiated SLO, the initiating SP generates a digitally signed LogoutRequest SAML message and returns it to the end-user's browser, which carries the LogoutRequest to the IdP's SLO endpoint. That endpoint is a dedicated URL that expects to receive SLO messages from the SP. This is the URL that you should specify against Logout URL.
  6. Then, configure the IdP Certificate. When registering eG Enterprise as an SP with the target IdP, the IdP will issue a trusted X.509 certificate for the eG manager. Copy the contents of that certificate and paste it here.
  7. Next, indicate whether or not the IdP being configured should be the default IdP during login. To make it the default IdP, set the Set as default IdP for login? flag to Yes; otherwise, set the flag to No.
  8. Finally, click the Update button in Figure 7 to save the configuration.
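The settings entered in this section (the IdP's identity and certificate) and the ACS URL registered at the IdP are exactly the values an SP must check a SAML response against before it trusts the login. The following added example, which is not eG Enterprise code, shows those SP-side policy checks over a constructed sample response: Destination equals our ACS URL, Issuer equals the configured IdP, the certificate carried in the message equals the one pasted into the IdP configuration, the assertion is inside its validity window and is addressed to this SP. All URLs, entity IDs and the certificate string are placeholders, and the XML-DSig signature itself is not verified here (a real SP delegates that to its SAML library).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
# SP-side settings: the ACS URL registered at the IdP and the certificate pasted into the
# IdP configuration. Every value here is a constructed placeholder.
SP_CONFIG = {"acs_url": "https://egmanager.example.com/saml/acs",
             "sp_entity_id": "https://egmanager.example.com/saml/metadata",
             "idp_entity_id": "https://idp.example.com/saml",
             "idp_cert_b64": "MIIBconstructedPlaceholderCert=="}
def _ts(v): return datetime.strptime(v, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, cfg, now):
    """Return the list of policy failures; an empty list means the response may be accepted."""
    errs, root = [], ET.fromstring(xml_text)
    if root.get("Destination") != cfg["acs_url"]:
        errs.append("Destination is not our ACS URL")
    a = root.find("saml:Assertion", NS)
    if a is None:
        return errs + ["no Assertion"]
    issuer = a.find("saml:Issuer", NS)
    if issuer is None or issuer.text != cfg["idp_entity_id"]:
        errs.append("Issuer is not the configured IdP")
    # The certificate in KeyInfo comes from the message itself; it must equal the pinned IdP certificate
    cert = a.find(".//ds:X509Certificate", NS)
    if cert is None or "".join((cert.text or "").split()) != cfg["idp_cert_b64"]:
        errs.append("signing certificate differs from configured IdP certificate")
    cond = a.find("saml:Conditions", NS)
    try:
        if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
            raise ValueError
    except (AttributeError, TypeError, ValueError):
        errs.append("assertion missing Conditions or outside its validity window")
    aud = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != cfg["sp_entity_id"]:
        errs.append("Audience is not this SP")
    return errs

def build_sample_response(destination, issuer, cert, audience, not_before, not_on_or_after):
    # Constructed sample; a real response carries a full XML-DSig, which this example does not verify
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" '
            f'ID="_r1" Version="2.0" Destination="{destination}">'
            f'<saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer>'
            f'<ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert}</ds:X509Certificate>'
            '</ds:X509Data></ds:KeyInfo></ds:Signature>'
            f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
            f'<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>'
            '</saml:Conditions></saml:Assertion></samlp:Response>')
```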

Configuring eG Users to Use SAML for Authenticating their Logins

The next step in the SAML-enablement process is to configure individual eG Enterprise users to use SAML for authenticating their logins. For this, do the following:

  1. Login to the eG admin interface.
  2. Follow the User Management -> Add User menu sequence.
  3. When adding a user, choose the User role. Then, set SAML as the User type (see Figure 8).

    Figure 8 : Setting SAML as the User type of a new eG user

  4. Once SAML is chosen as the User type, you will be required to choose the Identity Provider that eG Enterprise should integrate with for SAML authentication.
  5. After selecting the IdP, provide the User ID. Note that you will not have to provide a password for that user in eG Enterprise. This is because the login password is created in and maintained by the IdP.
  6. Click the Next button to configure the user's alerting preferences, privileges, and monitoring scope.
  7. Finally, click the Add button to add the user.