Interchange 5.12 Administrator Guide

Single Sign-On

Interchange supports Single Sign-On (SSO). If you have a third-party SAML identity provider (IdP), users who are already authenticated on that IdP can connect to the Interchange user interface without authenticating again. The SSO implementation in Interchange is an SP-initiated SAML exchange in which Interchange acts as the Service Provider (SP). A third-party SAML-based IdP is required; Interchange does not act as an IdP itself.

Example sign-on scenario

When Interchange is configured for SSO, the following events occur at log on:

1. A user tries to connect through a browser to Interchange (the Service Provider).
2. The Service Provider redirects the user's browser to the Identity Provider (IdP).
3. If the user is not already authenticated on the IdP, the IdP prompts for account credentials and verifies them. If the user is already authenticated, the IdP redirects the user back to the Service Provider without prompting.
4. The IdP returns a signed SAML response to the browser.
5. The browser sends the signed response to the Service Provider's assertion consumer URL. In Interchange this is a fixed URL: https://<Interchange>/ui/core/SsoSamlAssertionConsumer
6. The Service Provider validates the response, parses the SAML assertion details, maps them to Interchange roles, and then provides the requested resource (assuming the identified user has access rights).

User authentication cases

If the user is not logged on to the IdP when attempting to log on to Interchange, the user is redirected to the IdP login page. For Interchange-defined users, the normal authentication logic is applied, including the defined user roles. For externally validated users, the SAML assertion must be mapped to a defined role in Interchange; an assertion that maps to no role gives no access.
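The validation the Service Provider performs when the signed response reaches the assertion consumer URL, as an added example written for this page (it is not Interchange's own code and does not show Interchange's internal API). The XML signature is assumed to have already been verified against the configured validation certificate; the code shows the checks that must follow it (Destination, status, one-shot InResponseTo so a captured Response cannot be replayed, the Conditions time window, AudienceRestriction and the SubjectConfirmationData Recipient), then maps attribute values to Interchange roles and creates an unknown user flagged SSO-only, as the guide describes. The host names, entity IDs, ROLE_MAPPING, the user-record fields and the sample Response are all constructed assumptions.

```python
"""Added example, not Interchange code: the checks a SAML Service Provider runs on
an IdP Response after the XML signature has been verified with the configured
validation certificate, then the attribute-to-role mapping and SSO-only user
creation the guide describes. Host names, entity IDs, ROLE_MAPPING and the sample
Response are constructed for this example."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ACS_URL = "https://interchange.example.com/ui/core/SsoSamlAssertionConsumer"  # assumed host
SP_ENTITY_ID = "https://interchange.example.com/sp"                           # assumed
ROLE_MAPPING = {"groups": {"b2b-admins": "Admin", "b2b-ops": "Operator"}}     # assumed

class SamlValidationError(Exception):
    pass

def _utc(s):  # SAML timestamps are UTC; the sample uses whole seconds
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, outstanding_ids, now, skew=timedelta(minutes=2)):
    """Return (name_id, attributes) if every check passes, else raise.
    outstanding_ids: IDs of AuthnRequests this SP sent and has not consumed yet;
    a Response is accepted once, which is the replay protection."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise SamlValidationError("Destination is not our assertion consumer URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    req_id = root.get("InResponseTo")
    if req_id not in outstanding_ids:
        raise SamlValidationError("unsolicited or replayed Response (InResponseTo)")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    if cond.get("NotBefore") and now + skew < _utc(cond.get("NotBefore")):
        raise SamlValidationError("Assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _utc(cond.get("NotOnOrAfter")):
        raise SamlValidationError("Assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise SamlValidationError("Assertion was issued for a different SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL or scd.get("InResponseTo") not in (None, req_id):
        raise SamlValidationError("SubjectConfirmationData does not match this SP/request")
    outstanding_ids.discard(req_id)  # consumed: the same Response cannot be presented again
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs

def map_roles(attrs, mapping=ROLE_MAPPING):
    """IdP attribute values -> Interchange roles; unmapped values grant nothing."""
    return {values[v] for name, values in mapping.items() for v in attrs.get(name, []) if v in values}

def provision_user(user_db, name_id, roles):
    """No mapped role: reject. Unknown user: create it flagged SSO-only (no password login)."""
    if not roles:
        raise SamlValidationError("no Interchange role mapped for %s" % name_id)
    user = user_db.setdefault(name_id, {"name": name_id, "sso_only": True})
    user["roles"] = roles
    return user

# Constructed sample Response: a bearer assertion for alice, valid 09:59-10:05 UTC.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" InResponseTo="_req42"
 IssueInstant="2024-05-01T10:00:00Z" Destination="https://interchange.example.com/ui/core/SsoSamlAssertionConsumer">
 <saml:Issuer>https://idp.example.com</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-05-01T10:05:00Z"
     Recipient="https://interchange.example.com/ui/core/SsoSamlAssertionConsumer"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://interchange.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="groups">
   <saml:AttributeValue>b2b-ops</saml:AttributeValue><saml:AttributeValue>finance</saml:AttributeValue>
  </saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

def run_demo():
    """Accept the sample once, then show the replay and the expired case being refused."""
    now, ids, user_db = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc), {"_req42"}, {}
    name_id, attrs = validate_response(SAMPLE_RESPONSE, ids, now)
    out = {"user": provision_user(user_db, name_id, map_roles(attrs)), "attrs": attrs}
    for label, req_ids, when in (("replay", ids, now), ("expired", {"_req42"}, now + timedelta(hours=1))):
        try:
            validate_response(SAMPLE_RESPONSE, req_ids, when)
            out[label] = "accepted"
        except SamlValidationError as e:
            out[label] = str(e)
    return out
```

Running run_demo() accepts the sample once (alice gets the Operator role only; the unmapped "finance" value grants nothing), refuses the identical Response presented a second time, and refuses it again when the clock has moved past NotOnOrAfter. The clock skew allowance should stay small; a large skew widens the replay window that the IdP's validity period is meant to bound.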
You can map Interchange roles to SAML assertion attributes in the Interchange user interface. If a user who logs on over SSO SAML does not exist in Interchange, Interchange creates the user with a flag that prevents the account from being used for normal (non-SSO) logins. Unless Single Logout is configured (see Single Logout below), logging out of Interchange does not log the user out at the IdP level.

Features and characteristics

- The third-party IdP is used for authentication (identifying the user), not for authorization. Authorization details remain in the Interchange role definitions.
- In the Interchange user interface, you specify the certificate used to validate the signature of the assertion sent by the IdP and the certificate used for encryption.
- SSO-authenticated users cannot change their own passwords.
- None of the settings on the Change global settings page apply to external users, except Maximum session length.
- Your SSO configuration settings are included in the global system backup and restore.
- Interchange serves the SSO connection through a dedicated embedded server, which is started automatically at system startup. Select System management > Manage embedded servers to open the Embedded servers page and view CnHttpsSamlSsoServer in the embedded servers list.

Single Logout

Interchange supports the SAML Single Logout (SLO) process initiated from either the Identity Provider (IdP) or the Interchange Service Provider (SP). For single logout requests, Interchange supports the following two SAML protocol bindings:

HTTP-Redirect binding (SP-initiated single logout only). The HTTP Redirect binding transmits SAML protocol messages within URL query parameters. It is used when the SAML requester and responder must communicate through an HTTP user agent as an intermediary. This may be necessary, for example, if the communicating parties do not share a direct path of communication.
It may also be needed if the responder requires an interaction with the user agent in order to fulfill the request, such as when the user agent must authenticate to it.

HTTP-POST binding (IdP-initiated and SP-initiated single logout). The HTTP POST binding transmits SAML protocol messages within the base64-encoded content of an HTML form control. It is intended for cases in which the SAML requester and responder need to communicate using an HTTP user agent (as defined in HTTP 1.1 [RFC2616]) as an intermediary. This may be necessary, for example, if the communicating parties do not share a direct path of communication. It may also be needed if the responder requires an interaction with the user agent in order to fulfill the request, such as when the user agent must authenticate to it.

Single Logout scenarios

The following scenarios illustrate the results of the various logout configuration settings. The three settings involved are the Interchange logout redirect URL, the IdP HTTP-POST binding URL and the IdP HTTP-Redirect binding URL.

Scenario 1
  Interchange logout redirect URL: Not configured
  IdP HTTP-POST binding URL:       Not configured
  IdP HTTP-Redirect binding URL:   Not configured
  User action: Logout link clicked in the Interchange UI.
  Result: A page is displayed telling the user to close the browser to terminate the session.

Scenario 2
  Interchange logout redirect URL: Not configured
  IdP HTTP-POST binding URL:       Not configured
  IdP HTTP-Redirect binding URL:   Configured
  User action: Logout link clicked in the Interchange UI.
  Result: Same as scenario 1: a page is displayed telling the user to close the browser to terminate the session. Configuring the IdP HTTP-Redirect binding URL alone does not cause Interchange to send a logout request.

Scenario 3
  Interchange logout redirect URL: Not configured
  IdP HTTP-POST binding URL:       Configured
  IdP HTTP-Redirect binding URL:   Not configured
  Initiator: Interchange (SP-initiated logout)
  User action: Logout link clicked in the Interchange UI.
  Result: A LogoutRequest using the HTTP-POST binding is sent to the IdP.
Scenario 4
  Interchange logout redirect URL: Configured with a POST binding URL
  IdP HTTP-POST binding URL:       Configured
  IdP HTTP-Redirect binding URL:   Not configured
  Initiator: IdP (IdP-initiated logout, POST binding)
  User action: Logout link clicked in the Interchange UI.
  Result: Interchange redirects the browser to the URL that triggers an IdP-initiated POST single logout.

Scenario 5
  Interchange logout redirect URL: Configured with a Redirect binding URL
  IdP HTTP-POST binding URL:       Not configured
  IdP HTTP-Redirect binding URL:   Configured
  Initiator: IdP (IdP-initiated logout, Redirect binding)
  User action: Logout link clicked in the Interchange UI.
  Result: Interchange redirects the browser to the URL that triggers an IdP-initiated Redirect single logout.

Scenario 6
  Interchange logout redirect URL: Configured with a POST binding URL
  IdP HTTP-POST binding URL:       Not configured
  IdP HTTP-Redirect binding URL:   Configured
  User action: Logout link clicked in the Interchange UI.
  Result: A logout URL error is displayed in the SP browser.

Scenario 7
  Interchange logout redirect URL: Configured with a Redirect binding URL
  IdP HTTP-POST binding URL:       Configured
  IdP HTTP-Redirect binding URL:   Not configured
  User action: Logout link clicked in the Interchange UI.
  Result: A logout URL error is displayed in the SP browser.

Scenarios 6 and 7 show that the binding of the configured Interchange logout redirect URL must match the IdP binding URL that is configured; a POST redirect URL with only a Redirect binding URL, or the reverse, produces the logout URL error.

SAML metadata

Interchange provides SAML metadata that provisions the Single Logout Service endpoints used for sending logout requests and responses.

Configure SSO / SLO

To set up SSO and SLO in Interchange, see Configure SSO SAML.

Related topics

Admin user
Change password
Manage roles
Date and time preferences
Global user settings
Unlock a blocked user
Manage password policies of transport users
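The two single logout bindings described above, as an added example written for this page (it is not Interchange's code and does not use any SAML library's API): a LogoutRequest is built, carried in URL query parameters for the HTTP-Redirect binding (raw DEFLATE, then base64, then percent-encoded into the SAMLRequest parameter) and in a base64-encoded hidden form control for the HTTP-POST binding, decoded again on the receiving side, and checked for message type and Destination before it is acted on. The SP entity ID, the IdP single logout endpoint and the subject values are constructed assumptions, and the message signature that a real deployment requires is not shown.

```python
"""Added example, not Interchange code: how a SAML LogoutRequest is carried by
the two single-logout bindings the guide lists. HTTP-Redirect: raw DEFLATE,
base64, then URL-encoded into the SAMLRequest query parameter. HTTP-POST:
base64 into a hidden form field. Entity IDs, endpoint and subject values are
constructed; signing of the message is not shown."""
import base64
import html
import re
import uuid
import xml.etree.ElementTree as ET
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SP_ENTITY_ID = "https://interchange.example.com/sp"   # assumed SP entity ID
IDP_SLO_URL = "https://idp.example.com/saml/slo"      # assumed IdP single logout endpoint

def build_logout_request(name_id, session_index, request_id=None, issue_instant=None):
    """Minimal samlp:LogoutRequest from the SP; ID and IssueInstant are generated
    unless fixed (fixed values make the round trip reproducible)."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" Destination="{IDP_SLO_URL}">'
            f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer><saml:NameID>{html.escape(name_id)}</saml:NameID>'
            f'<samlp:SessionIndex>{html.escape(session_index)}</samlp:SessionIndex></samlp:LogoutRequest>')

# HTTP-Redirect binding: the message travels in URL query parameters.
def redirect_binding_url(xml, relay_state=None):
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)          # wbits=-15: raw DEFLATE, no zlib header
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return IDP_SLO_URL + "?" + urlencode(params)            # urlencode percent-encodes '+', '/' and '='

def decode_redirect_binding(url):
    query = parse_qs(url.split("?", 1)[1])
    xml = zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15).decode("utf-8")
    return xml, query.get("RelayState", [None])[0]

# HTTP-POST binding: the message travels base64-encoded in a hidden form control.
def post_binding_form(xml, relay_state=None):
    fields = f'<input type="hidden" name="SAMLRequest" value="{base64.b64encode(xml.encode()).decode()}"/>'
    if relay_state:
        fields += f'<input type="hidden" name="RelayState" value="{html.escape(relay_state, quote=True)}"/>'
    return (f'<form method="post" action="{IDP_SLO_URL}">{fields}'
            '<noscript><input type="submit" value="Continue"/></noscript></form>'
            '<script>document.forms[0].submit();</script>')

def decode_post_binding(form_html):
    def field(name):
        m = re.search(r'name="%s" value="([^"]*)"' % name, form_html)
        return html.unescape(m.group(1)) if m else None
    return base64.b64decode(field("SAMLRequest")).decode("utf-8"), field("RelayState")

def parse_logout_request(xml, my_endpoint):
    """What the receiver checks before acting on a decoded LogoutRequest (besides the
    signature): message type and that Destination names the endpoint it arrived at."""
    root = ET.fromstring(xml)
    if root.tag != "{%s}LogoutRequest" % NS["samlp"]:
        raise ValueError("not a samlp:LogoutRequest")
    if root.get("Destination") != my_endpoint:
        raise ValueError("LogoutRequest was addressed to a different endpoint")
    return {"id": root.get("ID"),
            "issuer": root.findtext("saml:Issuer", namespaces=NS),
            "name_id": root.findtext("saml:NameID", namespaces=NS),
            "session_index": root.findtext("samlp:SessionIndex", namespaces=NS)}
```

The Redirect form of the message is compressed because it must fit in a URL, which is also why the Redirect binding carries its signature in separate SigAlg and Signature query parameters rather than inside the XML; the POST form keeps the XML intact, so an XML signature can be embedded in the message itself. Either way, the receiver must verify that signature and the Destination check above before terminating a session, or a third party could log users out at will.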