Web SSO

⏰ Getting started

Introduction


To configure the Web SSO you must complete the next steps

1. Attribute definition: add the necessary attributes if they are not in the list.

2. Attribute sharing policies: define the proper attribute sharing policies to determine which attributes will be shared. The policies will apply to those IdPs that meet the conditions defined in the policy. You can define public policies that apply to all IdPs, or specific policies that only apply to certain IdPs.

3. Identity & Service providers: configure the identity and the service provider.


Soffid performs the validation in the following order

1. Login: first of all, Soffid checks the login; only if the login succeeds does it go on to the next step.

2. Policies: then it checks the attribute sharing policies. Soffid checks all policies and applies the ones whose conditions are met.

3. Attributes: For policies that result in Yes or True, the attribute conditions will be evaluated. The attributes will be shared when the conditions are true.


Attribute definition

Description

The attribute definition page displays all the auto-generated user attributes. Those attributes are the ones delivered from the identity providers to the service providers, depending on the defined rules.

Soffid has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script.

Screen overview

Custom attributes

Examples

Soffid IdP has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script. You can use the custom script to define the value of an attribute.

Examples to define the value of an attribute.

Example 1

Return full name in upper case:

return fullName.toUpperCase();

Example 2

Send one value if an attribute is blank. Otherwise, its value:

// Return "Soffid" when the company attribute is missing or blank,
// otherwise return the attribute's own value
return
    attributes{"company"} == null ||
    attributes{"company"}.isEmpty() ?
        "Soffid" :
        attributes{"company"};

Example 3

Use serverService to fetch the OU attribute of the account owned by the user in the Active Directory (AD) system:

// Iterate over the user's accounts in the "ad" system and return the
// "ou" attribute of the first one; return null if the user has none
for (account: serverService.getUserAccounts(id, "ad")) {
    return account{"attributes"}{"ou"};
}
return null;

Actions

Attribute definition query

Add new

Allows you to add a new attribute definition in the system. You can choose that option on the hamburger menu or clicking the add button (+).

To add a new one, it is necessary to fill in the required fields.

Delete

Allows you to remove one or more Attribute definitions by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with the attribute definition to add or update attribute definition to Soffid.

First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to review the content to be loaded, and you can choose whether or not to load each specific attribute. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all attribute definitions. 

Attribute definition detail

Delete

Allows you to save the data of a new Attribute definition or to update the data of a specific Attribute definition. To save the data it will be mandatory to fill in the required fields.

Save

Allows you to download a csv file with the basic information of the Attribute definition.


Attribute sharing policies

Description

After defining the attributes to publish, it is required to write a policy that defines which attributes are allowed to be shared with each service provider.

Soffid allows you to define security rules that apply to any attribute that should be delivered from identity providers to service providers.

Custom attributes

Condition

It is a boolean expression to be evaluated. The condition is only evaluated when the Allow value is Yes. You can use conditions both to configure the policy condition and to configure the shared attributes.

The boolean operators are the following:

Examples

Examples to define conditions in an attribute sharing policy:

Example 1

Give the email address and the user ID to any trusted service provider. We define this as a public policy.


Example 2

Give some extra attributes, like full name and roles, to any service provider belonging to the soffid-demo entity group.


Example 3

Rule that will be applied to the service provider named "test" or to any other service provider whose name starts with "soffid-".


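The three examples above, together with the evaluation order given in Getting started (login, then policies, then attribute conditions), can be modelled as a small decision routine. The following is an added example and not Soffid code: the policy objects, the entity group name, the service provider names and the user record are constructed for illustration, and the condition callables stand in for the boolean expressions Soffid evaluates.

```python
"""Model of the release order the page describes: login first, then the
attribute sharing policies, then the per-attribute conditions.
Added example, not Soffid code: policy objects, entity group and service
provider names below are constructed for illustration."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Callable, Dict, List, Optional, Set

Context = Dict[str, dict]  # {"sp": {...service provider...}, "user": {...}}
Condition = Callable[[Context], bool]


@dataclass
class AttributeRule:
    name: str
    condition: Optional[Condition] = None  # None: always shared by this policy


@dataclass
class Policy:
    name: str
    allow: bool                        # the policy's Allow flag
    condition: Optional[Condition]     # None: public policy, applies to all
    attributes: List[AttributeRule] = field(default_factory=list)


def release(policies: List[Policy], ctx: Context, login_ok: bool) -> Set[str]:
    """Return the attribute names to deliver to the service provider."""
    if not login_ok:                   # step 1: no login, nothing is shared
        return set()
    shared: Set[str] = set()
    for policy in policies:            # step 2: every policy is checked
        if not policy.allow:
            continue
        if policy.condition is not None and not policy.condition(ctx):
            continue
        for attr in policy.attributes: # step 3: attribute conditions
            if attr.condition is None or attr.condition(ctx):
                shared.add(attr.name)
    return shared


def sample_policies() -> List[Policy]:
    """Constructed policies mirroring the three examples above."""
    return [
        Policy("public-basics", True, None,
               [AttributeRule("email"), AttributeRule("uid")]),
        Policy("soffid-demo-extras", True,
               lambda c: c["sp"]["entityGroup"] == "soffid-demo",
               [AttributeRule("fullName"),
                # roles only when the user actually holds some
                AttributeRule("roles", lambda c: bool(c["user"]["roles"]))]),
        Policy("test-and-soffid-sps", True,
               lambda c: c["sp"]["name"] == "test"
               or fnmatchcase(c["sp"]["name"], "soffid-*"),
               [AttributeRule("department")]),
        # a disabled policy never contributes, whatever its condition says
        Policy("disabled", False, None, [AttributeRule("phone")]),
    ]


def decide(sp_name: str, entity_group: str, roles: List[str],
           login_ok: bool = True) -> Set[str]:
    """Constructed user record plus the service provider asking for it."""
    ctx = {"sp": {"name": sp_name, "entityGroup": entity_group},
           "user": {"uid": "jdoe", "email": "jdoe@example.test",
                    "fullName": "Jane Doe", "roles": roles}}
    return release(sample_policies(), ctx, login_ok)


if __name__ == "__main__":
    for sp, group in (("soffid-app", "soffid-demo"), ("test", "partners"),
                      ("crm", "partners")):
        print(sp, group, sorted(decide(sp, group, ["admin"])))
```

Because every matching policy contributes, the released set is the union of what the public policy and each matching specific policy allow; a policy whose Allow flag is off contributes nothing even when its condition holds.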

Actions

Attribute sharing policies query

Add new

Allows you to add a new Attribute sharing policy in the system. You can choose that option on the hamburger menu or by clicking the add button (+).

To add a new one, it is necessary to fill in the required fields.

Delete

Allows you to remove one or more Attribute sharing policies by selecting one or more records and then clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

Import

Allows you to upload a CSV file with Attribute sharing policies to add or update Attribute sharing policies in Soffid.

First, you need to pick a CSV file; that CSV has to follow a specific layout. Then you need to review the content to be loaded, and you can choose whether or not to load each specific policy. Finally, you need to select the mapping for each column of the CSV file so the data is imported correctly, and click the Import button.

Download CSV file

Allows you to download a CSV file with the basic information of all Attribute sharing policies. 

Attribute sharing policies detail

Delete

Allows you to save the data of a new Attribute sharing policy or to update the data of a specific Attribute sharing policy. To save the data it will be mandatory to fill in the required fields.

Apply changes

Allows you to save the data of a new Metadata object or to update the data of a specific Metadata object. To save the data it will be mandatory to fill in the required fields.

Undo

Allows you to quit without applying any changes made.


Identity & Service providers

Description

The Soffid Identity Federation addon helps administrators manage an Identity Federation. With Soffid you can manage the whole federation security configuration, increasing security while reducing federation management costs. Soffid can also act as a Service Provider, serving identities to any SAML-capable application server.

The main supported standard is SAML. SAML allows the identification process to be completely detached from the web applications, known as Service Providers. With SAML, identification is performed by specialized servers known as Identity Providers. Additionally, some other less secure but sometimes convenient protocols, like OAuth (Open Authorization) and OpenID Connect, are supported. Older protocols like OpenID (not to be confused with OpenID Connect) are deprecated and no longer supported.

You can visit the Introduction page to find more information about the federation members.

Federation members

1. Entity Group

2. Identity Provider

3. Service Provider

4. Virtual Identity Provider

Entity Group

Description

An entity group is just like a folder that allows you to manage different kinds of federation members. One of the most common ways to group federation members is by trust level.

When you create an entity group, the Identity Providers and Service Providers records will be displayed. You can then add identities and services by selecting the proper record.

Screen overview


Standard attributes


Identity Provider

Description

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

An Identity Provider is responsible for identifying users. Also, it is responsible for giving service providers information regarding the identified user.

Soffid allows you to configure different identity providers. You can choose the best option for you by selecting the IdP type:

To create an identity provider, it is advisable to install a dedicated sync server. It can be configured as a proxy sync server as it does not need direct access to the Soffid database. Instead, it will connect to the main sync server to get users and federation information.

For more information about how to configure a dedicated sync server, you can visit the Install Sync server page.

Standard attributes

The fields for each IdP type are detailed below:

Soffid IdP

Identification
Service Configuration

The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Leave it blank, as Soffid IdP will fill it in for you.

The metadata is generated once the Network and SAML Security data have been entered. Restarting the sync server will be necessary to fill in the Metadata.

Network

Server certificate management: there are two options for certificate management. You can visit the Server certificate management page for more information.

SAML Security
Session management
Authentication
Advanced Authentication
Profiles

A profile is a protocol or subset of protocols implemented by the Identity Provider. There are several accepted protocols, each of which allows a configuration specific to the selected profile.

You can visit the Profiles chapter for more information about each one.

Look and feel

Soffid allows you to personalize your login page by adding some style elements, as well as header and footer elements.


External SAML IdP

Identification
Service Configuration

The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Leave it blank, as Soffid IdP will fill it in for you.

Login Rules

OpenID-Connect

Service Configuration

{
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "https://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "scopes_supported": [ "openid","email","profile"]
}
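Before pasting a provider configuration like the one above into the Service Configuration field, it is worth checking that it is well formed and that every endpoint is reachable only over TLS. The following checker is an added example, not Soffid code; the embedded document is constructed with the same shape as the fragment above, and the checks (required endpoints, https scheme, a single host, the openid scope) are this example's own choices rather than anything Soffid enforces.

```python
"""Sanity checks on an OpenID Connect provider configuration document like
the one shown above. Added example, not Soffid code; the document below is
constructed and only carries the keys the page's fragment uses."""
import json
from typing import Dict, List
from urllib.parse import urlsplit

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed: same shape as the page's Service Configuration example.
SAMPLE_CONFIG = json.loads("""{
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "https://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "scopes_supported": [ "openid", "email", "profile" ]
}""")


def check_provider_config(doc: Dict) -> List[str]:
    """Return a list of problems; an empty list means the document passes."""
    problems: List[str] = []
    hosts = set()
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not isinstance(url, str) or not url:
            problems.append(f"{key}: missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":           # codes, tokens and user info must travel over TLS
            problems.append(f"{key}: not https ({url})")
        if not parts.netloc:
            problems.append(f"{key}: no host ({url})")
        else:
            hosts.add(parts.netloc)
    if len(hosts) > 1:                        # endpoints spread over several hosts deserve a look
        problems.append("endpoints are served from several hosts: " + ", ".join(sorted(hosts)))
    scopes = doc.get("scopes_supported") or []
    if "openid" not in scopes:                # without it the provider issues no ID token
        problems.append("scopes_supported: 'openid' not offered")
    return problems


def check_provider_config_text(text: str) -> List[str]:
    """Same checks, starting from the raw JSON text as pasted into the field."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top-level value is not a JSON object"]
    return check_provider_config(doc)


if __name__ == "__main__":
    print(check_provider_config(SAMPLE_CONFIG) or "configuration looks sane")
```

Real providers publish this document at their `/.well-known/openid-configuration` URL with more keys (for instance `issuer` and `jwks_uri`); the checker ignores keys it does not know, so it can be run on a downloaded document as well as on the fragment above.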

The Metadata is the information that any application needs to use the IdP. It is an XML file that contains the public encryption keys and the services provided.

Login rules

// Split the screen_name attribute on its first space into first and last name
sn = attributes{"screen_name"};
i = sn.indexOf(" ");
if (i > 0) {
    user.firstName = sn.substring(0, i);
    user.lastName = sn.substring(i + 1);
} else {
    // no space in the value: it all becomes the last name
    user.firstName = "?";
    user.lastName = sn;
}
// Return the name attribute
return attributes{"name"};

Facebook

Identification
Service Configuration
Login rules

Google

Identification
Service Configuration
Login rules

Linkedin

Identification
Service Configuration
Login rules

(*) What is CAPTCHA --> https://support.google.com/a/answer/1217728?hl=en

(*) https://www.google.com/recaptcha/about/

Service Provider

Definition

The Service Providers are standard applications that rely on Identity Providers to let the users log in.

Join federation

To join the federation, the service provider management team must deliver its "Metadata". The service provider Metadata describes how the service providers behave:

Standard attributes

The standard attributes depend on the Service provider type.

SAML

To enable the External SAML protocol you can visit the Authentication page. On that page you can also download the metadata XML file.

Identification
Service configuration

To publish the federation members' metadata, the main sync server exports the member's metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from:

https://soffid1.your.domain:760/SAML/metadata.xml


Within a few seconds, and at most five minutes, every federation member will pick up any change.
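Once you have fetched the federation metadata document from the URL above, it is useful to list the members it declares and look for settings that should not be trusted as-is. The following parser and audit is an added example and not Soffid code; the metadata document, entity IDs and endpoint URLs are constructed, the certificate value is a placeholder, and the findings (expired validUntil, non-TLS endpoints, an IdP without a signing certificate) are this example's own checks.

```python
"""Parse a federation metadata document like the one the main sync server
publishes at /SAML/metadata.xml and flag weak settings before trusting it.
Added example, not Soffid code; the document and entity IDs below are
constructed and the certificate value is a placeholder."""
from datetime import datetime, timezone
from typing import Dict, List, Optional
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD, "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed metadata: one IdP and one SP, the SP with an http ACS endpoint.
SAMPLE_METADATA = """<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" validUntil="2030-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.example.test/SAML">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/SAML/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.test/sp">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://app.example.test/acs" index="0"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>"""


def members(xml_text: str) -> List[Dict]:
    """One record per EntityDescriptor: id, role, endpoints, signing key presence."""
    root = ET.fromstring(xml_text)
    out: List[Dict] = []
    for ed in root.iter(f"{{{MD}}}EntityDescriptor"):
        idp = ed.find("md:IDPSSODescriptor", NS)
        role_el = idp if idp is not None else ed.find("md:SPSSODescriptor", NS)
        if role_el is None:
            continue
        keys = role_el.findall("md:KeyDescriptor", NS)
        out.append({
            "entityID": ed.get("entityID"),
            "role": "IdP" if idp is not None else "SP",
            "endpoints": [e.get("Location") for e in role_el if e.get("Location")],
            # a KeyDescriptor without 'use' is valid for both signing and encryption
            "has_signing_key": any(k.get("use") in (None, "signing") for k in keys),
        })
    return out


def _parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit(xml_text: str, now_iso: Optional[str] = None) -> List[str]:
    """Return findings an administrator should resolve before trusting the document."""
    now = _parse_ts(now_iso) if now_iso else datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    findings: List[str] = []
    valid_until = root.get("validUntil")
    if valid_until and _parse_ts(valid_until) <= now:
        findings.append(f"validUntil {valid_until} has passed")
    for m in members(xml_text):
        for loc in m["endpoints"]:
            if not loc.startswith("https://"):
                findings.append(f"{m['entityID']}: endpoint not served over TLS: {loc}")
        if m["role"] == "IdP" and not m["has_signing_key"]:
            findings.append(f"{m['entityID']}: IdP publishes no signing certificate")
    return findings


if __name__ == "__main__":
    for m in members(SAMPLE_METADATA):
        print(m["role"], m["entityID"], m["endpoints"])
    print(audit(SAMPLE_METADATA) or "no findings")
```

The audit deliberately stops short of verifying the document's XML signature; in a real deployment that check, against the key you obtained out of band, is what makes the rest of the findings meaningful.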

Login rules


You can visit the Openid-connect to SAML interoperability page for more detailed information.


SAML API client

Identification
Service configuration

Leave it blank, as Soffid IdP will fill it in for you.

The metadata is generated once the Network and SAML Security data have been entered.

Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

Network
SAML Security

OpenID Connect

Identification
Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

OpenID authorization flow

OpenID Connect Dynamic Registration

Identification
Login rules
OpenID authorization flow
Registration token

Cas client

Identification
Login rules
CAS configuration

Radius client

Identification
Login rules
Radius configuration

TACACS+

Identification
Login rules
Tacacs+ configuration

https://www.rfc-editor.org/rfc/rfc8907.html


    Virtual Identity Provider

    Definition

    A single identity provider usually offers different profiles or service levels to different service providers. To be able to define this behavior, any Identity Provider can be split into many virtual identity providers. Those identity providers are served by the same actual identity provider, but they have different profile configurations.

    Standard attributes

    Identification

    Service configuration

    Leave it blank, as Soffid IdP will fill it in for you.

    SAML Security

    Authentication

    Advanced authentication

    Profiles

    A profile is a protocol implemented by the Identity Provider. There are several accepted protocols, each of which allows a configuration specific to the selected profile.

    You can visit the Profiles chapter for more information about each one.

    Service Providers

    It will be necessary to bind any service provider to the virtual identity provider. When no such bind exists for a service provider, the actual identity provider profile configuration applies. 

    Actions

    Federation Tree view

    Add group

    Allows you to create a new Entity group. You can choose that option by clicking on the "Add group" button; Soffid will then display a new window with the fields to fill in.

    To add a new Entity group it will be mandatory to fill in the required fields and save or apply changes.

    Add identity provider

    Allows you to add a new Identity Provider. You must click the "Add identity provider" button, under the proper Entity Group and "Identity Provider" label; Soffid will then display a new window with the fields to fill in for the new Identity Provider.

    To add a new Identity provider it will be mandatory to fill in the required fields and save or apply changes.

    Add virtual identity provider

    Allows you to add a Virtual Identity Provider. You must click the "Add virtual identity provider" button, under the proper Identity Provider, which has to be a Soffid IdP; Soffid will then display a new window with the fields to fill in for the new Virtual identity provider.

    To add a new Virtual identity provider it will be mandatory to fill in the required fields and save or apply changes.

    Entity group

    List

    Add new

    You can add a new Entity group by clicking on the add button (+). Then Soffid will display a new window, and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Entity groups by selecting one or more records and then clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

    Detail
    Save

    Allows you to save the data of a new Entity group or to update the data of a specific Entity group.

    To save the data it will be mandatory to fill in the required fields.

    Apply changes

    Allows you to save the data of a new Entity group or to update the data of a specific Entity group and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Entity group. To delete it you can click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Identity Provider

    List

    Add new

    You can add a new Identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Identity providers by selecting one or more records and then clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

    Detail
    Save

    Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider.

    To save the data it will be mandatory to fill in the required fields.

    Apply changes

    Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Identity provider. To delete it you can click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Service Provider

    List

    Add new

    You can add a new Service provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Service providers by selecting one or more records and then clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

    Detail
    Save

    Allows you to save the data of a new Service provider or to update the data of a specific Service provider.

    To save the data it will be mandatory to fill in the required fields.

    Apply changes

    Allows you to save the data of a new Service provider or to update the data of a specific Service provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Service provider. To delete it you can click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Virtual Identity Provider

    List

    Add new

    You can add a new Virtual identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Virtual identity providers by selecting one or more records and then clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation; you can confirm or cancel the operation.

    Detail
    Save

    Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider.

    To save the data it will be mandatory to fill in the required fields.

    Apply changes

    Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Virtual identity provider. To delete it you can click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.


