# Web SSO



# ⏰ Getting started

## Introduction

---

To configure the Web SSO you must complete the next steps

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>Attribute definition**: add the necessary attributes if they are not in the list.

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>Attribute sharing policies**: define the proper attribute sharing policies to determine which attributes will be shared. The policies will apply to those IdPs that meet the conditions defined in the policy. You can define public policies that apply to all IdPs, or specific policies that only apply to certain IdPs.

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>Identity &amp; Service providers**: configure the identity and the service provider.

---

Soffid performs the validation in the following order

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>Login**: first of all, it checks the login, if the access is correct then follow the next step

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>Policies**: then, it checks the attribute sharing policies. Soffid checks all policies and applies the ones that meet the conditions.

**<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>Attributes**: For policies that result in Yes or True, the attribute conditions will be evaluated. The attributes will be shared when the conditions are true.

# Attribute definition

## Description

<p class="callout success">The attribute definition page displays all the **auto-generated user attributes**. Those attributes will be the attributes to deliver from the identity providers to the service providers depending on the defined rules.</p>

Soffid has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script.

## Screen overview

![](https://bookstack.soffid.com/uploads/images/gallery/2021-09/embedded-image-enety9lr.png)

## Custom attributes

- **Name**: a descriptive name.
- **ShortName**: short name to be used by SAML 2 service providers (without blanks).
- **Oid**: OID to be used by SAML 1 and SAML 2 service providers.
- **OpenID name**: OpenID name to be used by OAuth and OpenID connect service provider.
- **Radius ID**: Radius ID name.
- **Value**: an attribute value. Allows you to define a BeanShell script to determine the value of the attribute.

## Examples

Soffid IdP has a default implementation for common attributes like FullName or uid, but you can modify it by creating a custom script. You can use the custom script to define the value of an attribute.

Examples to define the value of an attribute.

#### Example 1

Return full name in upper case:

```Java
return fullName.toUpperCase();
```

#### Example 2

Send one value if an attribute is blank. Otherwise, its value:

```Java
return
    attributes{"company"} == null ||
    attributes{"company"}.isEmpty() ?
        "Soffid" :
        attributes{"company"}
```

#### Example 3

Use serverService to fech the OU attribute of the account owned by the user in the Active Directory (AD) system:

```JSON
for (account: serverService.getUserAccounts(id, "ad")) {
    return account{"attributes"}{"ou"};
}
return null;
```

## Actions

#### Attribute definition query

<table border="1" id="bkmrk-add-or-remove-column" style="width: 797px;"><tbody><tr><td style="width: 191px;">**Add new**

</td><td style="width: 606px;">Allows you to add a new attribute definition in the system. You can choose that option on the hamburger menu or clicking the add button (+).

To add a new it is necessary to fill in the required fields.

</td></tr><tr><td style="width: 191px;">**Delete**</td><td style="width: 606px;">Allows you to remove one or more Attribute definitions by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 191px;">**Import**</td><td style="width: 606px;">Allows you to upload a CSV file with the attribute definition to add or update attribute definition to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

</td></tr><tr><td style="width: 191px;">**Download CSV file**

</td><td style="width: 606px;">Allows you to download a CSV file with the basic information of all attribute definitions.

</td></tr></tbody></table>

#### Attribute definition detail

<table border="1" id="bkmrk-delete-allows-to-rem"><tbody><tr style="height: 28px;"><td style="width: 190.909px; height: 28px;">**Delete**

</td><td style="width: 605.455px; height: 28px;">Allows you to save the data of a new Attribute definition or to update the data of a specific Attribute definition. To save the data it will be mandatory to fill in the required fields.

</td></tr><tr style="height: 28px;"><td style="width: 190.909px; height: 28px;">**Save**

</td><td style="width: 605.455px; height: 28px;">Allows you to download a csv file with the basic information of the Attribute definition.

</td></tr></tbody></table>

# Attribute sharing policies

## Description

After defining the attributes to publish, it’s required to write a policy that defines which attributes will be allowed to share with each service provider.

<p class="callout success">Soffid allows you to define security rules that apply to any attribute that should be delivered from identity providers to service providers.</p>

## Custom attributes

- **Policy**: policy name.
- [**Condition** (policy)](#bkmrk-condition): a boolean expression that will be evaluated first. If this expression evaluates to false, the rule is completely ignored. It is used to evaluate to which applies the policy.
- **Attributes List**: allows you to add attributes with the proper condition for each one. 
    - **Attribute**: allows you to select an attribute from the attribute list. Those attributes are defined at the Attribute definition page.
    - **Allow**: if selected value is Yes, the attribute will be shared when the condition was true. If selected value is No, the attribute will no be shared.
    - [**Condition** (shared attributes)](#bkmrk-condition): a boolean expression to be evaluated. Allows you to customize a condition to evaluated and decide if the attribute should or not be delivered

#### Condition

<p class="callout success">It is a boolean expression to be evaluated. The condition will be evaluatuated when the Allow value was yes. You can use the conditions to configure the **conditions policy** and to configure the **shared attributes**.</p>

The boolean operator are the follow:

- **ANY**: the result will always be true.
- **OR**: the result will be true if any of its subexpressions are true
- **AND**: the result will be true if all of its subexpressions are true.
- **Attribute requester**: the result will be true if the service provider public id equals the specified value. Optionally, the ignore case checkbox will ignore upper and lower case differences.
- **Attribute Issuer**: the result will be true if the identity provider public id equals the specified value. Optionally, the ignore case checkbox will ignore upper and lower case differences.
- **PrincipalName**: the result will be true if the principal name equals the specified value. Optionally, the ignore case checkbox will ignore upper and lower case differences. Mind that some service providers want to use the email address as PrincipalName. Some others use the account name or X.509 subject name.
- **Authentication Method**: the result will be true if the used authentication method equals the specified value. Optionally, the ignore case checkbox will ignore upper and lower case differences. Some useful values are: 
    - When using SAML, it contains the standard SAML identifier corresponding to the used authentication method. When multifactor authentication is used, it contains the strongest one: 
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport** password authentication (using SSL)
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:PreviousSession** already authenticated using previous session
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:X509** user has a X.509 certificate
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:TLSClient** X.509's public key has been verified using TLS protocol
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken** time synchronized token.
        - **urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified** unspecified protocol. This tag is used when Soffid IDP relies on third party identity providers that don't give information about the authentication method used, such as oAuth or OpenId.
- When using OpenID connect, the value can be any of:
    
    
    - - **P**: Password
        - **PO**: Password + OneTimePassword
        - **PC**: Password + Certificate
        - **PE**: Password + External identity provider
        - **K**: Kerberos token
        - **KO**: Kerberos token + OneTimePassword
        - **KC**: Kerberos token + Certificate
        - **KE**: Kerberos token + External identity provider
        - **E**: External identity providers
        - **EO**: External identity provider + One time password
        - **EC**: External identity provider + Certificate
        - **O**: One time password
        - **OC**: One time password + Certificate
        - **C**: Certificate
- **Attribute value**: the result will be true if the related attribute has a specific value.
- **Attribute requester (regex)**: the result will be true if the service provider public id matches the specified regular expression.
- **Attribute issuer (regex)**: the result will be true if the identity provider public id matches the specified regular expression.
- **Principal name (regex)**: the result will be true if the principal name matches the specified regular expression. Mind that some service providers want to use the email address as PrincipalName. Some others use the account name or X.509 subject name.
- **Authentication method (regex)**: the result will be true if the used authentication method matches the specified regular expression.
- **Attribute value (regex)**: the result will be true if the related attribute has a specific value.
- **Attribute requester in entity group**: the result will be true if the service provider belongs to the specified group.
- **Attribute issuer in entity group**: the result will be true if the identity provider belongs to the specified group.
- **Attribute issuer nameID format**: the result will be true if the identity provider supports a specified identifier format.
- **Issuer entity attribute**: the result will be true if the identity provider metadata contains a specified attribute name and value.
- **Issuer entity attribute (regex)**: the result will be true if the identity provider metadata contains an attribute name and value that matches the specified regular expression.
- **Requester entity attribute**:the result will be true if the service provider metadata contains a specified attribute name and value.
- **Requester entity attribute (regex)**:the result will be true if the service provider metadata contains an attribute name and value that matches the specified regular expression.
- **Attribute requester nameID format**: the result will be true if the service provider supports a specified identifier format.

## Examples

Examples to define conditions in an attribute sharing policy:

#### Example 1

Give the email address and the user ID to any trusted service provider. We define this as a public policy.

[![image-1651591008906.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1651591008906.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1651591008906.png)

[![image-1652347213357.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652347213357.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1652347213357.png)

#### Example 2

Give some extra attributes, like full name and roles to any service provider belonging to soffid-demo entity group

[![image-1651732807889.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1651732807889.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1651732807889.png)

[![image-1652347060000.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652347060000.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1652347060000.png)

#### Example 3

Rule that will be applied to the service provider named “test’ or any other service provider whose name starts with “soffid-”

[![image-1652347158677.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652347158677.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1652347158677.png)

[![image-1652347180776.png](https://bookstack.soffid.com/uploads/images/gallery/2022-05/scaled-1680-/image-1652347180776.png)](https://bookstack.soffid.com/uploads/images/gallery/2022-05/image-1652347180776.png)

## Actions

#### Attribute sharing policies query

<table border="1" id="bkmrk-add-or-remove-column" style="width: 797px;"><tbody><tr><td style="width: 167.997px;">**Add new**

</td><td style="width: 628.991px;">Allows you to add a new Attribute sharing policies in the system. You can choose that option on the hamburger menu or clicking the add button (+).

To add a new it is necessary to fill in the required fields.

</td></tr><tr><td style="width: 167.997px;">**Delete**

</td><td style="width: 628.991px;">Allows you to remove one or more Attribute sharing policies by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 167.997px;">**Import**</td><td style="width: 628.991px;">Allows you to upload a CSV file with the ttribute sharing policies to add or update Attribute sharing policies to Soffid.

First, you need to pick up a CSV file, that CSV has to contain a specific configuration. Then you need to check the content to be loaded, it is allowed to choose if you want or not to load a specific attribute. And finally, you need to select the mappings for each column of the CSV file to import the data correctly and to click the Import button.

</td></tr><tr><td style="width: 167.997px;">**Download CSV file**

</td><td style="width: 628.991px;">Allows you to download a CSV file with the basic information of all Attribute sharing policies.

</td></tr></tbody></table>

#### Attribute sharing policies detail

<table border="1" id="bkmrk-delete-allows-to-rem" style="width: 795px;"><tbody><tr style="height: 28px;"><td style="width: 165.199px; height: 28px;">**Delete**

</td><td style="width: 628.807px; height: 28px;">Allows you to save the data of a new Attribute sharing policy or to update the data of a specific Attribute sharing policy. To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 165.199px;">**Apply changes**

</td><td style="width: 628.807px;">Allows you to save the data of a new Metada object or to update the data of a specific Metadata object. To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 165.199px;">**Undo**

</td><td style="width: 628.807px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

# Identity & Service providers

## Description

<p class="callout success">Soffid Identity Federation addon helps administrators to manage an Identity Federation. With Soffid you can manage the whole federation security configuration, increasing the security while reducing the federation management costs. Soffid can also act as a Service Provider, serving identities to any SAML capable application server.</p>

The main supported standard is [SAML](http://en.wikipedia.org/wiki/SAML_2.0). SAML allows to completely detach the identification process from web applications, known as Service Providers. With SAML, identification is performed by specialized servers known as Identity Providers. Additionaly, some other, less secure, but some times convenient protocols like [OAuth](https://en.wikipedia.org/wiki/OAuth) (Open Authorization) and [OpenID-Connect](https://en.wikipedia.org/wiki/OpenID_Connect) protocols are supported. Elder protocols like Openid (do not confuse with OpenID-Connect) are deprecated and no longer supported.

<p class="callout info">You can visit the Introduction page to find more information about the [federation members](https://bookstack.soffid.com/link/325#bkmrk-federation-members).</p>

## Federation members

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">1. </span>[Entity Group](#bkmrk-entity-group)

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">2. </span>[Identity Provider](#bkmrk-identity-provider)

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">3. </span>[Service Provider](#bkmrk-service-provider)

<span style="color: #a6d100; font-weight: bold; font-size: 18px;">4. </span>[Virtual Identity Provider](#bkmrk-virtual-identity-pro)

## Entity Group

{{@389}}

## Identity Provider

{{@390}}

## Service Provider

{{@392}}

## Virtual Identity Provider

{{@391}}

## Actions

#### Federation Tree view

<table border="1" id="bkmrk-apply-changes-allow-" style="height: 417px;"><tbody><tr style="height: 101px;"><td style="width: 190px; height: 101px;">**Add group**

</td><td style="width: 619px; height: 101px;">Allows you to create a new Entity group. You can choose that option by clicking on the "Add group" button, then Soffid will display a new window with the fields to fullfil.

To add a new Entity group it will be mandatory to fill in the required fields and save or apply changes..

</td></tr><tr style="height: 123px;"><td style="width: 190px; height: 123px;">**Add identity provider**

</td><td style="width: 619px; height: 123px;">Allows you to add a new Identity Provider. You must click the "Add identity provider" button, under the proper Entity Group and "Identity Provider" label, then Soffid will display a new window with the data to fulfill for new Identity Provider.

To add a new Identity provider it will be mandatory to fill in the required fields and save or apply changes..

</td></tr><tr style="height: 123px;"><td style="width: 190px; height: 123px;">**Add virtual identity provider**

</td><td style="width: 619px; height: 123px;">Allows you to add a Virtual Identity Provider. You must click the "Add virtual identity provider" button, under the proper Identity Provider, which has to be a Soffid IdP, then Soffid will display a new window with the data to fulfill for the new Virtual identity provider.

To add a new Virtual identity provider it will be mandatory to fill in the required fields and save or apply changes..

</td></tr></tbody></table>

#### Entity goup 

##### List

<table id="bkmrk-add-new-from-the-fed" style="height: 181px;"><tbody><tr style="height: 79px;"><td style="width: 156.79px; height: 79px;">**Add new**

</td><td style="width: 623.125px; height: 79px;">You can add a new Entity groups by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

</td></tr><tr style="height: 102px;"><td style="width: 156.79px; height: 102px;"> **Delete**

</td><td style="width: 623.125px; height: 102px;">Allows you to remove one or more Entity group by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr></tbody></table>

##### Detail

<table id="bkmrk-apply-changes-allows"><tbody><tr><td style="width: 149.984px;">**Save**</td><td style="width: 659.016px;">Allows you to save the data of a new Entity group or to update the data of a specific Entity group.

To save the data it will be mandatory to fill in the required fields

</td></tr><tr><td style="width: 149.984px;">**Apply changes**

</td><td style="width: 659.016px;">Allows you to save the data of a new Entity group or to update the data of a specific Entity group and quit.

To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 149.984px;">**Delete**

</td><td style="width: 659.016px;">Allows you to delete the Entity group. To delete a host you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 149.984px;">**Undo**

</td><td style="width: 659.016px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

#### Identity Provider

##### List

<table id="bkmrk-add-new-you-can-add-"><tbody><tr style="height: 79px;"><td style="width: 156.79px; height: 79px;">**Add new**

</td><td style="width: 623.125px; height: 79px;">You can add a new Identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

</td></tr><tr style="height: 102px;"><td style="width: 156.79px; height: 102px;"> **Delete**

</td><td style="width: 623.125px; height: 102px;">Allows you to remove one or more Identity providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr></tbody></table>

##### Detail

<table id="bkmrk-save-%C2%A0-allows-you-to"><tbody><tr><td style="width: 149.984px;">**Save**</td><td style="width: 659.016px;">Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider.

To save the data it will be mandatory to fill in the required fields

</td></tr><tr><td style="width: 149.984px;">**Apply changes**

</td><td style="width: 659.016px;">Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider and quit.

To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 149.984px;">**Delete**

</td><td style="width: 659.016px;">Allows you to delete the Identity provider. To delete a host you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 149.984px;">**Undo**

</td><td style="width: 659.016px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

#### Service Provider

##### List

<table id="bkmrk-add-new-you-can-add--0"><tbody><tr style="height: 79px;"><td style="width: 156.79px; height: 79px;">**Add new**

</td><td style="width: 623.125px; height: 79px;">You can add a new Service provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

</td></tr><tr style="height: 102px;"><td style="width: 156.79px; height: 102px;"> **Delete**

</td><td style="width: 623.125px; height: 102px;">Allows you to remove one or more Service providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr></tbody></table>

##### Detail

<table id="bkmrk-save-%C2%A0-allows-you-to-0"><tbody><tr><td style="width: 149.984px;">**Save**</td><td style="width: 659.016px;">Allows you to save the data of a new Service provider or to update the data of a specific Service provider.

To save the data it will be mandatory to fill in the required fields

</td></tr><tr><td style="width: 149.984px;">**Apply changes**

</td><td style="width: 659.016px;">Allows you to save the data of a new Identity provider or to update the data of a specific Service provider and quit.

To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 149.984px;">**Delete**

</td><td style="width: 659.016px;">Allows you to delete the Service provider. To delete a host you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 149.984px;">**Undo**

</td><td style="width: 659.016px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

#### Virtyal Identity Provider

##### List

<table id="bkmrk-add-new-you-can-add--1"><tbody><tr style="height: 79px;"><td style="width: 156.79px; height: 79px;">**Add new**

</td><td style="width: 623.125px; height: 79px;">You can add a new Virtual identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

</td></tr><tr style="height: 102px;"><td style="width: 156.79px; height: 102px;"> **Delete**

</td><td style="width: 623.125px; height: 102px;">Allows you to remove one or more Virtual identity providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

</td></tr></tbody></table>

##### Detail

<table id="bkmrk-save-%C2%A0-allows-you-to-1"><tbody><tr><td style="width: 149.984px;">**Save**</td><td style="width: 659.016px;">Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider.

To save the data it will be mandatory to fill in the required fields

</td></tr><tr><td style="width: 149.984px;">**Apply changes**

</td><td style="width: 659.016px;">Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider and quit.

To save the data it will be mandatory to fill in the required fields.

</td></tr><tr><td style="width: 149.984px;">**Delete**

</td><td style="width: 659.016px;">Allows you to delete the Virtual identity provider. To delete a host you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

</td></tr><tr><td style="width: 149.984px;">**Undo**

</td><td style="width: 659.016px;">Allows you to quit without applying any changes made.

</td></tr></tbody></table>

---

[*https://en.wikipedia.org/wiki/Federated\_identity*](https://en.wikipedia.org/wiki/Federated_identity)

*[https://en.wikipedia.org/wiki/Identity\_provider](https://en.wikipedia.org/wiki/Identity_provider)*

[*https://en.wikipedia.org/wiki/Service\_provider*](https://en.wikipedia.org/wiki/Service_provider)

# Shared signals & events members

{{@1198}}