Identity & Service providers

Description

The Soffid Identity Federation addon helps administrators manage an identity federation. With Soffid you can manage the security configuration of the whole federation, increasing security while reducing management costs. Soffid can also act as an Identity Provider itself, serving identities to any SAML-capable application server.

The main supported standard is SAML. SAML completely detaches the identification process from the web applications, known as Service Providers: identification is performed by specialized servers known as Identity Providers. Other protocols are also supported where they are more convenient for the application, namely OAuth (Open Authorization) and OpenID Connect. Note that OAuth on its own is an authorization protocol, not an authentication protocol: the user's identity should be taken from an OpenID Connect ID token or from a trusted user-info endpoint, never inferred from the mere possession of an access token. Older protocols such as the original OpenID (not to be confused with OpenID Connect) are deprecated and no longer supported.

You can visit the Introduction page to find more information about the federation members.

Federation members

1. Entity Group

2. Identity Provider

3. Service Provider

4. Virtual Identity Provider

Entity Group

Description

An entity group is just like a folder that allows you to manage different kinds of federation members. One of the most common ways to group federation members is by trust level.

When you create an entity group, the Identity Providers and Service Providers records are displayed under it. You can then add identity providers and service providers by selecting the corresponding record.

Screen overview


Standard attributes


Identity Provider

Description

An identity provider (abbreviated IdP or IDP) is a system entity that creates, maintains, and manages identity information for principals and also provides authentication services to relying applications within a federation or distributed network.

An Identity Provider is responsible for identifying users. Also, it is responsible for giving service providers information regarding the identified user.

Soffid allows you to configure several kinds of identity providers; choose the one that suits you by selecting the IdP type. The available types and their fields are described below.

To run an identity provider, it is advisable to install a dedicated sync server. It can be configured as a proxy sync server, since it does not need direct access to the Soffid database: it connects to the main sync server to get users and federation information.

For more information about how to configure a dedicated sync server, you can visit the Install Sync server page.

Standard attributes

The fields for each IdP type are detailed below:

Soffid IdP

Identification
Service Configuration

The metadata is the information any application needs in order to use the IdP: an XML document that contains the IdP's public key certificates (used by Service Providers to verify its signatures and to encrypt data sent to it) and the service endpoints it provides.

Leave it blank; the Soffid IdP will fill it in for you.

The metadata is generated once the Network and SAML Security sections have been completed. Restarting the sync server is necessary for the Metadata field to be filled in.

Network

Server certificate management: there are two options for certificate management. You can visit the Server certificate management page for more information.

SAML Security
Session management
Authentication
Advanced Authentication
Profiles

A profile is a protocol, or a subset of a protocol, implemented by the Identity Provider. Several protocols are accepted, and each one exposes its own configuration, depending on the selected profile.

You can visit the Profiles chapter for more information about each one.

Look and feel

Soffid allows you to personalize your login page by adding some style elements, as well as header and footer elements.


External SAML IdP

Identification
Service Configuration

The metadata is the information any application needs in order to use the IdP: an XML document that contains the IdP's public key certificates and the service endpoints it provides.

Unlike the Soffid IdP, an external IdP does not generate this document in Soffid: its metadata is published by the remote provider, which owns the keys and endpoints it describes, and that published document is what must be registered here.

Login Rules

OpenID-Connect

Service Configuration

{
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "https://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "scopes_supported": [ "openid","email","profile"]
}

For OpenID Connect the metadata is not SAML XML but a JSON document like the one above, listing the provider's endpoints and supported scopes. This is the same information an OpenID Connect provider publishes in its discovery document at /.well-known/openid-configuration under its issuer URL.
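Before pasting a provider configuration such as the one above into Soffid, it is worth checking it. The following Python script is an added example, not part of Soffid or of the original page: it derives the discovery URL from an issuer, and checks a configuration document for the endpoints the login needs, for plain-http endpoints, for the openid scope (without it the provider issues plain OAuth access tokens and no ID token) and for jwks_uri. Both sample documents are constructed here; the first is the page's fragment with an "issuer" field added, and it is flagged only for the missing jwks_uri, which the page's fragment does not include. Whether Soffid requires jwks_uri is not stated on the page, but without it a relying party cannot verify ID token signatures.

```python
"""Checks on an OpenID Connect provider configuration before registering it as an IdP."""
import json
from urllib.parse import urlparse

# Endpoints a provider configuration must name for the login flow to work at all.
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint")

# Constructed sample: the configuration shown on the page, plus an "issuer" field.
PAGE_CONFIG = """{
    "issuer": "https://server",
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "https://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "scopes_supported": [ "openid","email","profile"]
}"""

# Constructed sample with two defects: a plain-http token endpoint and no openid scope.
WEAK_CONFIG = """{
    "issuer": "https://server",
    "authorization_endpoint": "https://server/oauth2/auth",
    "token_endpoint": "http://server/oauth2/token",
    "userinfo_endpoint": "https://server/oauth2/userinfo",
    "jwks_uri": "https://server/oauth2/keys",
    "scopes_supported": [ "email","profile"]
}"""


def discovery_url(issuer):
    """Where a provider publishes its configuration (OpenID Connect Discovery 1.0)."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def check_provider_config(text):
    """Return a list of problems; an empty list means the document passed."""
    cfg = json.loads(text)
    problems = []
    issuer = cfg.get("issuer", "")
    # The issuer is compared byte-for-byte against the "iss" claim of ID tokens,
    # so it must be a clean https URL.
    if urlparse(issuer).scheme != "https" or "?" in issuer or "#" in issuer:
        problems.append("issuer must be an https URL without query or fragment")
    for key in REQUIRED_ENDPOINTS:
        url = cfg.get(key)
        if not url:
            problems.append(f"{key} is missing")
        elif urlparse(url).scheme != "https":
            # Authorization codes and tokens travel to this URL; plain http exposes them.
            problems.append(f"{key} is not https: {url}")
    if "openid" not in cfg.get("scopes_supported", []):
        problems.append("scopes_supported lacks openid; no ID token will be issued")
    if "jwks_uri" not in cfg:
        problems.append("jwks_uri is missing; ID token signatures cannot be verified")
    return problems


if __name__ == "__main__":
    print(discovery_url("https://server"))
    for name, doc in (("page config", PAGE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(name, check_provider_config(doc) or "ok")
```

When the provider supports discovery, fetch its document from the URL that discovery_url returns and run the same checks on the fetched text instead of a hand-written fragment.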

Login rules

// Login rule: derive the user's first and last name from the provider's
// "screen_name" attribute and return the value to be used as the user name.
// Assumes the provider always sends screen_name; otherwise sn is null.
sn = attributes{"screen_name"};
i = sn.indexOf(" ");
if (i > 0) {
	// "First Last ..." -> everything before the first space is the first name
	user.firstName = sn.substring(0, i);
	user.lastName = sn.substring(i + 1);
} else {
	// no space: keep the whole value as the last name and mark the first name unknown
	user.firstName = "?";
	user.lastName = sn;
}
return attributes{"name"};

Facebook

Identification
Service Configuration
Login rules

Google

Identification
Service Configuration
Login rules

Linkedin

Identification
Service Configuration
Login rules

(*) What is CAPTCHA --> https://support.google.com/a/answer/1217728?hl=en

(*) https://www.google.com/recaptcha/about/

Service Provider

Definition

The Service Providers are standard applications that rely on Identity Providers to let the users log in.

Join federation

To join the federation, the Service Provider's management team must deliver its metadata. The Service Provider metadata describes how the Service Provider behaves: its entity ID, the endpoints where it receives assertions, and the certificates it uses to sign requests and to decrypt assertions.

Standard attributes

The standard attributes depend on the Service provider type.

SAML

To enable the external SAML protocol, visit the Authentication page; the metadata XML file can also be downloaded there.

Identification
Service configuration

To publish the federation members' metadata, the main sync server exports the members' metadata at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from:

https://soffid1.your.domain:760/SAML/metadata.xml


Changes to the federation propagate to every member within a few seconds, and at most five minutes.
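Whether you are reviewing the metadata a Service Provider delivers when it joins, or the whole federation document published at /SAML/metadata.xml (the same XML described under the Soffid IdP's Service Configuration above), the things a federation operator usually rejects can be checked mechanically. The following Python script is an added example and not part of Soffid or of this page: it parses a constructed metadata document (embedded below, with a placeholder in place of a real certificate) that contains one IdP and one deliberately weak SP, and reports members without a signing certificate, endpoints that are not https, and Service Providers that do not require signed assertions or do not sign their requests. It checks shape only; it does not verify the document's own XML signature, which must be done before trusting metadata fetched over the network.

```python
"""Shape checks on a SAML 2.0 federation metadata document such as /SAML/metadata.xml."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
ROLE_TAGS = ("IDPSSODescriptor", "SPSSODescriptor")

# Constructed sample: one IdP and one SP. The certificate body is a placeholder, not a key.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Name="example-federation">
  <md:EntityDescriptor entityID="https://idp.example.org/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing">
        <ds:KeyInfo><ds:X509Data>
          <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate>
        </ds:X509Data></ds:KeyInfo>
      </md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.example.org/saml/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://app.example.com/sp">
    <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
        protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="http://app.example.com/saml/acs"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_entities(xml_text):
    """Return one dict per EntityDescriptor with its roles, key uses and endpoints."""
    root = ET.fromstring(xml_text)
    entities = []
    for ed in root.iter("{%s}EntityDescriptor" % NS["md"]):
        entity = {"entityID": ed.get("entityID"), "roles": []}
        for tag in ROLE_TAGS:
            for role in ed.findall("md:" + tag, NS):
                key_uses = set()
                for kd in role.findall("md:KeyDescriptor", NS):
                    if kd.find(".//ds:X509Certificate", NS) is None:
                        continue
                    # A KeyDescriptor without "use" is valid for both signing and encryption.
                    use = kd.get("use")
                    key_uses.update({use} if use else {"signing", "encryption"})
                # Every direct child with a Location is a service endpoint (SSO, ACS, SLO...).
                endpoints = [
                    (ep.tag.split("}")[1], ep.get("Binding"), ep.get("Location"))
                    for ep in role if ep.get("Location")
                ]
                entity["roles"].append({
                    "type": tag,
                    "key_uses": key_uses,
                    "endpoints": endpoints,
                    "authn_requests_signed": role.get("AuthnRequestsSigned"),
                    "want_assertions_signed": role.get("WantAssertionsSigned"),
                })
        entities.append(entity)
    return entities


def check_entity(entity):
    """Hygiene findings for one federation member; an empty list means it passed."""
    findings = []
    eid = entity["entityID"] or "<no entityID>"
    if not entity["entityID"]:
        findings.append("an EntityDescriptor has no entityID")
    for role in entity["roles"]:
        who = "%s [%s]" % (eid, role["type"])
        if "signing" not in role["key_uses"]:
            findings.append(who + ": no signing certificate in any KeyDescriptor")
        for name, _binding, location in role["endpoints"]:
            if urlparse(location).scheme != "https":
                findings.append("%s: %s endpoint is not https: %s" % (who, name, location))
        if role["type"] == "SPSSODescriptor":
            if role["want_assertions_signed"] != "true":
                findings.append(who + ": WantAssertionsSigned is not true")
            if role["authn_requests_signed"] != "true":
                findings.append(who + ": AuthnRequestsSigned is not true")
    return findings


def check_federation(xml_text):
    findings = []
    for entity in parse_entities(xml_text):
        findings.extend(check_entity(entity))
    return findings


if __name__ == "__main__":
    for line in check_federation(SAMPLE_METADATA) or ["all members passed"]:
        print(line)
```

Metadata delivered by a third party is untrusted XML; in production, parse it with a hardened parser such as defusedxml rather than the standard library parser used here, and verify the document signature before acting on its contents.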

Login rules


You can visit the Openid-connect to SAML interoperability page for more detailed information.


SAML API client

Identification
Service configuration

Leave it blank; the Soffid IdP will fill it in for you.

The metadata is generated once the Network and SAML Security sections have been completed.

Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

Network
SAML Security

OpenID Connect

Identification
Login rules

You can visit the Openid-connect to SAML interoperability page for more detailed information.

OpenID authorization flow

OpenID Connect Dynamic Registration

Identification
Login rules
OpenID authorization flow
Registration token

CAS client

Identification
Login rules
CAS configuration

RADIUS client

Identification
Login rules
RADIUS configuration

TACACS+

Identification
Login rules
TACACS+ configuration

https://www.rfc-editor.org/rfc/rfc8907.html


    Virtual Identity Provider

    Definition

    A single identity provider usually offers different profiles or service levels to different service providers. To define this behavior, any Identity Provider can be split into several virtual identity providers. They are served by the same actual identity provider, but each one has its own profile configuration.

    Standard attributes

    Identification

    Service configuration

    Leave it blank as Soffid IdP will fulfill it for you.

    SAML Security

    Authentication

    Advanced authentication

    Profiles

    A profile is a protocol implemented by the Identity Provider. Several protocols are accepted, and each one exposes its own configuration, depending on the selected profile.

    You can visit the Profiles chapter for more information about each one.

    Service Providers

    Every service provider that should use the virtual identity provider must be bound to it. When no such binding exists for a service provider, the profile configuration of the actual identity provider applies.

    Actions

    Federation Tree view

    Add group

    Allows you to create a new Entity group. Click the "Add group" button; Soffid will display a new window with the fields to fill in.

    To add a new Entity group, fill in the required fields and save or apply the changes.

    Add identity provider

    Allows you to add a new Identity Provider. Click the "Add identity provider" button under the proper Entity Group and its "Identity Provider" label; Soffid will display a new window with the data to fill in for the new Identity Provider.

    To add a new Identity provider, fill in the required fields and save or apply the changes.

    Add virtual identity provider

    Allows you to add a Virtual Identity Provider. Click the "Add virtual identity provider" button under the proper Identity Provider, which has to be a Soffid IdP; Soffid will display a new window with the data to fill in for the new Virtual identity provider.

    To add a new Virtual identity provider, fill in the required fields and save or apply the changes.

    Entity group

    List

    Add new

    You can add a new Entity group by clicking on the add button (+). Then Soffid will display a new window where you need to fill in the required fields and save or apply the changes.

    Delete

    Allows you to remove one or more Entity groups by selecting one or more records and then clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Detail
    Save

     

    Allows you to save the data of a new Entity group or to update the data of a specific Entity group.

    To save the data it will be mandatory to fill in the required fields

    Apply changes

    Allows you to save the data of a new Entity group or to update the data of a specific Entity group and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Entity group. To do so, click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Identity Provider

    List

    Add new

    You can add a new Identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Identity providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Detail
    Save

     

    Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider.

    To save the data it will be mandatory to fill in the required fields

    Apply changes

    Allows you to save the data of a new Identity provider or to update the data of a specific Identity provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Identity provider. To do so, click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Service Provider

    List

    Add new

    You can add a new Service provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Service providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Detail
    Save

     

    Allows you to save the data of a new Service provider or to update the data of a specific Service provider.

    To save the data it will be mandatory to fill in the required fields

    Apply changes

    Allows you to save the data of a new Service provider or to update the data of a specific Service provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Service provider. To do so, click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.

    Virtual Identity Provider

    List

    Add new

    You can add a new Virtual identity provider by clicking on the add button (+). Then Soffid will display a new window and you need to fill in the required fields and save or apply changes.

    Delete

    Allows you to remove one or more Virtual identity providers by selecting one or more records and next clicking the button with the subtraction symbol (-).

    To perform that action, Soffid will ask you for confirmation, you could confirm or cancel the operation.

    Detail
    Save

     

    Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider.

    To save the data it will be mandatory to fill in the required fields

    Apply changes

    Allows you to save the data of a new Virtual identity provider or to update the data of a specific Virtual identity provider and quit.

    To save the data it will be mandatory to fill in the required fields.

    Delete

    Allows you to delete the Virtual identity provider. To do so, click on the hamburger icon and then click the delete button (trash icon).

    Soffid will ask you for confirmation to perform that action, you could confirm or cancel the operation.

    Undo

    Allows you to quit without applying any changes made.



    https://en.wikipedia.org/wiki/Federated_identity

    https://en.wikipedia.org/wiki/Identity_provider

    https://en.wikipedia.org/wiki/Service_provider


    Revision #53
    Created 7 September 2021 07:01:00 by pgarcia@soffid.com
    Updated 21 June 2022 14:32:40 by pgarcia@soffid.com