
Service Provider

Definition

Service Providers are standard application servers that rely on Identity Providers to let users log in.

Join federation

To join the federation, the service provider's management team must deliver its "Metadata". The service provider metadata describes how the service provider behaves:

  • Which security algorithms it supports.
  • The public portion of its signing and encryption keys.
  • Which SAML protocols it supports.
  • The URL of each SAML protocol endpoint.
  • Contact information.

To let a service provider join your federation, click on the Service Providers node of the left-hand tree, click the "Add" button and enter the required information:

  1. Public ID. It must match the EntityID in the service provider metadata.
  2. Name. Enter a member description.
  3. Metadata. Paste the metadata sent by the member administrator.
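As an added example (not Soffid's own code), the following Python script performs the check a federation administrator would want to run before completing the form above: it parses the metadata the member sent, confirms that its EntityID matches the Public ID about to be entered, and summarises the algorithms, keys, protocols, endpoints and contacts the document declares. The sample metadata is constructed; its host names, e-mail address and certificate bodies are placeholders, not values from a real deployment.

```python
"""Pre-admission check of a service provider's SAML metadata.

Added example, not Soffid's own code: before pasting the metadata into the
"Add" form, confirm that the Public ID you intend to enter matches the
EntityID and summarise what the document declares (algorithms, keys,
protocols, endpoints, contacts). The sample metadata is constructed; its
certificate bodies are placeholder bytes, not real X.509 certificates.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "alg": "urn:oasis:names:tc:SAML:metadata:algsupport",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed sample SP metadata (host names and contact are fictional).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:alg="urn:oasis:names:tc:SAML:metadata:algsupport"
    entityID="https://app.example.test/saml/metadata">
  <md:Extensions>
    <alg:SigningMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    <alg:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
  </md:Extensions>
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>AQIDBA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>BQYHCA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.test/saml/acs"/>
  </md:SPSSODescriptor>
  <md:ContactPerson contactType="technical">
    <md:EmailAddress>saml-admin@example.test</md:EmailAddress>
  </md:ContactPerson>
</md:EntityDescriptor>
"""


def summarize_sp_metadata(xml_text):
    """Extract the items the federation administrator needs to review."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service provider metadata")
    keys = {}
    for kd in sp.findall("md:KeyDescriptor", NS):
        use = kd.get("use", "signing+encryption")  # an absent 'use' means both
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            keys.setdefault(use, []).append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "protocols": sp.get("protocolSupportEnumeration", "").split(),
        "signing_algorithms": [e.get("Algorithm") for e in root.iter("{%s}SigningMethod" % NS["alg"])],
        "digest_algorithms": [e.get("Algorithm") for e in root.iter("{%s}DigestMethod" % NS["alg"])],
        "keys": keys,  # use -> SHA-256 fingerprints of the DER certificates
        "endpoints": [(acs.get("Binding"), acs.get("Location"))
                      for acs in sp.findall("md:AssertionConsumerService", NS)],
        "contacts": [e.text for e in root.iter("{%s}EmailAddress" % NS["md"])],
        "authn_requests_signed": sp.get("AuthnRequestsSigned") == "true",
    }


def check_sp_metadata(public_id, xml_text):
    """Return a list of findings; an empty list means the pair is safe to add."""
    info = summarize_sp_metadata(xml_text)
    findings = []
    if info["entity_id"] != public_id:
        findings.append("Public ID %r does not match EntityID %r" % (public_id, info["entity_id"]))
    if SAML2_PROTOCOL not in info["protocols"]:
        findings.append("SP does not declare SAML 2.0 protocol support")
    if not (info["keys"].get("signing") or info["keys"].get("signing+encryption")):
        findings.append("no signing certificate: signed AuthnRequests cannot be verified")
    if not info["endpoints"]:
        findings.append("no AssertionConsumerService endpoint")
    for _binding, location in info["endpoints"]:
        if not location.startswith("https://"):
            findings.append("endpoint %s is not served over HTTPS" % location)
    if not info["contacts"]:
        findings.append("no contact e-mail address")
    return findings


if __name__ == "__main__":
    for line in check_sp_metadata("https://app.example.test/saml/metadata", SAMPLE_METADATA) or ["OK"]:
        print(line)
```

The fingerprints let you compare the certificate the member sent out of band with the one embedded in the metadata; a mismatch between the Public ID and the EntityID is the most common reason a newly added member fails to log in.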

Screen overview

&&TODO&&

Standard attributes

Identification

  • Type: identifies the service provider type. Currently there are three types:
    • SAML:
    • SAML API client:
    • OpenID Connect:
  • publicID: public name of the service provider.
  • Name: friendly user name or brief description.

SAML

Service configuration

  • Metadata: you must provide the identity provider metadata. You can either copy it from the Soffid federation page, or instruct the service provider to download the federation metadata by itself.

To publish the federation members' metadata, the main sync server exports it at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from https://soffid1.your.domain:760/SAML/metadata.xml.
Within a few seconds, and at most five minutes, every federation member will notice any change.

Login rules

  • Allow impersonations: &&TODO&&
  • UID Script: &&TODO&&

SAML API client

Identification

  • Organization: company name of the external IdP.
  • Contact: email address of the external IdP.

Service configuration

  • Metadata: you must provide the identity provider metadata. You can either copy it from the Soffid federation page, or instruct the service provider to download the federation metadata by itself.

To publish the federation members' metadata, the main sync server exports it at the path /SAML/metadata.xml. Thus, if your sync server is listening at soffid1.your.domain, you can get the whole federation metadata document from https://soffid1.your.domain:760/SAML/metadata.xml.
Within a few seconds, and at most five minutes, every federation member will notice any change.

Login rules

  • Allow impersonations: &&TODO&&
  • UID Script: &&TODO&&

Network

  • Host name
  • Standard port
  • Disable SSL
  • Assertion path

SAML Security

  • Public key
  • Certificate chain

OpenID Connect

Service configuration

  • Metadata
  • oAuth key
  • oAuth secret

Login rules

  • Allow impersonations
  • UID Script

Profiles

OpenID

authorization flow

Implicit flow

  • The Service Provider sends the user to the IdP.
  • The IdP authenticates the user.
  • The user returns control to the Service Provider along with an OpenID token and an OAuth token.

Client credentials flow

  • The Service Provider sends the user to the IdP.
  • The IdP authenticates the user.
  • The user returns control to the Service Provider along with an authorization code.
  • The Service Provider gets the OpenID token and OAuth token from the IdP by presenting the authorization code and its client secret. This request uses a direct connection between them.

Password authentication flow

  • The Service Provider asks for a user name and password.
  • The Service Provider gets the OpenID token and OAuth token from the IdP by presenting the user's name and password, and optionally its client secret. This request uses a direct connection between them.

  • Implicit: the application server redirects the end user to the IdP, which in turn returns the oAuth token along with the OpenID token.
  • Authorization code: the application server redirects the user to the IdP, which in turn returns an authorization code that can be used to retrieve the oAuth token and the OpenID token from the token endpoint.
  • User's password: the server accesses the token endpoint directly, sending the user name and password, to retrieve the oAuth and OpenID tokens. This mechanism is highly insecure, as it allows unauthenticated clients to impersonate end users.
  • User's password + Client credential: a secure version of the previous one, requiring the client to use its client secret.
  • Client id: the identifier used by the application server.
  • Client secret: password used by the application server. It is used in the Authorization code flow as well as in the "User's password + Client credentials" flow.
  • Response URL: the URL to which control is returned after authenticating a user.
  • oAuth Session timeout (secs): time in seconds that the oAuth session will last. The oAuth session has its own life cycle, regardless of the session timeout.
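The authorization code flow described above, together with the Client secret, Response URL and oAuth Session timeout settings, as an added example that is not Soffid's own code: both parties are simulated in one process so the exchange runs offline. The IdP is an in-memory stand-in; every client id, secret, URL and user name is constructed; the nonce handling and the HS256 ID token keyed with the client secret are assumptions for the simulation (OIDC permits HS256 with the client secret, but deployments usually use RS256 keys published in the IdP's JWKS). The same token endpoint check that requires the client secret is what distinguishes the "User's password + Client credential" variant from the plain password variant.

```python
"""Simulated OpenID Connect authorization code login between a Service Provider (SP)
and an IdP, showing the checks behind the "Client secret", "Response URL" and "oAuth
Session timeout" settings. Added example, not Soffid's own code: the IdP is an in-memory
stand-in, every id, secret, URL and user name is constructed, and the ID token is an
HS256 JWT keyed with the client secret (OIDC allows this; RS256 is the usual choice)."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SESSION_TIMEOUT_SECS = 600  # the "oAuth Session timeout (secs)" field
CLIENT = ("app-client", "constructed-client-secret", "https://app.example.test/oidc/callback")

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def _hs256(secret, signing_input):
    return hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()

class IdentityProvider:
    def __init__(self, issuer):
        self.issuer = issuer
        self.clients = {}  # client_id -> {"secret": str, "response_url": str}
        self.codes = {}    # one-time authorization code -> (client_id, user, nonce)

    def register(self, client_id, client_secret, response_url):
        self.clients[client_id] = {"secret": client_secret, "response_url": response_url}

    def authorize(self, client_id, redirect_uri, nonce, authenticated_user):
        """Authorization endpoint; the user has already authenticated at the IdP."""
        client = self.clients.get(client_id)
        if client is None:
            raise PermissionError("unknown client_id")
        if redirect_uri != client["response_url"]:  # exact match with the registered Response URL
            raise PermissionError("redirect_uri does not match the registered Response URL")
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, authenticated_user, nonce)
        return redirect_uri + "?" + urlencode({"code": code})

    def token(self, client_id, client_secret, code):
        """Token endpoint, reached over a direct SP-to-IdP connection, never via the browser."""
        client = self.clients.get(client_id)
        if client is None or not hmac.compare_digest(client_secret, client["secret"]):
            raise PermissionError("client authentication failed")
        entry = self.codes.pop(code, None)  # authorization codes are single use
        if entry is None or entry[0] != client_id:
            raise PermissionError("invalid authorization code")
        _, user, nonce = entry
        now = int(time.time())
        claims = {"iss": self.issuer, "sub": user, "aud": client_id, "nonce": nonce, "iat": now,
                  "exp": now + SESSION_TIMEOUT_SECS}  # the oAuth session has its own lifetime
        signing_input = _b64url(b'{"alg":"HS256"}') + "." + _b64url(json.dumps(claims).encode())
        return {"expires_in": SESSION_TIMEOUT_SECS, "access_token": secrets.token_urlsafe(32),
                "id_token": signing_input + "." + _b64url(_hs256(client["secret"], signing_input))}

def verify_id_token(id_token, client_secret, issuer, client_id, nonce):
    """SP-side validation of the ID token before its subject is trusted."""
    header, payload, sig = id_token.split(".")
    if not hmac.compare_digest(_b64url_decode(sig), _hs256(client_secret, header + "." + payload)):
        raise PermissionError("bad ID token signature")
    claims = json.loads(_b64url_decode(payload))
    if claims["iss"] != issuer or claims["aud"] != client_id or claims["nonce"] != nonce:
        raise PermissionError("ID token was not issued for this login")
    if claims["exp"] <= time.time():
        raise PermissionError("ID token expired")
    return claims

def sp_login(idp, client_id, client_secret, response_url, user):
    """The SP side of one login; returns (subject, seconds the oAuth session lasts)."""
    nonce = secrets.token_urlsafe(16)  # remembered in the browser session until the callback
    callback = idp.authorize(client_id, response_url, nonce, user)  # browser round trip to the IdP
    tokens = idp.token(client_id, client_secret, parse_qs(urlparse(callback).query)["code"][0])
    claims = verify_id_token(tokens["id_token"], client_secret, idp.issuer, client_id, nonce)
    return claims["sub"], tokens["expires_in"]

def _rejects(action):
    try:
        action()
    except PermissionError:
        return True
    return False

def demo():
    """Happy path plus three refused requests (True means the IdP rejected it)."""
    idp = IdentityProvider("https://idp.example.test")
    idp.register(*CLIENT)
    client_id, secret, response_url = CLIENT
    login = sp_login(idp, *CLIENT, "alice")  # full flow: (subject, expires_in)
    code = parse_qs(urlparse(idp.authorize(client_id, response_url, "nonce", "alice")).query)["code"][0]
    wrong_url = _rejects(lambda: idp.authorize(client_id, "https://other.example.test/cb", "nonce", "alice"))
    wrong_secret = _rejects(lambda: idp.token(client_id, "guessed-secret", code))
    idp.token(client_id, secret, code)  # the legitimate exchange consumes the code
    return {"login": login, "wrong_response_url": wrong_url, "wrong_client_secret": wrong_secret,
            "code_replay": _rejects(lambda: idp.token(client_id, secret, code))}
```

Running `demo()` shows the three properties the settings on this page rely on: the authorization code is only ever sent to the registered Response URL, the token endpoint refuses any caller that cannot present the Client secret, and each code is exchanged once; `expires_in` carries the configured session timeout independently of the application's own session.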

Actions

Tree view

Add service provider

Allows you to add a new Service Provider. You must click the "Add Service Provider" button, under the proper Entity Group and "Service Providers" label; Soffid will then show a new window with the data to fill in to create the new Service Provider.

List view

Add identity provider

Allows you to add a new Service Provider. You must click the "Add Identity Provider" button, under the proper Entity Group and "Identity Provider" label; Soffid will then show a new window with the data to fill in to create the new Identity Provider.

Identity Provider detail

Save: Allows you to save or update the Service Provider.
Apply changes: Allows you to save or update the Service Provider and quit.
Delete: Allows you to delete the Service Provider. To delete the Service Provider, you can click on the hamburger icon and then click the delete button (trash icon).

Soffid will ask you for confirmation to perform that action; you can confirm or cancel the operation.

Undo: Allows you to quit without applying any changes.

&&TODO&&