Click here to load reader
Upload
lyhanh
View
212
Download
0
Embed Size (px)
Citation preview
From: March 2018 ©2018 Ploetz + Zeller GmbH
Symbio SAML requirements Release 1801 ff.
Symbio SAML requirements 2
Content 1 Symbio.........................................................................................................................................................3
1.1 Overview ............................................................................................................................................3
1.2 SAML requirements .......................................................................................................................3
1.2.1 Claim rule settings ................................................................................................................5
1.2.2 LDAP Attributes as Claims .................................................................................................6
1.3 Configuring Symbio ......................................................................................................................7
1.4 Known restrictions .........................................................................................................................8
1.4.1 EntityID of Service Provider...............................................................................................8
1.4.2 SAML Logout URL .................................................................................................................8
1.4.3 Claim rules not provided in ServiceProvider MetaData file ..................................8
2 Imprint .........................................................................................................................................................9
Symbio SAML requirements 3
1 Symbio
1.1 Overview
1.2 SAML requirements
Type Responsibility Description
Service
Provider
P+Z Symbio EntityID is:
• http://symbioworld.com/web
Service
Provider
Metadata
P+Z
Symbio Service Provider metadata xml file can be
downloaded here:
https://customer.symbioweb.com/collection/storage/
viewer/1031/Public/ServiceProviderFederationMetadata
Please adjust URL by modifying values accordingly
• customer: subdomain we provided
• collection: name of storage collection we created
• storage: name of database we created
Assertion
Consumer
Service URL
P+Z
Example:
https://customer.symbioweb.com/AuthServices/Acs
Symbio SAML requirements 4
(ACS) /
ReplyURL
• customer -> subdomain
Identity
Provider (IdP)
with SAML 2.0
Customer • MS Active Directory Federation Services (AD FS)
• Ping Identity
• Citrix NetScaler
IdP Entity ID Customer Examples:
• https://sso.test.customer.com/idp
• http://adfs.customer.de/adfs/services/trust
IdP Metadata
file
Customer Also contains IdP certificate which is trusted in your
organization.
Example:
• https://adfs.customer.de/federationmetadata/2007-06/federationmetadata.xml
IdP SSO
Endpoint/
Service URL
Customer Examples:
• https://sso.test.customer.com/saml/idp/profile/redirectorpost/sso
• https://adfs.customer.de/adfs/ls/
IdP HTTP
Redirect
Binding
Customer SHA 256-signature required
Certificate
Signing
Customer Certificate with private key and without password in
Base64-encoded PFX-file
Claims Customer Following claims are required:
• Name (name)
• UPN (upn)
• Last Name (surname)
• First name (givenname)
• E-Mail (emailaddress)
Following claims are additionally recommended to fine-
control user roles within Symbio:
• Group (group)
Active
Directory User
Groups
Customer If group management is required, e.g. to permit globally
specific permissions in Symbio, please create the following
AD user groups:
• SymbioViewers
• SymbioAuthors
• SymbioApprovers
• SymbioAnalysts
• SymbioArchitects
• SymbioAdmins
Symbio SAML requirements 5
1.2.1 Claim rule settings
If ADFS are used, the following claim rules need to be created in the following order.
Pos. Claim Type Required? Claims
1 Group
Member-
ships
Custom
Rule
Recommended c:[Type ==
"http://schemas.microsoft.com/ws/200
8/06/identity/claims/windowsaccountn
ame", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory",
types =
("http://schemas.xmlsoap.org/claims/
Group"), query = ";tokenGroups;{0}",
param = c.Value);
2 Group
Filtering
Custom
Rule
Recommended c:[Type ==
"http://schemas.xmlsoap.org/claims/G
roup", Value =~ "(?i)symbio"]
=> issue(claim = c);
3 Basic Claim
Rule
Send
LDAP
Attributes
as Claims
Yes Please see next page for details
4 Office
Address
Send
LDAP
Attributes
as Claims
Optional Please see next page for details
5 Thumbnail
Image
Send
LDAP
Attributes
as Claims
Optional Please see next page for details
Symbio SAML requirements 6
1.2.2 LDAP Attributes as Claims
Title Description of
content
Required? Claim Type
Name Name of user Yes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
UPN Attribute of
unique content
Yes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn
Last Name Last name of
user
Yes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
First Name First name of
user
Yes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
E-Mail Email address of
user
Yes http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Group Group claims
(one claim with
type per group
if AD groups are
to be used in
Symbio)
Optional
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/group
Street-
Address
Office address
of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streetaddress
Office ZIP Office zip code
of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/postalcode
Office
Country
Office country
of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country
Telephone-
Number
Private phone
number of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/homephone
Business
phone
number
Business phone
number of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/otherphone
Date of
birth
Date of birth of
user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dateofbirth
Thumbnail
photo
Thumbnail
photo of user
No http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbnailPhoto
Symbio SAML requirements 7
1.3 Configuring Symbio
The following screenshot described the current SAML settings configurable per database (as of
Symbio 1803). These settings are explained below.
Standard role defines which role a user gets assigned when not part of any configured Symbio
SAML user group. To take effect 1. SAML group management must be checked, else all SAML-
authenticated users will be assigned the Viewer role.
1. SAML group management activates automatic mapping of SAML group claims to Symbio SAML
user group membership. After activating, please configure the groups created under Active Directory
User Groups (above) as SAML user groups in Symbio and set their role Application role accordingly.
A SAML-authenticated user will be given the highest role based on his claims-mapped user group
application roles upon login. This role will be re-evaluated on each login to reflect changes on the
IdP side (group claims) and in Symbio (SAML user group application roles).
2.a) Entity id: please enter the IdP's Entity ID here.
2.b) Metadata: please upload the IdP's Metadata XML here.
2.c) SSO service url: please enter the IdP's SSO Login URL here.
Symbio SAML requirements 8
3. Optional certificate for signing of requests will hold an uploaded certificate with private key
and without password in Base64-encoded PFX-file format which Symbio will use to sign requests to
the IdP. You need to issue this certificate yourself and you need to ensure that it is trusted by your
IdP. Normally, signing of requests are not necessary. A possible use case for request signing would
be that you intend to transmit sensitive data within claims back to Symbio and you want to ensure
that only Symbio will be able to request such a login.
On the other hand, responses of the IdP should always be signed with the certificate contained in
the Metadata XML to protect the sensitive data contained in Symbio.
Claim Mapping will allow you to upload an XML file with a mapping definition of SAML claims to
Symbio user attributes. This only needs to be set if you have specific mappings which are not
covered by the Symbio standard, e.g. when using Azure AD. A sample mapping XML file for standard
Azure AD claims is located in application folder “App_Data/SSO” and can be selected directly in the
claims mapping dialog by selecting the "data" tab.
1.4 Known restrictions
The following SAML restrictions are known and will be scheduled for next versions of Symbio.
1.4.1 EntityID of Service Provider
Currently Symbio as Service Provider provides only the same, identical Entity ID. If you need to
distinguish, e.g. between Productive and Test environment, this needs to be done by using different
EntityID on Identity Provider (IdP) level.
1.4.2 SAML Logout URL
Currently Symbio does not support SAML logout URL. This means SAML users cannot log off from
Symbio. It depends on SSO token how long users are logged into Symbio without to login again.
1.4.3 Claim rules not provided in ServiceProvider MetaData file
Symbio’s ServiceProvider MetaData file does not contain claim rules. Since Symbio 1801 claim
mappings can be configured directly in Symbio. Please see section above.
Symbio SAML requirements 9
2 Imprint
Publisher
Ploetz + Zeller GmbH
Einsteinring 41-43
85609 Aschheim
Tel.: +49 89 890635 – 0
Fax: +49 89 890635 – 55
E-Mail: [email protected]
LEGAL NOTICE
Ploetz + Zeller GmbH assumes no liability or guarantee for the accuracy,
completeness or usefulness of any information, including contributions,
representations and illustrations provided by this document. The described and
possible functions of the software refer to its current version. The software does
not contain any specific adjustments for customers. The information contained in
this document can be modified at any time. Ploetz + Zeller GmbH is not obliged
to provide information related to the updating of this document.
This documentation, as well as all included contributions, representations and
illustrations are protected by copyright. Any exploitation, which is not explicitly
authorized by the copyright law, requires the prior approval of Ploetz + Zeller
GmbH. This applies especially to copies, adaptations, translations, microfilming, as
well as to storing and processing in electronic systems.
Ploetz + Zeller GmbH considers the information, knowledge and representations
contained in this document its own property. The documentation or the contained
information, knowledge and presentations cannot be published or disseminated
without the previous written approval of
Ploetz + Zeller GmbH, neither as a whole nor in parts, and neither directly nor
indirectly.
Symbio SAML requirements 10
All related rights are reserved for Ploetz + Zeller GmbH, especially those
concerning the awarding of patents. The transfer of the documentation does not
imply the right for a license or for the use.
Ploetz + Zeller GmbH reserves the right to carry out technical changes. The
product names used are trademarks or registered trademarks of the current
owner.
Symbio® is a registered trademark of PLOETZ + ZELLER GmbH, Munich, Germany.
ARIS® is a registered trademark of Software AG, Darmstadt, Germany.
Symbio SAML requirements 11
Ploetz + Zeller GmbH
Einsteinring 41-43
85609 Aschheim
Tel.: +49 89 890635 – 0
Fax: +49 89 890635 – 55
E-Mail: [email protected]
©2018 Ploetz + Zeller GmbH