Identity Provider Initiated Authentication


  • Distribion validates the SAML response sent from the client portal.  There is no communication from Distribion back to the client portal or identity provider.

  • The SAML response generated by the client’s identity provider is sent to the Distribion Portal as an HTTP POST parameter, “SAML Response”.

  • The Client Identity Provider ensures a user is authenticated and authorized before sending back an assertion.

SAML Process Steps

Distribion provides guided, step-by-step documentation in the “Single Sign-On SAML Support Center”. This ensures that Distribion (the provider) and the client follow proper procedures and share a joint checklist for SSO setup.

To Login: Administration>DMP Configuration Center>Integration Manager>Manage Single Sign-On with SAML

https://yourplatformname.dmplocal.com/main/index.php?p=integration.sso_saml


Setup 

Attributes Tab:

  Requirement                                                                         | Description                          | Owner
  ------------------------------------------------------------------------------------|--------------------------------------|-------------------
  Certificate                                                                         | Client supplied certificate          | Client
  Should new user accounts be automatically created                                   | Yes/No Decision                      | Client
  What SAML attribute will contain a list of groups to add the user to?               | Ex. User_Group                       | Client
  Additional Attributes contain URL to send the user to after they are in the system  | Ability to map additional fields     | Client
  Encryption with SAML attribute; if yes, key to be generated                         | Yes/No Decision                      | Client/Distribion
  What SAML attribute contains the value of the alternate key when email fails        | Alternate authentication             | Client
  Email address cannot be found; what is another primary key for authentication       | Secondary ID                         | Client
  Error Page URL Redirect                                                             | Redirect URL when SSO login fails    | Client


Setup Attributes:

Error Codes:

  • Client customization of any errors

Attribute Mappings: 

  • Note: First Name, Last Name and Email are required fields

    • Sample of Attributes displayed

Deploy: 

  • Distribion provides specific directions and examples for:

    • Encoding the SAML response as base64

    • The base64-encoded SAML response

  • Provides the URLs for connecting to DMP using:

    • POST method

    • GET method

  • Sample HTML to test the SAML gateway

SSO Identity Provider Initiated - Summarized

Terminology

  1. Certificate – Distribion will be provided with the validating certificate.

  2. Response Parameter – The base64-encoded response string sent by the client.  The SAML response parameter is “SAML Response”.

  3. User Email – Required field that identifies the user within the Distribion Platform.

  4. User Name – Generally a required field that identifies the user within the Distribion Platform.  The field is configurable and set up by the client.

  5. User Profile Fields – Fields determined by the client; examples include status, location, department, state, etc.

  6. Groups – Permissions or access roles defined within the Distribion Platform.  A user can belong to more than one group.

  7. Approvers – Multiple child nodes that are validated by a valid user email login.

  8. Date and Time – The AuthnInstant attribute is compared against the system timestamp.

Note: If the user does not exist, the user is redirected to the login failure page.

Create/Update/Edit Users – The following modes of pass-through are provided:

  1. Authentication only

  2. Authenticate and Create Only

  3. Authenticate, Create and Update

Data Transfer

The client provides the authentication information to Distribion using the “POST” method with the SAML response parameter.
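The validation and user-resolution logic described by the Attributes tab, the Terminology list and the Create/Update/Edit modes above, as an added Python example (not Distribion's code): it decodes the base64 POST parameter, compares AuthnInstant with the system clock, resolves the user by email and then by the alternate key, applies the configured pass-through mode and group attribute, and sends every failure to the error page URL. The attribute names EMAIL, USER_ID and USER_GROUP, the mode names, the example.invalid redirect URL and the five-minute freshness window are assumptions; the sample response is constructed. XML signature verification against the client-supplied certificate, which must happen before any attribute is trusted, is left to a SAML library and is not shown.

```python
from __future__ import annotations
import base64
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Standard SAML 2.0 namespaces
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


@dataclass
class SsoConfig:
    """Hypothetical service-provider settings mirroring the Attributes tab decisions."""
    mode: str = "authenticate_create_update"   # or "authenticate_only" / "authenticate_create"
    email_attribute: str = "EMAIL"             # assumed attribute name carrying the user email
    alternate_key_attribute: str = "USER_ID"   # alternate key used when the email lookup fails
    group_attribute: str = "USER_GROUP"        # attribute listing the groups to add the user to
    error_redirect_url: str = "https://client.example.invalid/sso-error"  # constructed placeholder
    max_authn_age: timedelta = timedelta(minutes=5)  # how old an AuthnInstant may be (assumed)


class SsoError(Exception):
    """Any condition that sends the user to the error page URL."""


def decode_saml_response(post_value: str) -> ET.Element:
    """Decode the base64 POST parameter into the <samlp:Response> element.
    A real SP verifies the XML signature with the client certificate before trusting it."""
    raw = base64.b64decode(post_value, validate=True)
    return ET.fromstring(raw)


def attribute_values(assertion: ET.Element, name: str) -> list:
    """Collect the non-empty values of every <saml:Attribute Name=...> in the assertion."""
    values = []
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return [v for v in values if v]


def check_authn_instant(assertion: ET.Element, now: datetime, max_age: timedelta) -> datetime:
    """Compare AuthnInstant with the system clock; reject stale or future values."""
    stmt = assertion.find("saml:AuthnStatement", NS)
    if stmt is None or not stmt.get("AuthnInstant"):
        raise SsoError("AuthnInstant missing")
    instant = datetime.fromisoformat(stmt.get("AuthnInstant").replace("Z", "+00:00"))
    if instant > now + timedelta(minutes=1) or now - instant > max_age:
        raise SsoError("AuthnInstant outside the accepted window")
    return instant


def resolve_user(assertion: ET.Element, cfg: SsoConfig, directory: dict) -> tuple:
    """Look the user up by email first, then by the alternate key when email fails."""
    for email in attribute_values(assertion, cfg.email_attribute):
        if email in directory:
            return directory[email], "email"
    for alt in attribute_values(assertion, cfg.alternate_key_attribute):
        for user in directory.values():
            if user.get("alt_key") == alt:
                return user, "alternate"
    return None, None


def process_sso_post(post_value: str, cfg: SsoConfig, directory: dict,
                     now: Optional[datetime] = None) -> dict:
    """One IdP-initiated login: decode, check freshness, resolve or create the user, apply groups."""
    now = now or datetime.now(timezone.utc)
    try:
        assertion = decode_saml_response(post_value).find("saml:Assertion", NS)
        if assertion is None:
            raise SsoError("response carries no Assertion")
        check_authn_instant(assertion, now, cfg.max_authn_age)
        user, matched_by = resolve_user(assertion, cfg, directory)
        if user is None:
            if cfg.mode == "authenticate_only":
                raise SsoError("user not found and automatic creation is disabled")
            emails = attribute_values(assertion, cfg.email_attribute)
            if not emails:
                raise SsoError("cannot create user: email attribute missing")
            user = {"email": emails[0], "groups": []}
            directory[emails[0]] = user
            action, matched_by = "created", "email"
        elif cfg.mode == "authenticate_create_update":
            action = "updated"
        else:
            action = "authenticated"
        if action != "authenticated":   # groups are applied only when creating or updating
            groups = attribute_values(assertion, cfg.group_attribute)
            user["groups"] = sorted(set(user["groups"]) | set(groups))
        return {"ok": True, "action": action, "email": user["email"], "matched_by": matched_by}
    except (SsoError, ET.ParseError, ValueError) as exc:
        # Every failure lands on the client-configured error page URL
        return {"ok": False, "redirect": cfg.error_redirect_url, "reason": str(exc)}


# Constructed sample response (not from the page); USER_ID / USER_GROUP follow the page's sample
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:AuthnStatement AuthnInstant="{instant}"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="EMAIL"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="USER_ID"><saml:AttributeValue>4</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="USER_GROUP"><saml:AttributeValue>Administrator</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def build_post_value(instant: datetime, email: str) -> str:
    """Base64-encode a sample response the way the test HTML page submits it."""
    xml_text = SAMPLE_RESPONSE.format(instant=instant.strftime("%Y-%m-%dT%H:%M:%SZ"), email=email)
    return base64.b64encode(xml_text.encode()).decode()


if __name__ == "__main__":
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    directory = {"ann@example.invalid": {"email": "ann@example.invalid", "alt_key": "4", "groups": ["Viewer"]}}
    print(process_sso_post(build_post_value(now - timedelta(minutes=1), "ann@example.invalid"), SsoConfig(), directory, now))
    print(process_sso_post(build_post_value(now, ""), SsoConfig(), directory, now))  # email absent: alternate key path
    print(process_sso_post(build_post_value(now - timedelta(hours=1), "ann@example.invalid"), SsoConfig(), directory, now))  # stale
```

The directory dict stands in for the platform's user store; the second call shows the alternate-key fallback from the Attributes tab (email attribute empty, USER_ID matches), and the third shows an AuthnInstant older than the accepted window being rejected and routed to the error page URL.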

SAML Functionality not supported

  • Metadata generation - Distribion Server supports static service provider metadata XML only.

  • Metadata discovery - Distribion Server does not query an IdP for its metadata.

  • Interaction with an independent service provider is not supported.

SAML Code - Samples

    <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
        <!-- Excerpt: the elements that precede the attribute statements are not shown -->
        <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
            <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:Attribute FriendlyName="user_groups" Name="USER_GROUP">
                    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Administrator</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>
            <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
                <saml:Attribute FriendlyName="USER_ID" Name="USER_ID">
                    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">4</saml:AttributeValue>
                </saml:Attribute>
            </saml:AttributeStatement>
        </saml:Assertion>
    </samlp:Response>

Post method URL

https://communicationsbuilder.dmplocal.com/main/?p=integration.sso_login

Get method URL

https://communicationsbuilder.dmplocal.com/main/index.php?p=integration.sso_saml


Sample HTML

  • Sample HTML that can be used to test the SAML gateway.  Paste the base64-encoded SAML response into the text area and submit the form.

    <h1>Test Page To Single SignOn using SAML</h1>
    <form method="post" action="https://communicationsbuilder.dmplocal.com/main/index.php?p=integration.sso_login">
        Must redirect you to DMP SSO Page
        <input type="submit" value="Click here to redirect to DMP" />
        <hr>
        <br />
        Base64-encoded SAML Assertion
        <br />
        <textarea name="saml" rows="20" cols="100"></textarea>
        <br />
    </form>