Identity Provider Initiated Authentication
Distribion validates the SAML response it receives from the client portal. There is no communication protocol from Distribion back to the client portal or identity provider.
The SAML response generated by the client's identity provider is sent to the Distribion Portal as an HTTP POST parameter named SAML Response.
The Client Identity Provider ensures a user is authenticated and authorized before sending back an assertion.
SAML Process Steps
Distribion provides guided step-by-step documentation in the "Single Sign-On SAML Support Center". This ensures that Distribion (the provider) and the client follow proper procedures and share a joint checklist for SSO setup.
To log in: Administration > DMP Configuration Center > Integration Manager > Manage Single Sign-On with SAML
https://yourplatformname.dmplocal.com/main/index.php?p=integration.sso_saml
Setup
Attributes Tab:
Requirements | Description | Owner |
Certificate | Client-supplied certificate | Client |
Should new user accounts be automatically created? | Yes/No decision | Client |
Which SAML attribute will contain the list of groups to add the user to? | Ex. User_Group | Client |
Additional attributes containing the URL to send the user to after they are in the system | Ability to map additional fields | Client |
Encryption with SAML attribute; if yes, a key must be generated | Yes/No decision | Client/Distribion |
Which SAML attribute contains the value of the alternate key when email lookup fails? | Alternate authentication | Client |
If the email address cannot be found, what is another primary key for authentication? | Secondary ID | Client |
Error Page URL Redirect | Redirect URL when SSO login fails | Client |
Setup Attributes:
Error Codes:
Client customization of any error messages
Attribute Mappings:
Note: First Name, Last Name and Email are required fields
Sample of Attributes displayed
Deploy:
Distribion provides specific directions and examples for:
Encoding the SAML response to its base64 version
The base64 encoded SAML response
URLs to connect to DMP using the:
POST method
GET method
Sample SAML HTML to test the SAML gateway
SSO Identity Provider Initiated - Summarized
Terminology
Certificate – Distribion is provided with the certificate used to validate the response.
Response Parameter – The base64 encoded response string sent by the client. The SAML response parameter is "SAML Response".
User Email – Required field that identifies the user within the Distribion Platform.
User Name – Generally a required field that identifies the user within the Distribion Platform. The field is configurable and is set up by the client.
User Profile Fields – Fields determined by the client; examples include status, location, department, state, etc.
Groups – Permissions or access roles defined within the Distribion Platform. A user can belong to more than one group.
Approvers – Multiple child nodes, each validated against a valid user email login.
Date and Time – The AuthnInstant attribute is compared against the system timestamp.
Note: If the user does not exist, the user is redirected to a login failure page.
Create/Update/Edit Users – The following modes of pass-through are provided:
Authentication only
Authenticate and Create Only
Authenticate, Create and Update
Data Transfer
The client provides the authentication information to Distribion using the "POST" method with the SAML response parameter.
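The service-provider side of this data transfer, as an added example that is not Distribion's code: decode the base64 POST parameter, gather the attribute statements (the shape used in the SAML sample further down), check the three required fields, and compare AuthnInstant with the system clock. The attribute names FIRST_NAME/LAST_NAME/EMAIL, the time windows and the constructed sample response are assumptions, and signature verification against the client certificate is left to an XML-DSig library.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical names for the three required fields; real names come from the
# client's Attribute Mappings. Windows below are assumed, not Distribion's.
REQUIRED = ("FIRST_NAME", "LAST_NAME", "EMAIL")
MAX_AGE = timedelta(minutes=5)       # how old an AuthnInstant may be
CLOCK_SKEW = timedelta(minutes=1)    # tolerated IdP clock drift into the future
SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, tzinfo=timezone.utc)  # constructed "now"

def validate_response(b64_response, now=None):
    """Decode the POSTed base64 response; return (attributes, errors).
    Signature verification against the client certificate is not shown (it
    needs an XML-DSig library) and must pass before any of this is trusted."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs, errors = {}, []
    # Gather every AttributeStatement, as in the sample (USER_GROUP, USER_ID).
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        vals = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(vals)
    for name in REQUIRED:
        if not attrs.get(name) or not attrs[name][0]:
            errors.append(f"missing required attribute {name}")
    # "Date and Time": compare AuthnInstant with the system timestamp.
    stmt = root.find(".//saml:AuthnStatement", NS)
    instant = stmt.get("AuthnInstant") if stmt is not None else None
    if instant is None:
        errors.append("missing AuthnInstant")
    else:
        when = datetime.fromisoformat(instant.replace("Z", "+00:00"))
        if not (now - MAX_AGE <= when <= now + CLOCK_SKEW):
            errors.append("AuthnInstant outside acceptable window")
    return attrs, errors

def build_sample(authn_instant, email="user@example.com"):
    """Constructed, unsigned response shaped like the page's sample (test input)."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>'
                f'{value}</saml:AttributeValue></saml:Attribute>')
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}">'
           f'<saml:Assertion><saml:AuthnStatement AuthnInstant="{authn_instant}"/>'
           f'<saml:AttributeStatement>{attr("USER_GROUP", "Administrator")}'
           f'{attr("USER_ID", "4")}</saml:AttributeStatement><saml:AttributeStatement>'
           f'{attr("FIRST_NAME", "Ada")}{attr("LAST_NAME", "Lovelace")}{attr("EMAIL", email)}'
           '</saml:AttributeStatement></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()
```

A stale AuthnInstant or an empty required attribute is reported as an error, which is the condition that should route the user to the configured Error Page URL Redirect.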
SAML Functionality not supported
Metadata generation - Not generated dynamically; the Distribion Server provides only static service provider metadata XML.
Metadata discovery - The Distribion Server does not query an IdP for its metadata.
Interaction with an independent service provider is not supported.
SAML Code - Sample (attribute statements from the end of a SAML response)
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="user_groups" Name="USER_GROUP">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      Administrator
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute FriendlyName="USER_ID" Name="USER_ID">
    <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      4
    </saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
Post method URL
https://communicationsbuilder.dmplocal.com/main/?p=integration.sso_login
Get method URL
https://communicationsbuilder.dmplocal.com/main/index.php?p=integration.sso_saml
Sample HTML
Sample HTML that can be used to test the SAML gateway. It submits the base64 encoded SAML response.
<h1>Test Page To Single SignOn using SAML</h1>
<form method="post" action="https://communicationsbuilder.dmplocal.com/main/index.php?p=integration.sso_login">
  Must redirect you to DMP SSO Page
  <input type="submit" value="Click here to redirect to DMP" />
  <hr>
  <br />
  Base64Coded SAML Assertion
  <br />
  <textarea name="saml" rows="20" cols="100">
  </textarea>
  <br />
</form>