Single Sign On

Step by step guide to setup SSO into your application using SAML Identity Provider with JWT protocol

November 21, 2018 – July 4, 2019

This solution lets you set up Single Sign-On into an application that does not support the SAML 2.0 standard, by using JWT-based SSO instead.

You can allow your users to single sign-on into your application by verifying their identity with your existing SAML 2.0 compliant Identity Provider. This is done using JSON Web Tokens (JWT) and can be easily integrated with an application built in any framework or language.

If you need help with the integration below or sample JWT code for your language, feel free to reach out at info@xecurify.com

Pre-requisites:
  • A SAML 2.0 compliant Identity Provider (if you don’t have an IdP, you can use miniOrange as the Identity Provider)
  • The ability to customize your application in order to integrate the SSO changes below.


The setup consists of two steps:

A. Setup your SAML Identity Provider in miniOrange
B. Add JWT application and provide SSO link in your application

Step A: Setup your SAML Identity Provider in miniOrange

Configure your Identity Provider settings in miniOrange:

1. Log in to your miniOrange dashboard
2. Go to the “Identity Provider” tab and choose the “Add Identity Provider” option.
3. Select the “SAML” tab

4. Add the configuration details of your IdP. The minimum required parameters are:
a. IDP Entity ID: Entity ID or Issuer of your IdP
b. SAML SSO Login URL: SSO URL provided by your IdP
c. X.509 Certificate: Used to verify that the SAML response from the IdP has not been altered in transit.

Configure miniOrange settings in your Identity Provider:

Add the configuration details below to your IdP.
a. Service Provider Entity ID / Issuer: https://login.xecurify.com/moas
b. Assertion Consumer Service (ACS) URL: Find the SAML ACS URL option in the added Identity Source and choose the ACS URL “For SP-Initiated SSO”

c. Signing Certificate (Optional): Required if you want to enable signed SAML AuthN requests, so that the IdP can verify that the request contents have not been altered in transit. Download the signing certificate with the steps below.
i. Go to the “Identity Providers” tab and find your configured IdP
ii. Click the “Certificate” link to download the certificate.

Step B: Add JWT application and provide SSO link in your application

a. Add JWT application:

In the miniOrange dashboard, add a JWT application with the steps below.

  1. Go to Apps > Manage Apps
  2. Click on “Configure Apps” and select the “External/JWT” tab
  3. Select the app “External /JWT App”
  4. Configure a name for your application and the Redirect-URL, which tells miniOrange where to send the JWT response. The Redirect-URL should be the endpoint on your application where you want to achieve SSO.

If you are setting up SSO with a mobile application where you can’t create an endpoint for the Redirect or Callback URL, use the URL below.
https://login.xecurify.com/moas/jwt/mobile

Copy the Client ID of the generated application and keep it for the next steps.

b. Add SSO link on your application:

https://login.xecurify.com/moas/broker/login/jwt/<customer-id>?client_id=<client-id>&redirect_uri=<redirect-url>

Replace the placeholders in the URL as follows:
customer-id: Customer ID of your miniOrange account, which can be found under the Settings menu
client-id: Client ID of the JWT application created above
redirect-url: Redirect URL configured for the JWT application

c. Perform SSO:

Once you have added the link above to your application, you can verify the SSO setup by clicking it.
On successful authentication, you will be redirected to the configured Redirect or Callback URL with the JWT token.

d. Verify JWT token and parse user details for SSO:

On your Callback endpoint, read, verify and parse the JWT token.

Structure of a JSON Web Token (JWT): a JWT consists of three parts separated by dots (.):

  • Header: Contains the name of the signature algorithm used to sign the token
  • Payload: Contains the user attributes
  • Signature: Signature value computed over the header and payload

e.g.  xxxx.yyyyyyyyyyyy.zzzzzz

Download the certificate from Apps > Manage Apps by clicking the Certificate link against your configured application. This certificate is used to validate the signature of the JWT response.


Single Logout (SLO):

This is an optional step. To ensure that all sessions (SP and IdP) for a user are properly closed, configure Single Logout with the steps below.

A. Configure miniOrange with IdP SLO endpoint:

a. Go to the “Identity Provider” tab and edit the configured Identity Provider
b. Find the “Single Logout URL” option and enter the SLO URL provided by your IdP.

B. Configure IdP with miniOrange SLO endpoint:

Configure your Identity Provider with the Single Logout endpoint below.

https://login.xecurify.in/moas/broker/login/saml_logout/<your-customer-id>

Use the “SSO Binding” option to set the logout binding type to either REDIRECT or POST.

C. Configure your JWT application with SLO endpoint:

Configure your JWT application with the Single Logout endpoint below.
https://login.xecurify.in/moas/broker/login/jwt/logout/<your-customer-id>?redirect_uri=<redirect-url>

your-customer-id: Customer ID of your miniOrange account
redirect-url: Logout URL of your JWT application