With miniOrange Identity broker service you can delegate all your single sign on requirements, user management, 2 factor authentication and even risk based access at the click of a button and focus on your business case. We can integrate with any type of app even if it does not understand any standard protocol like SAML, OpenId Connect or OAuth. miniOrange Single Sign-On Service can establish trust between two apps via secure https endpoint and automated user mapping to achieve SSO.
What is Identity Brokering
Identity Broker:
Identity brokering is a way to establish trust between parties that want to use online identities of one another. Over the years we have developed many standards for doing this like SAML, OpenID, OAUTH, OpenID Connect but the problem is that very few people understand how these protocols work and where are they supposed to be used. It gets complicated to implement such protocols and is also expensive and time-consuming.
Identity Broker Service:
An Identity broker service hides all the complexity of these protocols and provides a simple HTTPS endpoint for parties to use. Without implementing SAML, OpenID, OAUTH or OpenID Connect, you can suddenly start speaking these languages and have access to identity and access tokens from hundreds of providers. The only thing you will need to know is how to call an HTTPS endpoint which is much simpler than understanding different standards.
Identity broker terminologies:
When considering Identity Broker, there are multiple identity providers because it's not necessary for all of your user Identities to be stored in one Identity Provider. miniOrange provides a right to admin where he can configure multiple SAML Identity Providers and configure which users/apps authenticate against which Identity Source. From the given information about identity broker you can do SP initiated SSO or IDP initiated SSO according to your requirements.
- Multiple SAML Providers :
It's not necessary for all of your user Identities to be stored in one Identity Provider/Source. In a realistic scenario, user identities are stored across different Identity Providers. miniOrange provides a feature where you can configure multiple Identity Providers to authenticate your user against. Admins can configure multiple SAML Identity Providers and configure which users/apps authenticate against which Identity Source.
- App based Identity Source :
With the ability to configure multiple Identity Sources one issue that arises is to figure out a way to authenticate the right set of users against the correct Identity Source. One way to handle this is by allowing admins to configure the Identity Source on a per-app basis. miniOrange provides a feature where admins can configure which Identity Source should the users be authenticated from if the authentication request originates from a particular app.
- Domain-based redirection to IDP :
With the ability to configure multiple SAML Identity Providers one issue that arises is to figure out a way to authenticate the right set of users against the correct SAML Identity Provider. One way to handle this is through domain-based redirection. miniOrange providers a feature where Admins can configure the domains of the users who would authenticate against a particular SAML Identity Provider. miniOrange system would automatically check the domain of the user and redirect him to the correct SAML Identity Provider to authenticate against.
- IDP discovery :
It might not always be possible to know where the user identity is stored and which Identity Source to authenticate against. miniOrange provides an Identity Provider Discovery endpoint where the users can choose their Identity Provider to authenticate from. On successful authentication, this Identity Source is remembered by the system so that the user is redirected to that Identity Source automatically without prompting the user to choose his/her Identity Source on each login attempt.
- Assertion Attribute Mapping :
- SP initiated SSO :
Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Service Provider first and are then redirected to the Identity Provider for authentication then it's termed at SP Initiated SSO.Users can be automatically redirected or redirected on clicking a button/link to the IdP with an authentication request. This request is read and processed by the IdP. In case the user has an active session at the IdP then the user is redirected back to the Service Provider with a valid authentication response.
miniOrange supports SP-initiated SSO in broker flow with each application having it's own unique SSO endpoint.
- IDP initiated SSO :
Single sign-on (SSO) is a session and user authentication service that allows a user to use one set of login credentials (e.g. name and password) to access multiple applications. When users land on the Identity Provider first and are then redirected to the Service Provider then it's termed at IDP Initiated SSO.In case of the broker flow miniOrange provides a way for Admins to allow their users to log in to their IP first and then be redirected to the app with a valid authentication response. miniOrange provides unique IDP initiated SSO endpoints on a per-app basis which can be used to redirect the user from their Identity Provider directly.
Advantages of using miniOrange Identity broker service:
When you are using miniOrange Identity broker service you don't need to think about complexity you are free to explore your business ideas. miniOrange covers all your security concerns according to your business model. Given below are the advantages and the services provide by "miniOrange identity broker".
Advantages of miniOrange identity broker:-
You don't need to understand complex Single Sign on protocols like SAML, OpenID and OAUTH.
You can enable your apps using simple HTTPS calls.
You can provide social login to your site without the hassle of understanding how all this works.
If you get access tokens from the site of your choice, you can then put custom code and extend that application.
Besides all the advantages listed above,
miniOrange identity broker services provides:-
The ability to configure any IdP of your choice including OKTA, PING, RSA, Centrify,Google, Facebook, LinkedIn and even Custom ones.
Once you have the identity established with your choice of Identity provider,miniOrange allows you to use our 2 factor authentication product on top for the app of your choice.
miniOrange also allows you to provide risk based access to your apps so that you can have another layer of security based on trusted devices, trusted locations, trusted time of access and even user behavior.
SAML Integration:
This document is about configuring Single Sign-On (SSO) Settings for SAML Integration. Our SAML broker service will act as a Service Provider to any IDP of your choice and you don't have to worry about understanding SAML protocol at all. It can work with ADFS, Okta, salesforce, SimpleSamlPhp, Shibboleth, PING, RSA, Centrify, One Login, miniOrange or any other SAML Identity Provider (IdP). This SAML service returns all the attributes provided by the IdP along with the username of the logged in user. You can then use these attributes to login user into your application.
Configure Single Sign-On (SSO) Settings for SAML Integration :
To configure and use miniOrange SAML Broker services, create a business free trial account here.
Click here to login to miniOrange admin dashboard.
Go to Identity Providers from side menu.
Click on Add Identity Source.
By default SAML is selected, enter all the required fields and click on SAVE button.
For registering miniOrange as Service Provider following are the endpoint URLs given below:
| ACS URL (cloud version) |
https://login.xecurify.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY> |
| ACS URL (on-premise version) |
https:///broker/login/saml/acs/<YOUR_CUSTOMER_KEY> |
| SP Entity ID |
https://login.xecurify.com/moas/ |
Note: You can go to
Integrations ->
Custome App Integrations to get your
Customer Key
OAuth Integration:
This document is about configuring Single Sign-On (SSO) Settings for OAuth Integration. The OAuth Server is created in WordPress by virtue of which, the user can work with OAuth2 compliant client. These client applications can be Salesforce, Slack or any other third party applications which support OAuth Server allows Single Sign On to client applications with WordPress credentials.
Configure Single Sign-On (SSO) Settings for OAuth Integration :
To configure and use miniOrange OAUTH Broker services, you can create a business free trial account here.
Login to miniOrange console.
Go to Identity Providers from side menu.
Click on Add Identity Source.
Select OAuth, enter all the required fields and click on SAVE button.
For Facebook:
Leave the Scope field empty.
Create Developers account with Facebook.
Create an App here.
Under "Tell us about your website" section, enter https://login.xecurify.com/moas/oauth/client/callback in the Site URL field
Collect App ID and App Secret by navigating to My Apps ->(Your App name).
Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
Click on SAVE button to add the Facebook App.
Now to integrate Login With Facebook, add a button and add the following URL to it.
https://login.xecurify.com/moas/oauth/client/authorize?token=token&id=
customer_key&encrypted=<true,false>&app=facebook_oauth&returnurl=return_url
For Google:
- Enter https://www.googleapis.com/auth/plus.login in the Scope field.
- Visit the Google website for developers console.developers.google.com
- At Google, create a new Project and enable the Google+ API. This will enable your site to access the
Google+ API
- At Google, provide https://login.xecurify.com/moas/oauth/client/callbackfor the new Project's
Redirect URI
- At Google, you must also configure the Consent Screen with your Email Address and Product Name. This is
what Google will display to users when they are asked to grant access to your site/app
- At Google, under APIs & auth -> Credentials get Client Id by clicking on the button Create Client
Id.
- Collect the Client ID and Client Secret
- Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App
Credentials.
- Click on SAVE button to add the Google App.
- Now to integrate Login With Google, add a button and add the following URL to it.
https://login.xecurify.com/moas/oauth/client/authorize?token=token&id=customer_key&encrypted=<true,false>&app=google_oauth&returnurl=return_url
For LinkedIn:
- Leave the Scope field empty.
- If you have not already done so, create an
application. If you have an existing application, select it to modify its settings.
- After app creation, collect Client ID and CLient Secret from here.
- Enter https://login.xecurify.com/moas/oauth/client/callback in Authorized Redirect URLs and
click on Add button.
- Now click on Update button to save settings.
- Enter the Client ID and Client Secret in Client ID and Client Secret field respectively under Apps -> Add
App Credentials.
- Click on SAVE button to add the LinkedIn.
- Now to integrate Login With LinkedIn, add a button and add the following URL to it.
https://login.xecurify.com/moas/oauth/client/authorize?token=##token##&id=##customer_key##&encrypted=<true,false>&app=linkedin_oauth&returnurl=##return_url##
-token in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp and API Key (The Customer API Key you collected above) separated by colon.
-customer_key is the Customer Key you collected above Value of
encrypted value can be true or false depending on, if the token is encrypted or not.
-return_url will be the URL where you want to redirect the user after Login with EVE Online.
OpenID Integration:
Before your application can use miniOrange Open ID Connect authentication system for user login, you must set up an application in miniOrange administrator console to obtain Open ID Connect credentials, set a redirect URI, and (optionally) and add an application name.
Configure Single Sign-On (SSO) Settings for OpenID Integration :
Step 1 : Create app and get credentials
- To configure and use miniOrange SAML Broker services, create a business free trial account here.
- Click here to login to miniOrange admin dashboard.
- Go to Identity Providers from side menu.
- Click on Add Identity Source.
- Select OpenID, enter all the required fields and click on SAVE button.
Note that not all types of credentials use both a client ID and client secret and won't be listed in the document if they are not used.
So now once you have created the application for OpenID Connect. You need to create a policy for the same to let user authenticate with our various b authentication methods
Step 2. Create a policy
- Go to the miniOrange Administrator Console.
- Go to Policy > App Authentication Policy. Then select tab "Add Policy".
- In the Application name select the OpenID Application that you have created.
- Enter configuration settings and Save.
Download our miniOrange SampleApp
You can download our miniOrange Sample Application written in JAVA/PHP/PYTHON to have a demonstration of our OpenId Connect flow or to make an OpenId Connect client application for yourself.
JAVA
Click here to download miniOrange OpenId Sample Application for JAVA.
PHP
Click here to download miniOrange OpenId Sample Application for PHP
Python
Click here to download miniOrange OpenId Sample Application for Python
Create a REST service or similar on your application to handle response from Authorization Endpoint(Note : this must be the redirect URI parameter).
Example (https://<your-domain>/rest/openidresponse)
Response attributes: code, state.
Now you just need to make two calls: one to get an access token and another to get user info with the help of that access_token.
