Incoming SAML 2.0 Single Sign-On With Auth0

Introduction

The main purpose of establishing a Single Sign On (SSO) process with Absorb is to allow your users a single point of entry into your system while providing them access to multiple other independent systems. With this process a user logs in with a single ID to gain access to a multitude of other systems without being prompted for different usernames and passwords.

This article discusses configuration of SSO using Auth0. For the purposes of this article the Absorb system will act as the Service provider (SP). Your Auth0 account will act as the Identity Provider (IdP). 

Please note that SSO is an additional feature that usually involves an additional fee and technical resources on the client side to develop and/or configure the solution.

Disclaimer: Absorb LMS supports Incoming SAML 2.0 Single Sign-On as a feature, however we do not officially support any specific client-side (IdP) solution. Although Auth0 is known to generally work with our implementation of SAML SSO, it is the client's responsibility to configure/develop and maintain their side of the integration. This will require a client resource who is knowledgeable and familiar with your particular Auth0 instance. This guide is provided to our clients as a convenience only, based on our past experience working with clients who employ Auth0. 

Creating a Client

See https://auth0.com/docs/clients for more information on creating a client.

Choose the appropriate client type

  • Native: Used for mobile, desktop or hybrid apps that run natively on a device, like Android, Ionic, or iOS.
  • Single Page Web Applications: Used for JavaScript front-end apps that run in a browser, such as Angular, jQuery, or React.js.
  • Regular Web Applications: Used for web applications that run on a server, e.g. ASP.NET, Java, or Node.js.
  • Non Interactive Clients: Used for server-to-server applications like CLIs, daemons or services running on your backend. Typically you would use this option if you have a service that requires access to an API.

Review The Client Settings

  • Set an appropriate name for the client.
  • Token Endpoint Authentication Method: Post
  • Allowed Callback URLs: This is the URL where your Absorb LMS is hosted; please contact us if you do not know this. This URL is usually configured as part of your initial LMS onboarding, e.g. https://companyname.myabsorb.com or https://some.custom.url
  • Allowed Logout URLs: This is the URL Absorb redirects users to when a user logs out of the Absorb system.
  • Use Auth0 instead of the IdP to do Single Sign On: Leave this turned off.

Configure client to use Auth0 as Identity Provider

      1. In the dashboard screen, click the "Clients" link on the left side of the screen.
      2. Find the row for your application and click the "Settings" icon (the round gear icon) to the right of your application's name.
      3. Scroll to the bottom of the page and click "Advanced Settings".
      4. In the expanded section, click "Certificates" to bring up the Certificates section. Click "DOWNLOAD CERTIFICATE" and, in the pop-up that appears, select the desired certificate format. Save the downloaded file; you will paste its contents into Absorb later.
      5. Click "Endpoints" to bring up the Endpoints section.
      6. Copy the contents of the "SAML Protocol URL" field. You will need to provide this to Absorb.
      7. Scroll back to the top of the page and click the "Addons" link. Click the box labelled "SAML2 WEB APP".
      8. In the "Application Callback URL" field, enter the URL to which the SAML assertions should be sent after the user has been authenticated by Auth0. This is the Absorb SAML endpoint; in the example response in the Examples section it appears as the Destination and Recipient value, https://company.myabsorb.com/account/saml, with your own Absorb hostname in place of company.myabsorb.com.
      9. Click on the "Usage" tab. This tab will provide you with the information needed to configure the application.
      10. Modify the SAML Settings as appropriate. Refer to the Examples section for a text version of this configuration.

Absorb Setup

Log in to the Absorb admin portal as a System Admin and navigate to Portal Settings. From Portal Settings, there is a button in the right-side context menu labelled Manage SSO Settings. If you can't see this button, please contact your Absorb Client Success Manager to discuss enabling the feature.

Once you have clicked the button, you will be brought to the Manage Single Sign-On Settings page. Any existing configurations will appear here, as well as the option to Add a new one. 

Click Add and fill in the fields as shown below.

      • The ‘Key’ field should contain the full X.509 certificate that you downloaded in Step 4. Absorb uses it to verify the signature on the assertions Auth0 sends, so it must be the signing certificate of this Auth0 client, and it must be updated in Absorb whenever that certificate is rotated.
      • The ‘Id Property‘ should match whatever Absorb parameter was mapped in Step 10, usually email address. This is the Absorb user attribute that the assertion's NameID is matched against.
      • The ‘Login URL’ should be the 'SAML Protocol URL' value from Step 6.
      • The 'Logout URL' can be left blank or set to the 'SAML Protocol URL' value from Step 6; Auth0 handles login and logout at the same URL.
      • Set Automatically Redirect as desired.


Examples

See below for a text version of the SAML Settings from Step 10. The mappings entry emits the user's email as the standard emailaddress claim, and nameIdentifierProbes makes that claim the assertion's NameID, which is the value Absorb matches against the 'Id Property'. The signature and digest algorithms are set to SHA-256 rather than the SHA-1 defaults.

{
  "mappings": {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  },
  "createUpnClaim": false,
  "passthroughClaimsWithNoMapping": false,
  "mapUnknownClaimsAsIs": false,
  "mapIdentities": false,
  "signatureAlgorithm": "rsa-sha256",
  "digestAlgorithm": "sha256",
  "nameIdentifierProbes": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  ]
}

See below for an example SAML Response. The X.509 certificate in the KeyInfo has been elided; in a real response it is the IdP signing certificate and must match the certificate pasted into Absorb's 'Key' field. Note that this sample is signed with RSA-SHA1 and a SHA-1 digest; with the settings above, Auth0 signs with rsa-sha256 and sha256, so a real response carries the corresponding algorithm identifiers instead.

<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="identifier_2"
    InResponseTo="identifier_1"
    Version="2.0"
    IssueInstant="2015-08-11T21:14:33.053Z"
    Destination="https://company.myabsorb.com/account/saml">
  <saml:Issuer>https://IdP.example.org/SAML2</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="_aca78291-11a2-40f2-ba16-4cfbd93865db" IssueInstant="2015-08-11T21:14:33.053Z"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://IdP.example.org/SAML2</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_aca78291-11a2-40f2-ba16-4cfbd93865db">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <InclusiveNamespaces PrefixList="#default saml ds xs xsi"
                  xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>T+64Rwm7xlNr2mTli9rU/Jmyd5o=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue>WDjZhBehjVKAGLwe1nYMiQtCMspwZaDxnknn+eMk62kD08R8S4bt2nm4kTCaJ6hKxaQ/P7S5W8Kq0JIQV0pRqR+Y9m98CHtT97No6LQFbgBjlMXpEWyZbJ8zBpy5dJbUHOC3ZaFlnBrfLBxW0DR8l0mb6+uLs0VuqQm+5T606Dw=</SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate>...base64 IdP signing certificate, elided...</X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID>absorb.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://company.myabsorb.com/account/saml" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-08-11T21:14:33.053Z" NotOnOrAfter="2015-08-11T21:19:33.053Z">
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2015-08-11T21:14:33.053Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
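As an added example (not Absorb's or Auth0's code), the following Python script runs the checks that most often explain a failed Absorb login against a base64-encoded SAMLResponse as the HTTP-POST binding delivers it: success status, Destination and Recipient against the Absorb endpoint, the Conditions validity window, the presence of a NameID for the 'Id Property' lookup, and the signature and digest algorithms against the addon settings from Step 10. It assumes the ACS URL from the example response (https://company.myabsorb.com/account/saml) and a fixed clock so the result is repeatable, and it constructs its own sample responses shaped like the one above. It does not verify the XML signature; that needs an XML-DSig library plus the IdP certificate and is what Absorb does with the 'Key' field.

```python
"""Pre-flight checks on a SAML 2.0 Response bound for Absorb's ACS URL (added example,
not Absorb/Auth0 code).  Signature verification is NOT done here; it needs an XML-DSig
library plus the IdP certificate and is the SP's job.  These are the other checks."""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
ALG = {  # Auth0 addon setting value -> XML-DSig algorithm identifier
    "rsa-sha1": "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "rsa-sha256": "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "sha1": "http://www.w3.org/2000/09/xmldsig#sha1",
    "sha256": "http://www.w3.org/2001/04/xmlenc#sha256",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ADDON_SETTINGS = {"signatureAlgorithm": "rsa-sha256", "digestAlgorithm": "sha256"}
ACS_URL = "https://company.myabsorb.com/account/saml"  # assumed: the example's Destination
SAMPLE_NOW = datetime(2015, 8, 11, 21, 15, tzinfo=timezone.utc)  # fixed clock for the samples


def parse_instant(value):
    """SAML xs:dateTime such as '2015-08-11T21:14:33.053Z' -> aware UTC datetime."""
    return datetime.fromisoformat(value.rstrip("Z")).replace(tzinfo=timezone.utc)


def check_response(saml_response_b64, acs_url, now, settings=ADDON_SETTINGS):
    """Return {'name_id': ..., 'problems': [...]}; an empty list means every check passed."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the Absorb ACS URL")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # Absorb reads one assertion; more than one is a red flag
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return {"name_id": None, "problems": problems}
    a = assertions[0]
    sig = a.find("ds:Signature", NS)
    if sig is None:
        problems.append("Assertion is not signed")
    else:
        sig_alg = sig.find("ds:SignedInfo/ds:SignatureMethod", NS).get("Algorithm")
        ref = sig.find("ds:SignedInfo/ds:Reference", NS)
        if sig_alg != ALG[settings["signatureAlgorithm"]]:
            problems.append(f"SignatureMethod {sig_alg} != addon setting {settings['signatureAlgorithm']}")
        if ref.find("ds:DigestMethod", NS).get("Algorithm") != ALG[settings["digestAlgorithm"]]:
            problems.append(f"DigestMethod != addon setting {settings['digestAlgorithm']}")
        if ref.get("URI") != "#" + (a.get("ID") or ""):  # the signature must cover THIS assertion
            problems.append("Signature Reference URI does not point at this Assertion")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        problems.append("SubjectConfirmationData Recipient is not the Absorb ACS URL")
    cond = a.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    if not (nb and noa):
        problems.append("Conditions lacks NotBefore/NotOnOrAfter")
    elif not (parse_instant(nb) <= now < parse_instant(noa)):
        problems.append(f"now {now.isoformat()} is outside [{nb}, {noa})")
    name_id = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        problems.append("no NameID; Absorb's Id Property lookup has nothing to match on")
    return {"name_id": name_id, "problems": problems}


def sample_response(sig_alg, digest_alg, not_before, not_on_or_after, aid="_aca78291-11a2-40f2-ba16-4cfbd93865db"):
    """Constructed sample shaped like the response above; signature/digest values are placeholders."""
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="identifier_2"
  InResponseTo="identifier_1" Version="2.0" IssueInstant="{not_before}" Destination="{ACS_URL}">
  <saml:Issuer>https://IdP.example.org/SAML2</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="{aid}" IssueInstant="{not_before}">
    <saml:Issuer>https://IdP.example.org/SAML2</saml:Issuer>
    <Signature xmlns="{NS['ds']}"><SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <SignatureMethod Algorithm="{ALG[sig_alg]}"/>
      <Reference URI="#{aid}"><DigestMethod Algorithm="{ALG[digest_alg]}"/>
        <DigestValue>cGxhY2Vob2xkZXI=</DigestValue></Reference>
    </SignedInfo><SignatureValue>cGxhY2Vob2xkZXI=</SignatureValue></Signature>
    <saml:Subject><saml:NameID>absorb.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}"/>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def run_samples():
    """A response that passes, and one with the page's original SHA-1 signature and a
    validity window that closed six hours before SAMPLE_NOW (expected: three problems)."""
    good = sample_response("rsa-sha256", "sha256", "2015-08-11T21:14:33.053Z", "2015-08-11T21:19:33.053Z")
    bad = sample_response("rsa-sha1", "sha1", "2015-08-11T15:14:33.053Z", "2015-08-11T15:19:33.053Z")
    return check_response(good, ACS_URL, SAMPLE_NOW), check_response(bad, ACS_URL, SAMPLE_NOW)
```

Call run_samples() to see both results, or pass a real SAMLResponse form value (captured from the browser's POST to the ACS URL) to check_response with your own Absorb URL and datetime.now(timezone.utc). A report with an empty problems list and the expected NameID narrows a failing login down to the two things this script deliberately leaves to Absorb: the signature itself and whether the NameID matches an existing user's 'Id Property'.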

References

https://auth0.com/docs/protocols/saml/saml-idp-generic
