
Friday, March 11, 2016

Single Sign On (SSO) Support in CentreStack via SAML

When it comes to Single Sign On support via SAML, there are always two parties:

  • the IdP (identity provider), and
  • the SP (service provider).

In this documentation, the IdP is a public IdP, SSOCircle, and the SP is CentreStack. SSOCircle is only used as an example for setting up the IdP side; the same setup works with other IdPs as well.

On the CentreStack side, the system is multi-tenant and each tenant may want its own SSO service, so Single Sign On is a per-tenant setting.

You can find the Single Sign On setting in the tenant manager section, under Group Policy and then "Single Sign On".

Step 1: Register CentreStack at IdP

The IdP needs to register CentreStack as a service provider (SP) by importing the SP's metadata.
You will find CentreStack's metadata at the following location (it is a per-tenant setting).

We can use the following XML to register CentreStack as an SP at SSOCircle.

Now, at SSOCircle, we need to add a new service provider.

In the next screen, we paste in the XML from the CentreStack side, set the FQDN to the URL contained within the XML, and check the 3 attributes: FirstName, LastName and Email.

Now the SSOCircle side of the registration is done.

Step 2: Register SSOCircle at CentreStack side.

The IdP registration and the SP registration form a two-way, manual trust setup: "I trust you, and now you trust me."

The metadata from SSOCircle looks like this, and it can be imported into CentreStack.

Inside the metadata from SSOCircle you will see an HTTP-Redirect URL; that is the URL we use to register the IdP. Also register the 3 parameters (FirstName, LastName, EmailAddress) from the IdP.

Step 3: Login at the IdP, but use service at SP

In summary, the IdP and SP register each other's metadata, URLs and parameters. After that, sign-on happens at the IdP side: the user logs in at the IdP and, after login, is redirected back to the SP side.
