Single Sign-On (SSO)
This is a separately licensed product.
OneVizion® supports web browser Single Sign-On utilizing Security Assertion Markup Language (SAML), OpenID, and OAuth2. SAML holds the dominant position in terms of industry acceptance for federated identity deployments. With this property, a user logs in with a single user ID and password combination to gain access to a connected system or systems without using different usernames or passwords, or in some configurations, seamlessly sign on at each system.
Now instead of the "SamlMaxAuthenticationAge" parameter, the "SessionExpireTime" parameter controls user session timeout when the user is logged in with SAML Identity Provider.
If the user's session time on IDP exceeds SessionExpireTime, the login error is: "Your <SSO Provider name> session age exceeds the SessionExpireTime configured in OneVizion. Please relogin in <SSO Provider name>."
Users can now save their preferred SSO provider and then skip the login screen on their next login
attempts. On the login screen, the user will select their SSO provider and switch on Always use “*” and skip this
form next time.
After clicking the Continue button, the system redirects the user to their preferred SSO provider and the
user is logged in to their Vizion Platform system.
Once the user has login success, the selected SSO provider is saved as the preferred provider. Then
when the user returns to the Vizion Platform system, they will automatically be redirected to the
preferred SSO provider and skip the login screen. If the user does not have login success after selecting a
preferred SSO, the system will not save the provider, and the login screen will be presented the next
time the user accesses the system.
Notes:
This feature does not affect FieldVizion and Login for Excel VBA Template.
/LoginFull.do URL can be used to show the login screen even if the user has a preferred SSO
provider.
If the Default Provider option is enabled for a SSO provider, this provider will be used over the
preferred SSO.
Setup SSO
Setting up SSO is a highly security-sensitive configuration, and you should have relevant skills to set this up.
To begin the Single Sign-On setup, access the SSO Providers Page from the Menu Application. You will find the SSO Providers page located under the Admin Center.
Click the Add Icon, , to open the Add SSO Applet.
Click the Add Icon, , to open the Add SSO Applet.
Add SSO Applet
SSO Provider Type | Administrators are able to choose from the following SSO Provider Types: SAML, OAuth2 |
Name | Name will be used at Login Page and users will see it at Authentication providers drop-down:
|
Default Provider | This option enables to automatically redirect to Identity Provider when the user is not authorized. This option allows the user to be enabled only on one Identity Provider. NOTE: When a user wants to log in with a password or other Identity Provider with this option enabled, he can go to http(s)://<site_url>/LoginFull.do for show login form. |
Enabled | “Enabled” checkbox enables this Identity Provider, but not all SSO. |
After saving you will be redirected to Edit SSO Provider Applet which contains a Tab based on the selected SSO Provider Type.
SAML
Edit SSO Provider Form SAML.
Field | Description |
SSO Provider Certificate Chain - Deprecated 22.6 | The certificate chain is a X.509 PEM text data. You can load the chain automatically using Load Certificates button. |
SAML Provider Meta Source | Source for SAML Metadata. Available Options: HTTP (URL) or XML Data |
SAML Provider Meta URL | It contains the URL of SAML Metadata when HTTP(S) URL option selected at SAML Provider Meta Source. |
SAML Provider Meta XML Data | It contains XML text with SAML Metadata when XML Data option selected at SAML Provider Meta Source. You need to click the Setup button to open a window where you can paste this text into the textbox. |
SAML Entity ID | Before you select it you need to click the Load entities button. The server will attempt to parse SAML Metadata which present as URL or entered text and give you a list of available SAML entities. This action is needed because XML can contain more than one Identity Providers. You should select only one of the list. |
Load Entities | "Load Entities", which will populate metadata XML |
Also OneVizion has some System Parameters for configuring the Service Provider. Required system parameters:
Parameter | Value | Description |
EnableSSOLogin | Yes | Enable ability to authorize with SSO. |
SigningAlgorithm | You need to set value depending on what algorithm is required to be used by Identity Providers | The algorithm used for the creation of digital signature metadata. Algorithms supported: rsa-ripemd160 rsa-sha1 rsa-sha256 rsa-sha384 rsa-sha512 |
SslCertEncryption | You can generate certificate using the following command: openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt and concatenating content of the generated private_key.key and certificate.crt files. | SSL certificate (X.509 PEM format) used for encrypt SAML requests. Take into account, this certificate will not include certification chain, i.e. is not signed by the trusted authority, and your SAML Identity Provider may refuse it or require additional configuration steps (refer to your identity provider documentation for more details). |
SslCertSigning | You can generate certificate using the following command: openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt and concatenating content of the generated private_key.key and certificate.crt files. | SSL certificate (X.509 PEM format) used for encrypt SAML requests. Take into account, this certificate will not include certification chain, i.e. is not signed by the trusted authority, and your SAML Identity Provider may refuse it or require additional configuration steps (refer to your identity provider documentation for more details). |
Optional system parameters:
Parameter | Default Value | Description |
RequireArtifactResolveSigned | Yes | This parameter indicates that “artifact resolve” (SAML terms) messages should be signed. A web server restart is required when a parameter is changed. It depends on IDP internal configuration. |
RequireLogoutRequestSigned | Yes | This parameter indicates that “logout request” (SAML terms) messages should be signed. A web server restart is required when a parameter is changed. It depends on IDP internal configuration. |
RequireLogoutResponseSigned | Yes | This parameter indicates that “logout response” (SAML terms) messages should be signed. It depends on IDP internal configuration. |
SSLHostnameVerification | Default | Algorithm for verification of a match between hostname in URL and hostname in the presented certificate. default
defaultAndLocalhost
strict
allowAll
|
SSLSecurityProfile | pkix | SSL/TLS Security profile determines how is trust of the peer's SSL/TLS certificate against a set of trust anchors. All certificates defined in metadata, extended metadata or present in the keystore are considered as trusted anchors (certification authorities) for PKIX validation. In MetaIOP mode server's SSL/TLS certificate is trusted when it is explicitly declared in the metadata or extended metadata of the peer. |
SecurityProfile | metaiop | The security profile determines how the trust of digital signatures is handled. In MetaIOP mode certificate is deemed valid when it is declared in the metadata or extended metadata of the peer entity. No validation of the certificate is performed (e.g. revocation) and no certificate chains are evaluated. PKIK profile verifies credentials against a set of trust anchors. Certificates present in the metadata or extended of the peer entity are treated as trust anchors, together with all keys in the keystore. Certificate chains are verified in the mode. |
SignMetadata | No | If Yes then the generated metadata will be digitally signed using the specified signature key. It depends on IDP internal configuration. |
After the SSO provider was added and enabled, you can download auto-generated SAML Metadata for the OneVizion side at <Base URL>/saml/metadata. This metadata helps with pairing OneVizion with your Identity Provider.
Example login form with SAML provider:
Please pay attention that users will be identified using E-Mail address! (NameIDFormat is required to be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
NOTE: Changes will take effect after the web server restarts.
OpenID
Deprecated 22.15
We are supporting OpenID 2.0 version.
Edit SSO Provider Form OpenID
Example login form:
Also, OneVizion has some System Parameters for configure Service Provider side.
Required system parameters:
Parameter | Value | Description |
EnableSSOLogin | Yes | Enable ability to authorize with SSO. |
Please pay attention that users will be identified using OpenID Identity URL
It’s needed to be filled for every user that wants authorize through OpenID SSO.
NOTE: Changes will take effect after the web server restarts.
OAuth2
Edit SSO Provider Form OAuth2
We are supporting OAuth 2 version, but we have limited implementation. This implementation is described in the diagram below:
Field | Description |
General | |
SSO Provider Certificate Chain | Certificate chain is a X.509 PEM text data. You can load chain automatically using Load Certificates button. In case of OAuth2 it is used for server-side communications security. |
Login URL (suffix) | Unique Login URL for this SSO Provider. Use this URL for generate ClientID and ClientSecret before set it at OneVizion. |
Logout Redirect URL | Optional. Redirect URL (HTTP GET) after user logout from OneVizion. Placeholder “{returnTo}” can be used for specify back url. |
Client ID | OAuth2 Client ID |
Client Secret | OAuth2 Client Secret |
Scope | Optional. OAuth2 Scope which will be used at Authentication process. Separate multiple values using comma or semicolon. |
Fixed State | Optional. By default “state” parameter is generating using random for every Authenticaton attempt. If you require to use fixed “state” parameter for all attempts - specify value at this field. |
User Authorization | |
User Authorization URL | URL for retrieve OAuth2 Authorization Code |
User Authorization Response Type | Optional. Response type for Authorization Code which should be received from OAuth2 server. Default: “code” |
Access Token retrieve method: Authorization code | |
Authorization Code Grant Type | Optional. Grant Type which will be used in Access Token retrieve request. Default: “authorization_code” |
Access Token Request URL | URL for retrive OAuth2 Access Token using OAuth2 Authorization Code. |
Access Token Request Authentication scheme | Available options: Header, Form Body. For Header option the “Authorization: Basic client_id:client_secret” (base64 encoded) HTTP header will be passed to request. For Form Body option data (client_id, client_secret) will be passed at body as “application/x-www-form-urlencoded” content type. |
User Information retrieve method: User Information Service | |
User Information Service URL | URL for service which returns User information in JSON format |
User Information Grant Type | Required Grant Type for this User Information Service |
User Select SQL query | You need to click Setup button to open SQL query editor window.
This SQL query is used for get an association between OneVizion User and OAuth2 User entity.
The values returned from User Information Service will be bind to SQL parameter using it’s key as parameter name.
Example SQL query finds an association using E-Mail returned from User Information Service. |
Also, OneVizion has some System Parameters for configure Service Provider side.
Required system parameters:
Parameter | Value | Description |
EnableSSOLogin | Yes | Enable ability to authorize with SSO. |
Example login form:
NOTE: Changes will take effect after the web server restarts.
Configure user permissions
If you want to prevent users from logging into the sysetm with username and password (Users can login with SSO ONLY), then:
a) Check Disable Username/Password Authentication for Web UI and
b) Erase Password on System Users settings. When password not erased - user will be able to login through API.
Example Authentication through SSO
Open website.
The drop-down link on Login form will be underlined if more than 1 providers are present for login.
Once users log in they will be redirected to the Identity Provider website. An example is shown below.
If some error raised, for example, OneVizion unable to find associated user - user will see an error message at the Login form. Also, an error message will be shown when a user tries to login with E-Mail and have accounts in different tenants.
Usage Log
Usage Log contains two new Actions: SSO Logon (when user successfully authenticated with SSO) and SSO Logon Fail (when an error is raised after user attempt to authenticate).
NOTE: For SAML we fill “WS Request” with SAML response from Service Provider (it contains XML data). This can be used for debugging SAML.
Rules
For distinguishing what users try to login or already logged in using SSO at Rules you can use database function: “pkg_sec.get_sso_provider_id”. It returns an ID of SSO provider used by the user for login into OneVizion.
Startup Errors
In the case of a Startup Error, the Admin is able to capture the reason by opening “catalina.out”, or other Tomcat log file and locate “Unable to init [<SSO type>]” (where SSO type can be SAML, OPEN_ID, OAUTH2). This line will also contain "stacktrace" and the reason why SSO did not start
Adding SSO Providers to Security Roles
Rather than all users having access to all SSO providers, System Administrators can assign SSO providers to security roles. System Administrators will use the SSO Provider checkbox on the Edit Security Role applet to apply SSO provider selections.
In addition, the Role Assignments tab is available on the SSO Provider Admin form where the administrator can view or change role assignments for SSO Providers.
Steps to select SSO provider for a security role
Step | Instruction | Screenshot Help/Example |
|---|---|---|
1 | Navigate to the Edit Security Role applet for the security role you want to change. |
|
2 | Click the SSO tab and check the provider(s) to allow for this security role. |
|
3 | Click OK. |
|
4 | Click the SSO Provider checkbox. |
|
5 | Click OK. |
|
Updated 2/2/2024 per Andrey’s request for Case 177599
Updated 9/11/2023 Release 23.17 Sec-223715
Updated 06/05/2023 Release 23.10 SSO-216699
Updated 02/27/2023 Release 23.3 SSO-220686
Updated 11/28/2022 Release 22.23 SSO-216698
Updated 08/08/2022 Release 22.15 Sec-168242
Udated 04/04/2022 Release 22.6 SSO-184864
Updated 09/07/2020 Release 20.16 CodeQ-153687
Updated 06/22/2020 Release 20.11 SSO-159782
Updated 01/28/2020 Release 20.0 GUI Changes
- 1 Setup SSO
- 1.1.1 Add SSO Applet
- 1.2 SAML
- 1.3 OpenID
- 1.4 OAuth2
- 1.5 Configure user permissions
- 1.6 Usage Log
- 1.7 Rules
- 1.8 Startup Errors
- 1.9 Adding SSO Providers to Security Roles
