Single Sign-On (SSO) / Authentication Options
This page is under construction.
The Vizion Platform supports web browser Single Sign-On utilizing Security Assertion Markup Language (SAML) and OAuth2. SAML holds the dominant position in terms of industry acceptance for federated identity deployments. With this property, a user logs in with a single user ID and password combination to gain access to a connected system or systems without using different usernames or passwords, or in some configurations, seamlessly sign on at each system.
Typically, users will choose to “Always use” their SSO Provider to login. Once the user has login success, the selected SSO provider is saved as the preferred provider. Then when the user returns to the Vizion Platform system, they will automatically be redirected to the preferred SSO provider and skip the login screen.
This feature does not affect FieldVizion and Login for Excel VBA Template.
/LoginFull.do URL can be used to show the login screen even if the user has a preferred SSOprovider.
If the Default Provider option is enabled for a SSO provider, this provider will be used over the preferred SSO.
Session Timeout System Parameters
SessionExpireTime - the hours a user can stay logged into the Vizion Platform for a session regardless of how they sign in. If value = Null, session has no time limit. Once the expire time is reached, the user is automatically logged out.
SamlMaxAuthentiationAge - (for SSO) the hours users can be logged into the Vizion Platform before requiring the user to relogin with SSO provider. The SAML SSO provider tracks the user’s session time. Upon login to the Vizion Platform, the user’s session time is checked with provider. If the session time exceeds the value for "SamlMaxAuthenticationAge," the user cannot log in and is directed to relogin to their SSO provider.
Setting Up SSO Options
Setting up SSO is a highly security-sensitive configuration, and you should have relevant skills to set this up.
Steps to Set Up SSO | ||
|---|---|---|
1 | Navigate to Admin Center >System Administration > Authentication Options |  |
2 | The Authentication Options page displays. Click Add. |
|
3 | Complete the fields on the General tab. For more information, see Authentication Option - General Tab. |  |
4 | After saving you will be redirected to Edit SSO Provider Applet which contains a Tab based on the selected SSO Provider Type. For more information, see either Authentication Option - SAML Tab or Authentication Option - OAuth2 Tab |
|
5 |
|
|
6 |
|
|
7 |
|
|
Authentication Option - General Tab
Field Name | Field Description |
|---|---|
SSO Provider Type | Select from the following SSO Provider Types: SAML, OAuth2 |
Name | Users will see this name as a log in option in the providers drop-down:  |
Default Provider | This option enables to automatically redirect to Identity Provider when the user is not authorized. This option allows the user to be enabled only on one Identity Provider. NOTE: When a user wants to log in with a password or other Identity Provider with this option enabled, he can go to http(s)://<site_url>/LoginFull.do for show login form. |
Enabled | “Enabled” checkbox enables this Identity Provider, but not all SSO. |
Authentication Option - SAML Tab
Field Name | Field Description |
|---|---|
SAML Provider Meta Source | Source for SAML Metadata. Available Options: HTTP (URL) or XML Data |
SAML Provider Meta URL | Contains the URL of SAML Metadata when HTTP(S) URL option selected at SAML Provider Meta Source. |
SAML Provider Meta XML Data | Contains XML text with SAML Metadata when XML Data option selected at SAML Provider Meta Source. You need to click the Setup button to open a window where you can paste this text into the textbox. |
SAML Entity ID | Click the Load Entities button. The server will attempt to parse SAML Metadata which present as URL or entered text and give you a list of available SAML entities to select from. This action is needed because XML can contain more than one Identity Providers. You should select only one of the list. |
Load Entities | Populates metadata XML |
SAML Provider Relogin URL | The URL that displays on the login page (lower left corner) when a user’s SSO session age exceeds the setting for System Parameter SamlMaxAuthenticationAge. This is the URL for the hyperlink provider name in the message that displays for exceeded session age. The user clicks the hyperlink in the message to be automatically logged out of the provider site and be presented with the login page where they need to log out / log back in to continue with SSO in their OneVizion Platform system.
 |
Also OneVizion has some System Parameters for configuring the Service Provider. Required system parameters:
Parameter | Value | Description |
EnableSSOLogin | Yes | Enable ability to authorize with SSO. |
SigningAlgorithm | You need to set value depending on what algorithm is required to be used by Identity Providers | The algorithm used for the creation of digital signature metadata. Algorithms supported: rsa-ripemd160 rsa-sha1 rsa-sha256 rsa-sha384 rsa-sha512 |
SslCertEncryption | You can generate certificate using the following command: openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt and concatenating content of the generated private_key.key and certificate.crt files. | SSL certificate (X.509 PEM format) used for encrypt SAML requests. Take into account, this certificate will not include certification chain, i.e. is not signed by the trusted authority, and your SAML Identity Provider may refuse it or require additional configuration steps (refer to your identity provider documentation for more details). |
SslCertSigning | You can generate certificate using the following command: openssl req -x509 -nodes -sha256 -days 3650 -newkey rsa:2048 -keyout private_key.key -out certificate.crt and concatenating content of the generated private_key.key and certificate.crt files. | SSL certificate (X.509 PEM format) used for encrypt SAML requests. Take into account, this certificate will not include certification chain, i.e. is not signed by the trusted authority, and your SAML Identity Provider may refuse it or require additional configuration steps (refer to your identity provider documentation for more details). |
Optional system parameters:
Parameter | Default Value | Description |
RequireArtifactResolveSigned | Yes | This parameter indicates that “artifact resolve” (SAML terms) messages should be signed. A web server restart is required when a parameter is changed. It depends on IDP internal configuration. |
RequireLogoutRequestSigned | Yes | This parameter indicates that “logout request” (SAML terms) messages should be signed. A web server restart is required when a parameter is changed. It depends on IDP internal configuration. |
RequireLogoutResponseSigned | Yes | This parameter indicates that “logout response” (SAML terms) messages should be signed. It depends on IDP internal configuration. |
SSLHostnameVerification | Default | Algorithm for verification of a match between hostname in URL and hostname in the presented certificate. default
defaultAndLocalhost
strict
allowAll
|
SSLSecurityProfile | pkix | SSL/TLS Security profile determines how is trust of the peer's SSL/TLS certificate against a set of trust anchors. All certificates defined in metadata, extended metadata or present in the keystore are considered as trusted anchors (certification authorities) for PKIX validation. In MetaIOP mode server's SSL/TLS certificate is trusted when it is explicitly declared in the metadata or extended metadata of the peer. |
SecurityProfile | metaiop | The security profile determines how the trust of digital signatures is handled. In MetaIOP mode certificate is deemed valid when it is declared in the metadata or extended metadata of the peer entity. No validation of the certificate is performed (e.g. revocation) and no certificate chains are evaluated. PKIK profile verifies credentials against a set of trust anchors. Certificates present in the metadata or extended of the peer entity are treated as trust anchors, together with all keys in the keystore. Certificate chains are verified in the mode. |
SignMetadata | No | If Yes then the generated metadata will be digitally signed using the specified signature key. It depends on IDP internal configuration. |
After the SSO provider was added and enabled, you can download auto-generated SAML Metadata for the OneVizion side at <Base URL>/saml/metadata. This metadata helps with pairing OneVizion with your Identity Provider.
Example login form with SAML provider:
Please pay attention that users will be identified using E-Mail address! (NameIDFormat is required to be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
NOTE: Changes will take effect after the web server restarts.
Authentication Option - OAuth2 Tab
Field Name | Field Description |
|---|---|
General | |
SSO Provider Certificate Chain | Certificate chain is a X.509 PEM text data. You can load chain automatically using Load Certificates button. In case of OAuth2 it is used for server-side communications security. |
Login URL (suffix) | Unique Login URL for this SSO Provider. Use this URL for generate ClientID and ClientSecret before set it at OneVizion. |
Logout Redirect URL | Optional. Redirect URL (HTTP GET) after user logout from OneVizion. Placeholder “{returnTo}” can be used for specify back url. |
Client ID | OAuth2 Client ID |
Client Secret | OAuth2 Client Secret |
Scope | Optional. OAuth2 Scope which will be used at Authentication process. Separate multiple values using comma or semicolon. |
Fixed State | Optional. By default “state” parameter is generating using random for every Authenticaton attempt. If you require to use fixed “state” parameter for all attempts - specify value at this field. |
User Authorization | |
User Authorization URL | URL for retrieve OAuth2 Authorization Code |
User Authorization Response Type | Optional. Response type for Authorization Code which should be received from OAuth2 server. Default: “code” |
Access Token retrieve method: Authorization code | |
Authorization Code Grant Type | Optional. Grant Type which will be used in Access Token retrieve request. Default: “authorization_code” |
Access Token Request URL | URL for retrive OAuth2 Access Token using OAuth2 Authorization Code. |
Access Token Request Authentication scheme | Available options: Header, Form Body. For Header option the “Authorization: Basic client_id:client_secret” (base64 encoded) HTTP header will be passed to request. For Form Body option data (client_id, client_secret) will be passed at body as “application/x-www-form-urlencoded” content type. |
User Information retrieve method: User Information Service | |
User Information Service URL | URL for service which returns User information in JSON format |
User Information Grant Type | Required Grant Type for this User Information Service |
User Select SQL query | You need to click Setup button to open SQL query editor window.
This SQL query is used for get an association between OneVizion User and OAuth2 User entity.
The values returned from User Information Service will be bind to SQL parameter using it’s key as parameter name.
Example SQL query finds an association using E-Mail returned from User Information Service. |
We are supporting OAuth 2 version, but we have limited implementation. This implementation is described in the diagram below:
Also, OneVizion has some System Parameters for configure Service Provider side.
Required system parameters:
Parameter | Value | Description |
EnableSSOLogin | Yes | Enable ability to authorize with SSO. |
Example login form:
NOTE: Changes will take effect after the web server restarts.
Configure user permissions
If you want to prevent users from logging into the sysetm with username and password (Users can login with SSO ONLY), then:
a) Check Disable Username/Password Authentication for Web UI and
b) Erase Password on System Users settings. When password not erased - user will be able to login through API.
Example Authentication through SSO
Open website.
The drop-down link on Login form will be underlined if more than 1 providers are present for login.
Once users log in they will be redirected to the Identity Provider website. An example is shown below.
If some error raised, for example, OneVizion unable to find associated user - user will see an error message at the Login form. Also, an error message will be shown when a user tries to login with E-Mail and have accounts in different tenants.
Usage Log
Usage Log contains two new Actions: SSO Logon (when user successfully authenticated with SSO) and SSO Logon Fail (when an error is raised after user attempt to authenticate).
NOTE: For SAML we fill “WS Request” with SAML response from Service Provider (it contains XML data). This can be used for debugging SAML.
Rules
For distinguishing what users try to login or already logged in using SSO at Rules you can use database function: “pkg_sec.get_sso_provider_id”. It returns an ID of SSO provider used by the user for login into OneVizion.
Startup Errors
In the case of a Startup Error, the Admin is able to capture the reason by opening “catalina.out”, or other Tomcat log file and locate “Unable to init [<SSO type>]” (where SSO type can be SAML, OPEN_ID, OAUTH2). This line will also contain "stacktrace" and the reason why SSO did not start
Adding SSO Providers to Security Roles
Rather than all users having access to all SSO providers, System Administrators can assign SSO providers to security roles. System Administrators will use the SSO Provider checkbox on the Edit Security Role applet to apply SSO provider selections.
In addition, the Role Assignments tab is available on the SSO Provider Admin form where the administrator can view or change role assignments for SSO Providers.
Steps to select SSO provider for a security role
Step | Instruction | Screenshot Help/Example |
|---|---|---|
1 | Navigate to the Edit Security Role applet for the security role you want to change. |
|
2 | Click the SSO tab and check the provider(s) to allow for this security role. | 
|
3 | Click OK. |
|
4 | Click the SSO Provider checkbox. | 
|
5 | Click OK. |
|
