M310 FEDERATION
Last updated Jul 06, 2015

Enable Login Function using External Authentication service (SAML)

If identification information for authentication could be shared between systems, each system would no longer need to authenticate users separately, and users would be spared the burden of managing multiple passwords. Questetra allows users who have already been authenticated by "SimpleSAMLphp" or by "Salesforce.com", the cloud CRM, to log into Questetra without a password.

a. OpenID Connect
Specified by the "OpenID Foundation", which promotes the development of safe websites and mobile profiles (REST-based)
b. SAML
Specified by "OASIS", an organization which promotes business standards (XML-based data exchange)
  • Systems which manage user identities and perform identification (authentication) are collectively referred to as the "Identity Provider (IdP)"
  • Systems which provide a service to authenticated users are collectively referred to as the "Service Provider (SP)"
  • The BPM system (Questetra) behaves as an SP. (It cannot be used as an IdP)
  • The email address is used as the user identifier (ID) when exchanging authentication information
  • For the authentication method (e.g. multi-factor authentication), refer to the instructions of the respective authentication service
  • For "Active Directory", you must add a SAML IdP function such as "AD Federation Services"
1. View the Identification Information
Go to the SSO (SAML) menu and check Enable Single Sign-On
2. Write down the Identification Information
Write down the information that identifies Questetra (SP Information)
R3100 SAML Communication Specification
  • Supports the SAML 2.0 standard only (Salesforce, etc.)
  • Service Provider's Entity ID, ACS (Assertion Consumer Service) URL, Single Logout Service URL, Verification certificate
  • The XML file containing the SP information is referred to as "SP Metadata". (A function to download it is not implemented)
1. Enter the Identification Information of Questetra into the IdP
Enter the Entity ID, ACS URL, Verification certificate, etc.
2. Obtain the IdP's Verification certificate
Write down the information that identifies the IdP


R3102 Setting of Federation with SimpleSAMLphp

  • IdP's Entity ID, Sign-in page URL, (Sign-out page URL), (NameID format), Verification certificate
  • The XML file containing the IdP information is referred to as "IdP Metadata"
1. Enter IdP Information
IdP's Entity ID, Sign-in page URL, (Sign-out page URL), (NameID format), Verification certificate
2. Run a Login Test
Go to Questetra's login page and confirm that the SAML login button is shown
1. Disable Login with Password
Check Disable Password Authentication, if necessary
2. Confirm the Login Page
Confirm that Password Login is hidden (M101)
  • Users cannot log in with an ID and password configured in Questetra
  • However, users with System Administrator authorization can still log in with their ID and password (e.g. in case of a fault on the IdP side)




Below is an example procedure for installing SimpleSAMLphp in a Linux environment.
Apache, PHP Installation
# yum install httpd php php-xml
SimpleSAMLphp Installation
File Arrangements and Alias Setting in Apache
# wget http://simplesamlphp.googlecode.com/files/simplesamlphp-1.9.0.tar.gz
# tar zxf simplesamlphp-1.9.0.tar.gz
# mv simplesamlphp-1.9.0 /var/simplesamlphp
# echo "Alias /simplesaml /var/simplesamlphp/www" > /etc/httpd/conf.d/saml.conf
Enable Sample Authentication
# cd /var/simplesamlphp
# touch modules/exampleauth/enable
Enable IdP
/var/simplesamlphp/config/config.php
'enable.saml20-idp'             => true,
Creating a Private Key and Certificate for the IdP
The following is sample input; enter values appropriate for your environment.
# cd /var/simplesamlphp
# openssl req -new -days 365 -x509 -nodes -keyout idp.key -out idp.crt
Generating a 2048 bit RSA private key
..............+++
.........................................................+++
writing new private key to 'idp.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Kyoto
Locality Name (eg, city) [Default City]:Kyoto
Organization Name (eg, company) [Default Company Ltd]:Questetra, Inc.
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:Questetra BPM Suite
Email Address []:
Registering User Information
Register the user information for 'example-userpass' authentication. Make sure that it is not commented out.
In the example below, the information is "user name = user, password = uuuuuuuu, email address = user@questetra.com".
A user with the same email address must exist in Questetra BPM Suite.
/var/simplesamlphp/config/authsources.php
$config = array(
    // ...
    'example-userpass' => array(
        'exampleauth:UserPass',
        // key is 'username:password'; the values are the attributes released to the SP
        'user:uuuuuuuu' => array(
            'uid' => array('user'),
            'email' => array('user@questetra.com'),
        ),
    ),
    // ...
);
IdP Setting
Specify the private key and the certificate you created above.
You can also enable validation of signatures on requests sent by the SP. (Optional)
/var/simplesamlphp/metadata/saml20-idp-hosted.php
    // ...
    'privatekey' => 'idp.key',
    'certificate' => 'idp.crt',
    'validate.authnrequest' => TRUE,
    'validate.logout' => TRUE,
    // ...
Starting Apache
# service httpd start
Verify that the administration screen is displayed at http://XX.XX.XX.XX/simplesaml/ (XX.XX.XX.XX is the hostname of the server)
Verify that "SAML 2.0 IdP metadata" is displayed at http://XX.XX.XX.XX/simplesaml/module.php/core/frontpage_federation.php
SAML Setting in Questetra BPM Suite
Check Enable Single Sign-On in System Settings > SSO (SAML), and set the following items.
  • IdP Setting
    • Entity ID: http://XX.XX.XX.XX/simplesaml/saml2/idp/metadata.php (copy from Entity ID in the SAML 2.0 IdP metadata)
    • URL of Login page: http://XX.XX.XX.XX/simplesaml/saml2/idp/SSOService.php
    • URL of Logout page: http://XX.XX.XX.XX/simplesaml/saml2/idp/SingleLogoutService.php (optional)
    • Certificate: (copy the entire content of the idp.crt created above)
  • SP Information
    • (The values shown here are entered into SimpleSAMLphp later.)
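The four IdP values above (Entity ID, login URL, logout URL, certificate) are all present in the IdP metadata that SimpleSAMLphp serves. The following is an added example, not part of the original procedure or of Questetra's or SimpleSAMLphp's code: it parses SAML 2.0 IdP metadata with the standard library, pulls out exactly those values, re-wraps the certificate in the PEM form a "copy the whole certificate" field expects, and flags endpoints that are served over plain http. The sample metadata, the host idp.example.test and the certificate body are constructed placeholders.

```python
"""Pull the IdP values Questetra's SSO (SAML) form asks for out of SAML 2.0
IdP metadata (the EntityDescriptor XML served at metadata.php)."""
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape SimpleSAMLphp serves; the host and the
# certificate body are placeholders, not real values.
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="http://idp.example.test/simplesaml/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIBexampleCERTIFICATEbodyAAAA
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/simplesaml/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/simplesaml/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_body: str) -> str:
    """Wrap the bare base64 from metadata in PEM armour, the form idp.crt has
    and the form a 'copy the entire certificate' field expects."""
    lines = textwrap.wrap(b64_body, 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def extract_idp_settings(metadata_xml: str) -> dict:
    """Return entity ID, login/logout URLs (HTTP-Redirect binding) and the
    signing certificate as PEM; raise if the document is not IdP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    def endpoint(tag: str):
        for el in idp.findall("md:" + tag, NS):
            if el.get("Binding") == HTTP_REDIRECT:
                return el.get("Location")
        return None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate in metadata")

    return {
        "entity_id": root.get("entityID"),
        "login_url": endpoint("SingleSignOnService"),
        "logout_url": endpoint("SingleLogoutService"),
        "certificate_pem": to_pem(certs[0]),
        "name_id_formats": [e.text.strip() for e in idp.findall("md:NameIDFormat", NS)],
    }


def plaintext_endpoints(settings: dict) -> list:
    """Endpoints served over plain http: SAML messages to and from them travel
    unencrypted, so such an IdP should be put behind TLS before production use."""
    return [k for k in ("login_url", "logout_url")
            if settings.get(k) and settings[k].startswith("http://")]


if __name__ == "__main__":
    s = extract_idp_settings(SAMPLE_IDP_METADATA)
    for key in ("entity_id", "login_url", "logout_url"):
        print(f"{key}: {s[key]}")
    print(s["certificate_pem"])
    print("plain-http endpoints:", plaintext_endpoints(s))
```

Run against the metadata fetched from http://XX.XX.XX.XX/simplesaml/saml2/idp/metadata.php it prints the values to paste into the form; for the test IdP built above, the plain-http report lists both endpoints, which is acceptable for a lab but not for a production IdP.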
Preparing the Verification Certificate of Questetra BPM Suite
Copy the SP verification certificate shown on the Questetra BPM Suite setting screen and save it as the following file.
/var/simplesamlphp/cert/questetra.crt
SP Setting
Add the following, based on the SP Information shown on the Questetra BPM Suite settings screen.
  • Inside the square brackets of $metadata: SP Information - Entity ID
  • AssertionConsumerService: ACS URL
  • SingleLogoutService: SP Information - Single logout service URL
  • certificate: the file name of the SP Information - Verification certificate saved in the previous section
/var/simplesamlphp/metadata/saml20-sp-remote.php
$metadata['https://fsXX.questetra.net/XXXXXXXX/'] = array(
    'AssertionConsumerService' => 'https://fsXX.questetra.net/XXXXXXXX/saml/SSO/alias/bpm',
    'NameIDFormat' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:email',
    'simplesaml.nameidattribute' => 'email',
    'simplesaml.attributes' => FALSE,
    'certificate' => 'questetra.crt',
    'SingleLogoutService' => 'https://fsXX.questetra.net/XXXXXXXX/saml/SingleLogout/alias/bpm',
);
Restarting Apache
# service httpd restart
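With both sides configured, the trust between SimpleSAMLphp and Questetra rests on the SP comparing each SAML Response against the values exchanged above: the Issuer against the IdP Entity ID, the Audience against the SP Entity ID, the Recipient against the ACS URL, the validity window, and the NameID format from which the email identifier is taken. The following is an added illustration of those checks, not Questetra's own validation code (which the page does not describe); the SP configuration, hosts and sample response are constructed, and verification of the XML signature with the IdP certificate is assumed to be done by the SAML library before these checks run.

```python
"""SP-side checks on a SAML Response, expressed against the values exchanged
in the setup above. XML signature verification with the IdP certificate is
assumed to be done by the SAML library before these checks run."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:email"

# Hypothetical SP configuration; the hosts are placeholders standing in for
# the XX.XX.XX.XX / fsXX.questetra.net values of the procedure.
SP_CONFIG = {
    "idp_entity_id": "http://idp.example.test/simplesaml/saml2/idp/metadata.php",
    "sp_entity_id": "https://sp.example.test/bpm/",
    "acs_url": "https://sp.example.test/bpm/saml/SSO/alias/bpm",
    "name_id_format": EMAIL_FORMAT,
}

# Constructed sample response (unsigned; see the note above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2015-02-10T12:00:00Z">
  <saml:Issuer>http://idp.example.test/simplesaml/saml2/idp/metadata.php</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2015-02-10T12:00:00Z">
    <saml:Issuer>http://idp.example.test/simplesaml/saml2/idp/metadata.php</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:email">user@questetra.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2015-02-10T12:05:00Z"
            Recipient="https://sp.example.test/bpm/saml/SSO/alias/bpm"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2015-02-10T12:00:00Z" NotOnOrAfter="2015-02-10T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.test/bpm/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>
"""


def saml_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text: str, config: dict, now: datetime) -> str:
    """Return the NameID (the email used to look up the Questetra user) if every
    check passes; raise ValueError naming the first check that fails."""
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    issuer = a.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["idp_entity_id"]:
        raise ValueError("Issuer does not match the configured IdP Entity ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["sp_entity_id"] not in audiences:
        raise ValueError("Audience does not match the SP Entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["acs_url"]:
        raise ValueError("Recipient does not match the ACS URL")
    if now >= saml_time(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation has expired")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != config["name_id_format"]:
        raise ValueError("NameID is missing or not in the configured format")
    return (name_id.text or "").strip()


if __name__ == "__main__":
    print(validate_response(SAMPLE_RESPONSE, SP_CONFIG, saml_time("2015-02-10T12:01:00Z")))
```

The returned email is the value that must match an existing Questetra user, which is why the SimpleSAMLphp side releases the email attribute as NameID and why a mismatch between the two Entity IDs or the ACS URL shows up as a failed login rather than a wrong user.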



Below is the procedure for setting up Single Sign-On with SAML 2.0 using Salesforce as the IdP (as of February 2015).
Salesforce can be used as an identity provider in the Developer Edition / Enterprise Edition / Unlimited Edition / Database.com Edition.
[Salesforce] Domain Setting
+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Domain Management > My Domain
To use Salesforce as a SAML identity provider, access to Salesforce via your own domain must be enabled.
The domain name cannot be edited later. After setting it, you need to wait for approval from Salesforce.

Salesforce Domain Setting

[Salesforce] Enable Identity Provider
+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Security Controls > Identity Provider
Click Enable Identity Provider.
[Salesforce] Add Service Provider
Display the SAML setting screen in Questetra BPM Suite.
+ Questetra: (upper right User Name) > System Settings > menu on the left side of the screen > SSO (SAML)

Set up a new Connected App in Salesforce.
+ Salesforce: Identity Provider > Service Providers > "Service Providers are now created via Connected Apps. Click here."

  • Basic Information
    • Connected App Name: Questetra (any name you can identify)
    • API Name: Questetra (any name you can identify)
    • Contact Email: the administrator's email address
  • Under Web App Settings, check Enable SAML
    • Entity Id: copy the Entity ID from SP Information in Questetra BPM Suite
    • ACS URL: copy the ACS URL from SP Information in Questetra BPM Suite
    • Subject Type: Username (default)
    • Name ID Format: "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" (default)
    • Issuer: the domain name created above (default)
    • Verify Request Signatures: after checking this, save the Verification certificate shown under SP Information in Questetra BPM Suite to a text file, then upload that text file.
You can change these settings later at the following menu.
+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Manage Apps > Connected Apps
[Salesforce] Add and Connect Permission Sets
+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Manage Users > Permission Sets
Create a new Permission Set with New.

  • Label: Questetra_PermissionSets (any name you can identify)
  • API Name: Questetra_grant (any name you can identify)
Click Save after input.
Connect Permission Sets with Users

+ Salesforce: (User Name) > Setup > Manage Users > Users

Select a user for Single Sign-On, then go to Permission Set Assignments > Edit Assignments.

Add the Permission Set you created to Enabled Permission Sets.
Connect Permission Sets with Apps
+ Salesforce: (User Name) > Setup > Manage Apps > Connected Apps > Permission Sets > Manage Permission Sets

Check the Permission Set you created, then Save.
[Questetra BPM Suite] Identity Provider Setting
Set up the IdP Information by following the procedure below at:
+ Questetra: (upper right User Name) > System Settings > SSO (SAML)

+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Security Controls > Identity Provider

Salesforce Identity Provider Setting

  • Entity ID: copy the Issuer value
  • Verification certificate: Download Certificate, then copy the entire content of the downloaded certificate
+ Salesforce: (User Name) > Setup > menu on the left side of the screen > Manage Apps > Connected Apps

Salesforce Service Provider Setting

  • Sign-in page URL: copy the SP-Initiated POST Endpoint
Once you have entered the items above and saved, setup is complete.
You can check the log at + Salesforce: (User Name) > Setup > Manage Users > Identity Provider Event Log.