Copyright

© 2021 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.

Trademark

Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.


Introduction

SAML is a Single Sign On (SSO) solution that lets users sign on through their own application instead of with OP24 credentials. This makes things easier for users, since they only have to maintain one system for all the applications they use.

Single Sign On uses metadata and certificates to exchange trust. To log in, the Service Provider (SP) makes a request to the Identity Provider (IDP). This request contains information about who the SP is, how it wants the data presented, and where the response should be sent. The IDP checks the request, makes sure that it recognizes the SP, and then sends the user on to log in.

If the user is already logged in, the IDP skips this step. If the user is not logged in, the user logs in with username and password, or in any other way the IDP is set up to support.

After the user has logged in, the IDP sends a response to the SP containing information about the user, such as username, email, or other information requested in the SAML request. The SP checks that it recognizes the IDP and then logs the user in.

In most cases this means that the user triggers the SAML request, is redirected to the IDP and back, and is logged in within seconds without entering any credentials.

Solution

Requirements

The customer needs an IDP with an underlying LDAP or similar directory. The IDP must be reachable from the network of the OUTSCAN/HIAB, and the username it returns must match the username in OUTSCAN/HIAB. There are many ways of obtaining an IDP, depending on how much you want to be able to customize.

The IDP metadata is tested before it is accepted into the OUTSCAN/HIAB. It must have a validUntil attribute, and it must have a SingleSignOnService with the HTTP-Redirect binding. It also needs signing and encryption keys, since everything is sent encrypted and OUTSCAN/HIAB demands signed responses.

Step-by-Step Guide

This guide covers integrating OneLogin as Identity Provider with OUTSCAN or HIAB as Service Provider.


  1. Get the OUTSCAN/HIAB metadata by clicking the SP Metadata button in the relevant window.
  2. Go to the Add App option under the APPS tab in your OneLogin account.
  3. Search for SAML in the search bar and select the connector with attributes. We require signed assertions, and according to OneLogin the connector highlighted in the following picture fulfills that requirement (https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector).

  4. Fill out the application name and save.
  5. Go to the Configuration tab of the application and fill out the URL validator field according to the OneLogin guide (https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector).
  6. Get the response URL from the OUTSCAN/HIAB metadata to fill the ACS (Consumer) validator field.
  7. Set an additional parameter in the Parameters tab.

  8. Fill out the other tabs according to your policy, for example to give access and privileges to users.
  9. You may also need to give access to the application in the Applications tab of the Users section.
  10. Get the SAML Metadata from the More Actions drop-down.
  11. Open the metadata file and make sure it has a validUntil value in the EntityDescriptor tag.
  12. Upload the metadata on OUTSCAN/HIAB.
