Create and deliver personalized experiences across digital properties at scale
Build engaging websites with intuitive web content management
Leverage a complete UI toolbox for web, mobile and desktop development
Build, protect and deploy apps across any platform and mobile device
Build mobile apps for iOS, Android and Windows Phone
Rapidly develop, manage and deploy business apps, delivered as SaaS in the cloud
Automate UI, load and performance testing for web, desktop and mobile
Host, deploy and scale Node.js, Java and .NET Core apps on premise or in the cloud
Optimize data integration with high-performance connectivity
Automate decision processes with a no-code business rules engine
Transform your businesses in order to survive in a completely digitized and connected world driven by software innovation.
Globally scale websites with innovative content management and infrastructure approaches
Content-focused web and mobile solution for empowering marketers
Faster, tailored mobile experiences for any device and data source
UX and app modernization to powerfully navigate today's digital landscape
Fuel agility with ever-ready applications, built in the cloud
Using SAML, an online Service Provider can contact a separate online Identity Provider to authenticate users who are trying to access secure content. Learn how to do this with Rollbase and Salesforce as an example.
Authentication is playing a vital role in cloud based applications. Nowadays users are not interested in remembering each password for each cloud application, and nobody wants to store their password in the application platform. To overcome this, any application which implemented support for SAML-based authentication can configure with any SAML based IDP (Identity Provider).
There are many Cloud IDPs (Salesforce, PingOne, One Login, etc.) and hosted IDPs (Open AM, Open Select, Shibboleth, etc.).
Applications are authenticating with the above IDPs using SAML. SAML authentication involves following three entities:
Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online Service Provider can contact a separate online Identity Provider to authenticate users who are trying to access secure content. There are three major components for SAML authentication.
(a) Client (Users)
This is the user who can login to any cloud application.
(b) Identity Provider (IDP)
Identity Provider is responsible for:
(c) Service Provider (SP)
In the use case addressed by SAML, the principal requests a service from the Service Provider. The Service Provider requests and obtains an identity assertion from the Identity Provider. On the basis of this assertion, the Service Provider can make an access control decision—in other words it can decide whether to perform some service for the connected principal.
To configure SAML authentication we need to set up things in our Identity Provider and Service Providers:
In Our case Rollbase acts as a Service Provider and Salesforce, PingID, Okta, Onelogin and OpenAm are the Identity Providers we certified.
As the data transformation between SP and IDP must be encrypted, we'll follow two step Asymmetric encryption. To achieve the Asymmetric encryption we need to have a public certificate which will be shared with IDPs and the respective keystore, which consists of private key.
Registration of the SP in any IDP requires the ACS (Assertion Consumers) URL of the SP (Ex: http://yourhostname/router/login/loginSaml), the Public key and the Entity ID of the SP (Ex: http://yourhostname). And make sure users have given enough permission to access the given application. You'll need to add the attributes in the IDP with user fields to consume by the SP (Rollbase). Example attributes you may need to add include: givenName ,sn, uid and city.
After successful registration of the SP we need to download the IDP metadata file, which is important to configure at SP side.
Now we are allowing Rollbase users to setup authentication at two levels:
This property will disable from setting authentication at tenant level:
This property will explain type of authentication mechanism type:
This property will identify the IDP. The value of this is the value of EntityID in IDP metadatfile:
This property value is the value given at the time of registering the SP in the IDP:
This property value is the name of the IDP metadata file:
Left side values of attribute map are the field that are related to Rollbase, which will be associated with right side values which will come from the IDP:
SPKeyStoreFile=encryption.keystore ot encryption.jks
The value for this is the name of keystore we have and with which public key we registered in IDP:
Value given while generating the keystore:
By default, the value is 2 as in the IDP metadatfile Single signon HTTP redirect index.
And also we need to place the keystore file in our rollbase config folder (ROLLBASE_HOME/config).
Restart the Rollbase instance.
Login as tenant administrator, navigate to setup home from setup application or setup home in the hamburger menu. Click on Authentication, click on the SAML radio button and click on next.
Enter a name for the Name field.
Enter the Issuer (IDP Entity ID) entityID value in IDP metadata file (Ex: https://IDPURL.com/ABC/qazwsx).
Upload the IDP metadata file downloaded from Salesforce.
Enter the Service Provider Entity ID value given while registering in IDP (Ex: http://youhostname).
Enter the Attribute Map value as firstName=givenName|lastName=sn|loginName=uid|city=city
Enter the value for the Identity Provider login URL from your SAML ACS URL value in the SAML information section on the same page.
Enter a value for Identity Provider Logout URL (Ex: www.google.com)
Note the Login URL from SAML information section.
Click on Save.
Logout from tenant.
Open the browser with the above Login URL noted
Refer here for more details.
The following example shows setting up the Rollbase authentication with the Salesforce IDP. Details of configuring sample IdPs with Rollbase can be found here.
Login in to Salesforce https://login.salesforce.com/?locale=in
Click on Setup link in the top right corner.
Click on the Create link.
Click on Apps link.
Click on New button in the Connected Apps section.
Provide values for the Connected App name, Contact Email and then click on the Enable SAML checkbox.
Provide values for the Entity Id and ACS URL, and then click on the Encrypt SAML Response checkbox.
Upload the certificate file we have with us and click on the Save button.
Click on Default IdP certificate link
Click on the Download Certificate button and save it for registering this IdP in the Service Provider.
Click on the Back To List << Connected Apps link
Click on the Connected App you created.
Click on the New button in the Custom Attribute Section.
Add attributes as you will configure in Attribute map at Service Provider.
The following are some examples:
The following shared.properties need to be added along with placing the keystore file in rollbase config folder(ROLLBASE_HOME/config):
Login as tenant administrator, navigate to setup home from setup application or setup home in the hamburger menu. Click on Authentication, Click on the SAML radio button and click on next.
Enter the Issuer (IDP Entity ID) EntityID value in the IDP metadata file (Ex: https://IDPURL.com/ABC/qazwsx).
Enter the Service Provider Entity ID value given while registering in the IDP (Ex: http://youhostname).
Enter a value for the Identity Provider Logout URL (Ex: www.google.com).
Note the Login URL from the SAML Login URL from the SAML information section.
Any user who visits the http://yourhostname/router/login/loginPrivate.jsp or any bookmarked URL they have to navigate to Salesforce login page.
Enter the Salesforce user name and password.
User will be navigated to Rollbase.
Login as tenant administrator, navigate to setup home from setup application or setup home in hamburger menu. Click on Authentication, Click on the SAML radio button and click on next. Provide the value as shown in following image:
Head to the URL SAML Login URL which is in the above image. You will get redirected to the Salesforce login page.
With the increasing importance of authentication in cloud-based applications, it's important to give your users the options they want. With Rollbase you can easily give your customers what they're looking for with SAML-based authentication. Let us know how this is working for you in the comments below.
Rajkumar Mateti is currently working with Progress as a Quality Engineer. He received his M.Tech degree from University of Hyderabad in 2012, and has several years of experience in testing large scale Cloud-based products including PaaS and SaaS products. He has strong knowledge in automated functional testing for large scale enterprise Cloud platforms, and has written several whitepapers.
Copyright © 2016, Progress Software Corporation and/or its subsidiaries or affiliates.
All Rights Reserved.
Progress, Telerik, and certain product names used herein are trademarks or registered trademarks of Progress Software Corporation and/or one of its subsidiaries or affiliates in the U.S. and/or other countries. See Trademarks or appropriate markings.