AppSuite:SAML SSO Integration: Difference between revisions

From Open-Xchange
No edit summary
 
(5 intermediate revisions by 3 users not shown)
Line 1: Line 1:
= SAML SSO Integration =
= SAML SSO Integration =
== Introduction ==


With 7.8.0 OX App Suite supports single sign-on via SAML 2.0. In concrete the backend supports the ''Web Browser SSO Profile'' and the ''Single Logout Profile'', supported bindings are ''HTTP-Redirect'' and ''HTTP-POST''. The core implementation of SAML needs always be complemented by an environment-specific counterpart. Such a counterpart is called a ''SAML backend''. It is responsible for resolving users by incoming assertions and can make use of several extension points that allow to customize the generation and processing of SAML messages.
The content on this page has moved to https://documentation.open-xchange.com/7.10.5/middleware/login_and_sessions/saml_2.0_sso.html


=== Message Flows ===
== Optional: Univention Corporate Server SAML-SSO Configuration with OX App Suite ==


Every SAML request message (i.e. <code>&lt;AuthnRequest&gt;</code> or <code>&lt;LogoutRequest&gt;</code>) is sent via the ''HTTP-Redirect'' binding to a formerly configured endpoint. The binding for <code>&lt;LogoutResponse&gt;</code> messages, that are sent in response to IdP-initiated logout requests is configurable and can be either ''HTTP-Redirect'' or ''HTTP-POST''. Messages of type <code>&lt;Response&gt;</code> are accepted via the ''HTTP-POST'' binding only, while <code>&lt;LogoutRequest&gt;</code> and <code>&lt;LogoutResponse&gt;</code> messages are accepted via ''HTTP-Redirect'' too.
Further information on the optional Univention Corporate Server SAML-SSO Configuration with OX App Suite, can be found here: https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_SAML_SSO_with_OX_App_Suite
 
Below are illustrations of the supported message flows. For reasons of clarity several query parameters like ''SAMLRequest'' or ''RelayState'' have been omitted.
 
==== Login ====
[[File:SAML_login_flow.png]]
 
==== SP-initiated Logout ====
[[File:SAML_sp_logout_flow.png]]
 
==== IdP-initiated Logout ====
[[File:SAML_idp_logout_flow.png]]
 
== Developers Guide ==
 
The core implementation is contained in its own bundle <code>com.openexchange.saml</code> within the backend repository and relies on the OpenSAML library (https://wiki.shibboleth.net/confluence/display/OpenSAML). This guide assumes that you are familiar with the terminology and technological aspects of SAML 2.0.
 
=== The SAML backend ===
 
A SAML backend consists at least of an implementation of <code>com.openexchange.saml.spi.SAMLBackend</code>. An instance of this implementation must be registered as OSGi service under this interface. It is considered best practice to start with inheriting from <code>com.openexchange.saml.spi.AbstractSAMLBackend</code> instead of implementing the interface directly. This reduces the number of methods to implement while default implementations are used where it is possible. You probably need to override some of the other methods as well to customize their behavior. Especially the validation of SAML responses needs likely to be adjusted, as the default strategy is very strict and will fail if the IdP does not obey the specification in every point. Start with reading the JavaDoc of the mentioned classes and follow their references to get an overview of what you need to implement. Additionally there is an example implementation in the <code>examples/backend-samples</code> repository that targets WSO2 Identity Server as IdP. The according project is <code>com.openexchange.saml.wso2</code>, its packaging information is contained in <code>open-xchange-saml-wso2</code>.
 
SAML might replace the web login of OX App Suite but it cannot be used by non-web clients that make use of the HTTP API directly. Therefore it uses sepcial login/logout calls instead of changing the behavior of the calls from the login module. While those calls are based on an installed authentication service (i.e. a package that provides <code>open-xchange-authentication</code>), SAML is not. Nevertheless an authentication service must always be provided. If you want SAML as your only login mechanims, you can simply register an instance of <code>com.openexchange.saml.spi.DisabledAuthenticationService</code> as OSGi service and let your package provide <code>open-xchange-authentication</code>. You can also decide to implement an own authentication service that takes care of authentication for other clients. It is also possible to install one of the existing <code>open-xchange-authentication</code> providers to allow e.g. IMAP or LDAP authentication.
 
== Operators Guide ==
 
=== Installation ===
 
After development of the SAML backend is done you can setup OX App Suite as usual. Additionally you need to install <code>open-xchange-saml-core</code> and a package that provides <code>open-xchange-saml-backend</code> and contains your custom SAML backend. It is also necessary that a package providing <code>open-xchange-authentication</code> is installed. For your convenience you can install the metapackage <code>open-xchange-saml</code> which depends on a core and backend package. Finally the package for SAML support within App Suite UI is needed: <code>open-xchange-appsuite-saml</code>.
 
<pre>
$ apt-get install open-xchange-saml open-xchange-appsuite-saml
</pre>
 
=== Configuration ===
 
==== Backend Configuration ====
The main configuration takes place in <code>/opt/open-xchange/etc/saml.properties</code>. Step through this file and set the property values in accordance to their explanation.
 
As the lifetime of user sessions is under control of the SAML IdP, you must not activate autologin. It's currently not supported anyway. Make sure that <code>com.openexchange.sessiond.autologin</code> in <code>/opt/open-xchange/etc/sessiond.properties</code> is set to <code>false</code>. Also have a look at the other properties within that file. Its noteworthy that every refresh (e.g. closing the App Suite browser tab and opening it again at a later point) will create a new user session. So the lifetime of App Suite sessions should be short while a user should be able to acquire quite some sessions in parallel.
 
Note that session fail-over is currently not possible, because the central session storage only works with autologin enabled.
 
SAML sessions will not contain the users password. Thus it cannot be used to encrypt/decrypt secrets for external services (e.g. OAuth token). Configure <code>/opt/open-xchange/etc/secret.properties</code> to support other encryption/decryption mechanisms (e.g. "<list>").
 
The same problem exists for the primary mail account. Therefore the IMAP accounts must be accessible with a global master password. You need to configure this in <code>/opt/open-xchange/etc/mail.properties</code>
 
==== Frontend Configuration ====
The frontend plugin <code>open-xchange-appsuite-saml</code> is deactivated by default. In order to enable the special SAML login handling, enable a samlLogin flag in <code>/opt/open-xchange/etc/as-config.yml</code>:
<pre>
default:
    host: all
    samlLogin: true
</pre>
 
'''Please note:''' Make sure to use spaces not tabs to indent!

Latest revision as of 09:39, 18 May 2021

SAML SSO Integration

The content on this page has moved to https://documentation.open-xchange.com/7.10.5/middleware/login_and_sessions/saml_2.0_sso.html

Optional: Univention Corporate Server SAML-SSO Configuration with OX App Suite

Further information on the optional Univention Corporate Server SAML-SSO Configuration with OX App Suite, can be found here: https://oxpedia.org/wiki/index.php?title=AppSuite:UCS_SAML_SSO_with_OX_App_Suite