Authentication Single Sign-On via ADFS - Version 7.18 - Creatio Academy

This documentation is provided under restrictions on use and is protected by intellectual property laws. Except as
expressly permitted in your license agreement or allowed by law, you may not use, copy, reproduce, translate,
broadcast, modify, license, transmit, distribute, exhibit, perform, publish or display any part, in any form, or by any
means. Reverse engineering, disassembly, or decompilation of this documentation, unless required by law for
interoperability, is prohibited.

The information contained herein is subject to change without notice and is not warranted to be error-free. If you
find any errors, please report them to us in writing.

© 2021 Creatio. All rights reserved.
Table of Contents

Single Sign-On via ADFS
  Settings on ADFS's end
  Settings on Creatio's end

Single Sign-On via ADFS
PRODUCTS:         ALL CREATIO PRODUCTS

You can integrate your Active Directory Federation Services (ADFS) instance to help manage seamless single
sign-on for your members. For this, you need to configure a number of settings both in ADFS and Creatio.

    Attention. In the setup example below, https://site01.creatio.com/Demo_161215/ is the Creatio website
    and http://adfs01.mysite.com/adfs/ is the ADFS site. Replace these addresses with the corresponding
    addresses of your sites when you perform the actual setup.

Settings on ADFS's end
1. Add a new Relying Party Trust to ADFS (Fig. 1).

    Fig. 1 The Relying Party Trust menu

2. Select the “Enter data about the relying party manually” option, as shown in Fig. 2.

    Fig. 2 The “Enter data about the relying party manually” option

3. Enter the name of the Relying Party in the [ Display name ] field. This name is needed to make it easier to
    navigate the list of trusted applications in ADFS and does not affect the actual setup.
4. Keep the default ADFS profile. Click the [ Next ] button.
5. Click [ Next ] on the “Configure Certificate” step.
6. Enable SAML 2.0 protocol support. Specify the site address and add
   “/ServiceModel/AuthService.svc/SsoLogin” to it (Fig. 3).

    Fig. 3 The SAML 2.0 protocol support option

7. Specify the full site address in the identifier settings and click the [ Add ] button, as shown in Fig. 4.

    Fig. 4 The identifier

        Attention. The identifier is used when verifying the authenticity of a source that requests
        authentication. The URL must match verbatim, including the “/” at the end.

8. Set up the rest of the parameters according to your security requirements. You can leave default values for
   test purposes.

9. Click [ Finish ]. In the newly-opened window, click [ Add Rule ] and add a new SAML Assertion to SAML Response
   rule (Fig. 5).

    Fig. 5 The “Add rule” button

        Note. Creatio will use the data generated according to the new rule to search for users, as well as to
        update their profiles and roles.

10. Keep the default settings and click [ Next ] on the first step of the rule wizard. Set up the parameters that
    will be taken from the user's data (Fig. 6). In this example, the user's name and the list of domain groups are
    passed in the SAML Assertion.

    Fig. 6 The rule parameters

11. Click the [ Save ] button.
12. Open the Relying Party Trust properties and, on the [ Advanced ] tab, select SHA-1 as the secure hash
    algorithm, matching the signature algorithm of your website certificate.
13. Add the public certificate key on the [ Encryption ] tab to set up the SAML encryption (Fig. 7).

        Note. If you are using Creatio cloud, get the public certificate key from the Creatio support service.

    Fig. 7 The [ Encryption ] tab

14. Add the logout endpoint and set the following parameters (Fig. 8) on the [ Endpoints ] tab:

        Endpoint type: SAML Logout.
        Binding: Redirect.
        Trusted URL: https://site01.creatio.com/Demo_161215/ServiceModel/AuthService.svc/SsoLogout.

    Fig. 8 The Endpoint parameters

15. Add the Logout Request certificate on the [ Signature ] tab, as shown in Fig. 9.

    Fig. 9 The Logout Request certificate

    Attention. Single Sign-Out will not work without a certificate.

Settings on Creatio's end
If you use Creatio cloud, prepare the setup information according to the instructions below and contact Creatio
support to apply the settings.
The single sign-on setup instructions below are intended for Creatio on-site customers. We strongly
recommend granting Creatio support temporary access to Creatio configuration or performing setup under the
guidance of a Creatio support specialist.

Follow these steps to set up single sign-on on Creatio's end:

1. Enter the SAML provider settings.
2. Set up the SSO authentication parameters.
3. Test the basic SSO scenarios.
4. Set up Just-In-Time User Provisioning (JIT).
5. Set SSO as the default option.

Certain settings are different for Creatio .NET Framework and Creatio .NET Core. This guide provides instructions
for both platforms.

.NET Framework
    1. Fill out the SAML provider settings by specifying the data of the SAML identification provider in the
        saml.config file.

        a. Specify your website's FQDN in the Name parameter.

                Attention. The value of the ServiceProvider Name parameter must be identical to the Identifier
                value specified on the ADFS identity provider's end. This is how Creatio verifies that the SAML
                Assertion was issued specifically for your application. We recommend using the FQDN of your
                website, for example https://site01.creatio.com/Demo_161215/. The URL must match verbatim,
                including the “/” at the end.

        b. Specify the IdP settings in the Partner Identity Provider section. You can view these settings in the
           metadata file.

                WantAssertionSigned="false" – set this if the SAML Assertion will not be signed with a certificate.

                SingleSignOnServiceUrl – URL of the identity provider's single sign-on. For ADFS, this is usually
                https://site01.creatio.com/Demo_161215/adfs/ls.

                SingleLogoutServiceUrl – URL of the identity provider's single sign-off. For ADFS, this is usually
                https://site01.creatio.com/Demo_161215/adfs/ls.

                PartnerCertificateFile – path to the *.cer security certificate in the file system of the Creatio
                application server. Specify this parameter if WantAssertionSigned="true".

                SignLogoutRequest="true" – specify for ADFS, since the LogoutRequest must be signed. If set
                to "true", specify the certificate for signature generation in the LocalCertificateFile parameter.

                SignLogoutResponse="true" – specify for ADFS, since the LogoutResponse must be signed. If
                set to "true", specify the certificate for signature generation in the LocalCertificateFile parameter.

                OverridePendingAuthnRequest="true" – if enabled, Creatio will not check whether the IdP
                response matches the earlier Auth Request.

                Example of the saml.config file for ADFS:

                    WantAssertionEncrypted="false"
                    SingleSignOnServiceUrl="https://adfs01.mysite.com/adfs/ls"
                    SingleLogoutServiceUrl="https://adfs01.mysite.com/adfs/ls"
                    PartnerCertificateFile="Certificates\idp.cer"/>

        j. If you select the SignLogoutRequest or SignLogoutResponse checkboxes, add the *.pfx private
            encryption certificate key to the same file system as your Creatio application. Specify the file path and
            the password in the saml.config configuration files and make sure that the user who runs the
            application has permission to read the file. Make sure that the certificate file is available in the
            Terrasoft.WebApp folder and in the website root.

                LocalCertificateFile="sp.pfx"
                LocalCertificatePassword="password"

            Fig. 10 The SAML packet encryption settings

    2. Enable the SSO provider in Creatio. Enable the SAML SSO in Creatio after specifying the SAML provider
        settings. Modify the web.config file in the website root folder:

        a. Enable using the SSO Auth providers on login:

                SsoAuthProvider – identity provider for the main application.
                SSPSsoAuthProvider – identity provider for the customer portal.
                You can enable one or both providers.
                 ...

    3. Test the Identity Provider (IdP) initiated SSO basic scenario to make sure the settings are correct:

        a. Navigate to the trusted IdP applications page. The default link is
           https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx.

        b. Authorize.
        c. Navigate to Creatio with the IdP authorization results.
            Test the settings in the IdP initiated scenario before setting SSO as the default option on Creatio's end.
            Make sure Creatio has an active user account whose login matches the NameId passed by the Identity
            Provider before starting the test. If there is no such account, the SSO setup process will not finish since
            it will be impossible to match the domain user to a Creatio user. After you successfully log in via SSO,
            proceed to further setup.
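The two conditions this step depends on, the Audience in the assertion equalling the ADFS Identifier verbatim and the NameId matching an existing Creatio login, can be checked before the first test login. The following is an added example, not Creatio code and not part of this guide: a Python script that parses a SAML 2.0 Assertion as the service-provider side sees it after signature validation, compares the Audience with the identifier without any normalisation (so a missing trailing “/” fails), checks the NameID against a list of existing logins, and pulls out the domain groups issued by the claim rule from step 10. The assertion, the login list, the Issuer value and the group claim type are constructed assumptions; substitute the claim type your rule actually issues.

```python
"""Pre-flight check for the IdP-initiated SSO test (added example, not Creatio code).

Checks, on an already signature-validated assertion, that:
  * the Audience equals the ADFS Identifier / ServiceProvider Name verbatim
    (trailing "/" included), i.e. the assertion was issued for this application;
  * the NameID is a login that already exists in Creatio, otherwise the domain
    user cannot be matched and the setup does not finish.
It also returns the group values issued by the claim rule.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Identifier entered in ADFS (step 7) and as ServiceProvider Name in Creatio.
SP_IDENTIFIER = "https://site01.creatio.com/Demo_161215/"

# Claim type assumed for the domain-group claim (assumption, not from the guide).
GROUP_CLAIM = "http://schemas.xmlsoap.org/claims/Group"

# Constructed sample assertion (unsigned; signature checks are the SAML
# library's job and are out of scope here). Issuer value is an assumption.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2021-01-01T00:00:00Z">
  <saml:Issuer>http://adfs01.mysite.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jsmith</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://site01.creatio.com/Demo_161215/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
      <saml:AttributeValue>CRM Users</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed list of logins that exist in Creatio before the test.
EXISTING_LOGINS = {"Supervisor", "jsmith"}


def parse_assertion(xml_text):
    """Extract NameID, audiences and attribute values from an assertion."""
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attributes[attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id, "audiences": audiences, "attributes": attributes}


def audience_matches(audiences, sp_identifier):
    """Verbatim comparison: no normalisation, so 'https://x/' != 'https://x'."""
    return sp_identifier in audiences


def preflight(xml_text, sp_identifier=SP_IDENTIFIER,
              existing_logins=EXISTING_LOGINS, group_claim=GROUP_CLAIM):
    """Return a report dict; 'ok' is False when the test login would not succeed."""
    parsed = parse_assertion(xml_text)
    problems = []
    if not audience_matches(parsed["audiences"], sp_identifier):
        problems.append(f"audience {parsed['audiences']} does not equal identifier "
                        f"{sp_identifier!r} verbatim (check the trailing '/')")
    if parsed["name_id"] not in existing_logins:
        problems.append(f"no Creatio user with login {parsed['name_id']!r}; "
                        "the domain user cannot be matched")
    return {
        "ok": not problems,
        "problems": problems,
        "name_id": parsed["name_id"],
        "groups": parsed["attributes"].get(group_claim, []),
    }


if __name__ == "__main__":
    report = preflight(SAMPLE_ASSERTION)
    print("OK" if report["ok"] else "NOT OK", report)
```

To use it on a real response, base64-decode the SAMLResponse from the browser trace, pass the Assertion element to preflight() and replace EXISTING_LOGINS with the logins exported from Creatio; the script does not validate signatures or the NotOnOrAfter condition, which the SAML library does on the live login.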

    4. Set up Just-In-Time User Provisioning (JIT). The Just-In-Time User Provisioning functionality
        complements single sign-on. It not only creates a user on the first login to Creatio, but also updates
        the contact page data with the data received from the identity provider on every login. Learn more:
        Just-In-Time User Provisioning.

        a. Add the JIT settings to the web.config file in the Creatio root folder.

            The user type is defined by the page they use to log in. If the “Identity initiated” scenario is used to log
            in, specify the DefUserType value:

                General – general user.
                SSP – portal user.

        d. Map the SAML Assertion fields to Creatio columns using the [ SAML field name converter to contact field
            name ] lookup. You need this to ensure Creatio populates the contact fields correctly when creating new
            users via Just-In-Time User Provisioning. If the field is empty or disabled in the identity provider data,
            you can fill it out with the value specified in the [ Default value ] field of the lookup. Upon the next login,
            Creatio will populate the contact fields specified in the lookup with either the values received from the
            provider or with the current default values.

                Note. If the lookup is missing from the lookup list, register it.

    5. Set SSO as the default option upon login. We recommend following this step only after you finished
        the previous steps successfully and made sure the SSO works correctly. This step will enable the Service
        Provider (SP) initiated SSO.
        The standard Service Provider (SP) initiated scenario is as follows:

        a. The user navigates to Creatio without an active session on the site.

        b. They are redirected to the IdP where they authorize.

        c. They are redirected back to Creatio with the IdP authorization results.

        To set the SSO provider as the default option:

        a. Specify the NuiLogin.aspx?use_sso=true default resource in \Terrasoft.WebApp\Web.config.

                Note. Users will still be able to log in with Creatio credentials via a direct link:
                https://site01.creatio.com/Login/NuiLogin.aspx?
                Use the following link to test the SSO before setting it as default:
                https://site01.creatio.com/NuiLogin.aspx?use_sso=true

            Enable redirection to the identity provider when going to the website root:

.NET Core

                    "SingleSignOnServiceUrl":"https://adfs.sandbox.local/adfs/ls"

                SingleLogoutServiceUrl – URL of the identity provider's single sign-off. For ADFS, this is usually
                https://site01.creatio.com/Demo_161215/adfs/ls.

                    "SingleLogoutServiceUrl":"https://adfs.sandbox.local/adfs/ls"

                PartnerCertificates – path to the *.cer security certificate in the file system of the Creatio
                application server. Specify this parameter if WantAssertionSigned="true".

                    "PartnerCertificates":[
                        { "FileName":"adfs_sandbox.cer" }
                    ]

                SignLogoutRequest – specify "true" for ADFS, since the LogoutRequest must be signed. If set to
                "true", specify the certificate for signature generation in the LocalCertificateFile parameter.

                    "SignLogoutRequest":true

                SignLogoutResponse – specify "true" for ADFS, since the LogoutResponse must be signed. If set
                to "true", specify the certificate for signature generation in the LocalCertificateFile parameter.

                    "SignLogoutResponse":true

        i. If you select the SignLogoutRequest or SignLogoutResponse checkboxes, add the *.pfx private
            encryption certificate key to the same file system as your Creatio application. Specify the file path and
            the password in the saml.config configuration files and make sure that the user who runs the
            application has permission to read the file. Make sure that the certificate file is available in the
            Terrasoft.WebApp folder and in the website root.

            ...
            "LocalCertificates":[
                { "FileName":"sp.pfx", "Password":"password" }
            ]
            ...
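The rules spread over the saml.config parameters (.NET Framework, step 1 above) and the saml.json parameters (.NET Core, this step) are easy to get subtly wrong: a missing trailing “/” in the Name, a signing flag without its certificate, or a *.pfx the application account cannot read. The following is an added example, not Creatio code and not part of this guide: a Python script that reads either file, normalises both into one set of settings and checks those rules, returning errors for the conditions the guide states and warnings for two relaxations it goes beyond the text to flag (OverridePendingAuthnRequest enabled, and IdP endpoints not served over https). The element and key layout of the two embedded sample files, the Issuer value and the file names are assumptions; compare them with your own files before relying on the result.

```python
"""Consistency check for Creatio SAML provider settings (added example, not Creatio code).

Reads saml.config (XML, .NET Framework) or saml.json (.NET Core), normalises both
into one dict and checks the rules stated in the guide. The element and key
layout of the constructed samples below is an assumption.
"""
import json
import os
import xml.etree.ElementTree as ET

ADFS_IDENTIFIER = "https://site01.creatio.com/Demo_161215/"  # ADFS step 7

# Constructed saml.config sample; element names and the Issuer are assumptions.
SAMPLE_SAML_CONFIG = """<SAMLConfiguration>
  <ServiceProvider Name="https://site01.creatio.com/Demo_161215/"
                   LocalCertificateFile="sp.pfx" LocalCertificatePassword="password"/>
  <PartnerIdentityProviders>
    <PartnerIdentityProvider Name="http://adfs01.mysite.com/adfs/services/trust"
        WantAssertionSigned="true" WantAssertionEncrypted="false"
        SignLogoutRequest="true" SignLogoutResponse="true"
        OverridePendingAuthnRequest="false"
        SingleSignOnServiceUrl="https://adfs01.mysite.com/adfs/ls"
        SingleLogoutServiceUrl="https://adfs01.mysite.com/adfs/ls"
        PartnerCertificateFile="Certificates\\idp.cer"/>
  </PartnerIdentityProviders>
</SAMLConfiguration>
"""

# Constructed saml.json sample; the flat top-level key layout is an assumption.
SAMPLE_SAML_JSON = """{
  "Name": "https://site01.creatio.com/Demo_161215/",
  "WantAssertionSigned": true,
  "SingleSignOnServiceUrl": "https://adfs.sandbox.local/adfs/ls",
  "SingleLogoutServiceUrl": "https://adfs.sandbox.local/adfs/ls",
  "PartnerCertificates": [ { "FileName": "adfs_sandbox.cer" } ],
  "SignLogoutRequest": true,
  "SignLogoutResponse": true,
  "LocalCertificates": [ { "FileName": "sp.pfx", "Password": "password" } ],
  "UseSsoByDefault": false
}
"""


def _flag(value):
    """Accept XML "true"/"false" strings as well as JSON booleans."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def load_saml_config(xml_text):
    """Normalise a saml.config document."""
    root = ET.fromstring(xml_text)
    sp = root.find("ServiceProvider")
    idp = root.find("PartnerIdentityProviders/PartnerIdentityProvider")
    return {
        "name": sp.get("Name"),
        "want_assertion_signed": _flag(idp.get("WantAssertionSigned", "false")),
        "partner_cert": idp.get("PartnerCertificateFile"),
        "sign_logout_request": _flag(idp.get("SignLogoutRequest", "false")),
        "sign_logout_response": _flag(idp.get("SignLogoutResponse", "false")),
        # the local (SP) certificate may be declared on either element
        "local_cert": idp.get("LocalCertificateFile") or sp.get("LocalCertificateFile"),
        "local_cert_password": idp.get("LocalCertificatePassword") or sp.get("LocalCertificatePassword"),
        "override_pending": _flag(idp.get("OverridePendingAuthnRequest", "false")),
        "urls": [idp.get("SingleSignOnServiceUrl"), idp.get("SingleLogoutServiceUrl")],
    }


def load_saml_json(json_text):
    """Normalise a saml.json document (first certificate entry of each list)."""
    cfg = json.loads(json_text)
    partner = (cfg.get("PartnerCertificates") or [{}])[0]
    local = (cfg.get("LocalCertificates") or [{}])[0]
    return {
        "name": cfg.get("Name"),
        "want_assertion_signed": _flag(cfg.get("WantAssertionSigned", False)),
        "partner_cert": partner.get("FileName"),
        "sign_logout_request": _flag(cfg.get("SignLogoutRequest", False)),
        "sign_logout_response": _flag(cfg.get("SignLogoutResponse", False)),
        "local_cert": local.get("FileName"),
        "local_cert_password": local.get("Password"),
        "override_pending": _flag(cfg.get("OverridePendingAuthnRequest", False)),
        "urls": [cfg.get("SingleSignOnServiceUrl"), cfg.get("SingleLogoutServiceUrl")],
    }


def validate(settings, adfs_identifier, readable=lambda p: os.access(p, os.R_OK)):
    """Return (errors, warnings); `readable` probes the *.pfx file permission."""
    errors, warnings = [], []
    if settings["name"] != adfs_identifier:  # verbatim: no slash normalisation
        errors.append(f"ServiceProvider Name {settings['name']!r} != ADFS Identifier "
                      f"{adfs_identifier!r} (must match verbatim, trailing '/' included)")
    if settings["want_assertion_signed"] and not settings["partner_cert"]:
        errors.append("WantAssertionSigned is true but no partner *.cer is configured")
    if settings["sign_logout_request"] or settings["sign_logout_response"]:
        if not settings["local_cert"]:
            errors.append("SignLogoutRequest/SignLogoutResponse need a local *.pfx certificate")
        elif not settings["local_cert_password"]:
            errors.append("local *.pfx certificate has no password configured")
        elif not readable(settings["local_cert"]):
            errors.append(f"{settings['local_cert']} is not readable by this account")
    if settings["override_pending"]:
        warnings.append("OverridePendingAuthnRequest is true: IdP responses are not "
                        "matched to the pending AuthnRequest")
    for url in settings["urls"]:
        if url and not url.lower().startswith("https://"):
            warnings.append(f"IdP endpoint {url} is not served over https")
    return errors, warnings


if __name__ == "__main__":
    for label, settings in (("saml.config", load_saml_config(SAMPLE_SAML_CONFIG)),
                            ("saml.json", load_saml_json(SAMPLE_SAML_JSON))):
        print(label, validate(settings, ADFS_IDENTIFIER))
```

Run it under the account that runs the application pool, from the website root and again from the Terrasoft.WebApp folder, so the readability probe answers the same question the guide asks; with the real files, pass open("saml.config").read() or open("saml.json").read() to the matching loader.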

    2. Enable the SSO provider in Creatio. Enable the SAML SSO in Creatio after specifying the SAML provider
        settings. Modify the app.config file (for Creatio .NET Core) in the website root folder:

        a. Enable using the SSO Auth providers on login:

                  SsoAuthProvider – identity provider for the main application.
                  SSPSsoAuthProvider – identity provider for the customer portal.
                  You can enable one or both of the providers.

            ...
            The user type is defined by the page they use to log in. If the “Identity initiated” scenario is used to log
            in, specify the DefUserType value:

                  General – general user.
                  SSP – portal user.

        d. Map the SAML Assertion fields to Creatio columns using the [ SAML field name converter to contact field
           name ] lookup. You need this to ensure Creatio populates the contact fields correctly when creating new
            users via Just-In-Time User Provisioning. If the field is empty or disabled in the identity provider data,
            you can fill it out with the value specified in the [ Default value ] field of the lookup. Upon the next login,
            Creatio will populate the contact fields specified in the lookup with either the values received from the
            provider or with the current default values.

                  Note. If the lookup is missing from the lookup list, register it.

    5. Set SSO as the default option upon login. We recommend following this step only after you finished
        the previous steps successfully and made sure the SSO works correctly. This step will enable the Service
        Provider (SP) initiated SSO.
        The standard Service Provider (SP) initiated scenario is as follows:

        a. The user navigates to Creatio without an active session on the site.

        b. They are redirected to the IdP where they authorize.
        c. They are redirected back to Creatio with the IdP authorization results.

        To set the SSO provider as the default option:

        a. Specify the NuiLogin.aspx?use_sso=true default resource in \Terrasoft.WebApp\Web.config.
            For Creatio .NET Core, perform the setup in the saml.json file: "UseSsoByDefault": "false".

                  Note. Users will still be able to log in with Creatio credentials via a direct link:
                  https://site01.creatio.com/Login/NuiLogin.aspx?
                  Use the following link to test the SSO before setting it as the default option:
                  https://site01.creatio.com/NuiLogin.aspx?use_sso=true

        b. Enable Single Log Out in the web.config file in the Terrasoft.WebApp folder:

                /Terrasoft.WebApp/web.config
                
        c. Select the [ Default value ] checkbox in the “SSO in mobile application” (“MobileUseSSO”) system setting
            to use the Single Sign-On in the mobile application.
