Configuring Federated SSO ⚡ 

Use your identity provider to bring users into Imagen

Introduction

Configuring ImagenWeb to be a service provider

Required attributes

Adding your IDP to ImagenWeb

Glossary of terms


Introduction

This is a guide to configuring Imagen to work as a service provider, using your identity provider (Microsoft Active Directory is used as the example) to import your existing users into Imagen. This simplifies your migration to and adoption of Imagen, lowering overheads and providing a seamless experience for your users.


Configuring ImagenWeb to be a service provider

Go to the following URL and fill out the configuration form with the correct information. You must generate a public/private key pair using OpenSSL:

https://your_imagen_fqdn/ssoserviceprovider/admin

SimpleSAMLphp uses this key pair to encrypt and decrypt the SP and IDP communication. Once the form has been completed, you must share your SP's metadata XML file with the IDP to establish a trust relationship between the two. The metadata can be found under the "Single sign-on metadata URL" field.
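The key pair step above, as an added example that is not code from Imagen or SimpleSAMLphp: it drives the `openssl` command line to create the SP key and self-signed certificate, then confirms the two belong together and extracts the certificate in the single-line base64 form that SAML metadata carries. The file names `sp.key`/`sp.crt`, the subject `imagen.example.org` and the 10-year lifetime are assumptions to adapt; `openssl` must be on PATH.

```python
"""Added example, not code from Imagen or SimpleSAMLphp: generate and
sanity-check the service-provider key pair with the openssl command line.

Assumptions: the ``openssl`` binary is on PATH; the file names sp.key and
sp.crt, the subject CN and the 10-year lifetime are placeholders to adapt.
"""
import os
import subprocess
import tempfile
from pathlib import Path
from typing import Optional, Tuple


def _openssl(*args: str, stdin: Optional[bytes] = None) -> bytes:
    """Run one openssl sub-command and return its stdout; raises on failure."""
    return subprocess.run(
        ["openssl", *args], input=stdin, check=True, capture_output=True
    ).stdout


def generate_sp_keypair(out_dir: str, sp_fqdn: str, days: int = 3650) -> Tuple[Path, Path]:
    """Create an RSA-2048 private key and a self-signed certificate for the SP.

    The certificate is the part that ends up in the SP metadata shared with
    the IDP; the private key stays on the ImagenWeb host and is never shared.
    """
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key_path, crt_path = out / "sp.key", out / "sp.crt"
    _openssl(
        "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-sha256",
        "-days", str(days), "-subj", f"/CN={sp_fqdn}",
        "-keyout", str(key_path), "-out", str(crt_path),
    )
    os.chmod(key_path, 0o600)  # only the web server account should read it
    return key_path, crt_path


def keypair_matches(key_path: Path, crt_path: Path) -> bool:
    """True when the certificate carries the public half of the private key.

    Pasting a certificate that belongs to a different key is a common cause
    of signature-validation failures once metadata has been exchanged.
    """
    pub_from_key = _openssl("pkey", "-in", str(key_path), "-pubout")
    pub_from_crt = _openssl("x509", "-in", str(crt_path), "-noout", "-pubkey")
    return pub_from_key == pub_from_crt


def certificate_for_metadata(crt_path: Path) -> str:
    """Return the certificate as the single base64 line that SAML metadata
    carries inside <ds:X509Certificate> (PEM armour and newlines removed)."""
    lines = crt_path.read_text().splitlines()
    return "".join(line for line in lines if not line.startswith("-----"))


def selfcheck() -> dict:
    """Generate a throw-away pair in a temp directory and report the checks."""
    key, crt = generate_sp_keypair(tempfile.mkdtemp(), "imagen.example.org")
    return {
        "pair_matches": keypair_matches(key, crt),
        "x509_b64": certificate_for_metadata(crt),
    }


if __name__ == "__main__":
    result = selfcheck()
    print("pair matches:", result["pair_matches"])
    print("X509Certificate:", result["x509_b64"][:48], "...")
```

Run it once on the ImagenWeb host, paste `sp.crt` (or the one-line form) into the admin form, and keep `sp.key` readable only by the web server account.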


Required attributes

The IDP must release the following attributes to ImagenWeb (see the Glossary for details):

  • urn:oid:1.3.6.1.4.1.5923.1.1.1.10 (eduPersonTargetedID): a unique user ID; required
  • urn:oid:0.9.2342.19200300.100.1.3 (mail): the user's email address
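An added example, not Imagen's own code, showing how the two attributes above are consumed on the SP side. SimpleSAMLphp passes released attributes to the application as a mapping of attribute name to a list of values; IDPs name attributes either by OID (as above) or by friendly name, and eduPersonTargetedID is sometimes released as a `<saml:NameID>` element rather than a bare string, so the helper accepts all of these forms and refuses a login that lacks the required identifier. The attribute sets in the usage section are constructed samples.

```python
"""Added example, not Imagen's own code: turn the attributes an IDP releases
into the two fields ImagenWeb needs, failing when the required one is absent.

The attribute sets used at the bottom are constructed samples.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

TARGETED_ID_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.10"
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"

# Friendly names accepted as aliases for the OID form.
ALIASES = {
    TARGETED_ID_OID: ("eduPersonTargetedID",),
    MAIL_OID: ("mail",),
}


class MissingRequiredAttribute(Exception):
    """The IDP released no usable eduPersonTargetedID."""


def _unwrap_name_id(value: str) -> str:
    """Return the identifier text whether the IDP sent a plain string or a
    <saml:NameID ...>text</saml:NameID> element."""
    value = value.strip()
    if value.startswith("<"):
        element = ET.fromstring(value)
        return (element.text or "").strip()
    return value


def _first_value(attrs: Dict[str, List[str]], name: str) -> Optional[str]:
    """First non-empty value under the OID name or any of its aliases."""
    for key in (name, *ALIASES.get(name, ())):
        values = attrs.get(key)
        if values and values[0].strip():
            return values[0].strip()
    return None


def sso_user_from_attributes(attrs: Dict[str, List[str]]) -> dict:
    """Map released attributes to the ImagenWeb user fields.

    user_id is the stable identifier the account is keyed on (if the IDP ever
    changes it, the user lands in the account-merging flow); email merely
    pre-fills the registration form and may be None.
    """
    raw_id = _first_value(attrs, TARGETED_ID_OID)
    user_id = _unwrap_name_id(raw_id) if raw_id else None
    if not user_id:
        raise MissingRequiredAttribute(
            f"IDP did not release {TARGETED_ID_OID} (eduPersonTargetedID)"
        )
    return {"user_id": user_id, "email": _first_value(attrs, MAIL_OID)}


if __name__ == "__main__":
    # Constructed sample: OID-named attributes, as SimpleSAMLphp delivers them.
    print(sso_user_from_attributes({
        TARGETED_ID_OID: ["7f3a...constructed"],
        MAIL_OID: ["someone@example.org"],
    }))
    # Constructed sample: friendly name, NameID-wrapped value, no mail released.
    print(sso_user_from_attributes({
        "eduPersonTargetedID": [
            '<saml:NameID xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
            'Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">'
            'abc123</saml:NameID>'
        ],
    }))
```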


Adding your IDP to ImagenWeb

Just as we need to share our SP metadata with the IDP, the IDP needs to share its metadata with us, so they should provide you with an XML metadata file. Once you have it, create an Imagen Organisation, select the "Single sign-on" login type, paste the given XML into the "IdP XML metadata" field and save the Organisation. If everything worked, a string should now be populated in the Organisation's "Entity ID of identity provider" field.

💡 Pro Tip: A Microsoft Entity ID will look like this: "https://sts.windows.net/750d4c11-644a-4d38-a3a9-3fa2467baad7/"
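An added example, not code from Imagen or SimpleSAMLphp, for inspecting the IDP metadata file before pasting it into the Organisation: it pulls out the entityID you expect to see in the "Entity ID of identity provider" field, the single sign-on endpoints, and whether a signing certificate is present, and flags anything that would stop ImagenWeb from trusting the IDP. `SAMPLE_IDP_METADATA` is a constructed document; its tenant id and certificate are placeholders, not real values.

```python
"""Added example, not Imagen's or SimpleSAMLphp's own code: inspect the XML
metadata an IDP hands you before pasting it into the Organisation's
"IdP XML metadata" field.

SAMPLE_IDP_METADATA is a constructed document; the tenant id in its entityID
and the placeholder certificate are not real values.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

PLACEHOLDER_TENANT = "00000000-0000-0000-0000-000000000000"  # constructed
PLACEHOLDER_CERT_B64 = base64.b64encode(b"placeholder DER, not a real certificate").decode()

SAMPLE_IDP_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/{PLACEHOLDER_TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>{PLACEHOLDER_CERT_B64}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{HTTP_REDIRECT}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
    <SingleSignOnService Binding="{HTTP_POST}"
        Location="https://login.microsoftonline.com/{PLACEHOLDER_TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def summarize_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints by binding, signing-cert count and a
    list of problems that would prevent ImagenWeb from trusting this IDP."""
    # xml.etree does not fetch external entities; for metadata from an
    # untrusted source the stricter defusedxml parser is the safer choice.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        # An aggregate (EntitiesDescriptor) is federation metadata, not one IDP.
        raise ValueError(f"expected a single EntityDescriptor, got {root.tag}")

    issues = []
    entity_id = root.get("entityID")
    if not entity_id:
        issues.append("entityID attribute missing")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        issues.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return {"entity_id": entity_id, "sso": {}, "signing_certs": 0, "issues": issues}

    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        binding, location = svc.get("Binding"), svc.get("Location", "")
        sso[binding] = location
        if not location.startswith("https://"):
            issues.append(f"non-https SSO endpoint: {location}")
    if HTTP_REDIRECT not in sso and HTTP_POST not in sso:
        issues.append("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    signing_certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys cannot validate assertions
        for cert in kd.findall(".//ds:X509Certificate", NS):
            try:
                base64.b64decode("".join((cert.text or "").split()), validate=True)
                signing_certs += 1
            except ValueError:
                issues.append("malformed X509Certificate in signing KeyDescriptor")
    if signing_certs == 0:
        issues.append("no signing certificate: assertions could not be verified")

    return {"entity_id": entity_id, "sso": sso, "signing_certs": signing_certs, "issues": issues}


if __name__ == "__main__":
    summary = summarize_idp_metadata(SAMPLE_IDP_METADATA)
    print("Entity ID of identity provider:", summary["entity_id"])
    for binding, location in summary["sso"].items():
        print(binding.rsplit(":", 1)[-1], "->", location)
    print("issues:", summary["issues"] or "none")
```

The `entity_id` the function prints is the value you should see in the Organisation after saving; if the field shows something else, the wrong file was pasted.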


Glossary of terms

  • SP/Service Provider: This is your ImagenWeb instance, which provides the service.
  • IDP/Identity Provider: The service providing the user's identity, e.g. Microsoft, Google, etc.
  • Organisation: A user's Organisation stores the IDP's configuration details. When users initiate the login process they select their Organisation, which directs them to the IDP's login form.
  • Departments: Departments are Imagen Roles that sit beneath an Imagen Organisation (one Organisation to many Departments). Specific SSO attributes can be mapped to a Department, and Departments can be associated with Imagen Groups, making it possible to configure ACLs per Department.
  • Attributes: When a user is sent from their IDP back to ImagenWeb, we can use attributes released by their IDP to uniquely identify that user. The following attributes are the most important:
    urn:oid:1.3.6.1.4.1.5923.1.1.1.10 (eduPersonTargetedID):
    This attribute must be a unique ID (i.e. it is the user ID) and is required. If it ever changes, see the User account merging entry below.
    urn:oid:0.9.2342.19200300.100.1.3 (mail):
    This attribute imports the user's email address, pre-populating the registration form on the user's first visit to ImagenWeb. The user can opt to use a different email address.
  • User account merging: If a user's eduPersonTargetedID changes, they must merge their accounts to regain access to their previous account. The previous email address is sent a message containing a link that initiates the merge and transfers the previous user's content (collections, etc.) before deleting the previous account.
  • WAYFless URLs: Shareable URLs that sign a user into a specific IDP before redirecting to the target, for example
    https://your_imagen_domain/start-session?entityID=YOUR_IdP&target=https://your_imagen_domain
    where YOUR_IdP is the Entity ID of an IDP.
  • Entity ID: Both the service provider and each IDP have an Entity ID. The SP's Entity ID can be found on the SP admin page (https://your_imagen_fqdn/ssoserviceprovider/admin), whilst each IDP's Entity ID can be found on its Organisation's page.
  • Federations: A federation is a collection of IDPs. Adding a Federation to ImagenWeb is a quick way of trusting dozens of IDPs simultaneously. In Imagen's case, we can subscribe to a Federation containing dozens of universities.
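The WAYFless URL format from the glossary, as an added example that is not Imagen's own code: one function builds a shareable link for a given IDP, the other vets a link before it is published, checking that it points at the real `start-session` endpoint, names an IDP that is actually configured, and that its `target` stays on the ImagenWeb host (a target on another site would turn the link into an open redirect). The host `imagen.example.org` and the IDP entity ID are placeholders; the `/start-session` path and the `entityID`/`target` parameter names are the ones the glossary shows.

```python
"""Added example, not Imagen's own code: build a WAYFless URL for the
start-session endpoint and vet one before publishing it.

Assumptions: ``imagen.example.org`` and the IDP entity ID used below are
placeholders; the path /start-session and the entityID / target parameter
names are the ones shown in the glossary entry.
"""
from typing import Iterable, List
from urllib.parse import parse_qs, urlencode, urlsplit

START_SESSION_PATH = "/start-session"


def wayfless_url(imagen_host: str, idp_entity_id: str, target_path: str = "/") -> str:
    """Return a shareable link that pre-selects the IDP and then lands the
    signed-in user on target_path of the same ImagenWeb host."""
    if not target_path.startswith("/"):
        target_path = "/" + target_path
    # target is always built on the ImagenWeb host itself; a link that sent
    # users elsewhere after login would be an open redirect.
    target = f"https://{imagen_host}{target_path}"
    query = urlencode({"entityID": idp_entity_id, "target": target})
    return f"https://{imagen_host}{START_SESSION_PATH}?{query}"


def check_wayfless_url(url: str, imagen_host: str, trusted_entity_ids: Iterable[str]) -> List[str]:
    """Return the problems found in a link (empty when it is safe to share)."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("link is not https")
    if parts.netloc != imagen_host:
        problems.append(f"link host {parts.netloc!r} is not the ImagenWeb host")
    if parts.path != START_SESSION_PATH:
        problems.append(f"path {parts.path!r} is not {START_SESSION_PATH}")

    query = parse_qs(parts.query)
    entity_id = query.get("entityID", [""])[0]
    if entity_id not in set(trusted_entity_ids):
        problems.append(f"entityID {entity_id!r} is not a configured IDP")

    target = urlsplit(query.get("target", [""])[0])
    if target.scheme != "https" or target.netloc != imagen_host:
        problems.append("target points away from the ImagenWeb host (open redirect)")
    return problems


if __name__ == "__main__":
    host = "imagen.example.org"  # placeholder
    idp = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder
    link = wayfless_url(host, idp, "/collections")
    print(link)
    print("problems:", check_wayfless_url(link, host, [idp]) or "none")
```

The trusted list passed to `check_wayfless_url` should be the Entity IDs shown on your Organisations' pages, so a link that names an IDP you have not configured is rejected rather than silently failing for the user.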