Configure Cora SeQuence for SAML 2.0 Authentication

Overview

SAML 2.0 is an XML-based protocol that uses security tokens containing assertions to pass information about a principal (usually an end user) between a SAML authority, named an Identity Provider, and a SAML consumer, named a Service Provider. SAML 2.0 enables web-based, cross-domain single sign-on (SSO), which helps reduce the administrative overhead of distributing multiple authentication tokens to the user.

When you use SAML authentication, Cora SeQuence supports single identity provider and service provider initiated sign in and sign out only.

Prerequisites

Make sure you complete all prerequisites and provide all necessary information before performing the configuration procedure.

  1. Name of identity provider
  2. Name of service provider
  3. SingleSignOnServiceUrl
  4. SingleSignOutServiceUrl
  5. Binding (POST or Redirect)
  6. Copy of the idp signing and encryption public certificate
  7. Claim type that uniquely identifies users (for claims configuration)
  8. Is the identity provider response signed?
  9. is the identity provider assertion signed?
  10. Does the service provider sign the request?
  11. Publicly signed certificate (if necessary)

Supported Bindings

  • You can send Authentication Requests using HTTP-REDIRECT or HTTP-POST.
  • Consumer Assertion Service endpoint only supports HTTP-POST binding.
  • HTTP-Artifact is not supported.

Identity Provider and Token-Related Configuration

IIS Configuration

  • Enable only Anonymous Authentication for the Administration site and Flowtime site.
  • Enable claims-based authentication in the web.config file.

Add Configuration Sections to the web.config File

Add the following section under the <configuration><configSections> elements.

<configSections>
... 
 <sectionGroup name="sequence.engine" type="PNMsoft.Sequence.Configuration.WorkflowEngineConfigurationSectionGroup, PNMsoft.Sequence, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
 ... 
 <sectionGroup name="identity" type="PNMsoft.Sequence.Configuration.IdentityConfiguration,PNMsoft.Sequence.IdentityModel.v8, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1">
   <section name="saml" type="PNMsoft.Sequence.IdentityModel.Configuration.SamlConfigurationSection, PNMsoft.Sequence.IdentityModel.Saml2, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1"/>
 </sectionGroup>
 ... 
 </sectionGroup>
... 
 <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
 <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
...
</configSections>

Add HttpModules to the web.config File

Add the following section under the <system.webServer> <modules> elements. Make sure these modules are list in the list.

<system.webServer>
... 
  <modules>
    <!-- Other modules already configured in web.config should be here -->
    <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" preCondition="managedHandler" />
    <add name="SamlAuthenticationModule" type="PNMsoft.Sequence.IdentityModel.Services.SamlAuthenticationModule, PNMsoft.Sequence.IdentityModel.Saml2, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1" preCondition="managedHandler" />
  </modules>
...
</system.webServer>

Add SAML 2.0 Configurations to the web.config File

Add the following section under the <configuration><sequence.engine> elements.

<identity>
     <saml>
       <serviceProvider name="https://mydomain.com/myapplication"
             description="Sequence Service Provider"
             assertionConsumerServiceUrl="/AuthServices/acs"/>
       <partnerIdentityProviders>
         <add name="https://sts.windows.net/1eb2d3db-45bd-67a8-91a2-3456ab78be9f/"
             description="Azure"
             singleSignOnServiceUrl="https://login.microsoftonline.com/1eb2d3db-45bd-67a8-91a2-3456ab78be9f/saml2"
             singleLogoutServiceUrl="https://login.microsoftonline.com/1eb2d3db-45bd-67a8-91a2-3456ab78be9f/saml2"
             singleSignOnServiceBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"/>
       </partnerIdentityProviders>
     </saml>
</identity>

SAML Configuration Attributes

Name
Description
Required
Default Value
modulePath
Relative path of SAML authentication endpoint.
Yes
/AuthServices
samlCommandFactoryType
Extension point to enable creation of your own commands to handle sign in and sign out.
Yes
PNMsoft.Sequence.IdentityModel.Commands.CommandFactory, PNMsoft.Sequence.IdentityModel.Saml2, Version=8.0.0.0, Culture=neutral, PublicKeyToken=0a1a1b90c1c5dca1
returnUrl
Absolute URL the user is redirected to after sign in.
No
Cora SeQuence Flowtime URL

serviceProvider Configuration Attributes

Name
Description
Required
Default Value
assertionConsumerServiceUrl
Assertion Consumer Service URL.
Yes
/AuthServices/acs
name
Generally, the application's URL.
Yes
-
description
Service Provider description.
No
-
localCertificateFile
Specifies the X.509 certificate file for this service provider. The certificate file name can be an absolute path or a path relative to the application folder.
No
-
localCertificatePassword
Specifies the password with the X.509 certificate file for this service provider. Certificate files (.pfx) that include the private key should be protected by password. Certificate files (.cer) that do not include a private key are not password protected. The certificate password must be kept secure. In a test environment using a test certificate, specifying the password using the LocalCertificatePassword attribute is acceptable. For a production certificate, the password should be stored encrypted in the web.config file. Refer to the LocalCertificatePasswordKey attribute for more details.
No
-
localCertificatePasswordKey
Specifies the web.config file's appSettings key for the certificate file password. For example, if the LocalCertificatePasswordKey attribute value is localCertificatePassword, then under the web.config file's appSettings section, an entry with the name localCertificatePassword is expected, and the entry value is used as the password. By encrypting the appSettings section using the aspnet_regiis utility, the certificate file password is secured.
No
-
localCertificateStoreLocation
Specifies the X.509 certificate store (LocalMachine or CurrentUser).
No
LocalMachine
localCertificateSerialNumber
Specifies the X.509 certificate by serial number for this service provider.
No
-
localCertificateThumbprint
Specifies the X.509 certificate by thumbprint for this service provider. The certificate is retrieved from the local computer's X.509 certificate store.
No
-
localCertificateSubject
Specifies the X.509 certificate by subject name for this service provider. The certificate is retrieved from the local computer's X.509 certificate store.
No
-

partnerIdentityProviders Configuration Attributes

Name
Description
Required
Default Value
name
Generally, the identity provider's URL or STS.
Yes
-
description
Description of the identity provider.
No
-
singleSignOnServiceUrl
Specifies the application's single sign-on service URL. SAML authentication requests will be received at this URL.
Yes
-
singleSignOnServiceBinding
Specifies the transport binding to use when sending authentication requests to the partner identity provider's SSO service.
No
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
signAuthnRequest
Specifies whether authentication requests sent to the partner identity provider should be signed.
No
false
wantSAMLResponseSigned
Specifies whether the SAML response from the partner identity provider should be signed.
No
false
wantAssertionSigned
Specifies whether the SAML assertion from the partner identity provider should be signed.
No
false
wantAssertionEncrypted
Specifies whether the SAML assertion from the partner identity provider should be encrypted.
No
false
partnerCertificateFile
Specifies the X.509 certificate file for this identity provider. The certificate file name can be an absolute path or a path relative to the application folder.
No
-
partnerCertificateStoreLocation
Specifies the X.509 certificate store (LocalMachine or CurrentUser).
No
LocalMachine
partnerCertificateSerialNumber
Specifies the X.509 serial number for this provider. The certificate is retrieved from the local computer's X.509 certificate store.
No
-
partnerCertificateThumbprint
Specifies the X.509 certificate by thumbprint for this identity provider. The certificate is retrieved from the local computer's X.509 certificate store.
No
-
partnerCertificateSubject
Specifies the X.509 certificate by subject name for this identity provider. The certificate is retrieved from the local computer's X.509 certificate store.
No
-
secondaryPartnerCertificateFile
Specifies the X.509 certificate file for this provider. The certificate file name may be an absolute path or a path relative to the application folder.
No
-
secondaryPartnerCertificateStoreLocation
Specifies the X.509 certificate store (LocalMachine or CurrentUser).
No
LocalMachine
secondaryPartnerCertificateSerialNumber
Specifies the X.509 certificate by serial number for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
secondaryPartnerCertificateThumbprint
Specifies the X.509 certificate by thumbprint for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
secondaryPartnerCertificateSubject
Specifies the X.509 certificate by subject name for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
tertiaryPartnerCertificateFile
Specifies the X.509 certificate file for this provider. The certificate file name may be an absolute path or a path relative to the application folder.
No

tertiaryPartnerCertificateStoreLocation
Specifies the X.509 certificate store (LocalMachine or CurrentUser).
No
LocalMachine
tertiaryPartnerCertificateSerialNumber
Specifies the X.509 certificate by serial number for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
tertiaryPartnerCertificateThumbprint
Specifies the X.509 certificate by thumbprint for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
tertiaryPartnerCertificateSubject
Specifies the X.509 certificate by subject name for this provider. The certificate is retrieved from the local computer’s X.509 certificate store.
No
-
singleLogoutServiceUrl
Specifies the partner provider's single logout (SLO) service URL. Logout requests will be sent to the SLO service.
Yes
-
singleLogoutServiceBinding
Specifies the transport binding to use when sending logout messages to the partner provider's SLO service.
No
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
logoutRequestLifeTime
Specifies the NotOnOrAfter time interval for the logout request. The format is hh:mm:ss.
No
3 minutes
disableOutboundLogout
Specifies whether logout requests sent to the partner provider are not supported.
No
false
disableInResponseToCheck
Specifies whether the SAML message’s InResponseTo should be checked. This attribute should only be set to true in test environments or to work around limitations in the partner provider.
No
false
signLogoutRequest
Specifies whether logout requests sent to the partner provider should be signed.
No
false
useEmbeddedCertificate
Specifies whether the certificate embedded in the XML signature should be used when verifying the signature. If false then a configured certificate retrieved from the certificate manager is used.
No
false
issuerFormat
Specifies the issuer format to include in SAML messages and assertions sent to the partner provider.
No
Format attribute is not included
digestMethod
Specifies the XML signature digest method.
No

signatureMethod
Specifies the XML signature method.
No

keyEncryptionMethod
Specifies the XML encryption key encryption method.
No

dataEncryptionMethod
Specifies the XML encryption data encryption method.
No

Supported Bindings

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

Secondary and Tertiary Certificates

For Partner Identity Providers, you can use secondary and tertiary certificates.

For example:

  • SecondaryLocalCertificateFile
  • TertiaryLocalCertificateFile

Configure IdentityModel Audience

In the web.config file, add the following section under <configuration>.

<system.identityModel>
  <identityConfiguration>
    <audienceUris>
      <add value="https://mydomain.com/application" />
    </audienceUris>
  </identityConfiguration>
</system.identityModel>

Configure the Cora SeQuence Authentication Provider

Add claims authentication under the <configuration> <sequence.engine> <authentication> sections.

<claims enabled="true" signoutFromSts="false" loginUrl="~/AuthServices/signin" logoutUrl="~/Logoff.aspx">
  <IdentityClaims>
    <add claimType="<claim type>" originalIssuer="<token issuer>" authenticationType="<sequence authentication type" />
  </IdentityClaims>
</claims>
About this Article
  • Created: 12/18/2017 2:09 am EST
  • Last updated: 01/16/2018 5:57 am EST
In This Article