Magento ADMIN SAML Extension User Guide


    Table of Contents

    1 Introduction
    2 How does it work?
      2.1 Single Sign On
        2.1.1 The normal usage (SP-SSO initiated)
        2.1.2 The alternative usage (IdP-SSO initiated)
      2.2 Single Log Out
        2.2.1 SP-SLO initiated
        2.2.2 IdP-SLO initiated
    3 Magento ADMIN SAML Settings
      3.1 Status
      3.2 Identity Provider Settings
      3.3 OPTIONS
      3.4 ATTRIBUTE MAPPING
      3.5 ROLE MAPPING
      3.6 CUSTOM MESSAGES
      3.7 ADVANCED SETTINGS
    4 How to configure the Identity Provider
      4.1 Onelogin
      4.2 Okta
      4.3 Ping Identity
      4.4 ADFS 2.0
      4.5 ADFS 3.0
      4.6 Salesforce
      4.7 Google
      4.8 Forgerock
      4.9 ServiceNow
      4.10 Auth0
      4.11 Shibboleth
      4.12 simpleSAMLphp
      4.13 secureAuth
      4.14 clearlogin
      4.15 Identacor
      4.16 Centrify
      4.17 Bitium
      4.18 CA Technologies
    5 Warranty


    1 Introduction

    Magento ADMIN SAML extension adds SAML Single Sign On support on the admin login page.

    If you are working with a partner that has implemented a SAML identity provider, you can use this extension to interoperate with it, thereby enabling SSO for customers. It works with any IdP, including OneLogin, Okta, Ping Identity, ADFS, Salesforce, ...

    It has the following features:

    • Enable SAML Single Sign On to the backend simply by installing this extension.
    • Connect a Magento instance with any SAML Identity Provider.
    • Allow login via the Identity Provider.
    • Configurable Single Sign On / Single Log Out service URLs.
    • Easily switch the Admin SAML module on and off.
    • Provisioning and auto-update of user data.
    • Single Sign On (IdP and SP initiated).
    • Single Log Out (IdP and SP initiated).
    • Just-In-Time Provisioning (user data and roles).
    • Auto-provisioning: create a new user with the data provided by the IdP.
    • Auto-update: update the user's account with the data provided by the IdP (review the Mapping section).
    • Configurable mapping between IdP fields and Magento fields.
    • Roles supported.
    • Customizable workflow.
    • Easy to install and use.


    2 How does it work?

    In order to perform SSO/SLO, the Identity Provider and the Service Provider must set up a circle of trust by exchanging their metadata. The metadata is an XML document that describes the EntityID (a value that identifies the entity), the endpoints used in the SSO/SLO process, and a certificate that allows the other party to validate the signature of the SAML messages. Once that is set up, SSO and SLO flows can be executed. Let's explain them.
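The metadata exchange above, as an added example that is not part of the extension or this guide: a small parser that reads a SAML 2.0 metadata document and extracts the three things the other party of the circle of trust registers (entityID, endpoints per binding, signing certificate fingerprint). It goes slightly beyond the text in that the same function handles both IdP metadata and SP metadata such as the document Magento publishes at /sso/saml/metadata. The host names and the certificate blob are constructed placeholders.

```python
# Added example, not the extension's code: parse SAML 2.0 metadata (IdP or SP) and
# extract entityID, endpoints and certificate fingerprints for the circle of trust.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample IdP metadata: placeholder host and a fake (not a real DER) certificate blob.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIBsampleCertBlob0=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{REDIRECT}" Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Return entityID, role (IdP/SP), endpoints grouped by service, and cert fingerprints.
    Only parse metadata obtained over a trusted channel; for untrusted XML prefer
    defusedxml over the plain ElementTree used here."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("entityID attribute missing")
    # The role descriptor decides which endpoints can exist (SSO for an IdP, ACS for an SP).
    role, kind = root.find("md:IDPSSODescriptor", NS), "IdP"
    if role is None:
        role, kind = root.find("md:SPSSODescriptor", NS), "SP"
    if role is None:
        raise ValueError("neither IDPSSODescriptor nor SPSSODescriptor present")
    endpoints = {}
    for service in ("SingleSignOnService", "SingleLogoutService", "AssertionConsumerService"):
        for ep in role.findall(f"md:{service}", NS):
            endpoints.setdefault(service, []).append(
                {"binding": ep.get("Binding"), "location": ep.get("Location")})
    certs = []
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        use = kd.get("use", "signing encryption")
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            # Compare this fingerprint out-of-band with the peer's administrator before trusting it.
            certs.append({"use": use, "sha256": hashlib.sha256(der).hexdigest()})
    return {"entity_id": entity_id, "kind": kind, "endpoints": endpoints, "certs": certs}


def endpoint(info, service, binding):
    """Location of a service for one binding, or None when the peer does not offer it."""
    for ep in info["endpoints"].get(service, []):
        if ep["binding"] == binding:
            return ep["location"]
    return None
```

A Service Provider would call `endpoint(info, "SingleSignOnService", REDIRECT)` to know where to send the AuthnRequest and `endpoint(info, "SingleLogoutService", REDIRECT)` for the LogoutRequest; the certificate fingerprint is what you confirm with the IdP administrator so that a substituted metadata file is noticed.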

    2.1 Single Sign On

    2.1.1 The normal usage (SP-SSO initiated)

    The extension adds a link "Login via Identity provider" to the admin (backend) login form.

    The title and the text of the link are customizable (see the Custom Messages section).

    Following the "Login via SAML" link initiates the SP-initiated SSO flow.

    The Service Provider (Magento) sends an Authentication Request using the HTTP-Redirect binding. The Identity Provider (if there is no active user session) shows a login form so the user can enter their credentials; after authenticating the user, the IdP sends a SAMLResponse to the Service Provider's Assertion Consumer endpoint (HTTP-POST binding).

    https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding
    https://en.wikipedia.org/wiki/SAML_2.0#HTTP_Redirect_Binding


    The SAMLResponse must contain the user data that Magento needs in order to log the user in (an email) or to provision an account on the fly (user, group and address data).

    The following diagram details this process.

    2.1.2 The alternative usage (IdP-SSO initiated)

    Some IdPs like Onelogin or Okta offer a dashboard with the integrated apps.

    When you click on the icon of the Magento app, an IdP-initiated SSO flow happens: the IdP directly sends the SAMLResponse to the Service Provider's Assertion Consumer endpoint (HTTP-POST binding).

    https://en.wikipedia.org/wiki/SAML_2.0#HTTP_POST_Binding
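What the Service Provider has to check when the SAMLResponse arrives at its Assertion Consumer endpoint, for both the SP-initiated flow (2.1.1, where the response must answer the AuthnRequest that was sent) and the IdP-initiated flow (2.1.2, where there is no pending request), as an added example that is not code from the extension or this guide. The SP and IdP identifiers and the ACS path are assumed placeholders, the IdP response is constructed in-process, and XML-signature verification against the IdP certificate is assumed to be done by the SAML library before these checks run.

```python
# Added example, not the extension's code: the checks a Service Provider makes at its
# Assertion Consumer endpoint before trusting a SAMLResponse (HTTP-POST binding).
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://shop.example.test/sso/saml/metadata"  # placeholder (metadata URL as EntityID)
ACS_URL = "https://shop.example.test/sso/saml/acs"            # placeholder, assumed ACS path
IDP_ENTITY_ID = "https://idp.example.test/saml/metadata"      # placeholder, from the IdP settings


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_sample_response(in_response_to=None, email="admin@example.test", role="admin"):
    """Constructed IdP response, base64-encoded as the HTTP-POST binding carries it.
    Omit in_response_to to simulate the IdP-initiated (unsolicited) flow."""
    now = datetime.now(timezone.utc).replace(microsecond=0)
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    later = _ts(now + timedelta(minutes=5))
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
  IssueInstant="{_ts(now)}" Destination="{ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>{email}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="{later}"{irt}/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{_ts(now - timedelta(minutes=1))}" NotOnOrAfter="{later}">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>{email}</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="role"><saml:AttributeValue>{role}</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def validate_acs_response(b64, pending_request_id=None, allow_idp_initiated=True, skew=timedelta(minutes=2)):
    """Return subject and attributes of an acceptable response, else raise ValueError.
    Signature verification (XML-DSig against the IdP cert from metadata) is assumed done already."""
    root = ET.fromstring(base64.b64decode(b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    irt = root.get("InResponseTo")
    if pending_request_id is not None:           # SP-initiated: must answer our AuthnRequest
        if irt != pending_request_id:
            raise ValueError("InResponseTo does not match the AuthnRequest we sent")
    elif irt is not None or not allow_idp_initiated:  # IdP-initiated: only if enabled, never a stale answer
        raise ValueError("unsolicited or replayed response not accepted")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions must be decrypted first)")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unknown IdP")
    now = datetime.now(timezone.utc)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("Conditions missing")
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (nb and now + skew < _parse_ts(nb)) or (noa and now - skew >= _parse_ts(noa)):
        raise ValueError("assertion outside its validity window")
    if SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("assertion not intended for this SP")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        raise ValueError("SubjectConfirmationData Recipient mismatch")
    if scd.get("NotOnOrAfter") and now - skew >= _parse_ts(scd.get("NotOnOrAfter")):
        raise ValueError("subject confirmation expired")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS), "attributes": attrs}


def rejected_reason(b64, **kwargs):
    """None when accepted, otherwise the rejection reason (useful for logging)."""
    try:
        validate_acs_response(b64, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)
```

The `name_id` and `attributes` returned are exactly the data the Attribute Mapping and Role Mapping sections (3.4, 3.5) consume; a response is only used for login or provisioning after every check passes, and the rejection reason is worth logging so that a misconfigured EntityID or ACS URL on the IdP side shows up as a clear error rather than a silent failure.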


    2.2 Single Log Out

    The SAML extension also supports Single Log Out using the HTTP-Redirect binding, but you will need to enable it on the SAML settings panel (Options section).

    2.2.1 SP-SLO initiated

    In this scenario the Service Provider (Magento) initiates the Single Logout process. It sends a LogoutRequest to the Identity Provider; the Identity Provider closes the active sessions (including those of other SPs that initiated an SSO process before) and sends a LogoutResponse to the Service Provider. After receiving and validating this LogoutResponse, the Magento session is closed.

    https://en.wikipedia.org/wiki/SAML_2.0#HTTP_Redirect_Binding


    2.2.2 IdP-SLO initiated

    In this scenario the Identity Provider initiates the process: it sends a LogoutRequest to each Service Provider that initiated an SSO session and waits for a LogoutResponse.

    The Service Provider, after validating the LogoutRequest, closes the Magento session and replies with a LogoutResponse to the IdP.
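Both Single Log Out exchanges of section 2.2 (SP-initiated in 2.2.1 and IdP-initiated in 2.2.2), as an added example that is not code from the extension or this guide. It carries the LogoutRequest and LogoutResponse over the HTTP-Redirect binding (raw DEFLATE, base64, URL query parameter) and simulates both parties in one process; entity IDs, SLO endpoint URLs and the session tables are constructed placeholders, and the query-string signature (SigAlg/Signature) that a real deployment adds is left out.

```python
# Added example, not the extension's code: LogoutRequest / LogoutResponse exchange over the
# HTTP-Redirect binding, with validation on both sides. All identifiers are placeholders.
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"
SP_ID, SP_SLO = "https://shop.example.test/sso/saml/metadata", "https://shop.example.test/sso/saml/sls"
IDP_ID, IDP_SLO = "https://idp.example.test/saml/metadata", "https://idp.example.test/saml/slo"


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def redirect_encode(xml_str):
    """HTTP-Redirect binding: raw DEFLATE (no zlib header) then base64; the caller URL-encodes."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(c.compress(xml_str.encode()) + c.flush()).decode()


def redirect_decode(b64):
    return zlib.decompress(base64.b64decode(b64), -15).decode()


def redirect_url(endpoint, param, xml_str):
    # Real deployments also append SigAlg and Signature computed over the query string.
    return endpoint + "?" + urlencode({param: redirect_encode(xml_str)})


def _parse_from_url(url, param, expected_tag):
    root = ET.fromstring(redirect_decode(parse_qs(urlparse(url).query)[param][0]))
    if root.tag != f"{{{NS['samlp']}}}{expected_tag}":
        raise ValueError(f"expected a samlp:{expected_tag}")
    return root


def build_logout_request(issuer, destination, name_id, session_index):
    req_id = "_" + uuid.uuid4().hex
    xml = (f'<samlp:LogoutRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="{req_id}" '
           f'Version="2.0" IssueInstant="{_now()}" Destination="{destination}">'
           f'<saml:Issuer>{issuer}</saml:Issuer><saml:NameID>{name_id}</saml:NameID>'
           f'<samlp:SessionIndex>{session_index}</samlp:SessionIndex></samlp:LogoutRequest>')
    return req_id, xml


def build_logout_response(issuer, destination, in_response_to, status=SUCCESS):
    return (f'<samlp:LogoutResponse xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{_now()}" '
            f'Destination="{destination}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{issuer}</saml:Issuer>'
            f'<samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status></samlp:LogoutResponse>')


def handle_logout_request(url, my_id, my_slo, peer_id, peer_slo, sessions):
    """Receiver side: validate the LogoutRequest, close matching local sessions, answer it."""
    root = _parse_from_url(url, "SAMLRequest", "LogoutRequest")
    if root.get("Destination") != my_slo:
        raise ValueError("LogoutRequest not addressed to our SLO endpoint")
    if root.findtext("saml:Issuer", namespaces=NS) != peer_id:
        raise ValueError("LogoutRequest from an unknown issuer")
    name_id = root.findtext("saml:NameID", namespaces=NS)
    idx = root.findtext("samlp:SessionIndex", namespaces=NS)
    closed = [s for s in sessions if s["name_id"] == name_id and (idx is None or s["session_index"] == idx)]
    for s in closed:
        sessions.remove(s)
    status = SUCCESS if closed else REQUESTER   # nothing matched: answer, but not with success
    return len(closed), build_logout_response(my_id, peer_slo, root.get("ID"), status)


def handle_logout_response(url, my_slo, peer_id, pending_request_id):
    """Initiator side: accept the LogoutResponse only if it answers our request with success."""
    root = _parse_from_url(url, "SAMLResponse", "LogoutResponse")
    if root.get("Destination") != my_slo:
        raise ValueError("LogoutResponse not addressed to our SLO endpoint")
    if root.findtext("saml:Issuer", namespaces=NS) != peer_id:
        raise ValueError("LogoutResponse from an unknown issuer")
    if root.get("InResponseTo") != pending_request_id:
        raise ValueError("LogoutResponse does not answer the LogoutRequest we sent")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    return code is not None and code.get("Value") == SUCCESS


def run_slo(initiator, responder, responder_sessions, name_id="admin@example.test", session_index="_s1"):
    """Whole exchange; initiator and responder are (entity_id, slo_url). Returns (closed, accepted)."""
    (init_id, init_slo), (resp_id, resp_slo) = initiator, responder
    req_id, req_xml = build_logout_request(init_id, resp_slo, name_id, session_index)
    closed, resp_xml = handle_logout_request(redirect_url(resp_slo, "SAMLRequest", req_xml),
                                             resp_id, resp_slo, init_id, init_slo, responder_sessions)
    accepted = handle_logout_response(redirect_url(init_slo, "SAMLResponse", resp_xml),
                                      init_slo, resp_id, req_id)
    return closed, accepted


def sp_initiated_slo():
    """2.2.1: Magento asks the IdP to end the session (constructed IdP session table)."""
    return run_slo((SP_ID, SP_SLO), (IDP_ID, IDP_SLO), [{"name_id": "admin@example.test", "session_index": "_s1"}])


def idp_initiated_slo():
    """2.2.2: the IdP tells Magento to end its session (constructed Magento session table)."""
    return run_slo((IDP_ID, IDP_SLO), (SP_ID, SP_SLO), [{"name_id": "admin@example.test", "session_index": "_s1"}])
```

The same two handler functions serve both directions: in 2.2.1 Magento runs `handle_logout_response` and the IdP runs `handle_logout_request`; in 2.2.2 the roles swap. The initiator closes its own session only after `handle_logout_response` returns True, which is the "after receiving and validating" step the text describes.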


    3 Magento ADMIN SAML Settings

    The settings of the extension are available at System > Configuration, under the Services tab, at the "SAML (Admin Panel)" link.

    There you will be able to fill several sections:

    • Status. To enable or disable the extension.

    • Identity Provider. Set parameters related to the IdP that will be connected with your Magento.

    • Options. The behavior of the extension.

    • Attribute Mapping. Set the mapping between IdP fields and Magento user fields.

    • Group Mapping. Set the mapping between IdP groups and Magento groups.

    • Address Mapping. Set the mapping between IdP fields and Magento address fields.

    • Custom messages. To handle what messages are shown in the login form.

    • Advanced settings. Handle some other parameters related to customizations and security issues.

    The metadata of the Magento Service Provider will be available at http:///sso/saml/metadata (the URL where the store is published, followed by /sso/saml/metadata).

    If you access this URL you will be able to "view the source of the page", see the XML and download it. You need to share this data with the administrator of the Identity Provider so that they can register the SP metadata there (entityID, endpoints and public certificate if the SP is signing the messages).

    If you are using Magento Multi-site you will be able to configure/enable SAML in each store. Each store will have its own panel/settings.


    3.1 Status

    When the SAML settings are set, you may enable the SAML feature. The metadata URL of the SP is important (you will need to share it with the IdP administrator). I also recommend using the value of that URL as the SP EntityID (see Advanced Settings).

    3.2 Identity Provider Settings

    In this section, you can set up some info related to the IdP that will be connected with your Magento. You can find these values at the Onelogin platform, in the Magento App at the Single Sign-On tab: IdP Entity Id, Single Sign On Service Url, and Single Log Out Service Url.


    3.3 OPTIONS

    In the "Options" section the behavior of the plugin is set, so you just select "Yes" for some important fields: Create user if not exists, Update user data, Sync role when updating user, default RoleId and Single Log Out.

    3.4 ATTRIBUTE MAPPING

    In this section, we can set the mapping between IdP fields and Magento fields. Notice that this mapping could also be set at Onelogin's IdP. Note that the attribute that contains the group of the customer.


    3.5 ROLE MAPPING

    In the "Role mapping" section, we can set the mapping between IdP role values and Magento roles. Example: admin, owner, super-user. There are 10 fields; the id means that Role id=1 will match the Magento role that has id=1, if it exists.

    3.6 CUSTOM MESSAGES

    3.7 ADVANCED SETTINGS

    In this section, you can easily handle some other parameters related to customizations and security issues. If signing/encryption is enabled, then the x509 certificate and private key of the SP must be provided.

    I recommend setting an SP EntityID to identify the SP, and using as its value the metadata URL where the SP is published. This URL appears in the "Status" section.


    If you are using multi-store, depending on the type of configuration it is possible that this value appears wrong in the "Status" section, but you can calculate it by adding "/sso/saml/metadata" to the URL where the store is published.


    If you plan to support Encrypted Assertions or sign the SAML messages you will need a public certificate/private key pair. The SAML protocol lets you use self-signed ones. If you don't know how to generate them, use this tool:
    https://www.samltool.com/self_signed_certs.php


    4 How to configure the Identity Provider

    Here is a list of the main Identity Providers available, with a link to a guide to configure each of them. Some of them describe how to integrate with another Service Provider, but you will get an idea of how to integrate it with Magento.

    4.1 Onelogin
    https://support.onelogin.com/hc/en-us/articles/202673944-How-to-Use-the-OneLogin-SAML-Test-Connector

    4.2 Okta
    http://developer.okta.com/docs/guides/setting_up_a_saml_application_in_okta.html

    4.3 Ping Identity
    https://documentation.pingidentity.com/display/SLC10/Complete+Setup+of+SAML+SSO+to+Slack

    4.4 ADFS 2.0
    http://support.talentlms.com/knowledgebase/articles/328229-how-to-configure-sso-with-microsoft-active-directo

    4.5 ADFS 3.0
    http://wiki.servicenow.com/index.php?title=Configuring_ADFS_3.0_to_Communicate_with_SAML_2.0#gsc.tab=0

    4.6 Salesforce
    https://help.salesforce.com/apex/HTViewHelpDoc?id=identity_provider_enable.htm
    https://help.salesforce.com/HTViewHelpDoc?id=service_provider_define.htm&language=en_US
    https://help.salesforce.com/HTViewHelpDoc?id=sso_saml.htm

    4.7 Google
    https://support.google.com/a/answer/6087519?hl=en

    4.8 Forgerock
    https://backstage.forgerock.com/#!/docs/openam/12.0.0/admin-guide/chap-federation#configure-cot

    4.9 ServiceNow
    http://wiki.servicenow.com/index.php?title=SAML_2.0_Setup#gsc.tab=0

    4.10 Auth0
    https://auth0.com/docs/samlsso-auth0-to-auth0

    4.11 Shibboleth
    https://wiki.shibboleth.net/confluence/display/SHIB2/IdPSPCommunicate

    4.12 simpleSAMLphp
    https://simplesamlphp.org/docs/stable/simplesamlphp-idp#section_7

    4.13 secureAuth
    https://www.pagerduty.com/docs/guides/secureauth-integration-guide/

    4.14 clearlogin
    https://clearlogin.zendesk.com/hc/en-us/articles/208168156-SAML-App-Connections

    4.15 Identacor
    https://identacor.zendesk.com/hc/en-us/articles/202023743-How-to-Add-A-Custom-App-Using-Secure-Auto-Login

    4.16 Centrify
    https://www.centrify.com/downloads/public/sdk/knox/HTML_Doc/Implementation_Guide/Mobile_SDK_SAML_scripting.14.4.html

    4.17 Bitium
    https://support.bitium.com/customer/portal/articles/2093598-how-to-add-saml-to-a-custom-app-?b_id=4928

    4.18 CA Technologies
    https://docops.ca.com/ca-single-sign-on-12-52-sp1/en/configuring/legacy-federation/configure-a-saml-2-0-service-provider


    5 Warranty

    Support by mail guaranteed. Get a reply in less than 48h (business days).
