...

  1. The user navigates to Deem.
    The user navigates to Deem using either the Deem Domain URL (https://<domain>.deem.com) or the Deem Domain Start SSO URL (https://<domain>.deem.com/rc/ssoStart.do). The user is redirected to the enterprise services with a SAML request.
  2. The enterprise services authenticate the user.
    The user is authenticated using the existing security framework, such as a web access management system, authentication to an LDAP directory, or integration with Windows via Kerberos. After the user is authenticated, the system constructs a SAML assertion (see below), digitally signs it, and returns it over a secure link to the browser, embedded as a hidden form field in an HTTP form. At this step, the SAML assertion may optionally include additional provisioning information about the user (see "Provisioning with SAML").

IdP-initiated

...

  1. The user logs into and accesses the corporate intranet.
    The user logs into the corporate intranet and is authenticated using the existing security framework, such as a web access management system, authentication to an LDAP directory, or integration with Windows via Kerberos. The SAML-enabled intranet is aware of this authentication. Once the user has been validated, a browser session with the intranet is created, and the user can browse the intranet.

...

  2. The user clicks the link to use Deem services.
    The corporate intranet provides a link, and the user clicks it to access Deem services. When the user clicks the link, the system constructs a SAML assertion (see below), digitally signs it, and returns it over a secure link to the browser, embedded as a hidden form field in an HTTP form. At this step, the SAML assertion may optionally include additional provisioning information about the user (see "Provisioning with SAML").

Both

  1. The SAML assertion is sent to Deem.
    Using JavaScript, the HTTP form is submitted to Deem over a secure link, passing the embedded SAML assertion. The user is not prompted again for a username and password or any other credential.
  2. The user's session with Deem begins.
    Deem receives the assertion and validates its signature using the X509v3 certificate that the enterprise provided when the federated trust relationship was originally established and configured. Having validated the integrity of the assertion, Deem can trust the identity of the user as specified in the assertion's Subject (the NameID). Based on this trusted assertion, a new user session is created and the SSO is complete. Optionally, the user may be provisioned at the same time, if additional user provisioning data was provided with the token (for more information see "Provisioning with SAML").

The User's SSO Experience

...

  1. Enter a support case to configure SSO. See Entering a Support Case for details.
  2. Coordinate with your Deem Activations Manager and Deem Integrations Manager. Configuring SSO is performed with a team of technical resources. Your Deem Activations Manager will coordinate the necessary resources to guide you through each step of the project.
  3. Configure your SAML service for testing in your test environment along with our test environment.

    As SAML is a well-established standard, chances are you already have technology you can use. If not, you may need to deploy a SAML-capable service. SAML capabilities are provided by almost all of the major identity management and platform technology vendors, and you may use any of these standards-based software packages. There are also a number of open source SAML projects that you can leverage.

    Once you've established your SAML-capable infrastructure, it should be configured to point to a Deem test platform. This may be within our test live environment, or in a special configuration in our live production platform. Coordinate with your Deem Integrations Manager and Activations Manager for specific details. For example, for the "rcpat1.com" test environment, you need the following information to complete this task:

    • Target URL: A unique URL for your Deem domain that should be included with all of your SAML requests. Your Deem Integrations Manager provides this URL. This is the target "home page" that users want to access.
    • Deem's SAML endpoint: "http://go.rcpat1deem.com/sp/ACS.saml2"
    • SAML Audience: You must also send an Audience restriction; the value is "https://go.rcpat1deem.com" (see "Sample SAML Assertion").

    Use this information to configure your SAML infrastructure.
    Note: The clock on your server must be accurate, as SAML is a time-sensitive protocol (the assertion's validity window is checked against the recipient's clock). You might want to set up the Network Time Protocol.


  4. Provide information about your SSO infrastructure.

    Once you've configured your SAML service, Deem needs the following information to complete the configuration:

    • Issuer: A unique identifier that represents you as a customer in the SAML assertion. Typically, this is a string or a URL. You may already have an issuer name set up, in which case you can tell Deem what it is. As a best practice, the unique identifier should correspond to the domain name used for your Deem instance.
    • The X509 certificate that is used to digitally sign your SAML assertions. Deem uses it to validate the SAML assertions you send.


  5. Configure the desired user experience.

    Since the user experience is a primary facet of SSO, you'll want to configure various aspects of this experience as follows:

    • Type of access: direct-access link, "Token Not Present" failover endpoint for deep-link access, or the hybrid model. For details, see above.
    • Logout and other errors: Deem provides flexible behavior for logout, session timeouts, and various error conditions. Users can either be redirected to a specified URL or be shown a custom message. See the section on "Customizing your SSO Configuration" for more information, and work with your Deem Integrations Manager to configure the desired behavior.
  6. Test in the test environment. Work with your Deem Integrations and Activations Managers to establish a test of SSO as configured for your test environment. If there are any issues, diagnose and correct them collaboratively.
  7. Reconfigure your SAML service for production access.

    Once you've tested SSO in your test environment and received the go-ahead from your Deem Integrations Manager, you may need to reconfigure your SAML service to point to Deem's production environment. You need the following information to complete this task:

    • Target URL: A unique URL for your Deem domain that should be included with all of your SAML requests. Your Deem Integrations Manager provides this URL.
    • Deem's SAML endpoint: "http://go.deem.com/sp/ACS.saml2"
    • SAML Audience: You must also send an Audience restriction; the value is "https://go.deem.com".

    Use this information to configure your SAML infrastructure. Remember that it is important for the time configured on your server to be accurate (ideally using Network Time Protocol).


  8. Test in the production environment. Work with your Deem Integrations and Activations Managers to establish a test of SSO as configured for your production environment. If there are any issues, collaboratively diagnose and correct.

...

Sample SAML Assertion

<saml:Assertion ID="uuid-5D036492-5000-0DA1-02BF-68B5583580A1" IssueInstant="2013-03-16T00:02:54Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>${partnerProvidedIssuerName}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://go.rcpat1deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://go.rcpat1deem.com/sp/ACS.saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-16T00:02:54Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>

Customizing your SSO Configuration

Deem services for enterprises can be configured to support a wide variety of custom behaviors. You must provide the following data to your Deem Activations Manager to support a custom configuration.

...

Sample SAML Assertion for Simple Provisioning

<saml:Assertion ID="uuid-5D036492-5000-0DA1-02BF-68B5583580A1" IssueInstant="2013-03-16T00:02:54Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>${partnerProvidedIssuerName}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://go.rcpat1deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://go.rcpat1deem.com/sp/ACS.saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-16T00:02:54Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName">
        <saml:AttributeValue>Bob</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="lastName">
        <saml:AttributeValue>Barker</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="email">
        <saml:AttributeValue>bob.barker@thepriceisright.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="companyName">
        <saml:AttributeValue>The Price Is Right</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="zipCode">
        <saml:AttributeValue>90210</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
</saml:Assertion>
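The exchange described under "Both" (the JavaScript-submitted HTTP form and Deem's validation of the assertion) together with the provisioning attributes in the sample above, as an added worked example in Python. This is not Deem's code and not part of this documentation: it builds the HTTP-POST binding form an identity provider would return to the browser, recovers the assertion on the service-provider side and applies the checks the page lists (trusted issuer, audience restriction, recipient, bearer subject confirmation, and the NotBefore/NotOnOrAfter window with a small clock-skew allowance), then releases the Subject and the provisioning attributes only if every check passes. The issuer value `https://sso.example-customer.test` is made up to fill the `${partnerProvidedIssuerName}` placeholder, the sample assertion is trimmed from the one above, and the expected audience and recipient are taken from that sample. XML signature verification against the enterprise's X509 certificate, which a real assertion consumer performs before any of these checks, is omitted here because it needs an XML-DSig library.

```python
import base64
import html
import re
from datetime import datetime, timedelta, timezone
from xml.etree import ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed input: the page's provisioning sample, trimmed, with a made-up
# issuer standing in for the ${partnerProvidedIssuerName} placeholder.
SAMPLE_ASSERTION = """<saml:Assertion ID="uuid-5D036492-5000-0DA1-02BF-68B5583580A1" IssueInstant="2013-03-16T00:02:54Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://sso.example-customer.test</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://go.rcpat1deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
    <saml:AudienceRestriction><saml:Audience>https://go.rcpat1deem.com/sp/ACS.saml2</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Bob</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>bob.barker@thepriceisright.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
ACS_URL = "https://go.rcpat1deem.com/sp/ACS.saml2"  # Recipient and Audience in the sample above


def saml_time(value: str) -> datetime:
    """Parse the UTC 'Z' timestamps SAML uses into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_post_binding_form(assertion_xml: str, acs_url: str) -> str:
    """IdP side: the HTTP-POST binding. The (already signed) assertion is base64
    encoded into a hidden SAMLResponse field and JavaScript submits the form."""
    token = base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    return (
        '<html><body onload="document.forms[0].submit()">'
        f'<form method="post" action="{html.escape(acs_url, quote=True)}">'
        f'<input type="hidden" name="SAMLResponse" value="{token}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form></body></html>"
    )


def extract_saml_response(form_html: str) -> str:
    """Pull the SAMLResponse value back out of the form (what the browser posts)."""
    match = re.search(r'name="SAMLResponse" value="([^"]*)"', form_html)
    if match is None:
        raise ValueError("form carries no SAMLResponse field")
    return match.group(1)


def decode_saml_response(token: str) -> str:
    """SP side: recover the assertion XML from the posted base64 field."""
    return base64.b64decode(token, validate=True).decode("utf-8")


def validate_assertion(assertion_xml, expected_issuer, expected_audience,
                       expected_recipient, now, skew_seconds=120):
    """SP-side checks the page describes, applied after signature verification
    (omitted here): trusted issuer, audience, recipient, bearer confirmation and
    validity window. Every failure is recorded so the consumer can log all of
    them; subject and attributes are released only if the assertion is accepted."""
    reasons = []
    skew = timedelta(seconds=skew_seconds)
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % NS["saml"]:
        reasons.append("root element is not a SAML 2.0 Assertion")
    if root.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        reasons.append("issuer is not the configured enterprise issuer")
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        reasons.append("audience restriction does not name this service")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("missing Conditions")
    else:
        not_before, not_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < saml_time(not_before):
            reasons.append("assertion not yet valid")
        if not_after is None or now - skew >= saml_time(not_after):
            reasons.append("assertion expired")
    confirmed = False
    for conf in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = conf.find("saml:SubjectConfirmationData", NS)
        if (conf.get("Method") == BEARER and data is not None
                and data.get("Recipient") == expected_recipient
                and data.get("NotOnOrAfter") is not None
                and now - skew < saml_time(data.get("NotOnOrAfter"))):
            confirmed = True
    if not confirmed:
        reasons.append("no bearer SubjectConfirmation for this recipient within its lifetime")
    if reasons:
        return {"accepted": False, "reasons": reasons, "subject": None, "attributes": {}}
    attributes = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"accepted": True, "reasons": [],
            "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attributes}


if __name__ == "__main__":
    form = build_post_binding_form(SAMPLE_ASSERTION, ACS_URL)
    xml_text = decode_saml_response(extract_saml_response(form))
    for when in ("2013-03-16T00:05:00Z", "2013-03-16T00:20:00Z"):
        print(when, validate_assertion(xml_text, "https://sso.example-customer.test",
                                       ACS_URL, ACS_URL, saml_time(when)))
```

Running the module prints the validation result for a timestamp inside the ten-minute window and for one after NotOnOrAfter, which is the failure the "time-sensitive protocol" note in the configuration steps is about. Rejection reasons are collected rather than stopping at the first, which is what you want when the assertion consumer feeds its decisions to a log.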

...