1.0 Integration
Integration with Fluig Identity will be done through the SAML 2.0 (Security Assertion Markup Language) protocol (http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language). SAML is well suited to performing SSO (Single Sign-On) for a web-based application.
The following figure details the activity flow in the scenario where the user accesses a Service Provider service/application (TOTVS Software) by starting at the Identity Provider (Fluig Identity), the IdP-initiated flow.
The next figure details the activity flow in the scenario where the user accesses a service/application directly at the Service Provider (TOTVS Software), the SP-initiated flow. This scenario will not be available for desktop applications (.exe).
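In both flows the last step is the same: the Service Provider receives a SAML Response at its assertion endpoint and must decide whether to trust the assertion inside it. The block below is an added example written for this page, not TOTVS or Fluig Identity code. It shows the consistency checks an SP applies after the XML-DSig signature has been verified by a library such as xmlsec (that verification is assumed, not implemented here): Destination, InResponseTo (present and matching in the SP-initiated flow, absent in the IdP-initiated flow), Status, Issuer, validity window, Audience and Recipient. The SP addresses are the document's sample values; the IdP entityID, user name and timestamps are constructed for the example.

```python
"""SP-side checks on a SAML 2.0 Response for both flows in the text: SP-initiated
(InResponseTo must match the stored request id) and IdP-initiated (unsolicited).
Added example, not TOTVS/Fluig code. SP addresses are the document's samples; the
IdP entityID, user and timestamps are constructed. XML-DSig verification is left
to a library such as xmlsec and is assumed to have already passed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "http://myhostname:8080/spEntityID"            # document sample
SP_ACS_URL = "http://myhostname:8080/spEntityID/saml2/post"   # document sample
IDP_ENTITY_ID = "https://idp.example.invalid/saml2/metadata"  # constructed placeholder


class SamlValidationError(Exception):
    pass


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z (None if absent)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")) if value else None


def validate_response(xml_bytes, expected_request_id=None, now=None, skew=timedelta(minutes=3)):
    """Return the authenticated NameID or raise SamlValidationError.
    expected_request_id: the AuthnRequest ID the SP stored (SP-initiated flow);
    None means the Response is unsolicited (IdP-initiated flow)."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:          # addressed to our ACS endpoint?
        raise SamlValidationError("Destination is not our ACS URL")
    in_response_to = root.get("InResponseTo")
    if expected_request_id is None and in_response_to is not None:
        raise SamlValidationError("unsolicited Response must not carry InResponseTo")
    if expected_request_id is not None and in_response_to != expected_request_id:
        raise SamlValidationError("InResponseTo does not match our AuthnRequest")
    status = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if status is None or status.get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall(f"{{{SAML}}}Assertion")
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    # Presence only: the cryptographic check belongs to the XML-DSig library.
    if a.find(f"{{{DS}}}Signature") is None and root.find(f"{{{DS}}}Signature") is None:
        raise SamlValidationError("neither Response nor Assertion is signed")
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise SamlValidationError("Assertion issuer is not the configured IdP")
    cond = a.find(f"{{{SAML}}}Conditions")
    if cond is None:
        raise SamlValidationError("Assertion has no Conditions")
    not_before, not_on_or_after = parse_ts(cond.get("NotBefore")), parse_ts(cond.get("NotOnOrAfter"))
    if not_before and now + skew < not_before:
        raise SamlValidationError("Assertion not yet valid")
    if not_on_or_after and now - skew >= not_on_or_after:
        raise SamlValidationError("Assertion expired")
    if SP_ENTITY_ID not in [e.text for e in cond.iter(f"{{{SAML}}}Audience")]:
        raise SamlValidationError("Assertion audience is not our entityID")
    subject = a.find(f"{{{SAML}}}Subject")
    name_id = subject.findtext(f"{{{SAML}}}NameID") if subject is not None else None
    if not name_id:
        raise SamlValidationError("Assertion has no NameID")
    scd = subject.find(f"{{{SAML}}}SubjectConfirmation/{{{SAML}}}SubjectConfirmationData")
    if scd is not None and scd.get("Recipient") not in (None, SP_ACS_URL):
        raise SamlValidationError("SubjectConfirmationData Recipient is not our ACS URL")
    return name_id


def verdict(xml_bytes, **kwargs):
    """Non-raising wrapper for a handler or audit log: ('accepted', name_id) or ('rejected', reason)."""
    try:
        return "accepted", validate_response(xml_bytes, **kwargs)
    except SamlValidationError as exc:
        return "rejected", str(exc)


def sample_response(audience=SP_ENTITY_ID, in_response_to="_req1"):
    """Constructed test Response; the ds:Signature content is a placeholder."""
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" xmlns:ds="{DS}" ID="_resp1"
  Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{SP_ACS_URL}"{irt}>
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject><saml:NameID>alice@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{SP_ACS_URL}" NotOnOrAfter="2024-01-01T12:05:00Z"{irt}/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""".encode()


if __name__ == "__main__":
    at = parse_ts("2024-01-01T12:01:00Z")
    print(verdict(sample_response(), expected_request_id="_req1", now=at))   # SP-initiated
    print(verdict(sample_response(in_response_to=None), now=at))             # IdP-initiated
```

The order of the checks matters less than their completeness: every attribute the IdP bound the assertion to (Destination, Recipient, Audience, InResponseTo, the time window) is compared against the SP's own configuration, so an assertion issued for a different SP, a different request or a different moment is rejected even though its signature is valid.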
2.0 Nomenclature
- SAML: Security Assertion Markup Language
  Open standard for authentication and authorization for web single sign-on (SSO)
  http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
  http://en.wikipedia.org/wiki/SAML_2.0
- IDP: Identity Provider (Fluig Identity)
  Authenticates the user and generates the assertion
  http://en.wikipedia.org/wiki/Identity_provider
- SP: Service Provider (TOTVS Software)
  Checks the assertion and provides the service
  http://en.wikipedia.org/wiki/Service_provider
- Assertion
  XML carrying the authentication security tokens
  http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions
- Resource
  Service Provider service or application
- Metadata
  XML with information about the Identity Provider or Service Provider that enables communication between them
  http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Metadata
3.0 Requirements
- Fluig Identity
  - Address (URL) of the XML metadata (example: https://www.fluigidentity.com/cloudpass/saml2/metadata)
- TOTVS Software
  - UI in the system security policy for identity manager configuration, where the user will provide:
    - IDP address;
    - the address at which TOTVS Software will respond as SP (example: http://myhostname:8080/spEntityID); this will be the SP entityID;
    - list of addresses that can use SSO through the SP (example: http://myhostname:8080/);
    - digital certificate
  - HTTP configured to respond at the addresses below:
    - SP metadata XML (example: http://myhostname:8080/spEntityID/saml2/metadata);
    - SP SAML service (example: http://myhostname:8080/spEntityID/saml2/get);
    - response to the IDP assertion (example: http://myhostname:8080/spEntityID/saml2/post).
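The requirements above define what the TOTVS side has to serve: the SP metadata document the IdP imports, the endpoint that starts an SP-initiated login, and the list of addresses allowed to use SSO through the SP. The block below is an added example written for this page, not TOTVS or Fluig Identity code. It builds the metadata from the configuration values the security-policy UI collects, produces the AuthnRequest redirect for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding; query signing is omitted), decodes it the way the IdP would, and enforces the address allow-list on the post-login target. The SP addresses are the document's sample values; the IdP SSO URL and the certificate value are constructed placeholders.

```python
"""What the SP side of the requirements above produces: the SP metadata XML
served at .../saml2/metadata, the AuthnRequest redirect issued from .../saml2/get,
and the allow-list check for the addresses permitted to use SSO through the SP.
Added example, not TOTVS/Fluig code. Addresses are the document's samples; the
IdP SSO URL and certificate value are constructed placeholders."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlparse

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Values the identity-manager security policy UI collects (document samples / placeholders).
SP_CONFIG = {
    "entity_id": "http://myhostname:8080/spEntityID",
    "acs_url": "http://myhostname:8080/spEntityID/saml2/post",
    "allowed_sso_addresses": ["http://myhostname:8080/"],
    "idp_sso_url": "https://idp.example.invalid/saml2/sso",  # constructed; read from IdP metadata in practice
    "certificate_b64": "MIIC...PLACEHOLDER",                 # constructed; the SP's X.509 certificate
}
for prefix, uri in (("md", MD), ("ds", DS), ("samlp", SAMLP), ("saml", SAML)):
    ET.register_namespace(prefix, uri)


def build_sp_metadata(cfg):
    """SP metadata the IdP imports: entityID, signing certificate and ACS endpoint."""
    ed = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": cfg["entity_id"]})
    sp = ET.SubElement(ed, f"{{{MD}}}SPSSODescriptor", {
        "protocolSupportEnumeration": SAMLP,
        "AuthnRequestsSigned": "true", "WantAssertionsSigned": "true"})
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = cfg["certificate_b64"]
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": HTTP_POST, "Location": cfg["acs_url"], "index": "0", "isDefault": "true"})
    return ET.tostring(ed, encoding="utf-8")


def build_authn_request_redirect(cfg, relay_state="/"):
    """SP-initiated login: return (request_id, redirect_url) for the HTTP-Redirect
    binding (raw DEFLATE + base64 + URL-encoding). Store request_id to match
    InResponseTo later. Query signing (SigAlg/Signature) is omitted here."""
    request_id = "_" + uuid.uuid4().hex            # xs:ID must not start with a digit
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": cfg["idp_sso_url"],
        "AssertionConsumerServiceURL": cfg["acs_url"], "ProtocolBinding": HTTP_POST})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = cfg["entity_id"]
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # -15: raw deflate, no zlib header
    deflated = comp.compress(ET.tostring(req, encoding="utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state}
    return request_id, cfg["idp_sso_url"] + "?" + urlencode(params)


def decode_authn_request(url):
    """Reverse the binding (what the IdP does) and return the fields it would check."""
    query = parse_qs(urlparse(url).query)
    root = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    return {"id": root.get("ID"), "issuer": root.findtext(f"{{{SAML}}}Issuer"),
            "destination": root.get("Destination"), "acs": root.get("AssertionConsumerServiceURL"),
            "relay_state": query["RelayState"][0]}


def is_allowed_sso_address(url, cfg):
    """Only addresses on the configured list may be the post-login target (RelayState),
    so the ACS endpoint cannot be used to bounce users to arbitrary sites."""
    target = urlparse(url)
    for allowed in cfg["allowed_sso_addresses"]:
        a = urlparse(allowed)
        if (target.scheme, target.netloc) == (a.scheme, a.netloc) and (target.path or "/").startswith(a.path or "/"):
            return True
    return False


if __name__ == "__main__":
    print(build_sp_metadata(SP_CONFIG).decode())
    rid, url = build_authn_request_redirect(SP_CONFIG, "http://myhostname:8080/home")
    print(decode_authn_request(url))
```

The allow-list compares scheme and host:port exactly and only then the path prefix, so a target such as http://myhostname:8080@other-host/ (whose netloc is not the configured one) is rejected rather than matched by a naive string prefix test.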