This article describes the steps required to set up SAML2 authentication on an Orcanos server.
Note: You can use SAML only, or SAML and Orcanos authentication together.
- SSL must be setup in Orcanos server
- Make sure that AD users exist as Orcanos users, matching at least email or user name
- Go to Admin -> System Settings
- Select SAML in the Authentication Method > Type
- Set the SAML IDP URL (entity id URL) to the Login URL of your site (where authentication will be performed) – the Active Directory URL.
- Force SSO – if that option is checked – the only way to login is via SSO
- Open the web folder (the path is ~\qpackweb_new)
- Put the IDP.cer (certificate files) in the IIS Orcanos root account. The customer will provide these files (This step will be performed by Orcanos).
Note: the file name can vary. So if file name is different – update the saml.config
- Orcanos will put the file sp.pfx
- The customer might need to get the sp.pfx file from Orcanos
- Open the SAML.config and set the return URL – the request that will return after the SAML authentication (this will be performed by Orcanos and usually does not change):
- Set the SingleSignOnServiceUrl and SingleLogoutServiceUrl in the SAML.config. Customer will provide these URLs or can get from the metadata.xml.
- The Customer needs to send the email or user name in the NameID in the SAML response
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">[email protected]</saml:NameID>
- If the Customer's ADFS settings support the SingleLogoutServiceUrl (SLO) callback, then the customer has to set the Orcanos URL as the SLO callback. The URL has the form CustomerBaseURL/web/SAML/SLOService, for example: https://alm.orcanos.com/CustomerName/web/SAML/SLOService
Now let's set up the partner identity provider information (provided by the customer)
<!-- MVC example -->
Note: If the customer provides Orcanos with the Metadata file (of the Identity Provider), we can perform the above steps ourselves.
HOW THE SAML AUTHENTICATION WORKS
When the user opens the Orcanos Login page, they will be redirected to the configured URL (a SAML login page). When the user enters credentials, they are validated on the customer's AD server using the SAML protocol.
Once the user's credentials validate successfully, the user is redirected to the Orcanos site with a username (email or Orcanos username) in the response. We use that username to log the user in to our system.
Note: User must exist both in Orcanos and Active Directory
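The following is an added illustration of the last step described above, not Orcanos code: it pulls the NameID out of a SAML Response and maps it to an existing Orcanos user by username or email, refusing the login when no match exists. It assumes the SAML library has already verified the response signature against IDP.cer before this step runs; the user table, the sample response and the accepted emailAddress NameID format are constructed assumptions.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# NameID formats accepted here: "unspecified" is what the setup notes show;
# "emailAddress" is added as an assumption since the value is often an email.
ACCEPTED_NAMEID_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample of the Orcanos user table: username -> email.
ORCANOS_USERS = {
    "jdoe": "jdoe@example.com",
    "asmith": "a.smith@example.com",
}

# Constructed SAML Response (signature already checked upstream, assumed).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def extract_name_id(response_xml: str) -> str:
    """Return the NameID value of the assertion after checking its Format attribute."""
    root = ET.fromstring(response_xml)
    name_id = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("SAML Response carries no NameID")
    # Per the SAML spec an absent Format means "unspecified".
    fmt = name_id.get("Format", "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified")
    if fmt not in ACCEPTED_NAMEID_FORMATS:
        raise ValueError(f"unsupported NameID Format: {fmt}")
    return name_id.text.strip()


def resolve_orcanos_user(name_id: str, users=ORCANOS_USERS):
    """Map a NameID to an Orcanos username by username or email; None if no such user."""
    key = name_id.strip().lower()
    for username, email in users.items():
        if key == username.lower() or key == email.lower():
            return username
    return None  # exists in AD but not in Orcanos: the login must be refused
```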