This guide explains how to integrate SSO with SAML 2.0 and Kiuwan.
In a SAML-based SSO environment, we can define the following actors or participants:
- User: Request access to a resource or service
- Service Provider (SP): Provides access to the service or resource (Kiuwan acts as a SP)
- Identity Provider (IdP): Authenticates the user and confirms their identity
SSO can be implemented through different protocols, with SAML and OpenId Connect being the most widely used.
Kiuwan currently supports SAML. This document serves as a how-to for using Kiuwan in an SSO-SAML environment.
If your organization uses a centralized user credential system based on SAML, you can integrate it with Kiuwan for seamless authentication.
What is SAML?
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an IdP and an SP.
SAML assertions contain three types of statements:
-
Authentication statements
- Example: User U has been successfully authenticated at time T using method M of authentication
-
Attribute statements
- Example: User U contains value V for attribute A
-
Authorization statements
- Example: User U is permitted to perform action A on resource R
Besides assertions, SAML defines SAML protocols, i.e., the processing rules to use assertions between SPs and IdPs.
Examples of such protocols are :
- Assertion Query and Request Protocol
- Authentication Request Protocol
- etc.
These SAML protocols can be mapped to standard messaging formats. This mapping is called a SAML binding. Examples of such bindings include:
- SAML SOAP Binding
- HTTP Redirect (GET) Binding
- HTTP POST Binding
- etc.
Finally, SAML profiles describe in detail how SAML assertions, protocols, and bindings combine to support a defined use case.
SAML 2.0 provides support for many profiles such as:
- Web Browser SSO Profile
- Identity Provider Discovery Profile
- Assertion Query/Request Profile
- etc
The most important SAML 2.0 profile is the Web Browser SSO Profile, and it’s fully supported by Kiuwan.
SAML Security Requirements
The SAML specifications recommend:
- TLS 1.0+ for transport-level security
- XML Signature and XML Encryption for message-level security
Web Browser Single Sign-On
The following image describes how Single Sign-On works:
- The user (usually through a web browser) requests a resource from a Service Provider (SP)
- If a valid security context does not exist, the SP redirects the user agent to the Identity Provider’s (IdP) SSO Service
- The user agent issues a request to the IdP’s SSO Service to identify the user (if there’s no previous security context)
- IdP validates the request and responds to the user agent
- The user agent sends the “authentication” assertion to the SP
- The SP processes the assertion and redirects the user agent to the requested resource
- The user agent requests SP for the requested resource
- Finally, the SP returns the resource to the user agent.
SAML 2.0 Metadata
In the Web Browser SSO workflow above, some interactions between the IdP and the SP are based on mutual trust, for example:
- How does the SP know the IDP is authentic? And in turn, how does the IdP know the SP is authentic?
- How does the SP know where to send the user agent with the auth request? And how does the IDP know where to send the user agent with the auth response?
- How does the IdP encrypt the SAML assertion so that the trusted SP (and only the trusted SP) can decrypt the assertion?
- How does the service provider know that the auth response is coming from a trusted IDP?
These and other similar trust conditions are based on the use of SAML 2.0 Metadata.
Metadata ensures a secure transaction between an IDP and an SP through the sharing of trusted information.
SAML 2.0 provides a well-defined, interoperable metadata format that entities can leverage to bootstrap the trust process.
Regarding SSO SAML actor’s identity, metadata are defined for:
- Identity Provider metadata (to publish identifying information about the IdP itself)
- Service Provider metadata (to publish identifying information about the SP itself)
Also, the endpoints of communication are defined by metadata, such as:
- SSO Service metadata (description of IdP’s SSO endpoint)
- Assertion Consumer Service (desc of SP’s service to send assertions from the IDP)
Configure Kiuwan for SSO - SAML
As explained before, Kiuwan is a Service Provider (SP) in an SSO - SAML context.
To configure SSO in Kiuwan, first, rely on an existing Identity Provider (IdP). There are many available IDP systems, sharing SAML concepts (more or less adapted to their terminology).
As seen above, to set up a Web SSO environment, SAML agents (idP and SP) need to be identified and let each other know of their existence. This step is accomplished by exchanging each other’s metadata.
Kiuwan configuration: How to configure your IDP in Kiuwan
- Go to Account Management > Organization and select Configure SSO.Read the notes shown in the window carefully.
- Click Continue to upload your IdP Metadata XML.
In a typical ADFS installation, you can commonly get it at https://<your_idp_domainname>/FederationMetadata/2007-06/FederationMetadata.xml - If your IdP is Azure AD, check the checkbox My IdP is Azure AD. After loading click Continue.
- Activate SSO, using the activation code from Kiuwan's email. This email also includes the Domain ID and Login URL
- If you want to avoid currently existing Kiuwan users login using former credentials (username and password), check Disable login with password for all my users. By checking this option, all the users will be forced to log in through SSO (using the provided URL).
-
If you don’t check that option, existing users can still log in using user/password, but using the new URL. The older Kiuwan URL will not work anymore because all the users have been migrated to SSO.
Admin users can ALWAYS log in both ways. Also, can always modify which Kiuwan users are allowed to log in using Kiuwan credentials (see User Management).
-
After SSO activation, you will get the URL you need to configure Kiuwan as an SP in your IdP.
Update existing metadata
If you need to update existing metadata with new IdP metadata, follow these steps:
- Go to the SSO initial configuration page and click Upload a new IdP Metadata. Click Save to complete the update.
- The wizard displays a message indicating that the update was successful.
After metadata configuration, go to Account Management > Profile and you will see the following data in your Kiuwan account.
Domain ID only appears when your Kiuwan account is configured to use SSO.
- This ID is needed to log in to your Kiuwan account. It is shared by all users of a Kiuwan account, but unique for every Kiuwan account.
Username field contains your Kiuwan username. It matches the Claim mapping (Name ID) defined in your IDP when you defined Kiuwan as a Service Provider (see image above for ADFS).
IdP configuration: How to configure Kiuwan as Service Provider
The IdP (Identity Provider) must be configured to recognize Kiuwan as an SP (Service Provider).
Any SAML-compliant IdP (Active Directory FS, Azure AD, CA Single Sign-On, etc) follows its configuration method, although the steps are similar.
We provide a detailed example of how to configure Active Directory Federation Services (ADFS). For other IdPs please refer to your sysadmins or product documentation.
Active Directory Federation Services (ADFS) configuration
- Open ADFS’s Add Relying Party Trust wizard
- Select Claims aware and click Start.
-
Then, ADFS will ask you about Kiuwan’s identity metadata.
Ideally, if your ADFS can reach Kiuwan servers, you will select the first option (Import data .. online).
Then you must provide the address that can be found at your Kiuwan website at Account Management > Organization page.
If your ADFS cannot reach the Kiuwan server, upload the XML metadata document by selecting Import data... from a file.
In this case, you must previously download the XML document from the KIuwan URL above. Just paste the URL in a browser that can access the Kiuwan server
- Provide a Display name for Kiuwan (It doesn’t have to be a domain hostname.)
- Choose the Access Control Policy that will govern the access rules of your organization’s users to Kiuwan. Click Next to confirm.
- Review the information from the SP (relying party) and click Next to finish the SP configuration in ADFS.
- Notice that Configure claims issuance policy.. is checked. When checked, you will define how to map/transform your organization’s users to Kiuwan users.
Click Close and Edit Claim Issuance Policy dialog will pop up. - Click Add Rule to open Add Transform Claim Rule Wizard.
-
Select the template rule most adequate for your organization. In the example, we select to map an LDAP attribute.
- You can select whatever LDAP attribute that it’s unique to every user (i.e. the user’s email address) and map that attribute to the Name ID claim type. Do not select any other claim type, Kiuwan will only use Name ID. Kiuwan will store as a username the selected attribute value. Click Finish.
- Click Apply to apply changes.
How to log into Kiuwan in a Web SSO scenario
The first time you log in at Kiuwan in SSO mode, you need to specify the full URL such as:
- sso=on Kiuwan authenticates against the configured IdP
- sso=off Kiuwan authenticates locally, so login page will ask for credentials and will check them against kiuwan database (obviously this process will only work for users that are allowed to log in with kiuwan passwords, see SSO login vs username-passwordlogin)
Most commonly, in an SSO environment, you will access Kiuwan from an existing link in a corporate intranet page, so the Kiuwan URL should be changed to it and you will not need to type the URL manually. Regardless, once you have successfully accessed Kiuwan for the first time, your browser will store the domain ID, so you can just type https://www.kiuwan.com and everything will work.
Then, the Kiuwan SSO Login page will be displayed.
Just click Log In and the SSO-SAML protocol will be activated.
- If you were already successfully authenticated, you will log in to Kiuwan.
- If not, you will be redirected to your organizational authentication page. Once authenticated, you will be redirected to the Kiuwan dashboard.
An alternative method to login to Kiuwan is from your IdP.
If you are using ADF, you will find a URL like this: https://<your_idp_hostname>/adfs/ls/idpInitiatedsignon.htm
Just select the site (the Display Name defined at your IDP). Provide your credentials to be redirected to the Kiuwan dashboard.
Configuring Kiuwan clients for SSO -SAML
After configuring SSO, your web users can immediately log in to the Kiuwan website using the new login URL.
But Kiuwan “clients” (i.e. Kiuwan Local Analyzer, Kiuwan 4 Developers, and any custom program using Kiuwan REST-API) need to be configured to use SSO.
Kiuwan Local Analyzer (KLA): SSO configuration
Kiuwan for Developers (K4D): SSO configuration
K4D needs to be configured with the Domain ID of your account.
Go to your IDE’s Kiuwan configuration, select Connection Properties > Single Sign-On, and enter your Domain ID.
REST-API: SSO configuration
For custom programs using Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) to indicate the Domain ID to pass the BASIC authentication.
For example:
curl -H "X-KW-CORPORATE-DOMAIN-ID: {domain.id}" -u {username}:{password} https://api.kiuwan.com/info
SSO login vs username-password login
When a Kiuwan account is converted to SSO-enabled, by default:
-
All existing users must use the new login URL (see How to login at Kiuwan in a Web SSO scenario )
- Previous URL login (https://www.kiuwan.com/saas/web/login.html) will not work anymore
-
Usernames and permissions are entirely preserved
- Only the authentication mechanism has changed. Usernames, assigned roles, permissions, user groups, etc are maintained.
-
Existing users (not admins) are not allowed to log in to Kiuwan using former Kiuwan password
- They will be authenticated by the configured identity provider (IdP), not by Kiuwan.
Nevertheless, you might want certain users to continue to be authenticated by Kiuwan, i,e, some user might choose to authenticate either by SSO or by Kiuwan.
The Kiuwan admin can enable username/password access through the User Administration page, enabling Login with password enabled to selected users
Users with privilege Login with password enabled can then login to Kiuwan in two ways:
- Authenticated by SSO
- https://www.kiuwan.com/saas/web/login.html?sso=on&domain=<my_domain_id>
- Authenticated by Kiuwan (by password)
- https://www.kiuwan.com/saas/web/login.html?sso=off&domain=<my_domain_id>
Adding new users to an SSO-enabled account
In an SSO-enabled account, when you create a new user, you can decide if that user can access Kiuwan with a password (besides SSO).
Just check the Enable login with password option on the New User page and click on Generate password to let him/her know.