...
Establishing connection
Antavo’s single sign-on (SSO) solution is implemented through the communication of three different servers.
...
The following is an example of metadata for a SAML 2.0 system entity acting as a service provider. This XML can be exported from the IdP side; send it to Antavo's administrator, who will import it into the Keycloak server for you.
```xml
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="loadbalancer-3.example.com">
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
MIICZDCCAg6gAwIBAgICBr8wDQYJKoZIhvcNAQEEBQAwgZIxCzAJBgNVBAYTAlVTMRMwEQYDVQQI
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNzAzMDcyMTUwMDVaFw0xMDEyMDEyMTUwMDVaMDsxFDASBgNVBAoTC2V4
YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG
9w0BAQEFAAOBjQAwgYkCgYEAlOhN9HddLMpE3kCjkPSOFpCkDxTNuhMhcgBkYmSEF/iJcQsLX/ga
pO+W1SIpwqfsjzR5ZvEdtc/8hGumRHqcX3r6XrU0dESM6MW5AbNNJsBnwIV6xZ5QozB4wL4zREhw
zwwYejDVQ/x+8NRESI3ym17tDLEuAKyQBueubgjfic0CAwEAAaNgMF4wEQYJYIZIAYb4QgEBBAQD
AgZAMA4GA1UdDwEB/wQEAwIE8DAfBgNVHSMEGDAWgBQ7oCE35Uwn7FsjS01w5e3DA1CrrjAYBgNV
HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAGhJhep7X2hqWJWQoXFcdU7eQ
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="encryption">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
EwpDYWxpZm9ybmlhMRQwEgYDVQQHEwtTYW50YSBDbGFyYTEeMBwGA1UEChMVU3VuIE1pY3Jvc3lz
dGVtcyBJbmMuMRowGAYDVQQLExFJZGVudGl0eSBTZXJ2aWNlczEcMBoGA1UEAxMTQ2VydGlmaWNh
dGUgTWFuYWdlcjAeFw0wNzAzMDcyMjAxMTVaFw0xMDEyMDEyMjAxMTVaMDsxFDASBgNVBAoTC2V4
YW1wbGUuY29tMSMwIQYDVQQDExpMb2FkQmFsYW5jZXItMy5leGFtcGxlLmNvbTCBnzANBgkqhkiG
HREEETAPgQ1tYWxsYUBzdW4uY29tMA0GCSqGSIb3DQEBBAUAA0EAEgbmnOz2Rvpj9bludb9lEeVa
OA46zRiyt4BPlbgIaFyG6P7GWSddMi/14EimQjjDbr4ZfvlEdPJmimHExZY3KQ==
          </X509Certificate>
        </X509Data>
      </KeyInfo>
      <!-- the EncryptionMethod element is truncated in this excerpt -->
    </KeyDescriptor>
    <!-- Binding and Location attributes of the next three services are truncated in this excerpt -->
    <ArtifactResolutionService index="0" isDefault="1"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        ResponseLocation="https://LoadBalancer-3.example.com:9443/amserver/IDPMniRedirect/metaAlias/idp"/>
    <ManageNameIDService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://LoadBalancer-3.example.com:9443/amserver/IDPMniSoap/metaAlias/idp"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://LoadBalancer-3.example.com:9443/amserver/SSORedirect/metaAlias/idp"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
        Location="https://LoadBalancer-3.example.com:9443/amserver/SSOSoap/metaAlias/idp"/>
  </IDPSSODescriptor>
</EntityDescriptor>
```
Chapter 2 of the SAML 2.0 metadata specification describes these elements in detail.
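Before handing a metadata file of this shape to Antavo, it is worth confirming that it is actually identity-provider metadata, carries a usable signing certificate, and exposes its endpoints over TLS only. The following stdlib-only script is an added example written for this page, not Antavo's or Keycloak's own tooling; its sample document is constructed and its certificate is a placeholder.

```python
"""Pre-flight check of SAML 2.0 IdP metadata before sending it to Antavo (stdlib only):
entityID present, IdP descriptor present, signing certs are base64 DER, endpoints use https."""
import base64, binascii
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
def check_idp_metadata(xml_text: str) -> dict:
    findings = []  # policy problems are collected, not raised
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    if not entity_id:
        findings.append("entityID attribute missing on EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        findings.append("no IDPSSODescriptor: not identity-provider metadata")
        return {"entity_id": entity_id, "findings": findings, "ok": False}
    if idp.get("WantAuthnRequestsSigned", "false").lower() != "true":
        findings.append("WantAuthnRequestsSigned is not true: IdP accepts unsigned AuthnRequests")
    signing_certs = 0
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use", "signing") != "signing":  # absent 'use' means signing and encryption
            continue
        for cert in kd.iter(DS + "X509Certificate"):
            raw = "".join((cert.text or "").split())  # base64 is usually wrapped over lines
            try:
                der = base64.b64decode(raw, validate=True)
            except binascii.Error:
                der = b""
            if der.startswith(b"\x30"):  # a DER Certificate is an ASN.1 SEQUENCE
                signing_certs += 1
            else:
                findings.append("signing X509Certificate is not base64-encoded DER")
    if signing_certs == 0:
        findings.append("no usable signing certificate: assertion signatures cannot be verified")
    for ep in idp:  # every service endpoint must be reachable over TLS
        loc = ep.get("Location")
        if loc is not None and urlparse(loc).scheme != "https":
            findings.append(f"{ep.tag.replace(MD, '')} Location is not https: {loc}")
    return {"entity_id": entity_id, "findings": findings, "ok": not findings}

# Constructed sample shaped like the page's example; FAKE_CERT is a placeholder DER prefix, not a real cert.
FAKE_CERT = base64.b64encode(b"\x30\x82\x00\x14" + b"\x00" * 20).decode()
SAMPLE = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="idp.example.com">
 <IDPSSODescriptor WantAuthnRequestsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
   <X509Certificate>{FAKE_CERT}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso"/>
 </IDPSSODescriptor></EntityDescriptor>"""
```

Run it against the page's own example and it will flag `WantAuthnRequestsSigned="false"`, which is something to raise with the IdP owner before import.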
...
Configuring the SSO module
The next step is to establish the connection between the Antavo platform and the Keycloak server.
The platform and Keycloak are connected through the configuration of the SSO module in the Backoffice. Find the configuration page of the SSO module by clicking the icon in the sidebar and typing 'SSO' or 'Single Sign-On' into the search bar of the Modules menu.
...
The following use case illustrates setting up the SSO provider on a demonstration account; this is configured by the Antavo administrators. The page provides the interface to set up the connection with the following fields:
URL
Realm
Client ID: platform
Client secret: generated during the Keycloak configuration
Federation field: default value is uid
Scopes: openid profile email
Info: Please contact the Antavo Service Desk before you start configuring the module or want to make changes to the settings.
...
...
Setting up SSO login for Backoffice users
The SSO Source and SSO ID of Backoffice users have to be added on the user editor interface to enable SSO login. Please note that SSO login is enforced for all users by default, meaning users can log in to the Backoffice only through SSO unless you turn off this restriction.
Please find instructions on the configuration of these settings here and here.