For other versions, refer to Related Articles.
The following information is intended for a technical audience. It can be used to assist your organisation’s technical representatives with an understanding of how to set up your organisation’s single sign-on via SAML 2.0.
The PageUp web application
PageUp is an integrated talent management web based application hosted by PageUp.
SAML 2.0 background information
Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based open standard for exchanging authentication and authorization data between security domains, that is, between an identity provider (your organisation) and a service provider (PageUp). SAML 2.0 is a product of the OASIS Security Services Technical Committee.
Identity provider servers, hosted by your organisation, can use a variety of mechanisms to authenticate users (ADFS, SQL Server, etc.).
For more information about SAML 2.0 please consult the following recommended resources:
- https://www.oasis-open.org/standards#samlv2.0
- https://en.wikipedia.org/wiki/SAML_2.0
- https://support.google.com/a/answer/60224?hl=en
Single sign-on integrations via SAML 2.0
When a user clicks on a link to the PageUp web application:
- They'll be redirected to the relevant identity provider server via the HTTP Redirect Binding.
- They'll then be authenticated by the identity provider server.
- They're redirected back to PageUp via the HTTP POST Binding.
Note: This response must be signed so that PageUp can verify that it is authentic (see Signing and Encryption below). PageUp identifies your organisation from the thumbprint of the certificate used to sign the response.
- PageUp then looks up the NameID value in the PageUp application, matching it as the username (Provider.sBadgeID) of an existing provider.
Your organisation’s details
Before single sign-on can occur, your organisation will need to provide PageUp with your SSO IdP's (Identity Provider) Metadata file/URL.
PageUp SAML 2.0 end point
The SAML end point will vary depending on the PageUp data centre being used.
Redacted
PageUp public key
A Base64-encoded version of the PageUp public key is provided here; please download this version.
You will need to rename the extension of the downloaded file from *.TXT to *.CER.
PageUp Metadata
For those Identity providers which may accept Metadata, the PageUp metadata may be accessed below.
The Metadata file will include the following:
- X509Certificate (certificate details)
- validUntil (expiry date)
- protocolSupportEnumeration (protocol)
- entityID
- AssertionConsumerService (assertion endpoints)
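The fields listed above are attributes and elements of a standard SAML 2.0 EntityDescriptor, so an identity provider that does not import metadata automatically can still read them with an ordinary XML parser. The following is an added example (not PageUp's code, and not the real PageUp metadata): it parses a constructed service-provider metadata document with Python's standard library, computes the certificate thumbprint that ADFS-style consoles display, and checks validUntil so an operator knows when to fetch a fresh copy. The entity ID, URLs and SAMPLE_CERT_DER are placeholders.

```python
"""Parse a SAML 2.0 service-provider metadata document with the standard library only
and pull out the fields the article lists (X509Certificate, validUntil,
protocolSupportEnumeration, entityID, AssertionConsumerService).
Everything below is constructed for this example: the entity IDs and URLs are
fictitious and SAMPLE_CERT_DER is a placeholder byte string, not a real certificate."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from typing import Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholder standing in for DER-encoded certificate bytes.
SAMPLE_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# Constructed metadata document; the shape follows the SAML metadata schema.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://sp.example.invalid/saml" validUntil="2030-01-01T00:00:00Z">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>%s</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sp.example.invalid/saml/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(SAMPLE_CERT_DER).decode("ascii")


def sha1_thumbprint(der: bytes) -> str:
    """Thumbprint in the form ADFS displays it: SHA-1 over the DER bytes, upper-case hex."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_metadata(xml_text: str) -> dict:
    """Return the listed fields as a plain dict; raise on anything that is not SP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not an EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM line breaks
            # A KeyDescriptor without 'use' is valid for both signing and encryption.
            certs.append({"use": kd.get("use", "signing encryption"),
                          "thumbprint": sha1_thumbprint(der)})
    acs = [
        {"index": int(a.get("index", "0")), "default": a.get("isDefault") == "true",
         "binding": a.get("Binding"), "location": a.get("Location")}
        for a in sp.findall("md:AssertionConsumerService", NS)
    ]
    return {
        "entityID": root.get("entityID"),
        "validUntil": root.get("validUntil"),
        "protocols": (sp.get("protocolSupportEnumeration") or "").split(),
        "certificates": certs,
        "acs": acs,
    }


def is_still_valid(meta: dict, now_iso: Optional[str] = None) -> bool:
    """validUntil is the cue to fetch fresh metadata; a missing attribute states no expiry."""
    if meta["validUntil"] is None:
        return True
    expiry = datetime.fromisoformat(meta["validUntil"].replace("Z", "+00:00"))
    now = (datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso
           else datetime.now(timezone.utc))
    return now < expiry


if __name__ == "__main__":
    meta = parse_metadata(SAMPLE_METADATA)
    print(meta["entityID"], meta["acs"][0]["location"], meta["certificates"][0]["thumbprint"])
    print("metadata current:", is_still_valid(meta))
```

Note that the thumbprint is computed over the decoded DER bytes, not over the Base64 text; hashing the text as it appears in the file gives a different value and will not match what a certificate console shows.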
Redacted
Redacted
Redacted
Signing and Encryption
The SAML response sent to PageUp must be signed using the signing certificate supplied to PageUp during the configuration of the SSO functionality.
Optionally, the "Assertion" within the SAML response can be signed. If the assertion is signed, it should be signed using the same signing certificate used to sign the overall response.
In both cases, the signature should utilize the SHA-1, SHA256 or SHA512 hash algorithm.
Encryption of the assertion is supported as of September 2015.
SAML SSO Overview
PageUp supports two workflows for single sign on using SAML 2.0.
- Service Provider (SP) initiated workflow
- Identity Provider (IDP) initiated workflow
Most clients choose the Service Provider initiated workflow, as it allows more flexibility for linking to various parts of the PageUp system without requiring SAML changes on the client side.
Service provider initiated workflow
The following process explains how a user logs into the PageUp application using Service Provider (SP) initiated workflow.
More information on the above steps:
- The user attempts to reach the PageUp web application.
- PageUp generates a SAML authentication request. The SAML request is encoded and embedded into the URL for your organisation’s SSO service.
- PageUp sends a redirect to the user's browser. The redirect URL includes the encoded SAML authentication request that should be submitted to your organisation’s SSO service. The URL will be the address of your organisation’s ADFS server.
- Your organisation's SSO service decodes the SAML request and extracts the URL for PageUp's Auth Server before authenticating the user. You may elect to authenticate users either by asking for valid login credentials or by checking for valid session cookies.
- Your organisation generates a SAML response containing the authenticated user's username. In accordance with the SAML 2.0 specification, this response is digitally signed with your organisation's DSA/RSA key pair: the private key produces the signature, and the corresponding public key (the certificate supplied to PageUp) is what PageUp uses to verify it.
Note: The hash algorithm used for the signature is SHA-1, SHA256 or SHA512.
- Your organisation uses PageUp's public key to generate a signed SSO token and returns that information to the user's browser along with that user's unique identifier.
Note: This may be the Employee number or login ID.
Your organisation provides a mechanism so that the browser can forward that information to PageUp's Auth Server.
For example, you could embed the SAML response and destination URL in a form and provide a button that the user clicks to submit the form to PageUp, or include JavaScript on the page that submits the form to PageUp automatically.
- PageUp's Auth Server verifies the SAML response using your organisation's public key. If the response is successfully verified, PageUp's Auth Server redirects the user to the destination URL.
- The user is logged in to the PageUp web application.
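Steps 2 to 4 above are the SAML 2.0 HTTP-Redirect Binding: the AuthnRequest is DEFLATE-compressed, Base64-encoded and placed in the SAMLRequest query parameter of the redirect URL, and the identity provider reverses that to read the request. The following is an added example, not PageUp's code: it builds and encodes a minimal AuthnRequest on the service-provider side and decodes it on the identity-provider side with Python's standard library. The entity IDs and URLs are constructed placeholders. Because a redirect-bound request carries no signature unless SigAlg and Signature parameters accompany it, the decoder only honours an AssertionConsumerServiceURL that appears in the service provider's registered metadata; that check is the example's own addition and is not something the article describes.

```python
"""SP-initiated workflow, steps 2-4 of the list above, with the standard library only.
build_authn_request / encode_redirect are the service-provider side (what the SP does
when it redirects the browser); decode_redirect is what the organisation's IdP does when
it unpacks the request and extracts the URL the response must be posted back to.
All entity IDs, URLs and request IDs are constructed for this example."""
import base64
import secrets
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed values standing in for a real SP and IdP.
SP_ENTITY_ID = "https://sp.example.invalid/saml"
SP_ACS_URL = "https://sp.example.invalid/saml/acs"
IDP_SSO_URL = "https://idp.example-org.invalid/adfs/ls/"


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Minimal AuthnRequest. The ID is random so the SP can later match InResponseTo."""
    request_id = request_id or "_" + secrets.token_hex(16)
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp_sso_url}" ProtocolBinding="{HTTP_POST}" '
        f'AssertionConsumerServiceURL="{acs_url}">'
        f"<saml:Issuer>{sp_entity_id}</saml:Issuer></samlp:AuthnRequest>"
    )
    return request_id, xml


def encode_redirect(xml, idp_sso_url, relay_state=None):
    """HTTP-Redirect Binding: raw DEFLATE (no zlib header, hence wbits=-15), Base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(xml.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state is not None:
        params["RelayState"] = relay_state  # opaque to the IdP; echoed back with the response
    return idp_sso_url + ("&" if "?" in idp_sso_url else "?") + urlencode(params)


def decode_redirect(url, registered_acs_urls):
    """IdP side. The request is unsigned in this binding unless SigAlg/Signature are present,
    so the ACS URL is only honoured if it matches the SP's registered metadata."""
    qs = parse_qs(urlsplit(url).query)
    xml = zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != "{%s}AuthnRequest" % SAMLP:
        raise ValueError("not an AuthnRequest")
    acs_url = root.get("AssertionConsumerServiceURL")
    if acs_url not in registered_acs_urls:
        raise ValueError("AssertionConsumerServiceURL is not registered for this SP")
    issuer = root.find("{%s}Issuer" % SAML)
    return {
        "id": root.get("ID"),
        "issuer": issuer.text if issuer is not None else None,
        "acs_url": acs_url,
        "destination": root.get("Destination"),
        "relay_state": qs.get("RelayState", [None])[0],
    }


if __name__ == "__main__":
    req_id, xml = build_authn_request(SP_ENTITY_ID, SP_ACS_URL, IDP_SSO_URL)
    url = encode_redirect(xml, IDP_SSO_URL, relay_state="/jobs/123")
    print(url)
    print(decode_redirect(url, {SP_ACS_URL}))
```

The service provider keeps the generated request ID until the response comes back; the InResponseTo attribute of the response is matched against it, which is what ties a posted response to a login the service provider actually started.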
Identity provider initiated workflow
The following process explains how a user logs into the PageUp application using the Identity Provider (IDP) initiated workflow.
More information on the above steps:
- While logged into your company's identity provider (IDP), a user clicks a link to access PageUp.
- Your organisation's IDP verifies the user's identity.
- Your organisation generates a SAML response containing the authenticated user's User ID.
Note: This may be the Employee number or login ID.
In accordance with the SAML 2.0 specification, this response is digitally signed with your organisation's DSA/RSA key pair (the private key signs; the corresponding public key is what PageUp verifies with). Your IDP sends the SAML response, along with a PageUp-provided RelayState value, to the user's browser.
- The browser posts the SAML form to PageUp's Auth Server.
- PageUp's Auth Server verifies the SAML response using your organisation's public key. If the response is successfully verified, PageUp's Auth Server redirects the user to the destination URL and the user is logged in to the PageUp web application.
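Both workflows end the same way: the browser posts a signed SAML response, the service provider identifies the organisation from the thumbprint of the signing certificate, verifies the signature with the registered public key, and matches the NameID to an existing provider record. The following is an added example of that receiving side, written here for illustration and not PageUp's code. It decodes the SAMLResponse form field (the HTTP-POST Binding uses plain Base64, no DEFLATE), maps the certificate thumbprint to a registered organisation, and then applies the checks a service provider should make before trusting the assertion: Success status, Destination, InResponseTo (absent in the IdP-initiated workflow, so only checked when present), NotBefore/NotOnOrAfter, Audience, and assertion-ID replay. The XML-DSig verification itself needs canonicalisation and RSA/DSA and is delegated to a caller-supplied verify_signature(xml, der_cert) callable, which in practice would wrap a library such as signxml or python3-saml; the rest uses only the standard library. The sample response, its URLs, the NameID E12345, the provider table and SAMPLE_CERT_DER are all constructed, and the ds:Signature element is cut down to the KeyInfo this code reads.

```python
"""Receiving-side checks for a posted SAML response, for both workflows above.
The cryptographic XML-DSig check is delegated to verify_signature(xml, der_cert) -> bool
(for example wrapping signxml or python3-saml); everything else is standard library.
All identifiers, URLs, the NameID and SAMPLE_CERT_DER are constructed for this example."""
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAMPLE_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"  # constructed, not a real certificate

# Constructed response; ds:Signature is reduced to the KeyInfo this code reads.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_resp1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z" InResponseTo="_req1"
  Destination="https://sp.example.invalid/saml/acs">
  <saml:Issuer>https://idp.example-org.invalid/adfs/services/trust</saml:Issuer>
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>https://idp.example-org.invalid/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>E12345</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>""" % base64.b64encode(SAMPLE_CERT_DER).decode("ascii")
# The SAMLResponse form field: HTTP-POST Binding is Base64 only, no DEFLATE.
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode("utf-8")).decode("ascii")


def sha1_thumbprint(der):
    return hashlib.sha1(der).hexdigest().upper()


def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(saml_response_b64, *, sp_entity_id, acs_url, now_iso, registered_orgs,
                      providers, verify_signature, outstanding_request_ids, seen_assertion_ids):
    """Return {organisation, name_id, provider} or raise ValueError naming the failed check."""
    xml = base64.b64decode(saml_response_b64).decode("utf-8")
    root = ET.fromstring(xml)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("not a samlp:Response")
    cert_el = root.find("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert_el is None:
        raise ValueError("response is not signed")
    der = base64.b64decode("".join(cert_el.text.split()))
    org = registered_orgs.get(sha1_thumbprint(der))  # thumbprint identifies the organisation
    if org is None:
        raise ValueError("signing certificate thumbprint is not registered")
    if not verify_signature(xml, der):  # cryptographic check, delegated to the XML-DSig library
        raise ValueError("signature verification failed")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("status is not Success")
    if root.get("Destination") != acs_url:
        raise ValueError("Destination does not match this endpoint")
    in_response_to = root.get("InResponseTo")  # absent in the IdP-initiated workflow
    if in_response_to is not None and in_response_to not in outstanding_request_ids:
        raise ValueError("InResponseTo does not match an outstanding request")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (an EncryptedAssertion must be decrypted first)")
    if assertion.get("ID") in seen_assertion_ids:
        raise ValueError("assertion replayed")
    now = _ts(now_iso)
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            raise ValueError("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            raise ValueError("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audiences and sp_entity_id not in audiences:
            raise ValueError("assertion is not addressed to this service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("no NameID in assertion")
    provider = providers.get(name_id.text)  # username match (Provider.sBadgeID in PageUp terms)
    if provider is None:
        raise ValueError("no provider record with this username")
    seen_assertion_ids.add(assertion.get("ID"))
    if in_response_to is not None:
        outstanding_request_ids.discard(in_response_to)
    return {"organisation": org, "name_id": name_id.text, "provider": provider}
```

The ordering matters: the organisation is looked up from the thumbprint before the signature is checked because the thumbprint selects which registered public key the verifier must use, and the NameID is only consulted after every response-level and assertion-level check has passed. The verify_signature callable is also the natural place to reject any hash algorithm an organisation's policy no longer accepts.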
Note: In line with current best practices around Federated Identity, PageUp doesn't support Federated Logout at this time. When the user clicks the logout button within the PageUp application, they are directed to a web page that confirms they have logged out of the PageUp application and advises them to close their browser window to ensure that all application access ends.
Redacted
Redacted