{"id":1872,"date":"2019-03-21T09:49:23","date_gmt":"2019-03-21T08:49:23","guid":{"rendered":"https:\/\/help.cirrus-shield.com\/docs\/developer-guide\/sso-single-sign-on\/"},"modified":"2022-01-10T19:33:19","modified_gmt":"2022-01-10T18:33:19","slug":"sso-single-sign-on","status":"publish","type":"docs","link":"https:\/\/help.cirrus-shield.com\/en\/docs\/developer-guide\/sso-single-sign-on\/","title":{"rendered":"SSO Single Sign on"},"content":{"rendered":"<section class=\"fw-main-row \">\n<div class=\"fw-container\">\n<div class=\"fw-row\">\n<div class=\"fw-col-xs-12\">\n<p>Cirrus Shield will allow the user to add many SSO configurations per organization. For now we will use one SSO configuration per organization.<\/p>\n<p>The user can log in to Cirrus Shield using SAML authentication.<\/p>\n<p>Each SSO configuration is a record of the SSO standard object.<\/p>\n<p>&nbsp;<\/p>\n<p><strong><span style=\"color: #ff9900\">SSO Standard Object:<\/span><\/strong><\/p>\n<ul>\n<li>This standard object will contain the following fields:\n<ul>\n<li><strong>Name<\/strong>: Name of the SSO configuration<\/li>\n<li><strong>Certificate File<\/strong>: the name of the certificate taken from the service provider\n<ul>\n<li>The <strong>SAML certificate<\/strong> is a standard X.509 <strong>certificate<\/strong> in a Java keystore. It can be created using many different tools.<\/li>\n<\/ul>\n<\/li>\n<li><strong>Assertion Consumer Service URL<\/strong>: The URL at which the SAML assertion should be received. <em><u>ex:<\/u><\/em> <a href=\"http:\/\/www.cirrus-shield.net\/acs.aspx\">http:\/\/www.cirrus-shield.net\/acs.aspx<\/a><\/li>\n<li><strong>SP Issuer\/Entity ID<\/strong>: a URI given by the Service Provider (SP) that uniquely identifies it. It is recommended that the URI is a URL that contains the domain name of the entity. Some identity providers might need this to establish the identity of the service provider requesting the login. 
<em><u>ex:<\/u><\/em> saml-CirrusShield<\/li>\n<li><strong>IdP Issuer\/Entity ID<\/strong>: The URL to which the authentication request should be sent. This would be on the identity provider. <em><u>ex:<\/u><\/em> <a href=\"https:\/\/identity-infovista-sas.cs89.force.com\/customers\/idp\/endpoint\/HttpRedirect\">https:\/\/identity-infovista-sas.cs89.force.com\/customers\/idp\/endpoint\/HttpRedirect<\/a><\/li>\n<li><strong>Organization GUID<\/strong>: The organization ID<\/li>\n<li><strong>Single Sign-On Service URL<\/strong>: (provided by IdP) this is the IdP-initiated login URL.<\/li>\n<li><strong>Single Logout Service URL<\/strong>: (provided by IdP) this is the URL that the user will be redirected to after logout from Cirrus Shield.<\/li>\n<li><strong>Name ID Format<\/strong>: Defines the name identifier formats supported by the identity provider. Name identifiers are a way for providers to communicate with each other regarding a user. <em><u>Ex:<\/u><\/em> urn:oasis:names:tc:SAML:2.0:nameid-format:persistent<\/li>\n<li><strong>Update Existing User&#8217;s Attributes<\/strong>: (yes\/no)<\/li>\n<li><strong>Allow To Create New User<\/strong>: (yes\/no)<\/li>\n<li><strong>Profile<\/strong>: it\u2019s a picklist that displays the available profiles in the organization (if Auto create users is checked, this picklist is enabled; otherwise it\u2019s hidden).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff9900\"><strong>SSO Mapping Field Standard Object:<\/strong><\/span><\/p>\n<ul>\n<li>This standard object will contain the following fields:\n<ul>\n<li><strong>Name<\/strong>: the name of the Mapping field<\/li>\n<li><strong>Cirrus Shield Field<\/strong>: it\u2019s a picklist that displays all the \u201cUser\u201d object fields, excluding all the fields of type \u201cPassword\u201d.<\/li>\n<li><strong>Third Party Field<\/strong>: it\u2019s the field name in the external system.<\/li>\n<li><strong>Matching 
field: <\/strong>(yes\/no). It can be either the \u201cUsername\u201d field or a field that is unique, required and set as External ID. Once the \u201cUsername\u201d field is selected, the \u201cMatching Field\u201d is checked.\n<ul>\n<li>We can have only one matching field.<\/li>\n<li>An error message is displayed if we try to set a second matching field: &#8220;Another field is already defined as the matching field for this SSO configuration, please uncheck the &#8220;Matching Field&#8221; checkbox on the other field before enabling this field as the matching field.&#8221;<\/li>\n<li>If we try to set a field as the matching field and it\u2019s not set as unique, required and External ID, an error message is displayed: &#8220;This field cannot be a &#8220;Matching Field&#8221; because it is not set as External ID, Unique and Required.&#8221;<\/li>\n<li>If we try to map a field that is already mapped, an error message is displayed: &#8220;This field is already mapped.&#8221;<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n<p><strong><span style=\"color: #ff9900\">SAML AUTHENTICATION FLOW:<\/span><\/strong><\/p>\n<p>Once we have a <strong>SAML Assertion Response<\/strong>, we follow the SAML process as follows:<\/p>\n<ul>\n<li>If the username in the SAML response is not logged in to Cirrus Shield, the system does the following:\n<ol>\n<li>Get the related organization GUID of the user<\/li>\n<li>Get the corresponding SSO configuration (for now, we have only 1 per organization)<\/li>\n<li>If there is no SSO configuration, the user is redirected to the Cirrus Shield login page and an error message is displayed:\n<ol>\n<li>Error message: &#8220;There is no SSO Configuration in this User&#8217;s Organization.&#8221;<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<ul>\n<li>Cirrus Shield checks whether the response is SAML authenticated\n<ol>\n<li>If yes, the user is logged in to Cirrus Shield<\/li>\n<li>The user info is updated based on the SAML Assertion Response 
attributes if the following conditions are met:\n<ol>\n<li>The \u201c<strong>Update Existing User&#8217;s Attributes<\/strong>\u201d checkbox is checked<\/li>\n<li>There is a field set as the matching field (it is used to find the user to update)<\/li>\n<li>There are mapping fields (only the mapped fields are updated)<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<ol>\n<li>If the user doesn\u2019t exist in Cirrus Shield (based on the \u201c<strong>Username<\/strong>\u201d), it is created if the \u201c<strong>Allow To Create New User<\/strong>\u201d checkbox is checked (same as Joomla)\n<ol>\n<li>The newly created user gets the profile selected in the SSO configuration.<\/li>\n<\/ol>\n<\/li>\n<li>If the user doesn\u2019t exist in Cirrus Shield and the \u201c<strong>Allow To Create New User<\/strong>\u201d checkbox is unchecked, the user is redirected to the Cirrus Shield login page and an error message is displayed.\n<ol>\n<li>Error message: &#8220;The LoggedIn User does not exist in Cirrus Shield.&#8221;<\/li>\n<\/ol>\n<\/li>\n<\/ol>\n<ul>\n<li>If the SAML response is not authenticated, the user is redirected to the Cirrus Shield login page and an error message is displayed.\n<ol>\n<li>Error message: &#8220;SSO is failed! 
Certificate is invalid.&#8221;<\/li>\n<\/ol>\n<\/li>\n<\/ul>\n<p><span style=\"color: #000000\">If there is no <strong>SAML Assertion Response<\/strong>, then the Cirrus Shield login page is displayed, and the user follows the normal login steps.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/help.cirrus-shield.com\/wp-content\/uploads\/2019\/03\/SSO1-823x518.png\" alt=\"https:\/\/help.cirrus-shield.com\/wp-content\/uploads\/2019\/03\/SSO1-823x518.png\" width=\"823\" height=\"518\" \/><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/help.cirrus-shield.com\/wp-content\/uploads\/2019\/03\/SSO2-804x346.png\" alt=\"https:\/\/help.cirrus-shield.com\/wp-content\/uploads\/2019\/03\/SSO2-804x346.png\" width=\"804\" height=\"346\" \/><\/div>\n<\/div><\/div>\n<\/section>\n","protected":false},"author":12,"featured_media":0,"parent":943,"menu_order":3,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_et_pb_use_builder":"","_et_pb_old_content":"","_et_gb_content_width":"","_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"footnotes":""},"doc_tag":[],"class_list":["post-1872","docs","type-docs","status-publish","hentry"],"comment_count":0,"_links":{"self":[{"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs\/1872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs"}],"about":[{"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/types\/docs"}],"author":[{"embeddable":true,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/users\/12"}],"replies":[{"embeddable":true,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/comments?post=1872"}],"version-history":[{"count":5,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs\/1872\/revisions"}],"predece
ssor-version":[{"id":2056,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs\/1872\/revisions\/2056"}],"up":[{"embeddable":true,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs\/943"}],"prev":[{"title":"Data Manager","link":"https:\/\/help.cirrus-shield.com\/en\/docs\/developer-guide\/data-manager\/","href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/docs\/1144"}],"wp:attachment":[{"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/media?parent=1872"}],"wp:term":[{"taxonomy":"doc_tag","embeddable":true,"href":"https:\/\/help.cirrus-shield.com\/en\/wp-json\/wp\/v2\/doc_tag?post=1872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}