Overview
The Single Sign On capability in QCommission lets users arriving at your support portal log in with their social media login credentials. This saves them the time and effort involved in creating a separate account for your support portal. You can configure QCommission to provide SAML Single Sign On for your users. This way, they do not have to provide separate login credentials for QCommission. The user is authenticated by whichever SAML provider you configure on your side, and user attributes such as the email address are sent back to QCommission.
Security Assertion Markup Language (SAML) is a mechanism for communicating identities between two web applications. It enables web-based Single Sign-On, which eliminates the need to maintain separate credentials for each application and reduces identity theft. A user requests SAML SSO to access a resource that is protected by a service provider. The service provider asks the identity provider to authenticate the user. The identity provider verifies that the user exists and sends back an assertion to the service provider, which may or may not include user information.
The communication between the identity provider and the service provider uses the SAML data format. SAML single sign-on works by transferring the user's identity from one place (the identity provider) to another (the service provider). This is done through an exchange of digitally signed XML documents. Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context. This single sign-on (SSO) login standard has significant advantages over logging in with a username and password:
• No need to type in credentials
• No need to remember and renew passwords
• No weak passwords
Most organizations already know the identity of users because they are logged in to their Active Directory domain or intranet. It makes sense to use this information to log users in to other applications, such as web-based applications, and one of the more elegant ways of doing this is by using SAML. SAML is very powerful and flexible, but the specification can be quite a handful.
How SAML Works
• The user accesses the remote application using a link on an intranet, a bookmark, or similar and the application loads.
• The application identifies the user’s origin (by application subdomain, user IP address, or similar) and redirects the user back to the identity provider, asking for authentication. This is the authentication request.
• The user either has an existing active browser session with the identity provider or establishes one by logging into the identity provider.
• The identity provider builds the authentication response in the form of an XML document containing the user’s username or email address, signs it using an X.509 certificate, and posts this information to the service provider.
• The service provider, which already knows the identity provider and has a certificate fingerprint, retrieves the authentication response and validates it using the certificate fingerprint.
• The identity of the user is established, and the user is provided with app access.
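The service-provider side of the last two steps, as an added illustration that is not QCommission's own code: the SP pins the fingerprint of the identity provider's signing certificate, rejects a response whose embedded certificate, issuer, audience or validity window does not match what was configured, and only then reads the username and email attribute. The identity provider and service provider URLs, the attribute name "Email" and the placeholder certificate bytes are assumptions for the sample; verifying the XML signature itself is left to an XML-DSig library and is assumed to have run before this check.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample response; the certificate bytes are a placeholder, not a real X.509 cert.
FAKE_CERT_DER = b"placeholder-idp-signing-certificate"
PINNED_FP = hashlib.sha256(FAKE_CERT_DER).hexdigest()  # what the SP stores out of band
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}">
  <saml:Assertion><saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://qcommission.example.com/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="Email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def _ts(s):  # parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def cert_fingerprint(b64_cert):
    """SHA-256 fingerprint (hex) of the DER certificate carried in ds:X509Certificate."""
    return hashlib.sha256(base64.b64decode(b64_cert)).hexdigest()

def check_response(xml_text, expected_issuer, expected_audience, pinned_fp, now_iso):
    """Return (ok, reason, attrs). Run only after an XML-DSig library has verified the signature."""
    a = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if a is None:
        return False, "no assertion", {}
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        return False, "unexpected issuer", {}
    cert = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if cert is None or cert_fingerprint(cert.strip()) != pinned_fp:
        return False, "certificate fingerprint mismatch", {}  # not the IdP we configured
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter"))):
        return False, "assertion outside validity window", {}  # replayed or stale
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch", {}  # assertion was issued for another SP
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    attrs["NameID"] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", attrs
```

The same checks apply whichever identity provider you configure; only the pinned fingerprint, issuer and audience values change.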
Architecture of SSO in QCommission
Credential Collector: A system object that collects user credentials to authenticate with the associated Authentication Authority, Attribute Authority, and Policy Decision Point.
Authentication Authority: A system entity that produces authentication assertions.
Session Authority: A system entity (for example, identity provider) that plays the role of maintaining the state related to the session.
Attribute Authority: A system entity that produces attribute assertions.
Attribute Repository: A repository where attribute assertions are stored.
Policy Repository (or Policy): A repository where policies are stored.
Policy Decision Point: A system entity that makes authorization decisions for itself or for other system entities that request authorization.
Policy Enforcement Point: A system entity that enforces the security policy of granting or revoking the access of resources to the service requester.
Policy Administration Point: A system entity where policies (for example, access control rules about a resource) are defined and maintained.