Cloudmore Single Sign-On
by Niklas Högset, on Apr 10, 2019 1:30:29 PM
Why do this...
Single sign-on (SSO) is a centralized session and user authentication service in which one set of login credentials can be used to access multiple applications. SSO can be great for productivity, IT monitoring and management, and security control. Using one set of credentials (for example a username and password pair), user access can be enabled and disabled for multiple systems, platforms, apps and other resources. This reduces the risk of lost, forgotten or weak passwords.
SSO can be started from the Cloudmore login page, or it can be triggered from another page or system so that the login page is bypassed entirely.
The Cloudmore platform supports Single Sign-On (SSO) using the SAML 2.0 protocol, allowing Cloud Broker administrators to log into Cloudmore by authenticating against their own Identity Provider. Once authenticated there, the user does not need to re-enter credentials to log into Cloudmore.
Configuration for Cloud Service Brokers
Please follow these steps to set up SSO:
1. The Cloud Broker needs to have an Identity Provider (IdP) system working to support the SAML 2.0 protocol.
2. The Cloud Broker can then input their IdP system’s metadata in Cloudmore.
3. Cloudmore will provide the Cloud Broker with ‘Service Provider’ metadata to input in the IdP system.
4. The SSO feature needs to be enabled in the Cloudmore Security Center.
4.1 ‘Enable SAML SSO’.
4.2 Enter the Identity Provider's EntityID (the identifier from its SAML metadata, usually a URL) in the ‘Identity Provider EntityID’ field. Cloudmore uses it to select the IdP that users are redirected to for authentication.
5. To use SSO, administrators must have an existing user account in Cloudmore. This account is used to match the federated user with a Cloudmore account that will also determine user access and rights within Cloudmore. No accounts are created automatically during login for security reasons.
6. The federated user is matched to a Cloudmore account through the “mail” attribute. This attribute must be unique per user and must be included in the SAML authentication response (assertion) sent by the IdP; if it is missing, the login cannot be matched to an account and fails.
7. For example, if the user in the customer’s system has a username (or email) such as firstname.lastname@example.org, then the user created in the reseller/admin.aspx page must have the same address, or be easily identified as related/connected. See below.
8. Once the configuration is complete, a user can initiate the SSO authentication on their login page using the ‘Single Sign-On (SSO)’ option.
If the Cloud Broker admin wants to automate the login process from a different system, they can specify the IdP to be used in the URL. Adding an ‘idp’ parameter that points to the IdP's EntityID makes Cloudmore generate the SAML authentication request and redirect the browser to that IdP automatically.
Example URL: https://www.company.com/default.aspx?idp=https://idp.unitedid.org/shibboleth
By using this method, the user bypasses the normal login page and, if already authenticated at the IdP, is signed into Cloudmore without re-entering credentials. The ‘idp’ value must match the Identity Provider EntityID configured in the Security Center; a value that does not correspond to a configured IdP should not result in a redirect.
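The following is an added example, not Cloudmore's code, showing the Service Provider side of steps 5 to 7 and of the ‘idp’ parameter above: it pulls the “mail” attribute out of a SAML 2.0 Response, matches it against a table of pre-existing accounts without ever creating one, rejects responses where “mail” is missing, empty or multi-valued, and only builds the ‘idp’ login URL for an IdP that is actually configured. The account table, the trusted-IdP set, the sample Response and the lowercase normalisation of addresses are all assumptions made for the example; signature, audience and validity-window checks are assumed to have been done by the SAML library before this code runs.

```python
"""Added example (not Cloudmore's code): account matching and IdP
selection on the Service Provider side after a SAML Response has been
cryptographically verified."""
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlencode

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}

# Constructed stand-in for the SP's existing user table (step 5):
# a federated login is accepted only if an account already exists.
EXISTING_ACCOUNTS = {
    "firstname.lastname@example.org": {"role": "broker-admin"},
    "ops@example.org": {"role": "read-only"},
}

# Constructed: EntityIDs of the IdPs the SP holds metadata for. Only
# these may be targeted through the ?idp= parameter (assumption).
TRUSTED_IDPS = {"https://idp.unitedid.org/shibboleth"}


def mail_attribute(response_xml: str) -> Optional[str]:
    """Return the single 'mail' attribute value from a SAML Response.

    Assumes signature, audience and validity window were already verified.
    Returns None when 'mail' is absent, empty, or carries several values,
    because an ambiguous identifier must never map to an account.
    """
    root = ET.fromstring(response_xml)
    values = [
        (v.text or "").strip()
        for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == "mail"
        for v in attr.findall("saml:AttributeValue", NS)
    ]
    if len(values) != 1 or not values[0]:
        return None
    return values[0]


def match_account(response_xml: str) -> Optional[dict]:
    """Map the federated user to an existing account; never auto-provision."""
    mail = mail_attribute(response_xml)
    if mail is None:
        return None
    # Assumption: addresses are compared case-insensitively.
    return EXISTING_ACCOUNTS.get(mail.lower())


def login_url(base: str, idp: str) -> str:
    """Build the SP-initiated login URL, refusing IdPs that are not configured."""
    if idp not in TRUSTED_IDPS:
        raise ValueError("untrusted IdP: " + idp)
    return base + "/default.aspx?" + urlencode({"idp": idp})


# Constructed sample Response (unsigned, for illustration only).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>_opaque</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>Firstname.Lastname@example.org</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed variants exercising the failure modes.
UNKNOWN_USER = SAMPLE_RESPONSE.replace("Firstname.Lastname@example.org", "nobody@example.org")
NO_MAIL = SAMPLE_RESPONSE.replace('Name="mail"', 'Name="uid"')
DUPLICATE_MAIL = SAMPLE_RESPONSE.replace(
    "</saml:AttributeValue>",
    "</saml:AttributeValue><saml:AttributeValue>ops@example.org</saml:AttributeValue>",
    1,
)

if __name__ == "__main__":
    print(match_account(SAMPLE_RESPONSE))   # existing account -> its record
    print(match_account(UNKNOWN_USER))      # no account -> None, nothing created
    print(match_account(DUPLICATE_MAIL))    # ambiguous mail -> None
    print(login_url("https://www.company.com", "https://idp.unitedid.org/shibboleth"))
```

The two refusals are the security-relevant parts: an unknown or ambiguous “mail” value yields no session rather than a freshly provisioned account, and an ‘idp’ value outside the configured set raises before any redirect is built, so a crafted link cannot steer the login to an IdP the Cloud Broker never registered.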