
How to setup Kiuwan with a Local Authentication system


You can integrate Kiuwan with a Local Authentication system.

...

By integrating Kiuwan with your Local Auth service, Kiuwan delegates authentication to your own system, so your users do not need to use or maintain a separate set of credentials.


Local Authentication scenarios

Depending on your infrastructure, there are at least two possible scenarios:

...

  1. If your organization uses a centralized credentials repository that does not support SAML (the most widely adopted SSO standard), you can configure Kiuwan to use it as described in the section “Delegated Authentication Single Sign-On”.

  2. If instead your organization uses a SAML-compliant repository (e.g. Active Directory FS, Azure AD, CA Single Sign-On, etc.), you can configure Kiuwan to use SAML, as described in the section “Single Sign-On (SSO) with SAML 2.0”.



Delegated Authentication Single Sign-On

Centralized authentication is also known as “delegated authentication”.

...

You can find details on how to set it up here.


Single Sign-on (SSO) with SAML 2.0


As explained in the Centralized Authentication scenario, you need to provide an authentication service application that generates the auth token from the secret key provided by Kiuwan. To use that scenario you must therefore set up this specific app.

...

In summary, if your organization uses a centralized users’ credentials repository that implements SAML and you want to use those enterprise credentials to authenticate in Kiuwan, this document explains how to set up Kiuwan to participate in an SSO-SAML environment.


What is SAML?


SAML stands for Security Assertion Markup Language and it’s an open standard for exchanging authentication and authorization data between parties.

...

  • TLS 1.0+ for transport-level security (TLS 1.0 and 1.1 have since been deprecated; in practice require TLS 1.2 or later on both the IdP and the SP endpoints)

  • XML Signature and XML Encryption for message-level security



Web Browser Single Sign-On


  1. The user (usually through a web browser) requests a resource from a Service Provider (SP)

  2. If a valid security context does not exist, the SP redirects the user agent to the Identity Provider’s (IdP) SSO Service

  3. The user agent issues a request to the IdP’s SSO Service, which identifies the user (if there is no previous security context)

  4. The IdP validates the request and responds to the user agent

  5. The user agent sends the “authentication” assertion to the SP

  6. The SP processes the assertion and redirects the user agent to the requested resource

  7. The user agent requests the resource from the SP

  8. Finally, the SP returns the resource to the user agent.
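Step 6 above, where the SP processes the assertion, is where most SAML implementation bugs live: a valid signature alone does not prove that the assertion was issued for this SP, is still fresh, or has not been seen before. The Python below is an added example and not Kiuwan’s code. It implements the post-signature checks a Service Provider makes on a Response (Destination, InResponseTo, status, Issuer, validity window, AudienceRestriction, Recipient) and consumes the request ID so that a replayed Response is refused. The SP and IdP URLs and the unsigned sample Response are constructed for the demonstration, and the attribute names are assumed; signature verification itself is assumed to have happened first and is not shown.

```python
"""SP-side checks on a SAML 2.0 Response (added example, not Kiuwan code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Hypothetical SP and IdP identifiers; Kiuwan's real endpoints are not given on this page.
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"
SP_ACS_URL = "https://sp.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
CLOCK_SKEW = timedelta(seconds=60)


def _ts(value):
    """Parse a SAML UTC timestamp (ADFS may append fractional seconds)."""
    return datetime.strptime(value.rstrip("Z").split(".")[0],
                             "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_response(xml_text, pending_request_ids, now):
    """Return (True, identity) or (False, reason) for a Response whose XML
    signature has ALREADY been verified against the IdP metadata certificate
    (XML-DSig needs a library outside the standard library). These are the
    checks that still matter afterwards: the token is for us, fresh, and unused."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return False, "not a samlp:Response"
    if root.get("Destination") != SP_ACS_URL:
        return False, "Destination is not our Assertion Consumer Service URL"
    request_id = root.get("InResponseTo")
    if request_id not in pending_request_ids:
        return False, "InResponseTo matches no outstanding AuthnRequest (replay or unsolicited)"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return False, "IdP did not report Success"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    assertion = assertions[0]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        return False, "Issuer is not the configured IdP"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "Assertion has no Conditions"
    if (now < _ts(cond.get("NotBefore")) - CLOCK_SKEW
            or now >= _ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
        return False, "Assertion is outside its validity window"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        return False, "AudienceRestriction does not name this SP"
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, SP_ACS_URL):
        return False, "SubjectConfirmationData Recipient is not our ACS URL"
    pending_request_ids.discard(request_id)      # consume: the same Response cannot be replayed
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return True, {"name_id": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
                  "attributes": attrs}


# Constructed sample Response (unsigned; it only exercises the checks above).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-05-01T10:00:30Z" InResponseTo="_req42"
  Destination="https://sp.example.test/saml/acs">
 <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:30Z">
  <saml:Issuer>https://idp.example.test/adfs/services/trust</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@example.test</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req42" NotOnOrAfter="2024-05-01T10:05:00.000Z"
      Recipient="https://sp.example.test/saml/acs"/></saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T10:00:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""
NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)


def demo():
    """Accepted once, refused on replay, refused ten minutes later."""
    pending = {"_req42"}
    first = validate_response(SAMPLE_RESPONSE, pending, NOW)
    replay = validate_response(SAMPLE_RESPONSE, pending, NOW)
    stale = validate_response(SAMPLE_RESPONSE, {"_req42"}, NOW + timedelta(minutes=10))
    return first, replay, stale


if __name__ == "__main__":
    for label, result in zip(("first", "replay", "stale"), demo()):
        print(label, result)
```

Running it shows the same Response accepted the first time, refused as a replay the second time, and refused as stale ten minutes later. In production the set of pending request IDs must be shared across all SP nodes and its entries must expire after the AuthnRequest lifetime, otherwise it grows without bound.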


SAML 2.0 Metadata


In the Web Browser SSO workflow above, there are some interactions between the IdP and the SP that are based on mutual trust, for example:

...

  • SSO Service metadata (description of the IdP’s SSO endpoint)

  • Assertion Consumer Service metadata (description of the SP endpoint to which the IdP sends assertions)
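The items a Service Provider’s administration page asks for, Kiuwan’s included (see the “Kiuwan configuration” section below), are all carried in the IdP’s metadata: its entityID, its SingleSignOnService endpoints and the X.509 certificate with which the SP will verify signatures. The Python below is an added example, not Kiuwan code. It extracts those values from IdP metadata and refuses metadata that lacks a signing certificate or publishes a non-https SSO endpoint, since the first would leave assertions unverifiable and the second would let an attacker redirect the login. The metadata document is constructed, with made-up host names and a placeholder in place of a real certificate.

```python
"""Extract what an SP needs from IdP SAML 2.0 metadata (added example, not Kiuwan code)."""
import base64
import binascii
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def parse_idp_metadata(xml_text):
    """Return entityID, SSO endpoints and signing certificates, or raise ValueError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected md:EntityDescriptor at the root")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")

    endpoints = {}
    for ep in idp.findall("md:SingleSignOnService", NS):
        location = ep.get("Location", "")
        if not location.lower().startswith("https://"):
            raise ValueError(f"SSO endpoint is not https: {location!r}")
        endpoints[ep.get("Binding")] = location
    if not endpoints:
        raise ValueError("no SingleSignOnService endpoint")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):   # 'encryption' keys never sign
            continue
        raw = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if not raw:
            continue
        body = "".join(raw.split())                   # metadata usually wraps the base64
        try:
            base64.b64decode(body, validate=True)     # catch truncated or corrupted copies
        except (binascii.Error, ValueError) as exc:
            raise ValueError("X509Certificate is not valid base64") from exc
        certs.append(body)
    if not certs:
        raise ValueError("no signing certificate: the SP could not verify assertions")

    return {
        "entity_id": entity_id,
        "sso_redirect": endpoints.get(REDIRECT),
        "sso_post": endpoints.get(POST),
        "signing_certs": certs,
        "wants_signed_requests": idp.get("WantAuthnRequestsSigned") == "true",
    }


def rejection_reason(xml_text):
    """Return the ValueError message for unusable metadata, or None if it parses."""
    try:
        parse_idp_metadata(xml_text)
    except ValueError as exc:
        return str(exc)
    return None


# Constructed sample; the host names are made up and the certificate body is a
# placeholder (base64 of "PLACEHOLDER-CERT"), not a real X.509 certificate.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        UExBQ0VIT0xE
        RVItQ0VSVA==
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{key}: {value}")
```

The base64 check only catches a truncated or mis-pasted certificate; checking the certificate’s validity period and rotating it before expiry needs a proper X.509 library and is the usual cause of an SSO outage when an IdP rolls its signing key.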


How to configure Kiuwan to work with SSO - SAML


As explained before, Kiuwan plays the role of Service Provider (SP) in an SSO - SAML context.

...

As seen above, to set up a Web SSO environment the SAML parties (IdP and SP) need to identify each other and be made aware of each other’s existence. This is accomplished by exchanging metadata.



Kiuwan configuration : How to configure your IdP in Kiuwan

Kiuwan provides an administration page to configure your IdP metadata.

...

Email, Name and Lastname fields are descriptive data about the user.



IdP configuration : How to configure Kiuwan as Service Provider


You must configure your IdP (Identity Provider) so it can recognize Kiuwan as a SP (Service Provider).

...

We provide a detailed example of how to configure Active Directory Federation Services (ADFS). For other IdPs, please refer to your sysadmins or to the product documentation.



Active Directory Federation Services (ADFS) configuration


You can use ADFS’s Add Relying Party Trust wizard

...

After finishing, apply changes


SSO login vs username-password login


When a Kiuwan account is converted to SSO-enabled, all existing users lose the ability to log in to Kiuwan with username and password. From then on, all users have to log in through SSO.

Nevertheless, the Kiuwan admin can always log in using both mechanisms, i.e. through SSO and with username and password. The Kiuwan admin can also re-enable username-password access for any user through the User Administration page, allowing the selected users to log in by either method. Every account that keeps password access is a login path that bypasses your IdP’s policies (password rules, MFA, lockout), so keep that list short and protect the admin credentials accordingly.


How to login at Kiuwan in a Web SSO scenario


The first time you log in to Kiuwan in SSO mode, you need to specify the full URL, such as:

...

Just select the site (the Display Name defined at your IdP); you will be asked for your credentials and then redirected to the Kiuwan dashboard.


How to configure Kiuwan clients to work with SSO - SAML


After configuring SSO, your web users can immediately log in to the Kiuwan website using the new login URL.

But Kiuwan “clients” (i.e. Kiuwan Local Analyzer, Kiuwan 4 Developers, and any custom program using the Kiuwan REST-API) need to be configured to use SSO.


Kiuwan Local Analyzer (KLA) : SSO configuration

Once SSO is configured, it is mandatory to configure KLA with the SSO Domain ID. Otherwise KLA will stop working.

...

Additionally, if you are using the KLA CLI, you can also specify the domain.id property as a command line parameter.


Kiuwan for Developers (K4D) : SSO configuration

Similarly to the KLA SSO configuration, K4D also needs to be configured with the Domain ID.

Go to your IDE’s Kiuwan configuration, select Connection Properties >> Single Sign-On section/tab and enter your Domain ID.




REST-API : SSO configuration

For custom programs using Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) carrying the Domain ID alongside the BASIC authentication credentials; the BASIC credentials alone are not enough once the account is SSO-enabled.

...
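As an added example (not Kiuwan’s own client code), the Python below builds the two headers such a program needs: the HTTP Basic Authorization header and the X-KW-CORPORATE-DOMAIN-ID header named above. The API URL, user name, password and Domain ID are placeholders, since the page does not give the REST-API base URL or its endpoints; the request is built but not sent.

```python
"""Headers for a Kiuwan REST-API call from an SSO-enabled account (added example)."""
import base64
import urllib.request
from urllib.parse import urlsplit

DOMAIN_HEADER = "X-KW-CORPORATE-DOMAIN-ID"   # header name as given on this page


def auth_headers(username, password, domain_id):
    """Return the HTTP headers: Basic credentials plus the SSO Domain ID."""
    if not domain_id or not domain_id.strip():
        raise ValueError("Domain ID is required once the account is SSO-enabled")
    if ":" in username:
        raise ValueError("RFC 7617 forbids ':' in a Basic-auth user name")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": f"Basic {token}", DOMAIN_HEADER: domain_id.strip()}


def build_request(url, username, password, domain_id, method="GET"):
    """Build (but do not send) a urllib Request for the given API URL.

    Basic auth is base64, not encryption, so any URL that is not https is
    refused: the password would otherwise cross the wire in the clear.
    """
    if urlsplit(url).scheme != "https":
        raise ValueError("refusing to send Basic credentials over a non-TLS URL")
    return urllib.request.Request(url, method=method,
                                  headers=auth_headers(username, password, domain_id))


def is_rejected(url, username="u", password="p", domain_id="d"):
    """True if build_request refuses the URL (demonstrates the TLS check)."""
    try:
        build_request(url, username, password, domain_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Hypothetical endpoint and credentials; the page does not give the API base URL.
    req = build_request("https://kiuwan.example/rest/apps", "jdoe", "s3cret", "acme-corp")
    print(req.full_url, req.header_items())
    # Sending would be: urllib.request.urlopen(req); a 401 here usually means the
    # domain header is missing or the user has no SSO domain, not a bad password.
```

urllib normalises stored header names (the domain header appears as X-kw-corporate-domain-id in header_items()); HTTP header names are case-insensitive, so the server sees the same header. Keep the Domain ID and password out of command lines and logs, as together they are a complete credential.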