How to set up Kiuwan with a Local Authentication system
You can integrate Kiuwan with a Local Authentication system.
...
By integrating Kiuwan with your Local Auth service, Kiuwan delegates authentication to your own system, so there is no need to use or maintain a separate set of credentials.
Local Authentication scenarios
Depending on your infrastructure, there are at least two possible scenarios:
...
If your organization uses a centralized credentials repository that does not support SAML (the most widely adopted SSO standard), you can configure Kiuwan to use it as described in the section “Delegated Authentication Single Sign-On”.
If instead your organization uses a SAML-compliant repository (e.g. Active Directory FS, Azure AD, CA Single Sign-On, etc.), you can configure Kiuwan to use SAML, as described in the section “Single Sign-On (SSO) with SAML 2.0”.
Delegated Authentication Single Sign-On
Centralized authentication is also known as “delegated authentication”.
...
You can find details on how to set it up here.
Single Sign-on (SSO) with SAML 2.0
As you saw in the explanation of the Centralized Authentication scenario, you need to provide an authentication service application that generates the auth token from the secret key Kiuwan provides. To use that scenario, therefore, you must set up this specific application.
...
In summary, if your organization uses some kind of centralized user credentials repository that implements SAML, and you want to use those enterprise credentials to authenticate in Kiuwan, this document describes how to set up Kiuwan to participate in an SSO-SAML environment.
What is SAML?
SAML stands for Security Assertion Markup Language; it is an open standard for exchanging authentication and authorization data between parties.
...
TLS 1.0+ for transport-level security
XML Signature and XML Encryption for message-level security
Web Browser Single Sign-On
The user (usually through a web browser) requests a resource from a Service Provider (SP).
If a valid security context does not exist, the SP redirects the user agent to the Identity Provider’s (IdP) SSO Service.
The user agent issues a request to the IdP’s SSO Service to identify the user (if there is no previous security context).
The IdP validates the request and responds to the user agent.
The user agent sends the “authentication” assertion to the SP.
The SP processes the assertion and redirects the user agent to the requested resource.
The user agent requests the resource from the SP again.
Finally, the SP returns the resource to the user agent.
SAML 2.0 Metadata
In the Web Browser SSO workflow above, there are some interactions between the IdP and the SP that are based on mutual trust, for example:
...
SSO Service metadata (description of IdP’s SSO endpoint)
Assertion Consumer Service (description of the SP endpoint to which the IdP sends assertions)
How to configure Kiuwan to work with SSO - SAML
As explained before, Kiuwan plays the role of Service Provider (SP) in a SSO - SAML context.
...
As seen above, to set up a Web SSO environment the SAML parties (IdP and SP) must be identified to each other and made aware of each other’s existence. This is accomplished by exchanging metadata.
Kiuwan configuration : How to configure your IdP in Kiuwan
Kiuwan provides an administration page to configure your IdP metadata.
...
Email, Name and Lastname fields are descriptive data about the user.
IdP configuration : How to configure Kiuwan as Service Provider
You must configure your IdP (Identity Provider) so it can recognize Kiuwan as a SP (Service Provider).
...
We provide a detailed example of how to configure Active Directory Federation Services (ADFS). For other IdPs, please refer to your sysadmins or the product documentation.
Active Directory Federation Services (ADFS) configuration
You can use ADFS’s Add Relying Party Trust wizard.
...
After finishing, apply the changes.
SSO login vs username-password login
When a Kiuwan account is converted to SSO-enabled, all existing users lose the ability to access Kiuwan with username and password. From then on, all users must log in through SSO.
Nevertheless, the Kiuwan admin can always log in through both mechanisms, i.e. SSO and username-password. The Kiuwan admin can also enable username-password access for any user on the User Administration page, allowing selected users to log in with either method.
How to login at Kiuwan in a Web SSO scenario
The first time you log in to Kiuwan in SSO mode, you need to specify the full URL, such as:
...
Just select the site (the Display Name defined at your IdP); you will be asked for your credentials and then redirected to the Kiuwan dashboard!
How to configure Kiuwan clients to work with SSO - SAML
After configuring SSO, your web users can immediately log in to the Kiuwan website using the new login URL.
However, Kiuwan “clients” (i.e. Kiuwan Local Analyzer, Kiuwan 4 Developers, and any custom program using the Kiuwan REST-API) need to be configured to use SSO.
Kiuwan Local Analyzer (KLA) : SSO configuration
Once SSO is configured, it is mandatory to configure KLA with the SSO Domain ID. Otherwise KLA will stop working!
...
Additionally, if you are using the KLA CLI, you can also specify the domain.id property as a command line parameter.
Kiuwan for Developers (K4D) : SSO configuration
Similarly to the KLA SSO configuration, K4D also needs to be configured with the Domain ID.
Go to your IDE’s Kiuwan configuration, select Connection Properties >> Single Sign-On section/tab and enter your Domain ID.
REST-API : SSO configuration
For custom programs using Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) carrying the Domain ID in order for BASIC authentication to succeed.
...
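An added example (not Kiuwan’s own code or an official client) of a REST-API call from a custom program in an SSO-enabled account: HTTP Basic authentication plus the X-KW-CORPORATE-DOMAIN-ID header. The endpoint URL and the Domain ID value are placeholders.

```python
# Constructed, assumed example (not Kiuwan's code or an official client): build a
# Kiuwan REST-API request carrying HTTP Basic credentials plus the SSO Domain ID
# header named on this page.  The base URL and endpoint path are placeholders.
import base64
import urllib.request

DOMAIN_HEADER = "X-KW-CORPORATE-DOMAIN-ID"

def build_headers(username, password, domain_id):
    """Headers for an SSO-enabled account, where Basic auth alone is not accepted."""
    if not domain_id:
        # Fail early in the client rather than send a request the server will reject.
        raise ValueError("domain_id is required once the account is SSO-enabled")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return {"Authorization": "Basic " + token,
            DOMAIN_HEADER: domain_id,
            "Accept": "application/json"}

def build_request(url, username, password, domain_id):
    """Prepared GET request with the Basic auth and Domain ID headers attached."""
    return urllib.request.Request(url, headers=build_headers(username, password, domain_id),
                                  method="GET")

def call(req, timeout=30):
    """Send the request and return (status, body); a 401 is raised as urllib.error.HTTPError."""
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.getcode(), resp.read().decode("utf-8")

if __name__ == "__main__":
    # Placeholder URL and Domain ID; substitute your Kiuwan REST-API endpoint and value.
    print(call(build_request("https://kiuwan.example/rest/info", "user", "pass", "YOUR-DOMAIN-ID")))
```

Credentials are sent base64-encoded, not encrypted, so the call must only ever go over HTTPS.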