SAML Platform Authentication Plugin

Stable Version 1.0.2 (O11)
Also available for 10
Published on 21 February 2019 by OutSystems Lab
Created on 11 September 2018

Documentation

Architecture

The solution is composed of two applications, SAML Platform Authentication and SAML Platform Authentication Plugin, both available in the OutSystems Forge. Both applications are mandatory to enable this SAML 2.0 two-factor authentication mode for the platform in Lifetime.

The first application, SAML Platform Authentication, must be installed exclusively in the Lifetime environment and is composed of two modules, one end-user module, SAMLAuthentication, and a foundation module, LifetimeIdPClient.

The second application, SAML Platform Authentication Plugin, must be installed in all environments, including the Lifetime environment.

The figure below shows the processes occurring on the OutSystems Platform Services, the user browser, and the SSO IdP.

With this integration set up for a given IdP, when OutSystems Platform users access the SAMLAuthentication module they are redirected to a web page (the enterprise's login manager) where they are prompted for their enterprise username and password. Once the IdP has verified the user's credentials, the user is redirected back to the SAMLAuthentication module.

The platform user is logged in, and a token is generated and presented on the screen so it can be used to access Service Studio, Integration Studio, Service Center, and Lifetime as shown in the figure below.


OutSystems Platform application authentication

As an example, let’s consider a login attempt in Service Studio, one of the Outsystems Platform applications, to the OutSystems Platform Development environment. The figure below shows the processes occurring between the OutSystems Platform applications.

  1. The user opens Service Studio and enters the development environment server, the enterprise username and the token copied from the SAMLAuthentication module.
  2. The enterprise username and token reach Service Center, which hands these credentials to the SAML Auth Provider module (this happens only when SAML Auth Provider is configured in Lifetime as the external authentication provider).
  3. The SAML Auth Provider module determines whether the credentials are valid by communicating with the Lifetime IdP Client module in the Lifetime environment, and the validation result is returned to Service Studio as either an effective login or an "invalid user or password" message.


Configuring the Service Center
In the Service Center of every environment (including the LIFETIME_SERVER) where the “SAML Platform Authentication Plugin” application was installed, perform the following steps:

  1. In the menu, click the Factory option. A submenu is shown.
  2. Click the eSpaces option.
  3. Select the SAMLAuthProvider eSpace.
  4. In the Integrations tab, go to the Consumed REST APIs section and click the “AuthValidation” link, as shown in the figure below, to set the Effective URL to https://LIFETIME_SERVER/LifetimeIdPClient/rest/AuthValidation (where LIFETIME_SERVER is the hostname of your Lifetime environment).


Configuring SAML 2.0 between Lifetime IdP Client and IdP Server

To access the configuration screen the user needs to have LifetimeIdPClient_Administrator privileges. Lifetime Administrators have this privilege automatically.

Configure the following for the SAML SSO:

  • the URL of the SAML Identity Provider (IdP) that handles the user sign-in requests
  • the fingerprint of the SAML certificate which the IdP Server uses to sign the SAML assertions sent to this IdP Client (SP)
  • the issuer sent by the IdP Server in SAML messages (IdP Server issuer)
  • the SP (IdP Client) issuer sent in the SAML messages from this IdP Client


Optionally, only when required, configure:

  • the IdP Server Single-Logout URL (in case the IdP Server supports Single Logout initiated by the SP through SAML messages)
  • the PFX/PKCS12 keystore with the key used to sign messages from the SP and to decrypt assertions, in case the IdP SSO server is configured to encrypt the assertions
  • the keystore password to read the keys
  • the Site property 'Session_Cookie': this variable holds the name of the cookie that contains the SessionId on the Lifetime IdP Client OutSystems server.
    The usual name is 'ASP.NET_SessionId' on the .NET stack.


Configuring your IdP Server to use the Lifetime IdP Client

https://success.outsystems.com/Documentation/How-to_Guides/Integrations/How_to_configure_OutSystems_to_use_identity_providers_using_SAML#Configure_Identity_Provider_-_Examples

Support Options
This component is not supported by OutSystems. You may use the discussion forums to leave suggestions or obtain best-effort support from the community, including from OutSystems Lab who created this component.
Dependencies
SAML Platform Authentication Plugin has no dependencies.