SSO Integration - SAML - Technical documentation

Introduction

The Career Center is the new online Career platform of your university. It’s a website where the students can find information about firms, find internship and job offers. To allow a targeted population to access the Career Center, JobTeaser supports multiple SSO integration. Using a SSO integration means that is your authentication server that authorizes the student to use Jobteaser.

Integration SSO ADFS / SAML

Description

SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a XML-based protocol.

   +------------+           +------------+          +-----------+
   |   Service  |           |  Student   |          |   Auth    |
   |  Provider  |           |            |          |  Server   |
   +------------+           +------------+          +-----------+
         |                        |                       |
         | <-  request resource --|                       |
         | --  redirect to IDP -->|                       |
         |                        |                       |
         |                        |----- request IDP ---->|
         |                        |<-- Get SAML payload --|
         |                        |                       |
         |<-- send SAML payload --|                       |
         | redirect to resource ->|                       |

Configuration of your platform

Here are the details needed for the implementation on your side:

  • Issuer URL: https://university-permalink.jobteaser.com/users/auth/university_permalink_saml/metadata
  • Callback URL: https://university-permalink.jobteaser.com/users/auth/university_permalink_saml/callback
  • Sign-in URL: https://university-permalink.jobteaser.com/

Note: the permalink is the subdomain used to access to your Career Center.

Technical Environments

The following IP addresses have to be authorized to request your authentication server:

  • Development: 84.14.204.224 to 84.14.204.239
  • Production: 34.247.150.89, 52.48.69.13 and 34.242.136.182
  • Pre Production: 34.248.34.73, 52.209.6.99 and 52.31.86.10

JobTeaser Configuration

Requirements

  • URL of the SAML metadata of your IDentity Provider (IDP)
  • Test user account for end-to-end validation
  • NameID (must have a persistent format and must not be an email)

User attributes

The following attributes should be transferred to JobTeaser:

  • last name
  • first name
  • email

If you use a Microsoft service or equivalent, you can use these attributes:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Note: The NameID is the unique key (uid) that allows Jobteaser to identify the user. This attribute is included by SAML protocol, so it’s not necessary to add it to the user attributes

Example :

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_6a594969-3bb5-4cb5-b282-a3bbef28596f" Version="2.0" IssueInstant="2017-09-26T13:36:11.599Z" Destination="https://university-test.jobteaser.com/users/auth/university_test_saml/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://university-test.com/adfs/services/trust</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f7f62832-87a9-4e4d-84c4-b32896426771" IssueInstant="2017-09-26T13:36:11.598Z" Version="2.0">
      <Issuer>http://university-test.com/adfs.luiss.it/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_f7f62832-87a9-4e4d-84c4-b32896426771">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>xLPchzLCcPyeg5f+b86alx/5qF/vfWL1rOcM3CMwa5o=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>BnxIWEu5z3vrIJSINwi2yVJdXNOW4aHNevOYh7C+Z/6k4wpnER2Yrq8p3ZwFYQrQzj1JpubLNLVnf5k1TIbyFDiRyPTn049Fw0vE/6Mr8ymwnqysA4yp9nfm7s3bIiEf9C2rErNaHtAb1CyAeFrus1MqdBy5RhiXLPSSzcq4SPy+y+bsONZcfBhcvm4CGRLviye737arxf+KI4bKLzWRdwc1Inx5IlH1BJnFS7c9fJ+5xTjtF/N670VXo2/RMTA3lv3T93e7Mvu0/MnPCbNgvjekCFdqjMZc02y5YPgXZMnPtNmV4zfAGxmILipmleZWudzkepgmdOAvJrawLVjU/A==</ds:SignatureValue>
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>MIIC1jCCAb6gAwIBAgIQYiu3Ar7taK5J5cwduzsPVjANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDExxBREZTIFNpZ25pbmcgLSBhZGZzLmx1aXNzLml0MB4XDTE3MDEyODIxMDg0OFoXDTE4MDEyODIxMDg0OFowJzElMCMGA1UEAxMcQURGUyBTaWduaW5nIC0gYWRmcy5sdWlzcy5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMaAMMC+osNrNe58H6vWChnWa221XWeZGCnB9U4ItYzxkcj1OaHKRDZu+WxkIj7riQVecodA/CXLTeVbvVdMLxAytbXNz1GgFl+LSkVLlA1MxiErcEQsrekdt5eMAcj1HabflwcL2rJzXXjMn+jcRr4MYmzWnrWHr2dFU8AuxMNu49C6TeSJMFx5bAMA7I+qZbO/CqPcksRsIKNTrHaKhAM1aT6674Y+TmkQd3Hc/t6MyyJKTn7D+DG2fGZNu2Ig1zHdjV206Tq24TXRwr+2hRWxtbkwFxbxBQtXwGyVDvf+mrN+0+v7i909bnFqwnLbnWgQKI9X1FiEtmUxutXHp20CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcCoUFgrNvNrLPzCvTPczAVQqoEccLEyV0LGv/xj4eXiNOW7AiJoi17aqQmdAFqal3Jkz8aPj7CkD1rZ81S5VZ1NYO5k0NYyoUQH0UKz2JpITmAstg5FCTzChxI59ZPfpLcA3JsJUwQOYqdRTbZichyJvVvApkkeyIAAIqtV3liMGQknbKHAhhrEdS8X/0ARO8j037gt1ItWmLs49Px8Mc4jR3oeu+VUsGKm5Brpq0JcAoXCSOQd0WCsGhD/BaUZaKu7HF1gHt2TiLkkO3qBUq6KsN8aiKoTt3kN81NrPNLgqQ4VPWOK/ZbP8rud8lNGT5cR1wKI3Pji2tfRvRQ5d4A==</ds:X509Certificate>
            </ds:X509Data>
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">YT8kKonm3A5sVMOcvWjavJBhi</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a" NotOnOrAfter="2017-09-26T13:41:11.599Z" Recipient="https://university-test.com/users/auth/university_test_saml/callback" />
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2017-09-26T13:36:09.087Z" NotOnOrAfter="2017-09-26T14:36:09.087Z">
         <AudienceRestriction>
            <Audience>https://university-test.com/users/auth/university_test_saml/metadata</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <AttributeValue>John</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
            <AttributeValue>Doe</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>john.doe@university-test.com</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2017-09-26T13:36:09.022Z" SessionIndex="_f7f62832-87a9-4e4d-84c4-b32896426771">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>
Was this article helpful?
0 out of 0 found this helpful

Comments

1 comment
  • Hey there. Your tutorial on SSO integration using SAML is super helpful. The step-by-step breakdown makes it less intimidating, even for someone like me who's not a tech genius.

    I've had my fair share of struggles with SSO setups in the past, but your guide seems to simplify things. Kudos for that! The visual representation with the diagrams is a nice touch. It gives a quick overview without drowning in technicalities.

    One thing I'd suggest for improvement is maybe a troubleshooting section. You know, common hiccups people might face and how to tackle them. I found that including those can save a ton of time for folks scratching their heads over unexpected errors. An example from personal experience, I had a strange error on this page: https://andersenlab.com/find-developers/golang, but I contacted their troubleshooting department and everything worked quickly! So, it can save your image in the eyes of your customers.

    By the way, have you considered sharing a real-world scenario from your experience? It's always cool to hear about how others have tackled similar challenges.

    0
    Comment actions Permalink

Article is closed for comments.