SSO Integration - SAML - Technical documentation

Introduction

The Career Center is the new online Career platform of your university. It’s a website where the students can find information about firms, find internship and job offers. To allow a targeted population to access the Career Center, JobTeaser supports multiple SSO integration. Using a SSO integration means that is your authentication server that authorizes the student to use Jobteaser.

Integration SSO ADFS / SAML

Description

SAML is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is a XML-based protocol.

   +------------+           +------------+          +-----------+
   |   Service  |           |  Student   |          |   Auth    |
   |  Provider  |           |            |          |  Server   |
   +------------+           +------------+          +-----------+
         |                        |                       |
         | <-  request resource --|                       |
         | --  redirect to IDP -->|                       |
         |                        |                       |
         |                        |----- request IDP ---->|
         |                        |<-- Get SAML payload --|
         |                        |                       |
         |<-- send SAML payload --|                       |
         | redirect to resource ->|                       |

Configuration of your platform

Here are the details needed for the implementation on your side:

  • Issuer URL: https://university-permalink.jobteaser.com/users/auth/university_permalink_saml/metadata
  • Callback URL: https://university-permalink.jobteaser.com/users/auth/university_permalink_saml/callback
  • Sign-in URL: https://university-permalink.jobteaser.com/

Note: the permalink is the subdomain used to access to your Career Center.

Technical Enviromments

The following IP addresses have to be authorized to request your authentication server:

  • Development: 84.14.204.224 to 84.14.204.239
  • Production: 34.247.150.89, 52.48.69.13 and 34.242.136.182
  • Pre Production: 34.248.34.73, 52.209.6.99 and 52.31.86.10

JobTeaser Configuration

Requirements

  • URL of the SAML metadata of your IDentity Provider (IDP)
  • Test user account for end-to-end validation
  • NameID (must have a persistent format and must not be an email)

User attributes

The following attributes should be transferred to JobTeaser:

  • last name
  • first name
  • email

If you use a microsoft service or equivalent, you can use this attributes:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Note: The NameID is the unique key (uid) that allows Jobteaser to identify the user.This attribute is included by SAML protocol, so it’s not necessary to add it to the user attributes

Example :

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_6a594969-3bb5-4cb5-b282-a3bbef28596f" Version="2.0" IssueInstant="2017-09-26T13:36:11.599Z" Destination="https://university-test.jobteaser.com/users/auth/university_test_saml/callback" Consent="urn:oasis:names:tc:SAML:2.0:consent:unspecified" InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a">
   <Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">http://university-test.com/adfs/services/trust</Issuer>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f7f62832-87a9-4e4d-84c4-b32896426771" IssueInstant="2017-09-26T13:36:11.598Z" Version="2.0">
      <Issuer>http://university-test.com/adfs.luiss.it/adfs/services/trust</Issuer>
      <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
         <ds:SignedInfo>
            <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
            <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
            <ds:Reference URI="#_f7f62832-87a9-4e4d-84c4-b32896426771">
               <ds:Transforms>
                  <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
                  <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
               </ds:Transforms>
               <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
               <ds:DigestValue>xLPchzLCcPyeg5f+b86alx/5qF/vfWL1rOcM3CMwa5o=</ds:DigestValue>
            </ds:Reference>
         </ds:SignedInfo>
         <ds:SignatureValue>BnxIWEu5z3vrIJSINwi2yVJdXNOW4aHNevOYh7C+Z/6k4wpnER2Yrq8p3ZwFYQrQzj1JpubLNLVnf5k1TIbyFDiRyPTn049Fw0vE/6Mr8ymwnqysA4yp9nfm7s3bIiEf9C2rErNaHtAb1CyAeFrus1MqdBy5RhiXLPSSzcq4SPy+y+bsONZcfBhcvm4CGRLviye737arxf+KI4bKLzWRdwc1Inx5IlH1BJnFS7c9fJ+5xTjtF/N670VXo2/RMTA3lv3T93e7Mvu0/MnPCbNgvjekCFdqjMZc02y5YPgXZMnPtNmV4zfAGxmILipmleZWudzkepgmdOAvJrawLVjU/A==</ds:SignatureValue>
         <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
            <ds:X509Data>
               <ds:X509Certificate>MIIC1jCCAb6gAwIBAgIQYiu3Ar7taK5J5cwduzsPVjANBgkqhkiG9w0BAQsFADAnMSUwIwYDVQQDExxBREZTIFNpZ25pbmcgLSBhZGZzLmx1aXNzLml0MB4XDTE3MDEyODIxMDg0OFoXDTE4MDEyODIxMDg0OFowJzElMCMGA1UEAxMcQURGUyBTaWduaW5nIC0gYWRmcy5sdWlzcy5pdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMaAMMC+osNrNe58H6vWChnWa221XWeZGCnB9U4ItYzxkcj1OaHKRDZu+WxkIj7riQVecodA/CXLTeVbvVdMLxAytbXNz1GgFl+LSkVLlA1MxiErcEQsrekdt5eMAcj1HabflwcL2rJzXXjMn+jcRr4MYmzWnrWHr2dFU8AuxMNu49C6TeSJMFx5bAMA7I+qZbO/CqPcksRsIKNTrHaKhAM1aT6674Y+TmkQd3Hc/t6MyyJKTn7D+DG2fGZNu2Ig1zHdjV206Tq24TXRwr+2hRWxtbkwFxbxBQtXwGyVDvf+mrN+0+v7i909bnFqwnLbnWgQKI9X1FiEtmUxutXHp20CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAcCoUFgrNvNrLPzCvTPczAVQqoEccLEyV0LGv/xj4eXiNOW7AiJoi17aqQmdAFqal3Jkz8aPj7CkD1rZ81S5VZ1NYO5k0NYyoUQH0UKz2JpITmAstg5FCTzChxI59ZPfpLcA3JsJUwQOYqdRTbZichyJvVvApkkeyIAAIqtV3liMGQknbKHAhhrEdS8X/0ARO8j037gt1ItWmLs49Px8Mc4jR3oeu+VUsGKm5Brpq0JcAoXCSOQd0WCsGhD/BaUZaKu7HF1gHt2TiLkkO3qBUq6KsN8aiKoTt3kN81NrPNLgqQ4VPWOK/ZbP8rud8lNGT5cR1wKI3Pji2tfRvRQ5d4A==</ds:X509Certificate>
            </ds:X509Data>
         </KeyInfo>
      </ds:Signature>
      <Subject>
         <NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">YT8kKonm3A5sVMOcvWjavJBhi</NameID>
         <SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <SubjectConfirmationData InResponseTo="_89a8d0d0-84ed-0135-a6ff-784f4377ec3a" NotOnOrAfter="2017-09-26T13:41:11.599Z" Recipient="https://university-test.com/users/auth/university_test_saml/callback" />
         </SubjectConfirmation>
      </Subject>
      <Conditions NotBefore="2017-09-26T13:36:09.087Z" NotOnOrAfter="2017-09-26T14:36:09.087Z">
         <AudienceRestriction>
            <Audience>https://university-test.com/users/auth/university_test_saml/metadata</Audience>
         </AudienceRestriction>
      </Conditions>
      <AttributeStatement>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
            <AttributeValue>John</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
            <AttributeValue>Doe</AttributeValue>
         </Attribute>
         <Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
            <AttributeValue>john.doe@university-test.com</AttributeValue>
         </Attribute>
      </AttributeStatement>
      <AuthnStatement AuthnInstant="2017-09-26T13:36:09.022Z" SessionIndex="_f7f62832-87a9-4e4d-84c4-b32896426771">
         <AuthnContext>
            <AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</AuthnContextClassRef>
         </AuthnContext>
      </AuthnStatement>
   </Assertion>
</samlp:Response>
Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.