This settings page allows additional login options to be enabled for your Connections Online site. The Facebook and Twitter buttons show up on the login screen but only work for users on your site if you enable them here. The Single Sign-On button only shows up after the user has visited your unique SSO login URL at least once.
Facebook & Twitter Login Options
Users may authorize their Facebook or Twitter accounts to be used to log in to Connections Online. This is mainly helpful on mobile devices where the user is already logged in to one of those other services. The Facebook and Twitter login buttons appear on the main Login screen. This authorization is only used for login purposes and Connections Online does not post or share information on the user's Facebook or Twitter profiles.
Single Sign-On
Single Sign-On (SSO) allows users to sign in to Connections Online using credentials from other sources. We offer two SSO formats:
- JSON Web Tokens (JWT)
- Security Assertion Markup Language (SAML)
Enabled with JWT
Single Sign-On with JWT allows sites to validate users securely via their own mechanism, including, but not limited to, Microsoft Windows® and Active Directory. When users visit Connections Online, they will automatically be logged in.
To use JWT with Connections Online, you must implement an HTTP remote login service that provides the required Access Token to Connections Online. Access tokens must be returned in the form of a JSON Web Token. Most common languages provide JWT libraries to facilitate this process. More information about setting up a remote login service for use with JWT can be found in our community post: Single Sign-on Authentication (SSO) with JWT.
There are only three settings required: site nickname, remote login server URL, and a shared secret key:
- Your site nickname is used as part of your Connections Online SSO entry point. Your users can use this link to skip the login page and gain access via SSO. For example, if your organization name is Sample Credit Union, you could use a site nickname of SampleCU, and your JWT SSO entry point URL would then be https://col.connectionsonline.net/site/SampleCU.
- The remote login server URL is the location where Connections Online will ask for user authentication. If your users are only allowed to use SSO while at work or connected over a VPN, this can be a local URL like https://servername/page. Otherwise, this should be a valid Web URL like https://yourdomain.org/page. We don't require that you use a secured HTTPS connection here, but it is highly recommended, even for local URLs: the token is signed but not encrypted, so over plain HTTP the token and the username inside it can be read and replayed by anyone on the network path. Non-HTTPS URLs should only be used for testing.
- The shared secret key is what your remote login server uses to identify itself when communicating with Connections Online. Treat it like a password: anyone who holds it can forge a valid login token for any username on your site.
Additional information, taken from Zendesk's SSO JWT documentation:
JWT is a recent open standard that is being driven by the international standards body IETF and has top-level backers from the technology sector (for example, Microsoft, Facebook, and Google).
The fundamental building blocks of JWT are very well understood components and the result of this is a fairly simple spec, which is available here. There are a lot of open source implementations of the JWT spec that cover most modern technologies. This means that you can get JWT single sign-on set up without much difficulty.
Since the JWT payload is merely encoded and signed, not encrypted, the only information we transmit through JWT is your account name. JWT works by serializing the JSON that is being transmitted to a string. It then base-64 encodes that string and then makes an HMAC of the base-64 string which depends on the shared secret. This produces a signature that the recipient side can use to validate the user.
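The following is an added example, not code from Connections Online or from Zendesk, showing both halves of the signing scheme described above using only the Python standard library: the remote login server mints a short-lived HS256 token that carries only the username, and the receiving side verifies it. The claim name `email` for the username, the `jti` nonce, and the 120-second lifetime are assumptions; the page does not specify the exact claim set. The verifier pins the algorithm (so a header of `alg: none` cannot disable the check), compares the HMAC in constant time, and refuses expired or replayed tokens.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Constructed placeholder; in practice this is the shared secret key from the settings page.
SHARED_SECRET = b"replace-with-the-shared-secret-key"
TOKEN_LIFETIME = 120   # seconds; a login token only has to survive one redirect (assumption)
CLOCK_SKEW = 60        # seconds of tolerance between the two servers' clocks


class TokenError(ValueError):
    """Raised for any token the receiving side must refuse."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_login_token(username: str, secret: bytes = SHARED_SECRET,
                     now: Optional[int] = None) -> str:
    """Remote login server side: after authenticating the user by whatever means
    (Windows/AD, LDAP, ...), issue a short-lived, single-use HS256 token that
    carries only the Connections Online username."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {
        "iat": now,
        "exp": now + TOKEN_LIFETIME,
        "jti": secrets.token_hex(16),  # nonce so the receiver can refuse replays
        "email": username,             # assumed claim name for the username
    }
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(payload, separators=(",", ":")).encode()))
    # HMAC-SHA256 over the base64url-encoded header and payload, keyed with the shared secret
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(mac)


def verify_login_token(token: str, secret: bytes = SHARED_SECRET,
                       now: Optional[int] = None,
                       seen_jti: Optional[Set[str]] = None) -> dict:
    """Receiving side: pin the algorithm, check the MAC in constant time, then
    the time window, then the nonce. Returns the payload only if all checks pass."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h64, p64, s64 = parts
    try:
        header = json.loads(_b64url_decode(h64))
        signature = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable token") from exc
    # Never let the token choose the algorithm: "none", or an asymmetric alg with the
    # HMAC secret presented as the public key, are the classic downgrade attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(p64))   # parsed only after the MAC is verified
    except (ValueError, UnicodeDecodeError) as exc:
        raise TokenError("undecodable payload") from exc
    if payload.get("iat", 0) > now + CLOCK_SKEW:
        raise TokenError("token issued in the future")
    if payload.get("exp", 0) < now - CLOCK_SKEW:
        raise TokenError("token expired")
    if "email" not in payload:
        raise TokenError("no username in token")
    jti = payload.get("jti")
    if not jti:
        raise TokenError("token has no jti")
    if seen_jti is not None:
        if jti in seen_jti:
            raise TokenError("replayed token")
        seen_jti.add(jti)
    return payload


def is_valid_token(token: str, **kwargs) -> bool:
    """Convenience wrapper that turns a rejection into False."""
    try:
        verify_login_token(token, **kwargs)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    tok = mint_login_token("alice@samplecu.example")
    print(tok)
    print(verify_login_token(tok, seen_jti=set()))
```

The `seen_jti` set stands in for whatever short-lived store the receiving side keeps; with a two-minute lifetime it only has to remember nonces for that long. A real deployment also has to decide how the token travels from the remote login server to Connections Online (the page does not specify the transport), and that hop is exactly why the HTTPS recommendation above matters.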
Enabled with SAML
SAML for Connections Online works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP). The service provider (SP), in this case Connections Online, establishes a trust relationship with the IdP and allows that external IdP to authenticate users and then seamlessly sign them in to Connections Online. In other words, a user signs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to sign in separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.
After you've enabled SAML as the type of single sign-on for Connections Online, your users can use your unique SSO entry point URL to log in. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to Connections Online and automatically signed in.
Like the JWT option, there are only three required settings, but SAML also offers twelve optional settings.
Required Settings
- Your site nickname is used as part of your Connections Online SSO entry point. Your users can use this link to skip the login page and gain access via SSO. For example, if your organization name is Sample Credit Union, you could use a site nickname of SampleCU, and your SAML SSO entry point URL would then be https://col.connectionsonline.net/saml2/SampleCU.
- Your identity provider's Entity ID uniquely identifies the provider. Most often, it is in URL format and begins with https://.
- Your identity provider's SSO URL (also known as a login URL or service URL) is where Connections Online makes its authentication request.
Optional Settings
- The logout response URL is called when a user logs out of Connections Online.
- The digest method, signature method, and service binding can all be set if your provider requires specific ones.
- The additional flags for assertion encrypted, assertion signed, logout request signed, logout response signed, and SAML response signed can also be set if your provider requires them.
- A public certificate (and two alternates) may be entered to force Connections Online to only accept responses signed with a key that matches what is entered here. Otherwise, our server will rely on the certificate embedded in your provider's response. Entering the certificate is recommended: it pins signature validation to your IdP's key instead of whatever key accompanies the response, and the alternates let you rotate the IdP certificate without an outage.
Setting Up Your Identity Provider
Your IdP needs to know a little about Connections Online when it is set up.
- ACS URL: https://col.connectionsonline.net/saml2/{ Your Site Nickname }/login
- Entity ID: https://col.connectionsonline.net/saml2/{ Your Site Nickname }
- Name ID / User ID: The user's Connections Online username. This is normally set to their email address.
- Additional Attributes: none. We only use SAML to authenticate the user.
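When an IdP is misconfigured the symptom is usually a silent failure at the ACS URL, so it helps to capture the decoded SAMLResponse the IdP posts and check it against the values listed above before involving support. The checker below is an added example, not Connections Online code: given a site nickname and the IdP's Entity ID, it derives the expected ACS URL and SP Entity ID, then verifies the Response's Destination, the Assertion's Issuer, Audience, NameID, and bearer Recipient, and whether the Response or Assertion carries a signature in line with the optional "signed" flags. It checks structure and values only; it does not verify the XML signatures themselves. The sample Response and the IdP Entity ID https://idp.example.org/metadata are constructed for the example.

```python
import xml.etree.ElementTree as ET  # parse real network input with defusedxml instead
from typing import List

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"


def expected_sp_values(nickname: str) -> dict:
    """The two SP identifiers from the 'Setting Up Your Identity Provider' list."""
    base = "https://col.connectionsonline.net/saml2/" + nickname
    return {"entity_id": base, "acs_url": base + "/login"}


def check_saml_response(xml_text: str, nickname: str, idp_entity_id: str,
                        require_signed_assertion: bool = True,
                        require_signed_response: bool = False) -> List[str]:
    """Return the configuration problems found in a captured (base64-decoded)
    SAML Response; an empty list means the IdP emits what the SP expects.
    The two flags mirror the 'assertion signed' / 'SAML response signed' settings."""
    exp = expected_sp_values(nickname)
    problems: List[str] = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, not samlp:Response"]
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    if root.get("Destination") != exp["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {exp['acs_url']!r}")
    if require_signed_response and root.find("ds:Signature", NS) is None:
        problems.append("'SAML response signed' is set but the Response carries no ds:Signature")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        if root.find("saml:EncryptedAssertion", NS) is not None:
            problems.append("assertion is encrypted; the 'assertion encrypted' flag must be set to match")
        else:
            problems.append("no Assertion in Response")
        return problems
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != idp_entity_id:
        problems.append(f"Assertion Issuer {issuer!r} != IdP Entity ID {idp_entity_id!r}")
    if require_signed_assertion and assertion.find("ds:Signature", NS) is None:
        problems.append("'assertion signed' is set but the Assertion carries no ds:Signature")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  namespaces=NS)
    if audience != exp["entity_id"]:
        problems.append(f"Audience {audience!r} != SP Entity ID {exp['entity_id']!r}")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        problems.append(f"NameID {name_id!r} is not an email-style Connections Online username")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, exp["acs_url"]):
        problems.append(f"SubjectConfirmationData Recipient {scd.get('Recipient')!r} != ACS URL")
    return problems


# Constructed sample of the decoded SAMLResponse an IdP would POST to the ACS URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://col.connectionsonline.net/saml2/SampleCU/login">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <ds:Signature><ds:SignatureValue>constructed-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@samplecu.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://col.connectionsonline.net/saml2/SampleCU/login"
            NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://col.connectionsonline.net/saml2/SampleCU</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for nick in ("SampleCU", "OtherCU"):
        print(nick, check_saml_response(SAMPLE_RESPONSE, nick, "https://idp.example.org/metadata"))
```

Run it against the decoded SAMLResponse from a browser capture (the base64 form field posted to the ACS URL); a Destination or Audience mismatch almost always means the site nickname in the IdP differs from the one entered on the settings page, and an EncryptedAssertion means the "assertion encrypted" flag must be set to match.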