Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 3 Next »

Single Sign On (SSO) allows clients to login through their identity provider. Instead of having to type in their Domain Name, User Name and Password, users will instead be redirected to their identity provider associated with their domain.


Usually we do the following to setup SSO:

  1. Create a test copy account.

  2. Obtain client metadata.xml and make the config in the test account.

  3. Send our metadata.xml to be imported into IdP.

  4. Test how it works on a copy account.

  5. Move settings to production on a designated day.


The entire process is managed by IT personnel in Melbourne, AUS.

Users can be imported from a list using User Data Import Tool (in Settings under User Access) or via
Self-Registration.

Import Tool

To import using a list, go to Settings < User Access < User Data Import/Export. NOTE: This process is managed by CW AUS IT Department. The customer will need to be connected with our IT team to import their User Data.


Self-Registration

To self-register, have the user login via https://jr.chemwatch.net/chemwatch.web. The system will connect to their identity provider, the user will have to provide login user/password. If this is the first time they have logged in a user will be created in CW using their credentials. An Administrator will need to assign them products and permissions before their account is active and ready for use.

Once SSO is enabled in a Chemwatch account, manual logins will no longer be allowed. Outside of SSO, only the domain administrator user will be allowed to login via an auto login link.


The following describes what login looks like when a user logs into their Chemwatch account via SSO:

  1. Service provider redirects call for authentication to Identity Provider (Federation Service). Federation server does not receive any information from Chemwatch. This is just a redirect.

  2. User authenticates into Identity Provider (IDP) with generic login and password. It happens outside of Chemwatch system completely.

  3. IDP redirects call back to Chemwatch with a message containing user name, Assertion of user login, and security token to be used for future calls to IDP. Chemwatch only knows SSO users by login names. No additional information is ever sent back by IDP.

  4. Chemwatch authenticates user only if successfully validated by the IDP. Chemwatch can be configured to enable self-registration and assign a default role for self-registered users. This removes the need to import users before SSO is enabled on an account. It happens automatically on a new user login.

  5. The token will stay valid for a specific time, as configured per the IDP.

  6. If token is invalidated, the user will need to authenticate with the IDP anew.


The following protocols are supported:

  • SAML

  • OAuth2

  • WS-Federation

The following are the possible assertions/claims expected by the Chemwatch application during login:

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"/>

The metadata.xml from the Chemwatch side that will be used to configure your IDP looks like the following:

<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b5284f77-1b41-466a-bca1-5f10169e8e64" entityID="https://jr.chemwatch.net/chemwatch.web">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
  <KeyInfo xmlns="<http://www.w3.org/2000/09/xmldsig#">>
    <X509Data>
      <X509Certificate>MIIGMzCCBRugAwIBAgIJAPecTEjSsbLeMA0GCSqGSIb3DQEBCwUAMIG0MQswCQYDVQQGEwJVUzEQMA4GA1UECBMHQXJpem9uYTETMBEGA1UEBxMKU2NvdHRzZGFsZTEaMBgGA1UEChMRR29EYWRkeS5jb20sIEluYy4xLTArBgNVBAsTJGh0dHA6Ly9jZXJ0cy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzEzMDEGA1UEAxMqR28gRGFkZHkgU2VjdXJlIENlcnRpZmljYXRlIEF1dGhvcml0eSAtIEcyMB4XDTE3MTAxNTIzMjcwMFoXDTIwMDgyNzIzMTIwMFowPTEhMB8GA1UECxMYRG9tYWluIENvbnRyb2wgVmFsaWRhdGVkMRgwFgYDVQQDDA8qLmNoZW13YXRjaC5uZXQwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDEVkPpwuzLsHJqPGtZl4JnLu0uDlFwLRjuPa8Y8G/zj5pa85CiEgQIaGlBbgBTRaiMsoiGlK0csQO2/yYRQUH+Rfd7h+kAoZt9SEqqsJuVFVVhL6LJ8n0DhtrF9NR74cWWVWYB2YZF/qYCnNcpvX0nEyYMVBW899ua0wPE9uoWomNIJ7h6he2Ab0pYrzr066qHv03i2Jkz8iBYDlvYSVIsgx2Yp+IVokMnCNlAk0yB+xRM6sPHzOvzdsDZKDke++yDdbXokKUidzuDbEyvEyy3KDf4CNijUdqnuTdU3a6RTRbTm6EqjFOmz5T7kfzIxYr99PTy7BruytlB2h+c4IeXfCNdcQOA8FKAp9uT5nGL/fWNJNN2yPvwmeQf79vxIK7csuaj9CCsDkgun76nXxFFxVOp3fwliQAZoyyEdjNi5H4cfJ2SYpc3u28PMZ4eUQeRoHYqm12b2WtPaXoH9gldLYk2YDw5dvcswCtZWnmS5imK9qDgoJsAQ+cRAj9m3md0ezePFYdD3jBWF0NqmXu4z+zm2hdQp54slbL7c/gDzSumonz1uksf4UeeqiZ5HsA+eyvQ3DXqJT6ALStHyKEKIVOYpmHgueqiw3CYx9O/a4l9brert8MP+GT8xJ9xCDxGxAQcohFWy4f55D8YzTjvnceVL7hBLcccKK9/d6KoYwIDAQABo4IBvDCCAbgwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDgYDVR0PAQH/BAQDAgWgMDcGA1UdHwQwMC4wLKAqoCiGJmh0dHA6Ly9jcmwuZ29kYWRkeS5jb20vZ2RpZzJzMS03NDYuY3JsMF0GA1UdIARWMFQwSAYLYIZIAYb9bQEHFwEwOTA3BggrBgEFBQcCARYraHR0cDovL2NlcnRpZmljYXRlcy5nb2RhZGR5LmNvbS9yZXBvc2l0b3J5LzAIBgZngQwBAgEwdgYIKwYBBQUHAQEEajBoMCQGCCsGAQUFBzABhhhodHRwOi8vb2NzcC5nb2RhZGR5LmNvbS8wQAYIKwYBBQUHMAKGNGh0dHA6Ly9jZXJ0aWZpY2F0ZXMuZ29kYWRkeS5jb20vcmVwb3NpdG9yeS9nZGlnMi5jcnQwHwYDVR0jBBgwFoAUQMK9J47MNIMwojPX+2yz8LQsgM4wKQYDVR0RBCIwIIIPKi5jaGVtd2F0Y2gubmV0gg1jaGVtd2F0Y2gubmV0MB0GA1UdDgQWBBQHITmmg4yB0C+67zTIezlvZe4IkDANBgkqhkiG9w0BAQsFAAOCAQEAOIIcNMRF221BQbbJIv8JAVTv+HVS2ROUYtHRlOAjO5CFoh0ZyXLH1+blaXFxQy1TlxgUMFBGmMmy6/P6HN9RbsbAmy02CPC02BMfoCEF3bxhXw5w7ra5xkFnba2/TayBr49U3ni9++hG98AgBjggwlU8JAof5eYYDdrfRUhsbskXeFUsJ0UHFi+Mmfo/77PSofVp766EvxA5nmeIKoRRYAQS1ni6GUDDPYPgpx7lgq6NCTFhCzO/cHfctUJcehbR+26Na0VzdW8cfKVhaBCsl2ITVMXl6OnGJVfaT+/q+inohnmOcYQc2yRY0V7DLAshVxsWcnZR4clh1gFigwvctQ==</X509Certificate>
    </X509Data>
  </KeyInfo>
</KeyDescriptor>

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<https://jr.chemwatch.net/chemwatch.web/sso/login/"xxxxx""> index="0" isDefault="true" />

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"/>

</SPSSODescriptor>
</EntityDescriptor>

  • No labels