In this section we discuss the SAML integration of OVIO. With it you can integrate our application into your existing identity provider. This gives you an automatic import of users, ongoing user maintenance and the assignment of authorizations based on company groups / departments.
1. SAML Providers
Amazon AWS Identity
Google Identity
Microsoft Entra
Okta
Any other provider that supports SAML 2.0.
2. SAML Requirements
This example is based on a Microsoft Entra integration.
2.1. SAML Configuration
Attribute | Value
Identifier (Entity ID) | https://serverurl.domin.de/something
Reply URL (Assertion Consumer Service URL) | https://serverurl.domin.de/something
Logout URL | https://serverurl.domin.de/something/something
2.2. SAML Attribute
OVIO Parameter | Example Microsoft Entra
user_assignedroles | user.assignedroles
user_givenname | user.givenname
user_isEnabled | user.accountenabled
user_language | user.preferredlanguage
user_mail | user.mail
user_phone | user.mobilephone
user_surname | user.surname
user_groups | user.groups
Unique User Identifier | user.userprincipalname
2.3. SAML Certificate
The support department requires a Federation Metadata XML file with the signing certificate embedded from you at the setup appointment. An excerpt showing what such a file looks like (the signature, digest and certificate values are left empty here):
<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_171ef52486" entityID="https://sts.windows.net/" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
    <SignedInfo>
      <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
      <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
      <Reference URI="#_171ef597-486">
        <Transforms>
          <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
          <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        </Transforms>
        <DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
        <DigestValue></DigestValue>
      </Reference>
    </SignedInfo>
    <SignatureValue></SignatureValue>
    <KeyInfo><X509Data><X509Certificate></X509Certificate></X509Data></KeyInfo>
  </Signature>
  <RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate></X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <fed:ClaimTypesOffered>
      <!-- remainder of the metadata file omitted in this excerpt -->
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
</EntityDescriptor>
2.4. SAML Group Import
To use your internal company groups, export the AD groups you want to import once to a .CSV file and import them into OVIO in the administration. The desired authorizations per department are then maintained there once. When a user logs in via SAML SSO, the assignments are made automatically: the group memberships are resolved and saved. This keeps your OVIO Cloud clean and free of imported "garbage" such as inactive users, Exchange mailboxes, private groups, etc.
The fields OVIO expects for a group import are listed below; the separator must be a semicolon (;). As a header line the file therefore looks like this:
id;displayName;groupType;membershipType;source;securityEnabled;mailEnabled;isAssignableToRole;onPremisesSyncEnabled
id
displayName
groupType
membershipType
source
securityEnabled
mailEnabled
isAssignableToRole
onPremisesSyncEnabled
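As an added example (not OVIO's own code), the following Python ties together the attribute mapping from section 2.2 and the group import from section 2.4: it reads a constructed ';'-separated group export, keeps only security-enabled non-mail groups, maps a constructed SAML assertion's attributes to the OVIO parameters, and resolves the user's group ids against the imported groups while rejecting disabled accounts. It assumes the Entra claim names are configured to equal the OVIO parameter names and that the assertion has already been signature-validated.

```python
import csv
import io
import xml.etree.ElementTree as ET
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# OVIO parameters from section 2.2. Assumption: the Entra claim names are configured
# to equal these parameter names, so they arrive unchanged in the assertion.
OVIO_PARAMS = {"user_givenname", "user_surname", "user_mail", "user_phone",
               "user_language", "user_isEnabled", "user_assignedroles", "user_groups"}

def load_groups(csv_text):
    """Read the ';'-separated group export (fields from section 2.4), keyed by object id.
    Only security-enabled, non-mail groups are kept (assumed filter for the import)."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=";")
    return {row["id"]: row["displayName"] for row in reader
            if row["securityEnabled"].lower() == "true"
            and row["mailEnabled"].lower() == "false"}

def resolve_user(assertion_xml, groups):
    """Map the assertion's attributes to OVIO parameters and resolve the group ids
    against the imported groups. Returns None for a disabled (or unknown) account."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iterfind(
            ".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") in OVIO_PARAMS:
            attrs[attr.get("Name")] = [v.text or "" for v in
                                       attr.iterfind("saml:AttributeValue", SAML_NS)]
    if attrs.get("user_isEnabled", ["false"])[0].lower() != "true":
        return None
    user = {k: v[0] for k, v in attrs.items() if k not in ("user_groups", "user_assignedroles")}
    user["user_assignedroles"] = attrs.get("user_assignedroles", [])
    # Group ids not in the import (mail groups, private groups, ...) are dropped.
    user["user_groups"] = sorted(groups[g] for g in attrs.get("user_groups", []) if g in groups)
    return user

# Constructed sample data: one security group, one mail-enabled M365 group, one assertion.
GROUPS_CSV = """id;displayName;groupType;membershipType;source;securityEnabled;mailEnabled;isAssignableToRole;onPremisesSyncEnabled
11111111-0000-0000-0000-000000000001;Finance;Security;Assigned;Cloud;True;False;False;False
22222222-0000-0000-0000-000000000002;All Staff;Microsoft 365;Dynamic;Cloud;False;True;False;False
"""
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="user_givenname"><saml:AttributeValue>Erika</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="user_surname"><saml:AttributeValue>Mustermann</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="user_isEnabled"><saml:AttributeValue>True</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="user_groups">
<saml:AttributeValue>11111111-0000-0000-0000-000000000001</saml:AttributeValue>
<saml:AttributeValue>22222222-0000-0000-0000-000000000002</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

Running `resolve_user(ASSERTION, load_groups(GROUPS_CSV))` yields the user with only "Finance" resolved; the mail-enabled group id is silently ignored.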