BlueJeans - SP initiated Single Sign On with PingFederate®

Message Flows and Configuration


1. Purpose

This document describes the enterprise group settings on BlueJeans (service provider) and the configurations needed at PingFederate (identity provider) to set up single sign-on (SSO) using SAML 2.0. The SAML message flows, including the auth request, the response and a few other important parameters, are shown to give an in-depth understanding of how the 3 entities (Browser, SP (BlueJeans) and IdP (PingFed)) interact with each other. Tools such as SAML tracer, Fiddler, etc. can be used in your setup to corroborate the messages against a working scenario. Also provided are screenshots of the BlueJeans admin group settings and the PingFed configuration summary of a working setup, for comparison purposes.

 

2. Configurations

2.1 Turning on SAML SSO Login

The SSO login is enabled by the group administrator for the entire enterprise through the BlueJeans settings as shown below:

BlueJeans Settings (screenshot)

2.2 Auto Provisioning User Account

The auto provisioning feature allows the user account to be created dynamically when the user logs in through SSO for the first time. The enterprise group admin has to explicitly turn on this option through the BlueJeans settings.

BlueJeans Settings (screenshot)

2.3 XML Metadata

The SAML 2.0 standard defines a metadata exchange schema for conveying XML-formatted information between two SAML entities. Metadata includes endpoint URLs, binding types, attributes, and security-policy information that the service provider gives to the identity provider.

The metadata is published by BlueJeans at http://bluejeans.com/support/saml-metadata.xml. Refer to chapter 5, sec. ‘Importing Metadata’ of the PingFederate Admin Manual for how to import the XML metadata into PingFederate. Ensure the metadata is correctly mapped to ‘base url’ and ‘ACS Endpoint URL’ in PingFed’s connection settings.

Metadata XML (excerpt):

<md:AssertionConsumerService isDefault="true" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://bluejeans.com/sso/saml2/" index="0"/>
<md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email" isRequired="true"></md:RequestedAttribute>

PingFed Settings (connection summary):

General Info
  Base URL: https://bluejeans.com
Assertion Consumer Service URL
  Endpoint URL: /sso/saml2/ (POST)
Allowable SAML Bindings
  POST: true
Attribute Contract
  Attribute: Email

2.4 Importing IdP provided certificate for SAML signed assertions

As the assertion passes through an intermediary (such as the user’s browser), BlueJeans mandates that SAML assertions always be signed. Enable the ‘always sign’ option under Protocol Settings (PingFed Admin Manual – Chapter 5, section ‘Configuring Signature Policy’).

PingFed Settings (screenshot)

Download the certificate from PingFed by following the steps listed in the Admin Manual – Chapter 4, section ‘Digital Signing and Decryption Keys & Certificates’. Import the certificate into BlueJeans through Group Settings as shown below:

BlueJeans Settings (screenshot)

2.5 Configuring Remote IdP URLs

The IdP (PingFederate) allows default or customized URL settings for signing, error page and logout. The application integration settings allow configuring IdP adapters and defining URLs for this purpose. Refer to chapter 5 of the PingFed Admin Manual for more information.

After noting these URLs from the PingFed settings summary, configure them through the BlueJeans admin security page.

BlueJeans Settings (screenshot)

2.6 SAML Attribute Contracts

This is one of the most important steps of the provisioning process. An attribute contract represents an agreement between an SP and an IdP about the user attributes sent in a SAML assertion. The contract is a list of case-sensitive attribute names. IdPs and SPs must configure attribute contracts to match.

For BlueJeans the ‘Email’ attribute is mandatory. The other attribute used is ‘User Id’. Please note that the ‘Auto-Configure’ option does not work: the admin has to manually match these two attribute names at both the PingFed and the BlueJeans end.

PingFed Settings (screenshot)

PingFed Settings Summary (screenshot)

BlueJeans Group Admin Settings (screenshot)
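The ACS mapping from 2.3 and the case-sensitive attribute contract from 2.6 can be checked mechanically before the first login attempt. The Python script below is an added example, not code from this document, from BlueJeans or from PingFederate. It parses the metadata excerpt quoted in 2.3 (wrapped in EntityDescriptor/SPSSODescriptor elements with a placeholder entityID, which the excerpt does not show) and compares it with values transcribed from the PingFed connection summary; the trailing-slash check reflects the import problem noted in section 3, step 6.

```python
"""Added example: check SP metadata against the IdP-side connection settings.
The metadata excerpt is the one quoted in section 2.3; the surrounding
EntityDescriptor/SPSSODescriptor elements and the entityID are placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Binding URN -> the short name PingFederate's summary uses ("POST true")
BINDING_NAMES = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST": "POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect": "Redirect",
}

SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example:sp-entity-id-placeholder">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://bluejeans.com/sso/saml2/" index="0"/>
    <md:AttributeConsumingService index="0">
      <md:RequestedAttribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
          Name="Email" isRequired="true"></md:RequestedAttribute>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Values transcribed from the PingFed settings summary in sections 2.3 and 2.6
PINGFED_SETTINGS = {
    "base_url": "https://bluejeans.com",
    "endpoint_url": "/sso/saml2/",
    "allowed_bindings": {"POST"},
    "attribute_contract": {"Email", "User Id"},
}


def summarize_sp_metadata(xml_text: str) -> dict:
    """Pull the fields that matter for the IdP connection out of SP metadata."""
    root = ET.fromstring(xml_text)
    acs = root.find(".//md:AssertionConsumerService[@isDefault='true']", NS)
    if acs is None:  # fall back to the first ACS if none is flagged as default
        acs = root.find(".//md:AssertionConsumerService", NS)
    requested = root.findall(".//md:RequestedAttribute", NS)
    return {
        "entity_id": root.get("entityID"),
        "acs_location": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "required_attributes": [a.get("Name") for a in requested
                                if a.get("isRequired") == "true"],
    }


def check_idp_settings(summary: dict, settings: dict) -> list:
    """Return a list of mismatches; an empty list means the mapping is consistent."""
    problems = []
    configured_acs = settings["base_url"] + settings["endpoint_url"]
    if configured_acs != summary["acs_location"]:
        problems.append(f"ACS mismatch: metadata {summary['acs_location']!r}, "
                        f"PingFed base URL + endpoint {configured_acs!r}")
    if summary["acs_location"].endswith("/") and not settings["endpoint_url"].endswith("/"):
        # the trailing-slash loss on import observed in section 3, step 6
        problems.append("endpoint URL lost the trailing '/' present in the metadata")
    binding = BINDING_NAMES.get(summary["acs_binding"], summary["acs_binding"])
    if binding not in settings["allowed_bindings"]:
        problems.append(f"binding {binding} not enabled in Allowable SAML Bindings")
    # Attribute names are compared exactly: the contract is case-sensitive
    for name in summary["required_attributes"]:
        if name not in settings["attribute_contract"]:
            problems.append(f"required attribute {name!r} absent from attribute contract")
    return problems


if __name__ == "__main__":
    summary = summarize_sp_metadata(SP_METADATA)
    print(summary)
    print(check_idp_settings(summary, PINGFED_SETTINGS) or "settings consistent")
```

Run it against the real metadata file and the values read from the PingFed summary; a non-empty list is the thing to fix before testing a login.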

 

 

3. SAML Message Flows

The user initiates the SSO login through the custom login page, which triggers a series of messages between the 3 entities: Browser, BlueJeans (SP), and PingFederate (IdP). The following diagram depicts the end-to-end flow.

[Figure: SP Initiated SSO Processing Flow. Lanes: Browser (user initiates SSO login from the custom login page; BlueJeans scheduling page), Service Provider (equinix.bluejeans.com (CLP), bluejeans.com, z2.bluejeans.com) and Identity Provider (PingFederate, sso.equinix.com). The numbered arrows 1 to 10 correspond to the steps below.]

In the example above, the user belongs to the beta (z2) partition, just to illustrate that all SSO requests, responses and assertions are always handled by the live (z1) partition. Each step is discussed below in greater detail, including sample messages.

 

1. User clicks the ‘Login’ button on the BlueJeans custom landing page

The browser launches the auth request by sending an HTTP-POST request to the Service Provider (BlueJeans custom landing site; URL: equinix.bluejeans.com).

E.g.

POST https://equinix.bluejeans.com/sso/saml2/auth_request/?enterpriseId=1853&mode=auth HTTP/1.1

2. Service Provider initiates SAML request for user authentication

BlueJeans initiates the SAML request by redirecting the browser to the IdP’s signing URL. Note the ‘RelayState’ parameter, which acts as an opaque token for the state information kept at the BlueJeans end; the same ‘RelayState’ value is expected to be returned in the SAML response.

E.g.

HTTP/1.1 200 OK
Date: Thu, 16 Jan 2014 01:39:06 GMT
Server: Apache/2.2.22 (Ubuntu)
.....

{"redirectURL": "http://sso.equinix.com/idp/SSO.saml2?SAMLRequest=fZHRTsIwFIbvfYqm99vaMdfRsBHQGDGIBIYX3phuVJlu7ezp0Md3Y5DADZdN%2FvP1%2FN8Zjf%2BqEu2lgUKrGFOXYCRVrreF%2BozxJn1wIjxObkYgqtKv%2BaSxO7WSP40EiyYA0th27k4raCpp1tLsi1xuVvMY76ytgXteVjbySwoFbq4rD0B7B5SH0ew%2Bxu9hGGQ%2BYdktzcIoYCRgWZSRbcgo%2ByAsYMOcChENB20coJEzBVYoG2Of0MAh1KFhSigfDDlhLqH0DaOl0VbnupwWqi%2FRGMW1gAK4EpUEbnO%2BnjzPue8SnvUh4I9punSWL%2Bv0ANgXW2kWbTrG03Z%2F9NQVQAtpf7X5xuj1pMvvdLUCFfBe0PXf6uNqOOl98kMnc064DhAn4zjp%2FLZ6uyGo3QvLI%2B%2Bcnhyfl8dL%2FgE%3D&RelayState=eyJncm91cCI6ICIxODUzIiwgIm1vZGUiOiAiYXV0aCJ9", "message": null, "success": true}

3. Browser sends a SAML request to the IdP

The browser issues the SAML request on instruction from BlueJeans. The URL content and other parameters are the same as received in the HTTP response of step 2.

E.g.

GET http://sso.equinix.com/idp/SSO.saml2?SAMLRequest=fZHRTsIwFIbvfYqm99vaMdfRsBHQGDGIBIYX3phuVJlu7ezp0Md3Y5DADZdN%2FvP1%2FN8Zjf%2BqEu2lgUKrGFOXYCRVrreF%2BozxJn1wIjxObkYgqtKv%2BaSxO7WSP40EiyYA0th27k4raCpp1tLsi1xuVvMY76ytgXteVjbySwoFbq4rD0B7B5SH0ew%2Bxu9hGGQ%2BYdktzcIoYCRgWZSRbcgo%2ByAsYMOcChENB20coJEzBVYoG2Of0MAh1KFhSigfDDlhLqH0DaOl0VbnupwWqi%2FRGMW1gAK4EpUEbnO%2BnjzPue8SnvUh4I9punSWL%2Bv0ANgXW2kWbTrG03Z%2F9NQVQAtpf7X5xuj1pMvvdLUCFfBe0PXf6uNqOOl98kMnc064DhAn4zjp%2FLZ6uyGo3QvLI%2B%2Bcnhyfl8dL%2FgE%3D&RelayState=eyJncm91cCI6ICIxODUzIiwgIm1vZGUiOiAiYXV0aCJ9 HTTP/1.1
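What the SAMLRequest parameter in steps 2 and 3 carries can be recovered with a few lines of code, which is what a tool like SAML tracer does. The Python script below is an added example and not part of this document: it encodes a constructed AuthnRequest the way the HTTP-Redirect binding requires (raw DEFLATE, then base64, then URL-encoding), decodes it again, and decodes the RelayState value quoted above, which BlueJeans formats as base64-encoded JSON. The request ID and the Issuer are placeholders, not values from this page.

```python
"""Added example: HTTP-Redirect binding encoding/decoding of a SAMLRequest and
decoding of the RelayState token, to check what a tracer shows in steps 2 and 3."""
import base64
import json
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

# RelayState exactly as it appears in the document's sample redirect URL
RELAY_STATE = "eyJncm91cCI6ICIxODUzIiwgIm1vZGUiOiAiYXV0aCJ9"
IDP_SSO_URL = "http://sso.equinix.com/idp/SSO.saml2"

# Constructed AuthnRequest; ID and Issuer are placeholders, not values from the page
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_constructed-request-id" Version="2.0" IssueInstant="2014-01-16T01:39:06Z" '
    'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
    'AssertionConsumerServiceURL="https://bluejeans.com/sso/saml2/">'
    "<saml:Issuer>urn:example:sp-entity-id-placeholder</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def encode_redirect_request(authn_request_xml: str) -> str:
    """Redirect binding: raw DEFLATE (no zlib header, wbits=-15), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    raw = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    return base64.b64encode(raw).decode("ascii")


def decode_redirect_request(saml_request: str) -> str:
    """Inverse of encode_redirect_request: base64-decode, then raw inflate."""
    raw = base64.b64decode(saml_request)
    return zlib.decompress(raw, -15).decode("utf-8")


def decode_relay_state(relay_state: str) -> dict:
    """BlueJeans' RelayState is base64(JSON); to the IdP it is an opaque string."""
    padded = relay_state + "=" * (-len(relay_state) % 4)
    return json.loads(base64.b64decode(padded))


def build_redirect_url(sso_url: str, authn_request_xml: str, relay_state: str) -> str:
    """What the SP hands the browser in step 2 (urlencode does the %-escaping)."""
    query = urlencode({"SAMLRequest": encode_redirect_request(authn_request_xml),
                       "RelayState": relay_state})
    return f"{sso_url}?{query}"


def decode_redirect_url(url: str) -> dict:
    """What a tracer shows for the GET in step 3: the request XML and the state."""
    params = parse_qs(urlsplit(url).query)
    return {
        "SAMLRequest": decode_redirect_request(params["SAMLRequest"][0]),
        "RelayState": decode_relay_state(params["RelayState"][0]),
    }


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST, RELAY_STATE)
    print(url)
    print(decode_redirect_url(url))
```

Pasting the full redirect URL captured in step 3 into decode_redirect_url() shows the AuthnRequest PingFederate received and the group and mode BlueJeans stashed in RelayState, which is the first thing to compare when a RelayState-related login failure is suspected.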

 

4. IdP challenges the user for authentication

The PingFederate runtime engine challenges the user to provide credentials. A pop-up is shown in the browser to enter username and password.

E.g.

HTTP/1.1 401 Unauthorized

5. Browser provides user credentials

Once the user enters username and password, the browser sends them in the Authorization header to PingFederate.

E.g.

GET https://sso.equinix.com/idp/SWQE2/resumeSAML20/idp/SSO.ping HTTP/1.1
.......
Connection: Keep-Alive
Cookie: JSESSIONID=17w3gkm2m4cce1qoigzwznta2x; PF=grXTPmFEdtVClEFfAysFovJ4qkQ49hR5wdD7wr92Aoi0
Authorization: NTLM TlRMTVNTUAADAAAAGAAYAIYAAAAeAR4BngAAAAwADABYAAAADAAMAGQAAAAWABYAcAAAAAAAAAC8AQAABYKIIgYBsR0AAAAPLph1mEGap9wZd+9XgSgN7kcATABPAEIAQQBMAHIAcwBlAHQAaABpAFUAUwBMAFAAMwBHAFIAWQA0AFEAMQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC55oBfZ0s9jjbemAaeQdt7AQEAAAAAAABWHdjCWxLPAe5vMw5mXsjzAAAAAAIADABHAEwATwBCAEEATAABABIAUABJAE4ARwBBAEcARQBOAFQABAAkAGcAbABvAGIAYQBsAC4AZQBxAHUAaQBuAGkAeAAuAGMAbwBtAAMAFABTAFYAMgBQAEcARgBFAEQAMAAxAAgAMAAwAAAAAAAAAAAAAAAAMAAAnwuKqYRp8Cm8TmsXNr9E9ZkQWLfg7JWkC4dmy95a1g4GAAQABAAAAAoAEAA4nfB9tKN0m+HCMcymx1GeCQAwAEgAVABUAFAALwBzAHMAbwAuAHcAaQBwAC4AZQBxAHUAaQBuAGkAeAAuAGMAbwBtAAAAAAAAAAAA
Host: sso.equinix.com

6. IdP authenticates and sends back the SAML Response

Once the user is authenticated, PingFederate generates a signed SAML assertion for the SP’s (BlueJeans) Assertion Consumer Service (ACS) endpoint (https://bluejeans.com/sso/saml2/, as given in the metadata).

[Note: In some instances the ACS URL was found to be missing the trailing ‘/’ in the configuration; PingFederate may be dropping it while importing the metadata. This can cause parameters such as ‘RelayState’ not to be appended correctly to the SAML response, leading to login failure.]

E.g.

HTTP/1.1 200 OK
.......
<!-- template name: form.autopost.template.html -->
<html>
  <head>
    <title>Submit Form</title>
  </head>
  <body onload="javascript:document.forms[0].submit()">
    <noscript>
      <p>
        <strong>Note:</strong> Since your browser does not support JavaScript,
        you must press the Resume button once to proceed.
      </p>
    </noscript>
    <form method="post" action="https://bluejeans.com/sso/saml2/">
      <input type="hidden" name="SAMLResponse" value="PHNhbWxwOlJlc3BvbnNlIEluUmVzcG9uc2VUbz0iXzY2NGIyMDdiNTFiNjg0NzA0N2I4YjBkNjcxN2YwNzQ3OWMxYWE4OTMiIElzc3VlSW5zdGFudD0iMjAxNC0wMS0xNlQwMTozOToxMS44MDhaIiBJRD0iTnlxNWpkWmZaRTFNYlFUbGwtdS40YmVuQmdLIiBWZXJzaW9uPSIyLjAiIHhtbG5zOnNhbWxwPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6cHJvdG9jb2wiPjxzYW1sOklzc3VlciB4bWxuczpzYW1sPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6YXNzZXJ0aW9uIj5FcXVpbml4U1NPPC9zYW1sOklzc3Vlcj48c2FtbHA6U3RhdHVzPjxzYW1scDpTdGF0dXNDb2RlIFZhbHVlPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6c3RhdHVzOlN1Y2Nlc3MiLz48L3NhbWxwOlN0YXR1cz48c2FtbDpBc3NlcnRpb24gVmVyc2lvbj0iMi4wIiBJc3N1ZUluc3RhbnQ9IjIwMTQtMDEtMTZUMDE6Mzk6MTIuNTU4WiIgSUQ9ImhQUVpha1BoXzkxU3FIaVF5dXA5aTRrV2tUNSIgeG1sbnM6c2FtbD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFzc2VydGlvbiI+PHNhbWw6SXNzdWVyPkVxdWluaXhTU088L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4

 

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

 

OkF0dHJpYnV0ZVZhbHVlIHhzaTp0eXBlPSJ4czpzdHJpbmciIHhtbG5zOnhzaT0iaHR0cDovL3d3dy53My5vcmcvMjAwMS9YTUxTY2hlbWEtaW5zdGFuY2UiPnJzZXRoaUBlcXVpbml4LmNvbTwvc2FtbDpBdHRyaWJ1dGVWYWx1ZT48L3NhbWw6QXR0cmlidXRlPjwvc2FtbDpBdHRyaWJ1dGVTdGF0ZW1lbnQ+PC9zYW1sOkFzc2VydGlvbj48L3NhbWxwOlJlc3BvbnNlPg=="/>
      <input type="hidden" name="RelayState" value="eyJncm91cCI6ICIxODUzIiwgIm1vZGUiOiAiYXV0aCJ9"/>
      <noscript><input type="submit" value="Resume"/></noscript>
    </form>
  </body>
</html>

7. Browser posts the SAML response to the SP

The browser constructs an HTTP-POST request with the SAML Response as the body and sends it to the action URL given in the previous step (https://bluejeans.com/sso/saml2/ in our case). Check that the ‘RelayState’ parameter is appended correctly at the end of the SAML Response.

E.g.

POST https://bluejeans.com/sso/saml2/ HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://sso.equinix.com/idp/SWQE2/resumeSAML20/idp/SSO.ping
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Content-Type: application/x-www-form-urlencoded
……..

SAMLResponse=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%2BPHNhbWw6SXNzdWVyPkVxdWluaXhTU088L3NhbWw6SXNzdWVyPjxkczpTaWduYXR1cmUgeG1sbnM6ZHM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyMiPgo8ZHM6U2lnbmVkSW5mbz4KPGRzOkNhbm9uaWNhbGl6YXRpb25NZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAxLzEwL3htbC1leGMtYzE0biMiLz4KPGRzOlNpZ25hdHVyZU1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNyc2Etc2hhMSIvPgo8ZHM6UmVmZXJlbmNlIFVSST0iI2hQUVpha1BoXzkxU3FIaVF5dXA5aTRrV2tUNSI%2BCjxkczpUcmFuc2Zvcm1zPgo8ZHM6VHJhbnNmb3JtIEFsZ29yaXRobT0iaHR0cDovL3d3dy53My5vcmcvMjAwMC8wOS94bWxkc2lnI2VudmVsb3BlZC1zaWduYXR1cmUiLz4KPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIvPgo8L2RzOlRyYW5zZm9ybXM%2BCjxkczpEaWdlc3RNZXRob2QgQWxnb3JpdGhtPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwLzA5L3htbGRzaWcjc2hhMSIvPgo8ZHM6RGlnZXN0VmFsdWU%2BajlpbjRTMmw0RTlrbml0OUhJQ042d3NXTFlRPTwvZHM6RGlnZXN0VmFsdWU%2BCjwvZHM6UmVmZXJlbmNlPgo8L2RzOlNpZ25lZEluZm8%2BCjxkczpTaWduYXR1cmVWYWx1ZT4KVWJmQ0dlQUhROFRGKytRb2JSYTNBSzdpRXlOMVJzNktybGFLOWp1TFN3THlPT2dUNXR4cVRMODFGQm8wdkRrVm1KNFJ6M01xa3JWZQptRGtkaWY4OHV3ZjVOSFJRbi9iNG1HMW0rc3JuQkpFVE5ZWFkxV2ZzQm9GY3NnWTdkREtM
YjBrcDVYWlo3azRGL1lVamJCbVRZaVV3ClNpTzFZb1lkWmFSbzZoSW9qL3ZzRGg0NU8weHNXL3g2cXVPYnIxdDB5eW9MQnovZkZjNHgxV0FwOXVIODR5K2JGbm40NWN2WjFscWUKN3gyUVVIeDlBVjhVV1BhL0ZzVHFXbzRlaTFOZTBha3ZsUTBGRE9kUjZqcjM5OW1jb1E5U2pOUVh4Qy8wSG82YkdjUkJsYTZMTWVtVgpWWWNRT1kwdE05QWZJSWhMSnM3SE1ER2E2ZWx1aTA0MXVGQUkxQT09CjwvZHM6U2lnbmF0dXJlVmFsdWU%2BCjwvZHM6U2lnbmF0dXJlPjxzYW1sOlN1YmplY3Q%2BPHNhbWw6TmFtZUlEIEZvcm1hdD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6MS4xOm5hbWVpZC1mb3JtYXQ6dW5zcGVjaWZpZWQiPnJzZXRoaTwvc2FtbDpOYW1lSUQ%2BPHNhbWw6U3ViamVjdENvbmZpcm1hdGlvbiBNZXRob2Q9InVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDpjbTpiZWFyZXIiPjxzYW1sOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0iXzY2NGIyMDdiNTFiNjg0NzA0N2I4YjBkNjcxN2YwNzQ3OWMxYWE4OTMiIE5vdE9uT3JBZnRlcj0iMjAxNC0wMS0xNlQwMTo0NDoxMi41NThaIiBSZWNpcGllbnQ9Imh0dHBzOi8vYmx1ZWplYW5zLmNvbS9zc28vc2FtbDIvIi8%2BPC9zYW1sOlN1YmplY3RDb25maXJtYXRpb24%2BPC9zYW1sOlN1YmplY3Q%2BPHNhbWw6Q29uZGl0aW9ucyBOb3RPbk9yQWZ0ZXI9IjIwMTQtMDEtMTZUMDE6NDQ6MTIuNTU4WiIgTm90QmVmb3JlPSIyMDE0LTAxLTE2VDAxOjM0OjEyLjU1OFoiPjxzYW1sOkF1ZGllbmNlUmVzdHJpY3Rpb24%2BPHNhbWw6QXVkaWVuY2U%2BaHR0cDovL3NhbWxzcC5ibHVlamVhbnMuY29tPC9zYW1sOkF1ZGllbmNlPjwvc2FtbDpBdWRpZW5jZVJlc3RyaWN0aW9uPjwvc2FtbDpDb25kaXRpb25zPjxzYW1sOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNC0wMS0xNlQwMTozOToxMi41NThaIiBTZXNzaW9uSW5kZXg9ImhQUVpha1BoXzkxU3FIaVF5dXA5aTRrV2tUNSI%2BPHNhbWw6QXV0aG5Db250ZXh0PjxzYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPnVybjpvYXNpczpuYW1lczp0YzpTQU1MOjIuMDphYzpjbGFzc2VzOnVuc3BlY2lmaWVkPC9zYW1sOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDpBdXRobkNvbnRleHQ%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%3D%3D&RelayState=eyJncm91cCI6ICIxODUzIiwgIm1vZGUiOiAiYXV0aCJ9                  

 

8. SP validates the assertion and accepts the user login; the SSO flow is complete

The SAML response comes back to the live partition (z1) of bluejeans.com. On decoding the SAML response, the SP looks for the attributes of interest (mapped previously), in this case ‘Email’ and ‘User Id’. The signed assertion is validated and login is allowed.

E.g. Decoded SAML Response

<samlp:Response InResponseTo="_d684b9a68631aa191ae193197afa9acbc7146cac" IssueInstant="2014-01-15T23:35:44.959Z" ID="H-Ffase7vMRsSxGN6Mpb2Iq5-O-" Version="2.0">
….
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="User Id">
  <saml:AttributeValue xsi:type="xs:string">rsethi</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" Name="Email">
  <saml:AttributeValue xsi:type="xs:string">[email protected]</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>

In the call flow shown above the user belongs to the beta partition (z2), so BlueJeans redirects the browser to z2.bluejeans.com.

E.g. Redirecting the user to the appropriate partition

HTTP/1.1 302 FOUND
Date: Thu, 16 Jan 2014 01:39:13 GMT
Server: Apache/2.2.22 (Ubuntu)
Vary: Cookie,Accept-Encoding
Location: https://z2.bluejeans.com/scheduling?auth_token=01402f827e4f11e3aadc00266cf42948
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
P3P: CP="IDC DSP COR ADM DEVi TAIi PSA PSD IVAi IVDi CONi HIS OUR IND CNT"
Set-Cookie: sessionid=dfd48092be3ee734f1bfece82bff16da; httponly; Path=/;HttpOnly; secure
Set-Cookie: xd_sessionid=cc655f29bcf58343c0afe7485c2e36c6; Domain=.bluejeans.com; expires=Thu, 16-Jan-2014 01:41:13 GMT; httponly; Max-Age=120; Path=/;HttpOnly; secure
Content-Length: 0
Keep-Alive: timeout=15, max=98
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
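The validation behind step 8 ties together the signed-assertion requirement from 2.4, the ACS URL mapping from 2.3 and the attribute contract from 2.6. The Python script below is an added example, not BlueJeans code: the SAML Response is constructed to mirror the structure of the decoded response above, with placeholder IDs, issuer, audience and e-mail address. Cryptographic verification of the XML signature is assumed to be done by an XML-DSig library supplied as a callback, so the code itself only checks that a signature is present and references this assertion; everything else (status, InResponseTo, bearer confirmation, Recipient, validity window, audience, required attributes) is checked directly.

```python
"""Added example: the acceptance checks an SP applies to a POSTed SAMLResponse.
The sample response is constructed (IDs, issuer, audience and e-mail are
placeholders); XML-DSig verification is delegated to an optional callback."""
import base64
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_response-id-placeholder" Version="2.0" IssueInstant="2014-01-16T01:39:11.808Z"
    InResponseTo="_constructed-request-id">
  <saml:Issuer>IdPIssuerPlaceholder</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assertion-id-placeholder" Version="2.0" IssueInstant="2014-01-16T01:39:12.558Z">
    <saml:Issuer>IdPIssuerPlaceholder</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:Reference URI="#_assertion-id-placeholder"/></ds:SignedInfo>
      <ds:SignatureValue>signature-placeholder</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>rsethi</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_constructed-request-id"
            NotOnOrAfter="2014-01-16T01:44:12.558Z" Recipient="https://bluejeans.com/sso/saml2/"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2014-01-16T01:34:12.558Z" NotOnOrAfter="2014-01-16T01:44:12.558Z">
      <saml:AudienceRestriction><saml:Audience>urn:example:sp-entity-id-placeholder</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="User Id"><saml:AttributeValue>rsethi</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()

# What the SP expects; request_id is the ID of the AuthnRequest it issued in step 2
EXPECTED = {
    "request_id": "_constructed-request-id",
    "acs_url": "https://bluejeans.com/sso/saml2/",   # exact match, trailing '/' included
    "audience": "urn:example:sp-entity-id-placeholder",
    "required_attributes": ["Email"],                # contract names are case-sensitive
}


def parse_time(value: str) -> datetime:
    """xs:dateTime in UTC ('Z' suffix); fractional seconds are optional."""
    stamp = value.rstrip("Z").split(".")[0]
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def validate_saml_response(response_b64, expected, now, skew=timedelta(seconds=60),
                           verify_signature=None):
    """Return (accepted, reasons, attributes). Any reason means the login is rejected."""
    reasons = []
    root = ET.fromstring(base64.b64decode(response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        reasons.append("status is not Success")
    if root.get("InResponseTo") != expected["request_id"]:
        reasons.append("InResponseTo does not match the request this SP issued")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, reasons + ["no Assertion in response"], {}
    sig = assertion.find("ds:Signature", NS)
    ref = sig.find("ds:SignedInfo/ds:Reference", NS) if sig is not None else None
    if sig is None:
        reasons.append("assertion is not signed (BlueJeans requires signed assertions)")
    elif ref is None or ref.get("URI") != "#" + assertion.get("ID", ""):
        reasons.append("signature does not reference this assertion")
    elif verify_signature is not None and not verify_signature(assertion):
        reasons.append("signature verification failed")
    sc = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        reasons.append("no bearer SubjectConfirmation")
    else:
        if scd.get("Recipient") != expected["acs_url"]:
            reasons.append(f"Recipient {scd.get('Recipient')!r} != ACS URL {expected['acs_url']!r}")
        if scd.get("InResponseTo") != expected["request_id"]:
            reasons.append("SubjectConfirmationData InResponseTo mismatch")
        if now >= parse_time(scd.get("NotOnOrAfter")) + skew:
            reasons.append("subject confirmation expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("no Conditions element")
    else:
        if now < parse_time(cond.get("NotBefore")) - skew:
            reasons.append("assertion not yet valid")
        if now >= parse_time(cond.get("NotOnOrAfter")) + skew:
            reasons.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if expected["audience"] not in audiences:
            reasons.append("audience restriction does not name this SP")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = value.text if value is not None else None
    for name in expected["required_attributes"]:
        if not attrs.get(name):
            reasons.append(f"required attribute {name!r} missing (names are case-sensitive)")
    return not reasons, reasons, attrs
```

The Recipient comparison is an exact string match, which is why the trailing ‘/’ noted under step 6 matters: an ACS URL configured without it produces an assertion that a strict SP must reject. The attribute lookup is likewise exact, matching the case-sensitive contract of 2.6.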

 

9, 10. Browser sends request to the beta partition and the scheduling page is rendered

This step is optional and depends on whether the user is located in the live or the beta partition. If the user is in the live partition, the scheduling page is rendered at step 8 itself. At this point the SSO flow is already complete.

E.g.

GET https://z2.bluejeans.com/scheduling/?auth_token=01402f827e4f11e3aadc00266cf42948 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Referer: https://sso.equinix.com/idp/SWQE2/resumeSAML20/idp/SSO.ping
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: z2.bluejeans.com
Cookie: sessionid=dfd48092be3ee734f1bfece82bff16da; xd_sessionid=cc655f29bcf58343c0afe7485c2e36c6
Connection: Keep-Alive
Cache-Control: no-cache

Scheduling page is rendered:

HTTP/1.1 200 OK
...

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" class="snowy "><head>
<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0">
<meta name="robots" content="noindex, nofollow">
<title>Meetings - Blue Jeans Network | Video Collaboration in the Cloud </title>

 

4. BlueJeans SSO Settings Summary (screenshots)

5. PingFederate Settings Summary (screenshots)

6. Reference

[1] PingFederate 6.1 Administrator’s Manual – https://www.pingidentity.com/support-and-downloads/product-documentation/pingfederate/6-1/loader.cfm?csModule=security/getfile&PageID=5395