SAML_Wikispaces
Transcript of SAML_Wikispaces
8/16/2019 SAML_Wikispaces
Chapter 85
Wikispaces
Wikispaces offers SP-initiated SAML SSO (for SSO access directly through the Wikispaces web application). The following is an overview of the steps required to configure the Wikispaces web application for single sign-on (SSO) via SAML.
1 Prepare Wikispaces for single sign-on (see Wikispaces requirements for SSO).
2 In the Centrify Cloud Manager, add the application and configure application settings.
Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring Wikispaces in Cloud Manager.
3 Configure the Wikispaces application for single sign-on.
To configure Wikispaces for SSO, contact a Wikispaces customer support representative and give them the downloaded Identity Provider SAML Metadata file available from the Cloud Manager Application Settings page. For details, see Contacting Wikispaces to enable SSO.
After you are done configuring the application settings in the Cloud Manager and the Wikispaces application, users are ready to authenticate using the Centrify cloud directory.
Preparing for Wikispaces Configuration
Wikispaces requirements for SSO
Before you configure the Wikispaces web application for SSO, you need the following:
• Identity Provider SAML Metadata downloaded from the Cloud Manager.
• A signed certificate. You can either download one from Cloud Manager or use your organization's trusted certificate.
Setting up the certificates for SSO
To establish a trusted connection between the web application and the cloud service, you need to have the same signing certificate in both the application and the application settings in Cloud Manager.
If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You also upload the public key certificate in a .cer or .pem file to the web application.
What you need to know about Wikispaces
Each SAML application is different. The following table lists features and functionality specific to Wikispaces.
Capability                                         Supported?  Support details
Web browser client                                 Yes
Mobile client                                      No
SAML 2.0                                           Yes
SP-initiated SSO                                   Yes         Users may go directly to a supplied Wikispaces URL and then use the Centrify identity platform SSO to authenticate.
IdP-initiated SSO                                  No
Force user login via SSO only                      No          Administrators and users can still log in with a user name and password after SSO is enabled.
Separate administrator login after SSO is enabled  No
User or Administrator account lockout risk         No          User name and password login is always available.
Automatic user provisioning                        No
Self-service password                              N/A
Access restriction using a corporate IP range      Yes         You can specify an IP Range in the Cloud Manager Policy page to restrict access to the application.

Configuring Wikispaces in Cloud Manager
To add and configure the Wikispaces application in Cloud Manager:
1 In Cloud Manager, click Apps.
2 Click Add Web Apps.
The Add Web Apps screen appears.
3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4 Next to the application, click Add.
5 In the Add Web App screen, click Yes to confirm.
Cloud Manager adds the application.
6 Click Close to exit the Application Catalog.
The application that you just added opens to the Application Settings page.
7 Configure the following:
Field: Identity Provider Entity ID
  Required or optional: Required
  Set it to: The cloud service automatically generates the content for this field.
  What you do: This content is automatically included in the Identity Provider SAML Metadata.

Field: Your Wikispaces Service Provider Entity ID
  Required or optional: Required
  Set it to: https://session.wikispaces.net/[number]/
  What you do: Enter the Wikispaces Service Provider (SP) Entity ID you received from Wikispaces. The ID is part of the Wikispaces Service Provider metadata URL. The URL format is https://session.wikispaces.net/[number]/ where [number] represents the entity ID. For example, https://session.wikispaces.net/1234/
Field: Download Identity Provider SAML Metadata
  Required or optional: Required
  Set it to: The cloud service automatically generates the content for this field.
  What you do: Click the link to download the Metadata file. Send the metadata file to [email protected] and give Wikispaces the following attribute mapping information:
  • SAML Attribute Username = Display Name
  • SAML Attribute Email Address = Email Address
  • SAML Attribute GUID = Email Address

Field: Download Signing Certificate
  Required or optional: Required
  Set it to: The cloud service automatically generates the content.
  What you do: If necessary, click the link to download the default Signing Certificate. The certificate content is automatically included as part of the Identity Provider SAML Metadata. To use a certificate with a private key (pfx file) from your local storage, see below. If you replace the certificate, download the Identity Provider Metadata again and give the new file to Wikispaces.

8 On the Application Settings page, expand the Additional Options section and specify the following settings:

Option: Application ID
  Description: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
  • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
  • There can only be one SAML application deployed with the name used by the mobile application.
  The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Option: Show in User app list
  Description: Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

Option: Security Certificate
  Description: These settings specify the signing certificate used for secure SSO authentication between the cloud service and the web application. Be sure to use a matching certificate both in the application settings in the Cloud Manager and in the application itself. Select an option to change the signing certificate.
  • Use existing certificate
  When selected, the certificate currently in use is displayed. It's not necessary to select this option; it's present to display the current certificate in use.
  • Use the default tenant signing certificate
  Select this option to use the cloud service standard certificate. This is the default setting.
  • Use a certificate with a private key (pfx file) from your local storage
  Select this option to use your organization's own certificate. To use your own certificate, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.
  Upload the certificate from your local storage prior to downloading the IdP metadata or the Signing Certificate from the Application Settings page. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.

Note: Show in user app list is not set by default for the Wikispaces application.

9 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.
The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.
10 On the User Access page, select the role(s) that represent the users and groups that have access to the application.
When assigning an application to a role, select either Automatic Install or Optional Install:
• Select Automatic Install for applications that you want to appear automatically for users.
• If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.
11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
• Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
• Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.
12 On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
• Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify cloud directory.
• Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
• Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
LoginUser.Username = LoginUser.Get('mail')+'.ad';
The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add '.ad' to the end. So, if the user's mail attribute value is [email protected], the cloud service sets the login user name to that value with '.ad' appended. For more information about writing a script to map user accounts, see SAML application scripting.
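The following is an added example, not code from the Centrify documentation: it runs the mapping line above against a stand-in LoginUser object so the result can be inspected offline, shows what the one-liner produces for a user who has no mail attribute, and builds the attribute set Wikispaces asks for (Username = Display Name, Email Address = Email Address, GUID = Email Address). LoginUser.Get and LoginUser.Username are the names the page uses; the mock object, the directory attribute name displayName, the stricter mapping variant and the sample records are assumptions made for this example.

```javascript
// Added example, not code from the Centrify documentation or the Wikispaces project.
// It exercises the account mapping script logic from the page offline. The names
// LoginUser.Get(name) and LoginUser.Username come from the page; the mock object,
// the directory attribute "displayName", and the sample records are assumptions made
// for this example (a real mapping script runs inside the cloud service, not Node).

// Stand-in for the LoginUser object a mapping script operates on (assumed behaviour:
// Get returns undefined for an attribute the directory record does not carry).
function makeLoginUser(attributes) {
  return {
    Username: null,
    Get(name) {
      return attributes[name];
    },
  };
}

// The page's one-line script, LoginUser.Username = LoginUser.Get('mail')+'.ad', as a
// function so its result can be inspected.
function mapUsernameFromMail(loginUser) {
  loginUser.Username = loginUser.Get("mail") + ".ad";
  return loginUser.Username;
}

// Stricter variant: the one-liner maps a user with no mail attribute to the literal
// string "undefined.ad", which is not an identity anyone intended. This version
// refuses to map such a user, and lower-cases the address so that two directory
// records differing only in case cannot become two different application accounts
// (whether that is wanted depends on the application; it is a choice made here).
function mapUsernameFromMailStrict(loginUser) {
  const mail = loginUser.Get("mail");
  if (typeof mail !== "string" || !mail.includes("@")) {
    throw new Error("mail attribute missing or malformed; refusing to map the account");
  }
  loginUser.Username = mail.trim().toLowerCase() + ".ad";
  return loginUser.Username;
}

// The attribute mapping the page says to give Wikispaces: Username = Display Name,
// Email Address = Email Address, GUID = Email Address. Because GUID is the e-mail
// address, the e-mail attribute is effectively the user's identifier at Wikispaces,
// so it must be present for every user assigned to the application.
function wikispacesAttributes(loginUser) {
  const mail = loginUser.Get("mail");
  const displayName = loginUser.Get("displayName");
  if (!mail || !displayName) {
    throw new Error("both displayName and mail are required for the Wikispaces mapping");
  }
  return { Username: displayName, "Email Address": mail, GUID: mail };
}

// Constructed sample directory records (not real users).
const SAMPLE_USER = { displayName: "Jane Smith", mail: "JSmith@example.com" };
const SAMPLE_USER_NO_MAIL = { displayName: "Service Account" };

function demo() {
  console.log(mapUsernameFromMail(makeLoginUser(SAMPLE_USER)));         // JSmith@example.com.ad
  console.log(mapUsernameFromMail(makeLoginUser(SAMPLE_USER_NO_MAIL))); // undefined.ad
  console.log(mapUsernameFromMailStrict(makeLoginUser(SAMPLE_USER)));   // jsmith@example.com.ad
  console.log(wikispacesAttributes(makeLoginUser(SAMPLE_USER)));
}
demo();
```

The second output line is the point of the example: with the one-liner as written, a directory record that lacks the mail attribute still produces a login name, so the user assigned to the application should be checked for a populated mail attribute before the mapping is relied on.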
13 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see SAML application scripting.
14 (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
15 (Optional) Click Workflow to set up a request and approval work flow for this application.
The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.
16 Click Save.
After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.
Contacting Wikispaces to enable SSO
To configure Wikispaces for SSO:
1 Email Wikispaces at the following address: [email protected] and include:
• Identity Provider SAML Metadata you downloaded in Step 7 of Configuring Wikispaces in Cloud Manager.
• Attribute mapping information:
  SAML Attribute Username = Display Name
  SAML Attribute Email Address = Email Address
  SAML Attribute GUID = Email Address
2 If you haven't done so already, get the Service Provider Entity ID from Wikispaces and enter it into the Wikispaces Service Provider Entity ID field in the Cloud Manager Application Settings page.
For more information about Wikispaces
For more information about configuring Wikispaces for SSO, contact Wikispaces support.