
Redtail SAML 2.0 Specifications

Redtail supports the SAML 2.0 protocol, the industry standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider, for both outbound and inbound SSO. SAML 2.0 defines an architecture, protocol, and schema for secure identity management and single sign-on across organizations. This document describes the technical details for implementing this exchange.

Inbound:

Redtail can act as a service provider to support IDP-initiated inbound SSO. In this case the user's identity has already been verified by the partner, who requests SSO into Redtail, so Redtail acts as the SP (Service Provider). Below are the default configurations.

  • Assertion will be signed with partner’s private key.
  • Assertion Encryption is supported. By default assertion will be unencrypted.
  • Attributes can be added if required.
  • SLO (Single Logout) is not supported.

Development/Test

ACS: http://dev.api2.redtailtechnology.com/integrations/saml/20/in.aspx

Production

ACS: https://api2.redtailtechnology.com/integrations/saml/20/in.aspx


Outbound:

Redtail can act as an identity provider to support IDP-initiated outbound SSO. A sample outgoing SAML response is shown later in this document.

  • Assertion will be signed with Redtail’s public key. 
  • A userkey identifying the Redtail user will be sent as the NameID.
  • Assertion Encryption is supported. By default assertion will be unencrypted.
  • Extra attributes can be added if required.
  • SLO (Single Logout) is not supported.


Development/Test

The public key can be obtained from https://dev.api2.redtailtechnology.com

Production

The public key can be obtained from https://api2.redtailtechnology.com

Basic use case

  1. The user logs into Redtail CRM or is already logged in.
  2. The user clicks a link to launch the partner application.
  3. Redtail calls the SAML SSO service, which creates, signs and sends the SAML response to the configured URL.


IDP-initiated SSO: Sample SAML response

<samlp:Response ID="_aa610ca2-cf6c-430f-b3bc-eca8fdb07eff" Version="2.0" IssueInstant="2013-03-29T18:05:14.954Z" Destination="https://partner.com/" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://dev.api2.redtailtechnology.com/</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="_98c27382-ed4e-44c8-a8d9-7fef665cb27a" IssueInstant="2013-03-29T18:05:14.451Z" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>https://dev.api2.redtailtechnology.com/</saml:Issuer>
    <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
        <CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
        <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
        <Reference URI="#_98c27382-ed4e-44c8-a8d9-7fef665cb27a">
          <Transforms>
            <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            <Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
              <InclusiveNamespaces PrefixList="#default saml ds xs xsi" xmlns="http://www.w3.org/2001/10/xml-exc-c14n#" />
            </Transform>
          </Transforms>
          <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
          <DigestValue>IOglISyARu5uSXoKP62Z+GNEQrM=</DigestValue>
        </Reference>
      </SignedInfo>
      <SignatureValue></SignatureValue>
      <KeyInfo>
        <X509Data>
          <X509Certificate></X509Certificate>
        </X509Data>
      </KeyInfo>
    </Signature>
    <saml:Subject>
      <saml:NameID NameQualifier="https://dev.api2.redtailtechnology.com/" SPNameQualifier="MoneyGuidePro" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">SAMPLE_USER_KEY</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2013-03-29T18:07:14.453Z" Recipient="https://partner.com/" />
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-29T18:03:14.452Z" NotOnOrAfter="2013-03-29T18:07:14.452Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://partner.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-29T18:05:14.453Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
    <saml:AttributeStatement>
      <saml:Attribute Name="UserKey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue>SAMPLE_USER_KEY</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
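The receiving side of either flow (the partner for outbound SSO, Redtail's ACS for inbound SSO) has to check more than the signature before trusting the NameID and UserKey in a response like the one above. The following added example (not Redtail's code) shows those relying-party checks on a constructed response with the same structure: Status, Destination, Issuer, Conditions window, Audience, and bearer SubjectConfirmation Recipient and expiry. It assumes the XML signature has already been verified with the issuer's certificate by a SAML library; the expected issuer, receiving URL and clock value passed in are assumptions for the sample.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample shaped like the page's response; the Signature element is omitted because
# this example assumes signature verification has already been done by a SAML library.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1"
 IssueInstant="2013-03-29T18:05:14.954Z" Destination="https://partner.com/">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion Version="2.0" ID="_a1" IssueInstant="2013-03-29T18:05:14.451Z">
  <saml:Issuer>https://dev.api2.redtailtechnology.com/</saml:Issuer>
  <saml:Subject><saml:NameID>SAMPLE_USER_KEY</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2013-03-29T18:07:14.453Z" Recipient="https://partner.com/"/>
   </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2013-03-29T18:03:14.452Z" NotOnOrAfter="2013-03-29T18:07:14.452Z">
   <saml:AudienceRestriction><saml:Audience>https://partner.com/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="UserKey">
   <saml:AttributeValue>SAMPLE_USER_KEY</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion></samlp:Response>"""

def _ts(s):  # SAML timestamps are UTC, e.g. 2013-03-29T18:05:14.954Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, expected_issuer, my_url, now_str):
    """Relying-party checks on a received response; returns (NameID, attributes) or raises."""
    now, r = _ts(now_str), ET.fromstring(xml_text)
    if r.find("samlp:Status/samlp:StatusCode", NS).get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        raise ValueError("status is not Success")
    assertions = r.findall("saml:Assertion", NS)
    if r.get("Destination") != my_url or len(assertions) != 1:
        raise ValueError("Destination is not this service provider, or not exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != expected_issuer:
        raise ValueError("Assertion Issuer is not the expected identity provider")
    c = a.find("saml:Conditions", NS)  # NotBefore <= now < NotOnOrAfter, and we must be an Audience
    if not (_ts(c.get("NotBefore")) <= now < _ts(c.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    if my_url not in [e.text for e in c.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("this service provider is not in the Audience")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)  # bearer: Recipient must be us, not expired
    d = sc.find("saml:SubjectConfirmationData", NS)
    if sc.get("Method") != "urn:oasis:names:tc:SAML:2.0:cm:bearer" or d.get("Recipient") != my_url \
            or now >= _ts(d.get("NotOnOrAfter")):
        raise ValueError("bearer SubjectConfirmation is not valid for this recipient now")
    attrs = {x.get("Name"): x.findtext("saml:AttributeValue", namespaces=NS)
             for x in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), attrs
```

Only after every check passes should the returned NameID or UserKey be mapped to a local session; a response replayed after 18:07:14Z or addressed to a different Recipient is rejected before any attribute is read.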


SAML Wiki Knowledgebase
