Introduction
For SSO (Single Sign-On) integration, Innomesh acts as a Service Provider (SP) and can integrate with an identity provider (IdP) set up by your organisation. The most common use case is integrating with your Active Directory using Security Assertion Markup Language 2.0 (SAML2). This tech note describes the process for achieving this.
Overview
Innomesh has two components that require separate SSO integration:
- The main Innomesh portals. This integration is based on AWS Cognito.
- The Information Admin Portal, using a custom SAML integration.
The first component is usually the main candidate for SSO integration. The second component is optional and is usually not required, depending on:
- Whether the Information Portal is enabled on your tenancy.
- Whether you require the ability to manage users on the Information Admin Portal via your IdP.
Integration Steps
Step 1 – Provide Your Organisation’s SAML Metadata File
To get started with the Innomesh SSO integration, please provide Innomate with your organisation’s SAML metadata file. Ideally this is located at a URL that can be dynamically fetched as required, but it can also be provided as a file.
Step 2 – Set up Your Organisation’s IdP
- Add relying party trust for AWS (required for some IdPs):
https://signin.aws.amazon.com/static/saml-metadata.xml
Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/saml-identity-provider.html
- Configure the SAML Audience (or Entity ID) for the Innomesh Portals. This will be provided to you by Innomate, and usually takes the form:
urn:amazon:cognito:sp:ap-southeast-2_xxxxxxxxx
- Configure the Assertion Consumer Service (ACS) URL (or Reply URL) for the Innomesh Portals. This will be provided to you by Innomate, and usually takes the form:
https://<tenant>.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse
- (Optional) Configure the SAML Audience (or Entity ID) for the Information Admin Portal. This will be provided to you by Innomate, and usually takes the form:
https://admin.portal.<tenant>.innomesh.com.au/saml2_auth/acs
- (Optional) Configure the Assertion Consumer Service (ACS) URL for the Information Admin Portal. This will be provided to you by Innomate, and usually takes the form:
https://admin.portal.<tenant>.innomesh.com.au/saml2_auth/acs
Step 3 – Set up Required SAML Assertion Attributes
The table below outlines the SAML assertion attributes Innomesh requires from the IdP:
SAML Attribute Name | Possible Values | Description | Notes
memberof | “Innomesh_admins” | Permission level for Innomesh Room Management administrator access | Usually returned with one permission level for Innomesh and one permission level for Innoportal
memberof | “Innomesh_users” | Permission level for Innomesh Room Manager restricted (technician) access |
memberof | “Innoportal_admins” | Permission level for Innomesh Portal administrator access |
memberof | “Innoportal_users” | Permission level for Innomesh Portal restricted (technician) access |
givenName (urn:oid:2.5.4.42) | Text | User’s given name |
sn (urn:oid:2.5.4.4) | Text | User’s family name |
mail (urn:oid:0.9.2342.19200300.100.1.3) | Text in email format | Email address |
memberof is a custom attribute Innomesh uses for role-based access control (RBAC). Innomesh expects the SAML assertion to carry it in a form similar to the following:
<Attribute Name="memberof">
    <AttributeValue>Innomesh_admins</AttributeValue>
    <AttributeValue>Innoportal_admins</AttributeValue>
</Attribute>
In an Active Directory integration, AD groups can usually be mapped to the memberof values. This allows administrators to control access directly from Active Directory, simply by placing users into the relevant AD groups.
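The following is an added example, not Innomesh or Innomate code, showing how a Service Provider configured as described in Steps 2 and 3 consumes a SAML response: it checks the Audience (Entity ID) and ACS Recipient from Step 2, the validity window, the NameID presence noted in FAQ 7, the plaintext assertion expected by FAQ 5, and the required attributes from the Step 3 table, then maps memberof values to per-product permission levels. The SAML response, IdP entity ID, user details and the tenant portion of the ACS URL are constructed placeholders, and XML-signature verification is left out; a real SP verifies the signature before trusting any of these fields.

```python
"""Consume a SAML 2.0 Response the way an SP configured per this tech note would.

Added example with constructed data. XML-signature verification is out of
scope here; a real SP verifies the signature before trusting any field below.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SP-side settings in the shape the tech note gives them (placeholder values).
EXPECTED_AUDIENCE = "urn:amazon:cognito:sp:ap-southeast-2_xxxxxxxxx"
EXPECTED_ACS = "https://example-tenant.auth.ap-southeast-2.amazoncognito.com/saml2/idpresponse"

# Required attributes, accepting either the friendly name or the OID form.
ATTRIBUTE_ALIASES = {"memberof": "memberof", "givenName": "givenName", "sn": "sn", "mail": "mail",
                     "urn:oid:2.5.4.42": "givenName", "urn:oid:2.5.4.4": "sn",
                     "urn:oid:0.9.2342.19200300.100.1.3": "mail"}
REQUIRED = {"memberof", "givenName", "sn", "mail"}

# memberof value -> (product, permission level), per the table in Step 3.
ROLE_MAP = {"Innomesh_admins": ("innomesh", "admin"), "Innomesh_users": ("innomesh", "technician"),
            "Innoportal_admins": ("innoportal", "admin"),
            "Innoportal_users": ("innoportal", "technician")}

# Constructed sample response: IdP entity ID and user data are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/adfs/services/trust</saml:Issuer>
  <saml:Subject>
   <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-42</saml:NameID>
   <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z" Recipient="%s"/>
   </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
   <saml:AudienceRestriction><saml:Audience>%s</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
   <saml:Attribute Name="memberof"><saml:AttributeValue>Innomesh_admins</saml:AttributeValue>
    <saml:AttributeValue>Innoportal_users</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:2.5.4.4"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
   <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"><saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>""" % (EXPECTED_ACS, EXPECTED_AUDIENCE)


def _ts(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T00:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def roles_from_memberof(values):
    """Collapse memberof values to one level per product; admin wins over technician."""
    roles = {}
    for value in values:
        if value in ROLE_MAP:  # unknown groups confer nothing
            product, level = ROLE_MAP[value]
            if roles.get(product) != "admin":
                roles[product] = level
    return roles


def validate_response(xml_text, now, audience=EXPECTED_AUDIENCE, acs=EXPECTED_ACS):
    """Return {'name_id', 'attributes', 'roles'} or raise ValueError listing every problem."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:  # e.g. only an EncryptedAssertion was sent; a plaintext one is expected
        raise ValueError("no plaintext saml:Assertion in response")
    problems = []
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    if not name_id:  # the value is unused, but it must be present
        problems.append("NameID missing")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs:
        problems.append("Recipient does not match the ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < _ts(nb)) or (na and now >= _ts(na)):
            problems.append("assertion outside its validity window")
        if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            problems.append("audience restriction does not include our Entity ID")
    attributes = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        key = ATTRIBUTE_ALIASES.get(attr.get("Name"))
        if key:
            attributes[key] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    if missing := REQUIRED - attributes.keys():
        problems.append("required attributes missing: " + ", ".join(sorted(missing)))
    if problems:
        raise ValueError("; ".join(problems))
    return {"name_id": name_id, "attributes": attributes,
            "roles": roles_from_memberof(attributes["memberof"])}


def run_sample(xml_text=SAMPLE_RESPONSE, now_iso="2024-01-01T00:01:00Z"):
    """Validate xml_text at the given instant; return the result dict or the error text."""
    try:
        return validate_response(xml_text, _ts(now_iso))
    except ValueError as exc:
        return str(exc)
```

In production these checks are performed by the SP (AWS Cognito for the main portals), not by the tenant; the script is useful on the IdP side for sanity-checking a test assertion exported from your IdP before go-live, e.g. confirming that the Audience and ACS values from Step 2 and all four attributes from Step 3 are present and spelled exactly as required. Every failed check is collected and reported together rather than stopping at the first one, which makes IdP misconfiguration easier to diagnose.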
FAQ
Below are some of the frequently asked questions regarding Innomesh’s SSO integration.
1. Is Innomate able to provide a signing certificate?
Yes, we can, on request. A signing certificate is usually related to the IdP sign-out flow, which we do not usually enable, so in general a signing certificate should not be required.
2. Does Innomesh support IdP-Initiated SSO?
No, it does not. Attempts at IdP-initiated SSO will result in an error. Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-SAML-session-initiation.html
3. My IdP does not have the capability to support authorisation decisions using memberof. Does Innomesh have the ability to assign permissions locally?
We do have the ability to set up authorisation on the service side. It is currently not a user-facing feature, so someone from Innomate will have to set it up for each user authenticated against your IdP. For a small number of users this is not a problem, but as the user base grows having the ability to manage your own users becomes invaluable.
4. Will Innomesh be signing AuthnRequests?
Unfortunately, not at this time, as AWS Cognito currently does not support this feature.
5. Does Innomesh expect unencrypted responses?
Yes.
6. Does the Innomesh ACS use HTTP-POST binding?
Yes. Reference: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-saml-idp.html
7. Does Innomesh expect the NameID to be returned as part of the SAML assertion?
Yes, but the value itself is not used; it only needs to be present.