
News & comment tagged ‘saml’

saml, sso plugin

Bringing Ping Federate to BMC and HP ITSM

posted by John B on 9th February 2012

There's a (mistaken) belief that SAML is easy, and that a product with SAML support will integrate with other SAML products.

This is not correct.

Each vendor implements the standard as they see fit, and products need to be validated to ensure compatibility.

Ping Federate is a well-known SAML Identity Provider implementation that's used for providing Internet-based SSO. SSO Plugin (3.5.6) has been validated against Ping Federate and JSS will support this deployment.

If Internet SSO is a requirement, you can now rely on Ping Federate and SSO Plugin to provide a solution.

saml, sso plugin

What's SAML?

posted by John B on 21st December 2011

SAML is a protocol for allowing authentication over the Internet, typically associated with SSO.

Consider a company that wishes to use an Internet-based Remedy On Demand service and is already enjoying SSO Plugin on its corporate network. Users don't need to log in to ITSM, and if the company moved to Remedy On Demand (without SSO Plugin), users would have to log in. This would result in fewer people raising tickets, because people don't like barriers. However, users can have SSO access to Remedy On Demand by requesting SSO Plugin and using SAML to integrate with their Active Directory Federation Service.

The high-level process is as follows:

  1. User is sitting inside the corporate network and they try to access Remedy On Demand. They are not authenticated, so typically a login page would appear.

  2. With SSO Plugin installed on RoD, an XML request is created (by SSO Plugin) and the user's browser is redirected to the corporate Active Directory Federation Service with the XML request.

  3. ADFS decodes the XML request and decides if it's from a known third party. Once this has been established, ADFS authenticates the user and creates an XML response. The user's browser is redirected back to Remedy On Demand complete with the XML response.

  4. The request hits RoD and SSO Plugin intercepts it. The XML response is discovered, decoded, verified to be from ADFS (using public/private keys), and a username extracted. SSO Plugin now continues with an SSO login to RoD.

  5. User now has access to RoD using their standard Windows login, just as they did before moving to RoD.
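Steps 2 and 3 of the process above, as an added example (not code from SSO Plugin, ADFS or the original post). It assumes the SAML 2.0 HTTP-Redirect binding, and all URLs and entity IDs are constructed sample values; the signature verification of step 4 is not shown and belongs in a vetted XML signature library.

```python
import base64, datetime, uuid, zlib
from urllib.parse import urlencode, urlparse, parse_qs
import xml.etree.ElementTree as ET  # for untrusted input, prefer a hardened parser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample values (assumptions, not from the original post).
SP_ENTITY_ID = "https://rod.example.com/sp"
SP_ACS_URL = "https://rod.example.com/saml/acs"
IDP_SSO_URL = "https://adfs.corp.example.com/adfs/ls/"
# IdP-side registry: known service providers and the only ACS URL each may use.
KNOWN_SPS = {SP_ENTITY_ID: SP_ACS_URL}

def build_redirect_url(entity_id, acs_url, idp_url):
    """Step 2 (SP side): create the XML request and the redirect URL carrying it."""
    request_id = "_" + uuid.uuid4().hex
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="{request_id}" Version="2.0" IssueInstant="{now}" '
           f'Destination="{idp_url}" AssertionConsumerServiceURL="{acs_url}">'
           f'<saml:Issuer>{entity_id}</saml:Issuer></samlp:AuthnRequest>')
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode.
    comp = zlib.compressobj(wbits=-15)
    deflated = comp.compress(xml.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return request_id, f"{idp_url}?{query}"

def idp_decode_and_check(url):
    """Step 3 (IdP side): decode the request and decide if it is from a known party."""
    encoded = parse_qs(urlparse(url).query)["SAMLRequest"][0]
    xml = zlib.decompress(base64.b64decode(encoded), wbits=-15)
    root = ET.fromstring(xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    acs = root.get("AssertionConsumerServiceURL")
    if issuer not in KNOWN_SPS:
        raise ValueError(f"unknown service provider: {issuer!r}")
    if acs != KNOWN_SPS[issuer]:
        # Never send the response to an ACS URL that is not registered for this SP.
        raise ValueError(f"unregistered ACS URL for {issuer!r}: {acs!r}")
    return {"id": root.get("ID"), "issuer": issuer, "acs": acs}
```

The request ID returned by `build_redirect_url` is what the service provider later compares against the response's `InResponseTo` value, so it should be stored in the user's session before redirecting.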

It's also worth noting that a number of these technologies exist; it just happens that SAML and OpenID (which Google seem to promote) are more common than others. The concept is essentially the same: an exchange of tokens, with layers of encryption, to pass a username (and other associated information, such as a list of Active Directory roles) from one system to another without the systems directly interacting with each other.

SSO for BMC, HP, SAP, JasperReports and more.
© 2011 Java System Solutions
All registered trademarks or trademarks belong to their respective companies
