SAML 2.0 Web SSO is a standard that enables users defined in an external directory to log in to Orchestra without configuring the users beforehand. This means that no users need to be added into Orchestra.
It also gives users a single sign-on experience, as long as they have already logged in to the external directory.
There are three core actors involved in SAML 2.0 Web SSO:
• The Identity Provider (IdP): The external directory that stores and provides the authentication information (user accounts, passwords, access rights etc.) and authenticates users. This could be, for example, Microsoft Azure Active Directory, Microsoft Active Directory Federation Services (AD FS), Keycloak or Okta. (See Wikipedia for a more detailed list.)
• The Service Provider (SP): The service that needs the authentication information from the Identity Provider. In this case it's Orchestra.
• User: The end user (e.g. the staff member) who tries to log in using a web browser.
In the picture below you can see how the SAML flow works.
1. A user tries to access an Orchestra page.
2. If the user is not authenticated in Orchestra, the user is redirected to the configured IdP.
   a) If the user is not authenticated at the IdP -> step 3
   b) If the user is authenticated at the IdP -> step 4
3. The IdP redirects the user to the login page and the user logs in.
4. The user is redirected back to Orchestra with a SAML Token containing information about the user and their access rights.
5. Orchestra checks the SAML Token, authenticates the user, and gives the user access to the page they were trying to access in step 1.
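The round trip above, simulated end to end, as an added example that is not Orchestra's code or part of the original page. The SP side builds the AuthnRequest of step 2 and remembers its ID, the IdP side issues the assertion of step 4, and the SP side performs the checks of step 5 before trusting the user name or the access rights in the token. All entity IDs, URLs and the clock are constructed values; the HMAC over the serialized assertion stands in for the XML digital signature a real IdP certificate would provide, so only the shape of the signature check is representative, not its mechanism.

```python
"""Simulated SP-initiated SAML 2.0 Web SSO round trip (constructed example)."""
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Assumed identifiers; a real deployment takes these from SP and IdP metadata.
SP_ENTITY_ID = "https://orchestra.example.test/saml/metadata"
ACS_URL = "https://orchestra.example.test/saml/acs"
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
IDP_SSO_URL = "https://idp.example.test/adfs/ls/"
IDP_SIGNING_KEY = b"constructed-demo-key"  # stand-in for the IdP signing certificate


def _ts(t):
    """Format a datetime the way SAML xsd:dateTime values appear."""
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sp_build_authn_request(pending, now):
    """Step 2: the SP (Orchestra) builds an AuthnRequest and remembers its ID."""
    request_id = "_" + secrets.token_hex(16)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": request_id, "Version": "2.0", "IssueInstant": _ts(now),
        "Destination": IDP_SSO_URL, "AssertionConsumerServiceURL": ACS_URL})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = SP_ENTITY_ID
    pending.add(request_id)  # the SP must later match InResponseTo against this
    return request_id, ET.tostring(req, encoding="unicode")


def idp_issue_assertion(request_id, name_id, role, now,
                        issuer=IDP_ENTITY_ID, audience=SP_ENTITY_ID, key=IDP_SIGNING_KEY):
    """Steps 3-4: the IdP authenticates the user and issues a signed assertion."""
    a = ET.Element(f"{{{SAML}}}Assertion",
                   {"ID": "_" + secrets.token_hex(16), "Version": "2.0", "IssueInstant": _ts(now)})
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subject = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID").text = name_id
    conf = ET.SubElement(subject, f"{{{SAML}}}SubjectConfirmation",
                         {"Method": "urn:oasis:names:tc:SAML:2.0:cm:bearer"})
    ET.SubElement(conf, f"{{{SAML}}}SubjectConfirmationData",
                  {"InResponseTo": request_id, "Recipient": ACS_URL,
                   "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    cond = ET.SubElement(a, f"{{{SAML}}}Conditions",
                         {"NotBefore": _ts(now - timedelta(minutes=1)),  # small clock-skew allowance
                          "NotOnOrAfter": _ts(now + timedelta(minutes=5))})
    ET.SubElement(ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction"),
                  f"{{{SAML}}}Audience").text = audience
    attr = ET.SubElement(ET.SubElement(a, f"{{{SAML}}}AttributeStatement"),
                         f"{{{SAML}}}Attribute", {"Name": "Role"})
    ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = role  # access right assigned at the IdP
    xml = ET.tostring(a)
    # Stand-in for XML-DSig: a MAC over the serialized assertion bytes.
    return {"assertion": xml, "signature": hmac.new(key, xml, hashlib.sha256).hexdigest()}


def sp_validate(token, pending, now, key=IDP_SIGNING_KEY):
    """Step 5: verify the token before trusting anything in it; returns (name_id, role)."""
    expected = hmac.new(key, token["assertion"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, token["signature"]):
        raise ValueError("assertion signature invalid")  # checked first: nothing below is trusted until now
    a = ET.fromstring(token["assertion"])
    if a.findtext(f"{{{SAML}}}Issuer") != IDP_ENTITY_ID:
        raise ValueError("unexpected issuer")
    data = a.find(f".//{{{SAML}}}SubjectConfirmationData")
    in_response_to = data.get("InResponseTo")
    if in_response_to not in pending:
        raise ValueError("InResponseTo does not match a pending request (replay or unsolicited)")
    pending.discard(in_response_to)  # one-time use: the same token cannot log in twice
    cond = a.find(f"{{{SAML}}}Conditions")
    if not (_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    if a.findtext(f".//{{{SAML}}}Audience") != SP_ENTITY_ID:
        raise ValueError("audience is not this SP")
    return a.findtext(f".//{{{SAML}}}NameID"), a.findtext(f".//{{{SAML}}}AttributeValue")


def _reject_reason(token, pending, now):
    try:
        sp_validate(token, pending, now)
        return None
    except ValueError as e:
        return str(e)


def run_demo():
    """Walk the flow once, then show the SP rejecting a replayed, tampered and expired token."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # constructed clock
    pending, outcomes = set(), {}
    rid, _ = sp_build_authn_request(pending, now)
    tok = idp_issue_assertion(rid, "alice@example.test", "Orchestra-Admin", now)
    outcomes["valid"] = sp_validate(tok, pending, now)
    outcomes["replay"] = _reject_reason(tok, pending, now)
    tampered = dict(tok, assertion=tok["assertion"].replace(b"Orchestra-Admin", b"Orchestra-Owner"))
    outcomes["tampered"] = _reject_reason(tampered, pending, now)
    rid2, _ = sp_build_authn_request(pending, now)
    late = idp_issue_assertion(rid2, "bob@example.test", "Orchestra-Staff", now)
    outcomes["expired"] = _reject_reason(late, pending, now + timedelta(minutes=10))
    return outcomes


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The order of the checks in `sp_validate` is the point: the signature is verified over the raw bytes before any element is read, the request ID is consumed so a captured token is good for one login only, and the issuer, validity window and audience are compared against the SP's own configuration rather than against values inside the token.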
Restrictions and Prerequisites
• It is not possible to set up SAML Web SSO in Orchestra when either LDAP, SSO (Kerberos) or PreAuth is enabled.
• It is still possible to log in to Orchestra with a local Orchestra user account by accessing http://host:port/login.jsp
Configuration
To configure Orchestra to use SAML 2.0 Web SSO, the following steps need to be done:
A. Select an Identity Provider that supports SAML 2.0 Web SSO, for example Microsoft Active Directory Federation Services (AD FS).
B. Configure Orchestra to use HTTPS.
C. Configure Orchestra and the Identity Provider to trust each other with the proper redirect links.
D. Assign different access rights to the users in the Identity Provider.
For more detailed instructions on how to configure SAML 2.0 Web SSO, see “Appendix E - SAML Setup”.