Ceptor has custom support for some identity providers that almost follow the OpenID Connect standard, such as LinkedIn and Facebook.

SAML / WebSSO

Concepts

Ceptor can be configured to use SAML / WebSSO (Web Single SignOn) to federate identity to or from 3rd parties.

Using SAML2, SAML1.1 and WS-Trust it is possible to share identities with other Service Providers (or Relying Parties, as they are also called), or to use other Identity Providers to authenticate users in Ceptor.

SAML Service Provider / Relying Party

A SAML Service Provider is a site that receives identities from Ceptor, meaning it uses Ceptor as an Identity Provider for authenticating users.

For each SAML Service Provider we issue SAML tokens to, we have complete control over which attributes we send to it.
Most attributes can simply be configured, e.g. userid, name and groups, but writing scripts to tailor the SAML ticket completely to any purpose is also supported; using these scripts it is possible to change every part of the issued SAML login response ticket.

SAML Identity Provider

Ceptor can be configured to authenticate an end-user by redirecting the user to a 3rd party site that issues SAML tickets, which Ceptor then parses, validates and uses to authenticate the user, thereby trusting the 3rd party to perform the authentication.

For each SAML Identity Provider we trust, a corresponding configuration of that identity provider, along with its SAML metadata or trusted certificates, is needed.

Federation and Ceptor Gateway

The Federation modules in Ceptor Session Controller contain the mechanisms for validating and issuing SAML / JWT tokens, but they must be called from somewhere else, either with a ticket issued by another party to validate, or in order to issue tickets themselves.

Using Ceptor Agent it is possible to integrate this into any application, but you can also simply configure Ceptor Gateway to perform the required steps instead.

This is done by configuring Authentication Plugins (see Location - Authentication). These authentication plugins in the gateway do the heavy lifting: they receive requests from the end-user and perform the redirections back and forth between sites to obtain tickets, or send the issued tickets, as needed.

For OpenID Connect, see Location - Authentication - OpenID Connect.
For SAML, see Location - SAML/ADFS/WebSSO.