Federations

Overview

Ceptor supports Identity Federation with third parties using SAML or OpenID Connect, or by supplying various proprietary methods via custom Authentication plugins, such as ETicket.

These federations have existed for many years, configured via name/value pairs in the session controllers configuration.
See Microsoft ADFS Integration / WebSSO SAML and JWT / OpenID Connect for details.

But as a new feature in Ceptor v6.4, these can be configured in an easily accessible GUI within Ceptor Console instead of the older method, making it easier to configure.
Configuration is now stored as JSON objects within the configuration, but for backwards compatibility reasons, the older approach using properties documented in the links above is still possible.

Note that if the session controller configuration contains a JSON object called federation_JSON_ then this JSON type configuration is used, and the older properties are ignored.

OAuth2 / JWT / OpenID Connect

Concepts

In its OpenID Connect related configuration, Ceptor has these elements.

  • Tokens
  • Scopes
  • Fields
  • Identity Providers

Tokens

Tokens are distinct and separate configurations for JWT Tokens - it covers configuration for how to issue tokens, but also how to parse tokens received from others.
This approach makes it possible to issue different tokens with separate content to different parties.

When used together with Ceptor API Management it is possible to specify specific types of tokens issued to specific Partners and Applications (see Managing Partners, Applications and Developers)

For configuration, see Federation - OAuth2 / OIDC - Tokens

Scopes

Scopes are used to define which fields end up in which token - here you can specify that if a client asks for e.g. a scope called "salary" when requesting a token, then you control which attributes are added to the ID token, Access Token and Userinfo respectively.
This gives you fine grained control of which data you expose under which conditions.

For configuration, see Federation - OAuth2 / OIDC - Scopes

Fields

Some attributes are themselves objects, such as the OpenID Connect "address" object - by configuring them here, you control which attributes are included, and from where the information within originates.

For configuration, see Federation - OAuth2 / OIDC - Fields

Identity Providers

When Ceptor authenticates users using foreign OpenID Connect Providers, you can define the authentication providers here.
These Identity Providers are then used within the Ceptor Gateway - see Location - Authentication for information about how to configure the gateway to use these identity providers under specific conditions. 

Ceptor has custom support for some identity providers which almost are following the OpenID Connect standard, such as LinkedIn and Facebook.

For configuration, see Federation - OAuth2 / OIDC - IdentityProviders

Clients / Partners

Depending on configured plugin, and general deployment of Ceptor, you have different options available for configuring Clients or Partners.

With API Management, you typically use an SQL based datastore to store the partners in - and you offer A Developer Portal for self-registration of partners - see Managing Partners, Applications and Developers
For smaller scale deployments, it is also possible to use the configuration-based store for clients, which stores clients / partners in the configuration instead.

Or alternatively, you can provide your own implementation using whatever datastore you wish.

Only one implementation can be active at a time, this is controlled by the OAuth2 Client Datastore class which decides the implementation to use.
For configuration when using the property/configuration based datastore, see: Federation - OAuth2 / OIDC - Clients/Partners
For configuration when using API management / API Developer Portal and the SQL based datastore, see: Managing Partners, Applications and Developers

SAML / WebSSO

Concepts

Ceptor can be configured to use SAML / WebSSO (Web Single SignOn) to federate identity to or from 3rd parties.

Using SAML2, SAML1.1 and WS-Trust it is possible to share identities with other Service Providers or Relying Parties as they are also called, or you can use other Identity Providers to authenticate users in Ceptor.

SAML Service Provider / Relying Party

A SAML Service Provider is a site that receives identities from Ceptor - meaning it uses Ceptor as an Identity Provider for authenticating users.

For each SAML Service Provider we issue SAML tokens to, we have complete control over which attributes we wish to send to it.
Most of the attributes can just be configured, e.g. userid, name and groups, but writing scripts to completely tailor the SAML ticket to any purpose is also supported - using these scripts it is possible to change all parts of the issued SAML login response ticket.

For configuration, see Federation - SAML / WebSSO - Service Providers

SAML Identity Provider

Ceptor can be configured to authenticate an end-user by redirecting him to a 3rd party site which issues SAML tickets that Ceptor then parses and validates and uses to authenticate the users, thereby trusting the 3rd party to do the authentication.

For each SAML IdentityProvider we trust, a corresponding configuration of this identity provider along with its SAML metadata or trustedcertificates is needed.

For configuration, see Federation - SAML / WebSSO - Identity Providers


Federation and Ceptor Gateway

The Federation modules in Ceptor Session Controller contains the mechanisms for validating and issuing SAML / JWT tokens, but they need to be called from somewhere else with either a ticket issued by someone, or in order to issue tickets themselves.

Using Ceptor Agent it is possible to integrate this into any application, but you can simply configure Ceptor Gateway to do the steps needed instead.

This is done by configuring Authentication Plugins - see Location - Authentication - these authentication plugins in the gateway do the heavy lifting by receiving requests from end-user and doing the redirection back and forth between sites to obtain the tickets or send the issued tickets as needed.

For OpenID Connect, see Location - Authentication - OpenID Connect
For SAML, see: Location - SAML/ADFS/WebSSO