!!info This document discusses SAML concepts and use cases. Refer to Configuring SSO for setting values and step-by-step setup instructions.
SAML 2.0 is a single sign-on (SSO) and federation protocol suite that enables your organization to synchronize identity with web applications. Once you have configured SSO for your organization, your users can log in to RightScale without choosing a password. When a user logs in with SSO, an audit entry in your master account captures the details.
SAML 2.0 at RightScale
Creating a Mutual Trust Relationship
Before you can use SAML to provision users or access, you must configure RightScale to trust your IdP and vice-versa.
For detailed information, refer to Configuring SSO using SAML 2.0.
Default Relay State
When configuring your IdP, you may specify a default relay state in order to determine which part of the RightScale platform your users arrive at when they perform IdP-initiated login.
For more information, refer to SAML Relay States.
All SAML assertions include a Name ID that uniquely identifies users in your organization. RightScale is agnostic to the format of Name ID that you send to us, but we recommend a time-invariant format (such as LDAP DN or persistent UUID) instead of a value that can change over time (such as email address).
In addition to Name ID, RightScale requires three metadata attributes (email address, surname, given name) when provisioning new users.
You should configure your IdP to send these attributes (sometimes known as
claims); refer to RightScale SAML Attributes for specific values.
Finally, in order to provision users, RightScale must vouch that you own the email domain that your identity provider will claim. Once your IdP is configured and the SAML test completes successfully, contact RightScale support to confirm ownership of your email domain and enable seamless provisioning of new users.
Provisioning Access to RightScale Accounts
Inviting SAML-Linked Users
Once you have confirmed ownership of your email domain, the invitations UI functions slightly differently.
When you invite someone whose email domain matches the identity provider's, RightScale creates a user and assigns permissions on the spot.
This is signified by a small grey
SSO icon that appears next to the user's email on the send-invitations page.
SAML-linked users still receive an invitation email, but they are not obligated to go through a sign-up flow, choose a password, or perform other signup activities. They can simply login to RightScale with SAML, using the link provided in the email, and begin using the accounts to which they were invited.
SAML 2.0 Concepts
An Identity Provider (IdP) is a Web application operated by your organization that performs the following functions:
- Provides SAML attributes identifying the user attempting to interact with the SP.
- Asserts to the SP that the user identified by those attributes is authorized by the provider to access the service.
- Optionally provides additional attributes for the user, such as group membership information, that the SP may use for provisioning the user in the system.
You may purchase identity-as-a-service from a vendor or operate your own in-house IdP. In either case, your IdP software provides an application portal that provides one-click access to RightScale and other Web applications.
A Service Provider (SP) is a Web application, such as RightScale, that consumes information from your IdP in order to provision users and determine their access privileges.
Before an IdP and an SP can exchange SAML messages, an administrator must configure each of them to trust the other.
Web Browser SSO
SAML 2.0's Web Browser SSO Profile is its principal login mechanism. For a detailed protocol description, refer to Wikipedia.
There are two variants of the Web Browser SSO flow:
- one where the user visits the SP first,
- and another where the user visits the IdP first.
If a user arrives at RightScale without being logged in, we must forward her browser to a suitable IdP in order to obtain a SAML assertion. To determine where to send the user, we prompt her for a discovery hint, a DNS-like name that you have chosen at setup time to uniquely identify your IdP in our database. We recommend using your organization's domain name as a discovery hint for your IdP.
A more common way for an end-user to perform SSO is to login to the IdP and visit an application portal that provides a menu of SSO-accessible applications, including RightScale. When the user clicks the RightScale menu item, her browser is directed to RightScale with a SAML assertion.
The relay state is a SAML parameter that conveys where users will be directed after they perform single sign-on. When performing IdP-initiated login, the IdP can add a default relay state in order to send the user to a specific place.