We have just enabled SignOn.com as an Auto-Connect IdP end point. What does this mean?
If you are an SP and are interested in evaluating Auto-Connect, you can now use SignOn.com as an IdP to validate your setup.
The short version
A few months ago, Ping Identity announced the concept of Auto-Connect. Auto-Connect eliminates the need for manual configuration of SAML connections. It relies on SAML assertions to carry the user's information but follows an OpenID-style IdP discovery process, allowing SPs and IdPs to connect dynamically. For example, a user can simply type in an email address at the SP application to initiate the process, and is then able to SSO to the SP application via the identity provider. To see it in action:
- Go to SignOn.com and create an account.
- Enable Google Apps for your account via My Account (more details here). This will give you an email address, e.g. firstname.lastname@example.org.
- Go to http://autoconnect.pingidentity.com, type in your SignOn.com email address and click ‘Sign In’.
The long version
What is Auto-Connect?
The majority of SAML implementations today require a fair amount of configuration to set up a partner connection: the right bindings, profiles, certificates and so on. This model works for a limited number of partners but scales poorly as the number of partners increases. A few months ago, Ping Identity announced the concept of Auto-Connect, whose objective is to avoid manual configuration and to set up partner connections dynamically. The feature is especially useful to an entity that wants to provide SSO capability to a large number of partners. A Software-as-a-Service (SaaS) provider, for example, can provide SSO to innumerable clients without specifying redundant connection information for each one; likewise an enterprise that needs to SSO to multiple outsourced services. Once the initial setup is done, adding a new partner is simply a matter of adding the partner's domain name to the white list.
How to try it out?
If you simply want to see it in action, we have set up a demo SP application at http://autoconnect.pingidentity.com. If you want to set it up for your enterprise, use the following steps:
- Download PingFederate from here.
- Run through the PingFederate ‘Getting Started’ guide.
- Set up your SP application (you can use any of the bundled sample applications as a starting point).
- Enable Auto-Connect (configure your metadata endpoint, etc.).
- Add SignOn.com to your Auto-Connect whitelist.
- Access the SP application and enter your SignOn.com email address, e.g. email@example.com.
- The user is redirected to SignOn.com.
- Authenticate using a user ID and password or an Information Card.
- The user is redirected back to the SP application.
- The SP application displays the user's attributes as specified in SignOn.com.
What happens behind the scene?
- The user sends a logon request with an email address to the SP application, e.g. firstname.lastname@example.org.
- The application parses the email address and sends a request to PingFederate, e.g. https://sp_host.com:9031/sp/startSSO.ping/?Domain=signon.com.
- The SP PingFederate server looks up the domain in the Auto-Connect white list.
- If the domain is in the list, the SP retrieves connection metadata from the IdP's public endpoint. By default, PingFederate locates the metadata by prepending http://saml. to the domain; in the case of SignOn.com, the metadata is hosted at http://saml.signon.com.
- After validating the metadata, the SP sends an authentication request to the IdP’s SSO service.
- PingFederate IdP server at SignOn.com verifies the domain name of the requester.
- The IdP retrieves the SP’s metadata via its public endpoint and verifies the metadata signature.
- The IdP requests user authentication (SignOn.com supports username/password and Information Cards for authentication).
- Once the user is authenticated, the IdP returns a signed SAML assertion to the SP’s Assertion Consumer Service (ACS) endpoint.
- The SP logs the user on to the requested resource.
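The SP-side discovery steps above, as an added Python illustration that is not PingFederate's or SignOn.com's code: it parses the typed email address, checks the domain against the white list, builds the http://saml.<domain> metadata location, and runs the sanity checks an SP should apply to fetched IdP metadata before sending any authentication request. The sample metadata document, its entityID and endpoint path are constructed for the example; actual XML-DSig signature verification is assumed to be done by a separate signature library.

```python
# Added illustration of SP-side Auto-Connect discovery; not PingFederate code.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata (not SignOn.com's real document).
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
  entityID="https://saml.signon.com/idp">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <md:IDPSSODescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}"
      Location="https://saml.signon.com/idp/SSO.saml2"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def domain_from_email(email: str) -> str:
    """Lower-cased domain of one local@domain address; anything else is rejected."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain or "@" in local:
        raise ValueError("expected exactly one user@domain")
    domain = domain.lower()
    if any(c in domain for c in "/\\:?#% ") or domain.endswith("."):
        raise ValueError("domain contains URL-significant characters")
    return domain

def metadata_url(domain: str, whitelist: set) -> str:
    """Exact white-list match (no suffix matching), then the saml. convention."""
    if domain not in whitelist:
        raise PermissionError(f"{domain} is not an Auto-Connect partner")
    return f"http://saml.{domain}"

def _under(host, domain):  # host is the partner domain itself or a subdomain of it
    return host == domain or (host or "").endswith("." + domain)

def check_idp_metadata(xml_text: str, domain: str) -> dict:
    """Sanity checks before trusting fetched metadata; XML-DSig verification follows."""
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    if not _under(urlparse(entity_id).hostname, domain):
        raise ValueError("entityID does not belong to the partner domain")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("metadata is unsigned; refuse dynamic trust")
    sso = root.find(f"md:IDPSSODescriptor/md:SingleSignOnService[@Binding='{REDIRECT}']", NS)
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService")
    loc = urlparse(sso.get("Location", ""))
    if loc.scheme != "https" or not _under(loc.hostname, domain):
        raise ValueError("SSO endpoint must be https and under the partner domain")
    return {"entityID": entity_id, "sso_url": sso.get("Location")}
```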