SSO (версия для системного администратора)/en: различия между версиями

Материал из SmartPlayer
(Новая страница: «== '''All about SSO:''' == '''SSO (Single Sign-On)''' — is an authentication system that allows a user to log into multiple applications or services using a single set of credentials (usually a login and password). It simplifies the login process, reduces the number of passwords a user needs to remember, and enhances security by reducing risks associated with data breaches. === '''How SSO Works''' === SSO establishes a connection between an application an...»)
(Обновление для соответствия новой версии исходной страницы.)
 
(не показаны 3 промежуточные версии 1 участника)
Строка 1: Строка 1:
<languages/>
== '''Description of the situation''' ==
== '''Description of the situation''' ==
Users don't want to increase the number of accounts. They want to use their corporate email as an account for all platforms. In this case, the SSO technology is needed.
Users don't want to increase the number of accounts. They want to use their corporate email as an account for all platforms. In this case, the SSO technology is needed.
Строка 27: Строка 28:
=== '''Preliminary Steps''' ===
=== '''Preliminary Steps''' ===
{{Note|Initially, the client's system administrator needs to set up the ADFS server on their end.|warn}}  
{{Note|Initially, the client's system administrator needs to set up the ADFS server on their end.|warn}}  
Next, contact the SmartPlayer team so they can enable this feature on the backend and also add its display on the frontend authentication page.<br>
Next, it is necessary to collaborate with the SmratPlayer team and the system administrator. This is required to enable the backend functionality. Additionally, its display was added to the frontend on the authentication page..<br>
For this purpose, there is a configuration file responsible for enabling the SSO button.<br>
Its path is: <code>/home/smartplayer/smartplayer/cms/cms/config.js</code>.<br>
In this file, it's essential to modify the  <code>showSSOButton</code>parameter and set its value to ''true''<br>
Additionally, the client's system administrator should send our team the configuration parameters:<br>
Additionally, the client's system administrator should send our team the configuration parameters:<br>
<code>SSO SAML certificate </code><br>
<code>SSO SAML certificate </code><br>
Строка 40: Строка 44:
<code>nano /home/smartplayer/smartplayer/.env</code><br><br>
<code>nano /home/smartplayer/smartplayer/.env</code><br><br>


<div lang="ru" dir="ltr" class="mw-content-ltr">
3. Configure the server application's configuration file. Select the configuration with the SAML protocol::
3. Производим настройку в конфигурационном файле серверного приложения. Выбираем  конфигурацию с протоколом SAML:
[[File:Настройка SSO через SAML.png|thumb|right|Sample commands for configuring SSO over SAML|300px]]
[[File:Настройка SSO через SAML.png|thumb|right|Пример команд для настройки SSO через SAML|300px]]
{| class="wikitable sortable"
{| class="wikitable sortable"
|+ Текст подписи
|+ Текст подписи
|-
|-
! '''Название параметра''' !! '''Допустимые значения''' !! '''Описание'''
! '''Parameter name''' !! '''Valid values''' !! '''
Description'''
|-
|-
| SSO_SAML_ENABLED || 0 - выключена интеграция. 1 - включена интеграция || По умолчанию отключена. Чтобы включить используйте значение 1
| SSO_SAML_ENABLED || 0 - integration is disabled. 1 - integration enabled ||Disabled by default. To enable use value 1
|-
|-
| SSO_SAML_ENTITY_ID || Любое строковое значение. || Служит для определения SAML клиента на стороне сервиса аутентификации. Это значение необходимо предварительно согласовать
| SSO_SAML_ENTITY_ID || Any string value ||Used to define a SAML client on the side of the authentication service. This value must be agreed in advance.
|-
|-
| SSO_SAML_Login_URL || URL сервиса аутентификации || Выдается сервисом аутентификации
| SSO_SAML_Login_URL || Authentication Service URL || Issued by the authentication service
|-
|-
| SSO_SAML_CERTIFICATE_PATH || Путь до публичного сертификата от сервисом аутентификации || Сертификат выдается сервисом аутентификации
| SSO_SAML_CERTIFICATE_PATH || Path to the public certificate from the authentication service || The certificate is issued by the authentication service
|-
|-
| SSO_SAML_COMPANY_ID || Число указанное в профиле компании || Сертификат выдается сервисом аутентификации
| SSO_SAML_COMPANY_ID || The number indicated in the company profile || The certificate is issued by the authentication service
|-
|-
| LOCAL_SSL_KEY_PATH || Путь до приватного ключа сертификата || Сертификат выдается сервисом аутентификации.
| LOCAL_SSL_KEY_PATH ||  
Path to the private key of the certificate || The certificate is issued by the authentication service
|-
|-
| LOCAL_SSL-CERT_PATH || Путь до публичного ключа сертификата || Сертификат выдается сервисом аутентификации.
| LOCAL_SSL-CERT_PATH ||  
Path to the public key of the certificate || The certificate is issued by the authentication service
|}
|}
{{Note|Работа по протоколу '''SAML''' осуществляется только по ''https'', поэтому так же необходимо проверить наличие ''ssl'' сертификатов и переменных: <code>LOCAL_SSL_KEY_PATH и LOCAL_SSL_CERT_PATH.</code>|warn}}
{{Note|Operations using the SAML protocol are conducted exclusively over https, so it's also essential to check for the existence of SSL certificates and the variables: <code>LOCAL_SSL_KEY_PATH и LOCAL_SSL_CERT_PATH.</code>|warn}}
[[File:Пример настройки SSO.png|thumb|center| Пример настроенного SSO |700px]]
[[File:Пример настройки SSO.png|thumb|center| Example of configured SSO |700px]]
4. Сохранить изменения в конфигурационном файле.<br>
4. Save changes to the configuration file.<br>
5. Перезапустить полностью контейнеры Docker. Это необходимо в связи с внесёнными изменениями в .env файл.
5. Restart all Docker containers completely, due to the changes made in the .env file.
* Перейти в папку, где находится файл *.yml. По умолчанию путь:<br>
* Navigate to the folder containing the *.yml file. The default path is: <br>
''“/home/smartplayer/smartplayer/“''  
''“/home/smartplayer/smartplayer/“''  
* Остановить контейнеры Docker <code>docker-compose down</code>
* Stop the Docker containers using:  <code>docker-compose down</code>
* Запустить контейнеры Docker <code>docker-compose up -d</code>
* Start the Docker containers using:  <code>docker-compose up -d</code>
6. Подождать от 2 до 5 минут, для запуска платформы и можно заходить в личный кабинет. Вход осуществляется по URL личного кабинета.
6. Wait for 2 to 5 minutes for the platform to start, and then you can log into your personal account. Access is made via the personal account URL.
</div>
=='''Operating Principle'''==
<div lang="ru" dir="ltr" class="mw-content-ltr">
=='''Принцип действия'''==
{| class="wikitable"
{| class="wikitable"
|+ Производимые действия
|+ Actions taken
|-
|-
! Со стороны пользователя !! Со стороны сервера
! From the user side !! From the server side
|-
|-
| Пользователь заходит на страницу аутентификации и нажимает кнопку зайти по SSO|| Фронтэнд Smartplayer отправляет к бэкенду запрос на редирект
| The user enters the authentication page and clicks the login via SSO button||Smartplayer frontend sends a redirect request to the backend
|-
|-
| Пользователя переносит на страницу аутентификации его компании || Бэкенд SmartPlayer формирует запрос на ADFS сервер клиента и редиректит пользователя на страницу аутентификации компании с помощью протокола SAML
| The user is transferred to the authentication page of his company || The SmartPlayer backend generates a request to the client's ADFS server and redirects the user to the company's authentication page using the SAML protocol
|-
|-
| Пользователь заполняет личные данные (логин и пароль) на странице аутентификации его компании || Сервер клиента собирает данные и параметры для ответа
| The user fills in personal data (login and password) on the authentication page of his company|| The client server collects data and parameters for the response
|-
|-
| Пользователя переносит в личный кабинет SmartPlayer || Сервер клиента снова с помощью SAML отправляет ответ для сервера SmartPlayer. Сервер SmartPlayer расшифровывает полученные данные и логинит пользователя.
| The user is transferred to the SmartPlayer personal account || The client server again sends a response to the SmartPlayer server using SAML. The SmartPlayer server decrypts the received data and logs in the user.
|-
|-
| Пользователь может использовать весь функционал платформы SmartPlayer в зависимости от своей роли: пользователь или администратор. Это настраивается на стороне клиента в ADFS сервере || После входа сервер SmartPlayer сохраняет данные и параметры о пользователе в своей базе данных
| The user can use all the functionality of the SmartPlayer platform depending on his role: user or administrator. This is configured on the client side in the ADFS server|| After logging in, the SmartPlayer server saves data and settings about the user in its database
|}
|}
{{Note|Возможно сделать на этапе аутентификации сделать автолог. В данном случае пользователь запросил обязательный вход при начале каждой сессии|warn}}
{{Note|It's possible to make an auto-log at the authentication stage. In this case, the user requested mandatory login at the beginning of each session.|warn}}
[[File:Запрос.png|thumb|Пример запроса от сервера|300px]]
[[File:Запрос.png|thumb|Server request example|300px]]
=== '''Соотношение прав''' ===
=== '''Rights Allocation''' ===
<code>g_smartplayer_admins: 'adminBrand'</code>, по факту ''g_smartplayer_admins = 'adminBrand'= правам администратора''<br>
<code>g_smartplayer_admins: 'adminBrand'</code>, in fact ''g_smartplayer_admins = 'adminBrand'= administrator rights''<br>
<code>g_smartplayer_manager: 'userBrand'</code>, по факту ''g_smartplayer_manager = 'userBrand' = правам пользователя''
<code>g_smartplayer_manager: 'userBrand'</code>, in fact ''g_smartplayer_manager = 'userBrand' = user rights''
</div>
== '''Identified Setup Issues:''' ==
<div lang="ru" dir="ltr" class="mw-content-ltr">
* '''Situation: The claim rules are set up incorrectly.<br>
== '''Выявленные проблемы при настройке''' ==
[[File:Claim rules .png|thumb|An example of the difference in filling "Claim Rules"|300px]]
* '''Ситуация:''' неправильно настроены claim rules.<br>
'''Solution:''' Claim rules must necessarily be set up in the same language. In our case, on the SmartPlayer server, the claim rules were written in Russian, while the client's were in English. On our side, it was written as "Адрес электронной почты" (Email Address), and for the client, it was "E-mail". Once the customer rewrote them in Russian on their ADFS server, the problem was resolved.
'''Решение:''' Claim rules обязательно должны быть настроены на одном языке. В нашем случае на сервере SmartPlayer claim rules были прописаны на русском языке, а у клиента не английском. На нашей стороне было прописано "Адрес электронной почты", а у клиента "Е-mail". После того, как заказчик переписал их на своём ADFS сервере на русском, проблема решилась.
* '''Situation:''' Incorrect certificate submission. <br>
* '''Ситуация:''' некорректная отправка сертификатов. <br>
'''Solution:''' System administrators from the client side sent the certificate in text format, which turned out to be incorrect and inconvenient to use. After sending the certificate in file format, the issue was resolved.
'''Решение:''' Системные администраторы со стороны заказчика отправили сертификат в виде текста, что оказалось некорректным и неудобным в использовании. После отправки сертификата в виде файла, ситуация была решена.
</div>


<div lang="ru" dir="ltr" class="mw-content-ltr">
== '''Final Outcome''' ==
== '''Итоговый результат''' ==
As a result of all the actions described above, the user's system administrator will set up the SSO system on their server. This will allow the user not to create a separate account. Thus, they will gain more straightforward, comfortable, and secure access to the SmartPlayer functionality.
В результате всех произведённых выше действий системный администратор пользователя "поднимет" систему SSO на своём сервере. Это даст возможность пользователю не создавать отдельную учётную запись. Таким образом получит боле простой, комфортный и безопасный доступ к функционалу SmartPlayer.
</div>

Текущая версия от 15:41, 14 августа 2023

Другие языки:

Description of the situation

Users don't want to increase the number of accounts. They want to use their corporate email as an account for all platforms. In this case, the SSO technology is needed.

All about SSO:

SSO (Single Sign-On) — is an authentication system that allows a user to log into multiple applications or services using a single set of credentials (usually a login and password). It simplifies the login process, reduces the number of passwords a user needs to remember, and enhances security by reducing risks associated with data breaches.

How SSO Works

SSO establishes a connection between an application and an external service provider, sometimes referred to as a user identifier (IdP). This linking is done through a series of authentication, verification, and binding actions between the application and the central SSO service. These are the key elements of the SSO system.

Central SSO Service

This service is primary for applications when a user attempts to log in. When an anonymous user tries to gain access, the application directs them to the SSO service. After authentication, the service returns the user to the requested application. This typically takes place on a dedicated SSO policy server.

SSO Token

The SSO token is an electronic document containing data that identifies the user, such as a username or email. When a user requests access, the application and the SSO service exchange this token to validate the user.

SSO Mechanism

When a user accesses an application, they initiate the creation of an SSO token, which is sent to the SSO service for verification. The service determines if the authentication process has previously been completed for this user. If the procedure was successful, the service confirms access for the application.

If the user does not have an account, the SSO service redirects them to the main login page, prompting them to enter their username and password. After verifying the credentials, the service sends a positive response to the application.

Otherwise, an error notification appears, and the user is asked to try again. Multiple failed attempts may lead to temporary access suspension to the service.

SSO Protocols

SSO employs various protocols and standards to verify and authenticate users' credentials.

Main types of security protocols SSO

The primary ones are outlined below:

  1. SAML - a protocol for exchanging authentication information with an SSO service. Based on XML, it ensures high security as applications do not store user credentials.
  2. OAuth - an open standard allowing applications to access user data without transferring the password. It operates through API, establishing trust relationships between applications.
  3. OIDC - an approach where one set of credentials provides access to various sites. The service provider performs authentication, and applications request additional data to verify the user.
  4. Kerberos - an authentication system based on "tickets", protecting network participants' identities through cryptography.
The SmartPlayer development team uses the SAML protocol for configurationSAML

Setting up the Server Application

Preliminary Steps

Initially, the client's system administrator needs to set up the ADFS server on their end.

Next, it is necessary to collaborate with the SmratPlayer team and the system administrator. This is required to enable the backend functionality. Additionally, its display was added to the frontend on the authentication page..
For this purpose, there is a configuration file responsible for enabling the SSO button.
Its path is: /home/smartplayer/smartplayer/cms/cms/config.js.
In this file, it's essential to modify the showSSOButtonparameter and set its value to true
Additionally, the client's system administrator should send our team the configuration parameters:
SSO SAML certificate
SSO_SAML_LOGIN_URL
From our team's side, a metadata file is also sent.

Preparation:

Connect via ssh (or using other tools) to the remote server where the SmartPlayer server application is installed. Use the server's login and password.

Navigate to the folder where the SmartPlayer platform is installed.

The default path is: “/home/smartplayer/smartplayer/”. Open the .env file for editing.. This file is hidden. To modify it, open it with any text editor, by default: nano /home/smartplayer/smartplayer/.env

3. Configure the server application's configuration file. Select the configuration with the SAML protocol::

Sample commands for configuring SSO over SAML
Текст подписи
Parameter name Valid values

Description

SSO_SAML_ENABLED 0 - integration is disabled. 1 - integration enabled Disabled by default. To enable use value 1
SSO_SAML_ENTITY_ID Any string value Used to define a SAML client on the side of the authentication service. This value must be agreed in advance.
SSO_SAML_Login_URL Authentication Service URL Issued by the authentication service
SSO_SAML_CERTIFICATE_PATH Path to the public certificate from the authentication service The certificate is issued by the authentication service
SSO_SAML_COMPANY_ID The number indicated in the company profile The certificate is issued by the authentication service
LOCAL_SSL_KEY_PATH

Path to the private key of the certificate || The certificate is issued by the authentication service

LOCAL_SSL-CERT_PATH

Path to the public key of the certificate || The certificate is issued by the authentication service

Operations using the SAML protocol are conducted exclusively over https, so it's also essential to check for the existence of SSL certificates and the variables: LOCAL_SSL_KEY_PATH и LOCAL_SSL_CERT_PATH.
Example of configured SSO

4. Save changes to the configuration file.
5. Restart all Docker containers completely, due to the changes made in the .env file.

  • Navigate to the folder containing the *.yml file. The default path is:

“/home/smartplayer/smartplayer/“

  • Stop the Docker containers using: docker-compose down
  • Start the Docker containers using: docker-compose up -d

6. Wait for 2 to 5 minutes for the platform to start, and then you can log into your personal account. Access is made via the personal account URL.

Operating Principle

Actions taken
From the user side From the server side
The user enters the authentication page and clicks the login via SSO button Smartplayer frontend sends a redirect request to the backend
The user is transferred to the authentication page of his company The SmartPlayer backend generates a request to the client's ADFS server and redirects the user to the company's authentication page using the SAML protocol
The user fills in personal data (login and password) on the authentication page of his company The client server collects data and parameters for the response
The user is transferred to the SmartPlayer personal account The client server again sends a response to the SmartPlayer server using SAML. The SmartPlayer server decrypts the received data and logs in the user.
The user can use all the functionality of the SmartPlayer platform depending on his role: user or administrator. This is configured on the client side in the ADFS server After logging in, the SmartPlayer server saves data and settings about the user in its database
It's possible to make an auto-log at the authentication stage. In this case, the user requested mandatory login at the beginning of each session.
Server request example

Rights Allocation

g_smartplayer_admins: 'adminBrand', in fact g_smartplayer_admins = 'adminBrand'= administrator rights
g_smartplayer_manager: 'userBrand', in fact g_smartplayer_manager = 'userBrand' = user rights

Identified Setup Issues:

  • Situation: The claim rules are set up incorrectly.
An example of the difference in filling "Claim Rules"

Solution: Claim rules must necessarily be set up in the same language. In our case, on the SmartPlayer server, the claim rules were written in Russian, while the client's were in English. On our side, it was written as "Адрес электронной почты" (Email Address), and for the client, it was "E-mail". Once the customer rewrote them in Russian on their ADFS server, the problem was resolved.

  • Situation: Incorrect certificate submission.

Solution: System administrators from the client side sent the certificate in text format, which turned out to be incorrect and inconvenient to use. After sending the certificate in file format, the issue was resolved.

Final Outcome

As a result of all the actions described above, the user's system administrator will set up the SSO system on their server. This will allow the user not to create a separate account. Thus, they will gain more straightforward, comfortable, and secure access to the SmartPlayer functionality.