SSO (версия для системного администратора)/en: различия между версиями

Description of the situation

Users don't want to increase the number of accounts. They want to use their corporate email as an account for all platforms. In this case, the SSO technology is needed.

All about SSO:

SSO (Single Sign-On) — is an authentication system that allows a user to log into multiple applications or services using a single set of credentials (usually a login and password). It simplifies the login process, reduces the number of passwords a user needs to remember, and enhances security by reducing risks associated with data breaches.

How SSO Works

SSO establishes a connection between an application and an external service provider, sometimes referred to as a user identifier (IdP). This linking is done through a series of authentication, verification, and binding actions between the application and the central SSO service. These are the key elements of the SSO system.

Central SSO Service

This service is primary for applications when a user attempts to log in. When an anonymous user tries to gain access, the application directs them to the SSO service. After authentication, the service returns the user to the requested application. This typically takes place on a dedicated SSO policy server.

SSO Token

The SSO token is an electronic document containing data that identifies the user, such as a username or email. When a user requests access, the application and the SSO service exchange this token to validate the user.

SSO Mechanism

When a user accesses an application, they initiate the creation of an SSO token, which is sent to the SSO service for verification. The service determines if the authentication process has previously been completed for this user. If the procedure was successful, the service confirms access for the application.

If the user does not have an account, the SSO service redirects them to the main login page, prompting them to enter their username and password. After verifying the credentials, the service sends a positive response to the application.

Otherwise, an error notification appears, and the user is asked to try again. Multiple failed attempts may lead to temporary access suspension to the service.

SSO Protocols

SSO employs various protocols and standards to verify and authenticate users' credentials.

The primary ones are outlined below:

1. SAML - a protocol for exchanging authentication information with an SSO service. Based on XML, it ensures high security as applications do not store user credentials.
2. OAuth - an open standard allowing applications to access user data without transferring the password. It operates through API, establishing trust relationships between applications.
3. OIDC - an approach where one set of credentials provides access to various sites. The service provider performs authentication, and applications request additional data to verify the user.
4. Kerberos - an authentication system based on "tickets", protecting network participants' identities through cryptography.

Setting up the Server Application

Preliminary Steps

Next, contact the SmartPlayer team so they can enable this feature on the backend and also add its display on the frontend authentication page.
Additionally, the client's system administrator should send our team the configuration parameters:
SSO SAML certificate
SSO_SAML_LOGIN_URL
From our team's side, a metadata file is also sent.

Preparation:

Connect via ssh (or using other tools) to the remote server where the SmartPlayer server application is installed. Use the server's login and password.

Navigate to the folder where the SmartPlayer platform is installed.

The default path is: “/home/smartplayer/smartplayer/”. Open the .env file for editing.. This file is hidden. To modify it, open it with any text editor, by default: nano /home/smartplayer/smartplayer/.env

3. Configure the server application's configuration file. Select the configuration with the SAML protocol::

4. Save changes to the configuration file.
5. Restart all Docker containers completely, due to the changes made in the .env file.

• Navigate to the folder containing the *.yml file. The default path is:
  

“/home/smartplayer/smartplayer/“

• Stop the Docker containers using: docker-compose down
• Start the Docker containers using: docker-compose up -d

6. Wait for 2 to 5 minutes for the platform to start, and then you can log into your personal account. Access is made via the personal account URL.

Принцип действия

Производимые действия

Со стороны пользователя	Со стороны сервера
Пользователь заходит на страницу аутентификации и нажимает кнопку зайти по SSO	Фронтэнд Smartplayer отправляет к бэкенду запрос на редирект
Пользователя переносит на страницу аутентификации его компании	Бэкенд SmartPlayer формирует запрос на ADFS сервер клиента и редиректит пользователя на страницу аутентификации компании с помощью протокола SAML
Пользователь заполняет личные данные (логин и пароль) на странице аутентификации его компании	Сервер клиента собирает данные и параметры для ответа
Пользователя переносит в личный кабинет SmartPlayer	Сервер клиента снова с помощью SAML отправляет ответ для сервера SmartPlayer. Сервер SmartPlayer расшифровывает полученные данные и логинит пользователя.
Пользователь может использовать весь функционал платформы SmartPlayer в зависимости от своей роли: пользователь или администратор. Это настраивается на стороне клиента в ADFS сервере	После входа сервер SmartPlayer сохраняет данные и параметры о пользователе в своей базе данных

Возможно сделать на этапе аутентификации сделать автолог. В данном случае пользователь запросил обязательный вход при начале каждой сессии

Соотношение прав

g_smartplayer_admins: 'adminBrand', по факту g_smartplayer_admins = 'adminBrand'= правам администратора
g_smartplayer_manager: 'userBrand', по факту g_smartplayer_manager = 'userBrand' = правам пользователя