SAML Configuration with CAS Manager
What is SAML?
SAML (Security Assertion Markup Language) is a standard that identity providers use to communicate authentication and authorization data to different service providers. This enables users to maintain one set of credentials to authenticate with several different services.
SAML enables federated login to several services by passing assertions about the user between them. A SAML flow has three main roles:
- End User: A user who is trying to access a service using federated login credentials.
- Identity Provider (IDP): An identity provider authenticates the end user's identity and sends the necessary data to the service provider, along with any other access control data, in the form of SAML Assertions. Popular examples are Azure Active Directory and Okta.
- Service Provider (SP): A service provider is the system that requests authentication from an identity provider in order to authorize an end user. CAS Manager plays the role of an SP.
SAML Assertions are XML documents that the IDP sends to a given SP to validate user authorization. There are three different types of SAML Assertions:
- Authentication: This assertion provides the user's identity, the time at which the user was authenticated, and the method of authentication that was used.
- Attribute: This assertion passes the SAML attributes about the user to the service provider. There can be more than one attribute assertion in a SAML response.
- Authorization: This assertion is the IDP's decision on whether the user was successfully authorized to access the service or not. The most common causes of failed authorization are an incorrect password and/or insufficient access to the service the end user tried to access.
CAS Manager Initiated SAML Authentication Flow
In the diagram above, the following happens:
1. An end user wants to log in to CAS Manager. The user uses the SSO link for CAS Manager.
2. CAS Manager sends a SAML login request for the user to the configured IDP.
3. The IDP asks the user to log in and verifies the credentials.
4. The user logs in to the IDP with the desired credentials.
5. The IDP sends a SAML response to CAS Manager based on the credentials the user provided.
6. CAS Manager validates the SAML response and the SAML Attribute Assertions for CAS Manager received from the IDP, and then grants access to the end user.
SAML Attribute Assertions for CAS Manager
CAS Manager checks for the following attributes in the SAML response received from the configured IDP:
- NameID: CAS Manager verifies the NameID attribute, which is used to uniquely identify a user. The NameID value is typically a user's UPN or email.
- Group Attributes: CAS Manager can also verify a user's group membership from properties in the AttributeStatement of the SAML Assertion. The Group attribute name (configured in the Allowed Groups tab on the Multi-Admin Settings page of the Admin Console) specifies the name of the Attribute in which the groups are returned. The AttributeValue can match either a Group ID or a Group Name, depending on how the Allowed Group was created on the Multi-Admin Settings page.
CAS Manager allows a user access through a SAML configuration if the user is in the list of Allowed Admins in CAS Manager or the user is a member of one or more of the Allowed Groups in your IDP. Hence, to revoke a user's access to CAS Manager through a SAML configuration, you must both remove the user from the Allowed Admins list in CAS Manager and remove the user's membership from any Allowed Groups in your IDP; removing only one of the two leaves the user with access.
Configure CAS Manager as a SAML Service Provider to Enable Multi-Admin
The following section outlines the steps to set up and configure SAML for CAS Manager using the CAS Manager Admin Console:
- From the account icon, click Multi-Admin Settings to create a new multi-admin configuration.
- Register CAS Manager as an SP with your IDP. You can obtain the Assertion Consumer Service URL and Audience URL from the Configuration Info section. Use this information to configure your IDP to recognize CAS Manager as an SP.
- Configure CAS Manager to connect to your IDP. Obtain the Identity Provider Login URL and Identity Provider Certificate from your IDP and configure the IDP Settings section accordingly. Alternatively, you can upload an IDP XML Metadata file in the IDP Settings section.
- Enable the Multi-Admin configuration to use the configured IDP. Make sure that your configuration is enabled by toggling the switch at the bottom of the Configuration Info section, and confirm that you see the Configuration is enabled message.
- Configure CAS Manager Assertion Attributes:
  - To allow an individual user as an admin, go to the Allowed Admins section and add the UPN associated with that user. CAS Manager validates the UPN against the NameID attribute in the SAML response received from the IDP.
  - To allow user groups, go to the Allowed Groups section and configure the Group Attributes accordingly. This configures CAS Manager to validate the Group Name and/or Group ID attribute values in the SAML response received from the IDP.
  - You can configure either Allowed Admins or Allowed Groups, or both, in the Multi-Admin Settings.
- Allowed users can now access CAS Manager by opening the CAS Manager login page URL, which is available in the Configuration Info section. Alternatively, users can log in directly via the IDP using the Direct login via identity provider URL, also available in the Configuration Info section.
The Configuration Info section contains auto-generated information about the login URLs and the IDP:
- CAS Manager login page: A link to the page for multi-administrator login to the Admin Console. This is the SSO link used by the end user in Step 1 of the SAML authentication flow diagram.
- Direct login via identity provider: An endpoint to which multi-admin sign-in requests can be sent. This is the login page for the configured IDP.
- Assertion Consumer Service URL: The callback URL provided to the IDP, to which user information is sent once the IDP has authorized the user. This is the CAS Manager endpoint that the IDP sends the SAML response to in Step 5 of the SAML authentication flow diagram.
- Audience URL: The entity ID that the IDP uses to identify the Admin Console.
The IDP Settings section contains the IDP settings that can be updated to manage the SAML configuration within CAS Manager:
- Identity Provider Login URL: The IDP endpoint to which SAML authentication requests are sent. This is the endpoint that CAS Manager sends the SAML login request to in Step 2 of the SAML authentication flow diagram above.
- Identity Provider Certificate: The public certificate of the IDP, used to verify the IDP's signature on the SAML response.
You can also upload an .xml metadata file that contains your IDP information instead of entering these values by hand.
The Allowed Admins section enables you to add new admins and lists all existing admins that are allowed to log in via your IDP. To add a new admin, enter their e-mail and click the Add Admin button.
The Allowed Groups section enables you to add new groups and lists all existing groups that are allowed to log in via your IDP. To enable access for a group of users, enter the claim type and the group claim, then click Add Group.
- The claim type tells CAS Manager how the group is returned in the SAML attribute assertions of the SAML response received from your IDP.
- The group claim is matched against either the Group Name claim or the Group ID claim in the SAML attribute assertions for a user, depending on the claim type defined for the group.
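As an added example (not CAS Manager's own code), the following Python parses a constructed SAML Response and applies the two access rules described above in the SAML Attribute Assertions and Allowed Groups sections: Allowed Admins matched on the NameID, and Allowed Groups matched on the values of the configured group attribute, either by Group Name or by Group ID, after checking that the assertion was issued for this SP's Audience URL. The attribute name `groups`, the URLs and the group values are assumptions, and the example assumes the response signature has already been verified with the Identity Provider Certificate.

```python
# Added example, not CAS Manager's own code: parse a constructed SAML Response
# and apply the Allowed Admins / Allowed Groups rule. Assumes the XML signature
# was already verified against the Identity Provider Certificate (separate step).
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response: a NameID plus a "groups" attribute carrying one
# group name and one group ID (attribute name and values are assumptions).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://cas-manager.example.com/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Help Desk</saml:AttributeValue>
        <saml:AttributeValue>a1b2c3d4-0000-0000-0000-000000000000</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text):
    """Return (name_id, audiences, {attribute name: [values]}) from a Response."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    audiences = [a.text.strip() for a in assertion.iterfind(".//saml:Audience", NS)]
    attrs = {}
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)]
    return name_id, audiences, attrs


def is_allowed(name_id, audiences, attrs, audience_url, group_attr, allowed_admins, allowed_groups):
    # Reject assertions not issued for this SP's Audience URL (entity ID).
    if audience_url not in audiences:
        return False
    # Rule 1: the NameID (UPN or e-mail) is listed under Allowed Admins.
    # Case-insensitive comparison is an assumption of this example.
    if name_id.lower() in {a.lower() for a in allowed_admins}:
        return True
    # Rule 2: any value of the configured group attribute matches an Allowed
    # Group, whether that Allowed Group was created as a Group Name or Group ID.
    return any(value in allowed_groups for value in attrs.get(group_attr, []))
```

Note that a user removed from Allowed Admins but still carried in an Allowed Group (or vice versa) is still granted access, which is the revocation caveat stated above.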