Login via Single Sign-On (SSO)
Users can log in to Avendoo® via Single Sign-On (SSO) without entering a user name and password. Authentication consists of two checks: which user wants to log in, and whether this user is permitted to log in to this resource. Authentication happens once, at a central point (for example when logging in at the workplace), and is not repeated when Avendoo® is called via the login page.
This one-time sign-on, followed by the use of programs such as Avendoo® without a further login, is called Single Sign-On (SSO).
The learner then accesses a URL to the Avendoo® system for SSO, to which information for the SSO configuration is appended. After that the learner does not see the Avendoo® login page but lands directly on the start page of the user's frontend. The Avendoo® system is an example of such a service.
“Being globally logged-in” means that the user is authenticated and logged in within an environment, for example a Windows domain. SSO thus grants access to a service by checking the authentication of the accessing user via an Identity Provider (IDP). Active Directory Federation Services (ADFS) is an example of an IDP.
Avendoo® supports the following SSO technologies:
- Security Assertion Markup Language 2.0 (SAML2),
- SCIM 2.0 and
- OpenID Connect.
This page describes the SSO technologies SAML2 and OpenID Connect. A chapter about SCIM 2.0 will follow soon.
Regarding SSO configurations and IDPs: system-wide there can be only one SSO configuration in Avendoo®, to which different IDPs are assigned and stored. We recommend defining only one standard IDP per client. For this the author enters a value in the field Identity Provider Id, i.e. the prefix of the SSO configuration, in the Client wizard on the tab Options.
Quick instruction for SSO per SAML2
The SSO interface has been realized with the Security Assertion Markup Language 2.0 (SAML2), a protocol for exchanging authentication and authorization information between two trusted systems. The SAML protocol is based on XML.
A user who logs into the Learning world via SSO is authenticated via a certain attribute from the user data: either against the field “Login” or against the field “IDPUserID”.
Open SSO link
The user calls the SSO link via the browser, i.e. the link to the Avendoo® system plus information about the SSO parameters.
Redirect to the IDP
The user is redirected to his/her IDP by interpreting the SSO attribute.
Confirm SAML response
If the end user is a known user, the IDP confirms, by means of a signed SAML response, that the user is globally logged in and that a session with the IDP exists.
If the user is currently not logged in (to the IDP), several IDPs can also check login data. This can be relevant if the Avendoo® system is opened via SSO while travelling or from the home office.
The SAML response is routed to the Avendoo® system via the user's browser and evaluated there. The user is then logged in and finally the user's frontend is shown.
Quick instruction for SSO via OpenID Connect
The author creates the OpenID Connect configuration with the help of the SSO and import configuration. This enables the browser to verify (= SSO) the identity of the end user based on the authentication performed by an authorization server (analogous to an IDP) and, for example, to receive basic profile information about the end user. In addition to SSO via OpenID Connect, a user data set can thus also be created if no user data set exists when the user accesses Avendoo®.
Open SSO link
The user opens the SSO link via the browser, i.e. the link to the Avendoo® system plus information about the SSO parameters.
Redirect to IDP
The user is redirected to his/her IDP by interpreting the SSO attribute.
Note that with the option Check IDP provider ID (sub tab Attribute assignment of the tab Configuration in the wizard SSO and Import Configuration) only users of this configuration whose identity provider ID matches can log in. If you don't want this check, deactivate this check mark in the wizard SSO and Import Configuration.
IDP confirms global login and redirects to IDP
If the user is currently not logged in (to the IDP), several IDPs can access user data. This can be relevant when the Avendoo® system is opened via SSO while travelling or from the home office.
Avendoo® and the IDP communicate to exchange user data and to execute the Avendoo® login into the user's frontend.
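The OpenID Connect side of the flow, as an added example that is not Avendoo®'s own code: the claim checks a relying party applies to the ID token it receives from the authorization server, followed by the two behaviours described above, the Check IDP provider ID option (the user's stored identity provider ID must equal the configured one) and creation of a user data set from the profile claims when none exists yet. Signature verification against the IdP's published keys is assumed to have been done by a JOSE library and is not repeated. The issuer, client ID, identity provider ID “corp” and user records are constructed placeholders.

```python
import base64
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_test_id_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT-shaped ID token for this example only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "kid": "kid-placeholder"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.signature-placeholder"


# Constructed SSO configuration; identity_provider_id is the per-client prefix.
CONFIG = {
    "issuer": "https://idp.example.test",
    "client_id": "avendoo-client-placeholder",
    "identity_provider_id": "corp",
    "check_idp_provider_id": True,
}


class OidcLogin:
    def __init__(self, config: dict, users: dict):
        self.config = config
        self.users = users  # sub -> user data set

    def validate_id_token(self, token: str, expected_nonce: str, now: int) -> dict:
        """Check the ID token claims; raise ValueError naming the failed check."""
        parts = token.split(".")
        if len(parts) != 3:
            raise ValueError("malformed token")
        claims = json.loads(_b64url_decode(parts[1]))
        if claims.get("iss") != self.config["issuer"]:
            raise ValueError("issuer mismatch")
        aud = claims.get("aud")
        aud_list = aud if isinstance(aud, list) else [aud]
        if self.config["client_id"] not in aud_list:
            raise ValueError("audience mismatch")
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            raise ValueError("token expired")
        if claims.get("nonce") != expected_nonce:
            raise ValueError("nonce mismatch (possible replay)")
        if not claims.get("sub"):
            raise ValueError("missing subject")
        return claims

    def login(self, token: str, expected_nonce: str, now: int):
        """Return ("created"|"existing", user data set) or raise ValueError."""
        claims = self.validate_id_token(token, expected_nonce, now)
        user = self.users.get(claims["sub"])
        if user is None:
            # No user data set yet: create one from the profile claims.
            user = {
                "sub": claims["sub"],
                "email": claims.get("email"),
                "name": claims.get("name"),
                "idp_id": self.config["identity_provider_id"],
            }
            self.users[claims["sub"]] = user
            return "created", user
        if (self.config["check_idp_provider_id"]
                and user["idp_id"] != self.config["identity_provider_id"]):
            raise ValueError("identity provider ID mismatch")
        return "existing", user


if __name__ == "__main__":
    token = make_test_id_token({"iss": CONFIG["issuer"], "aud": CONFIG["client_id"],
                                "exp": 1704110700, "nonce": "n1", "sub": "u42",
                                "email": "jdoe@example.test", "name": "J. Doe"})
    print(OidcLogin(dict(CONFIG), {}).login(token, "n1", 1704110400))
```

The nonce check ties the token to the browser session that started the login, and the expiry check bounds how long a leaked token is usable; the identity provider ID comparison is what the Check IDP provider ID check mark switches on and off.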