KNF:SSOnotification/en

From Kennisnet Developers Documentation
Current version as of 4 May 2023, 08:59

Entree Federation: SSOnotification


If a school has its own connection with the Entree Federation (for example an ELE (electronic learning environment) or an ADFS), it is possible to skip the WAYF (Where Are You From) screen of Entree. This is done with a cookie that is set after the user has logged in on their own environment (for example an intranet page or the homepage of the ELE).

The cookie contains only information identifying the Identity Provider; it carries no user or session data. Entree uses it to preselect the correct Identity Provider on the WAYF screen.

To see the advantage of SSO notification, follow the two scenarios below.

Example without SSOnotification:

To simulate this scenario follow these steps:

  1. The student/teacher logs in on the ELE/Active Directory
    • Go to: Reference ELE (https://referentie.entree.kennisnet.nl/referentie)
  2. The student/teacher clicks on a link to learning material
    • Click on 'Naar dienst' ('To service')
  3. You arrive at the WAYF (Where Are You From) screen. No information is available about the school the user is coming from, so the user has to select it manually.
    • Search for and select 'Referentie Omgeving' ('Reference application')
    • Click on 'Verder' ('Next')
  4. Entree Federation requests the user data (attributes) from the Identity Provider
    • This step is unique to our Reference ELE, because it allows you to enter dummy data. Normally the user attributes are sent through the back channel
    • Click on 'Direct verder naar dienstaanbieder' ('Directly to Service Provider')
  5. The user is now logged in, and the user attributes that were used during the login process are shown.

Example with SSOnotification:

To simulate this scenario follow these steps:

  1. The student/teacher logs in on the ELE/Active Directory
    • Go to: Reference ELE (https://referentie.entree.kennisnet.nl/referentie)
    • Click on 'SSO Notificatie instellen' ('Set SSO notification')
  2. The student/teacher clicks on a link to learning material
    • Click on 'Naar dienst' ('To service')
      In this scenario the WAYF screen is not shown. Entree reads the SSO notification cookie and automatically selects the correct school.
  3. Entree Federation requests the user data (attributes) from the Identity Provider
    • This step is unique to our Reference ELE, because it allows you to enter dummy data. Normally the user attributes are sent through the back channel
    • Click on 'Direct verder naar dienstaanbieder' ('Directly to Service Provider')
  4. The user is now logged in, and the user attributes that were used during the login process are shown.

Implementation

The SSO notification cookie is placed by redirecting the user's browser to Entree Federation after the user has logged in on the school portal.

Config redirect URL

The redirect URL has 4 parts:

  1. The Entree Federation endpoint to which the user's browser is redirected (see Endpoint below).
  2. The unique identifier of the Identity Provider as known in Entree Federation. This is the entity ID of the IdP and can be looked up here: https://engine.entree.kennisnet.nl/sso/wayfsearch
  3. The URL (url-encoded) of the server the user is coming from, i.e. the school portal or ELE that performs the redirect.
  4. The redirectUri (url-encoded): the URL the user is sent to after the cookie has been set. In most cases this is the same address as part 3, but it can be a different one if needed. It must be an address owned by the school; it cannot be the address of a Service Provider.

Important: SSO notification cannot be used until the redirect URL has been added to the whitelist. Send the URL to Kennisnet via a ticket: https://support.kennisnet.org/Tickets/Submit. The whitelist is also what keeps the endpoint from being usable as an open redirect to arbitrary addresses, so the redirectUri you register should be the exact address you intend to use.

Endpoint

  1. production: https://ssonot.entree.kennisnet.nl/?id=<identifier of the IdP>&url=<url-encoded ELO URL>&redirectUri=<url-encoded redirect URL>
  2. staging: https://ssonot.entree-s.kennisnet.nl/?id=<identifier of the IdP>&url=<url-encoded ELO URL>&redirectUri=<url-encoded redirect URL>

Example

In this example the IdP identifier is http://authenticate.example.org, the URL where the redirect starts is http://www.example.org, and the URL the user is redirected to after the cookie has been set is http://www.kennisnet.nl (a different host than the origin, to show that the two may differ; in a real deployment the redirectUri must be an address owned by the school, as stated above):
https://ssonot.entree.kennisnet.nl/?id=http://authenticate.example.org&url=http%3A%2F%2Fwww.example.org&redirectUri=http%3A%2F%2Fwww.kennisnet.nl
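As an added example (not Kennisnet's own code or script), the Python below builds the redirect URL from the four parts above with the url-encoding the documented example uses, and shows the check the receiving side has to make before setting the cookie and redirecting: the redirectUri must be an absolute http(s) URL on a school-owned host, never a Service Provider or an attacker-chosen address. The endpoints and the parameter names id, url and redirectUri come from this page; the allowlist of school hosts (www.example.org and a constructed intranet.example.org) stands in for the whitelist Kennisnet maintains, and the Service Provider host used as a negative case is made up.

```python
"""Build and validate an Entree Federation SSO notification redirect URL.

Added example, not Kennisnet's own code. Endpoints and parameter names
(id, url, redirectUri) are taken from the documentation; the school host
allowlist below is a constructed assumption standing in for the whitelist
that Kennisnet maintains for each school.
"""
from urllib.parse import parse_qs, quote, urlsplit

# SSO notification endpoints as documented.
SSONOT_ENDPOINTS = {
    "production": "https://ssonot.entree.kennisnet.nl/",
    "staging": "https://ssonot.entree-s.kennisnet.nl/",
}

# Assumption: the hosts this school owns. The redirectUri must land on one of
# these; a Service Provider address (or anything else) is rejected, which is
# what keeps the endpoint from being usable as an open redirect.
SCHOOL_HOSTS = frozenset({"www.example.org", "intranet.example.org"})

REQUIRED_PARAMS = ("id", "url", "redirectUri")


class RedirectUriError(ValueError):
    """redirectUri is not an absolute http(s) URL on a school-owned host."""


def check_redirect_uri(redirect_uri, allowed_hosts=SCHOOL_HOSTS):
    """Return redirect_uri unchanged if it is safe to redirect to, else raise."""
    parts = urlsplit(redirect_uri)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise RedirectUriError("not an absolute http(s) URL: %r" % redirect_uri)
    # urlsplit lowercases the hostname. Compare the exact host, no suffix
    # matching, so 'www.example.org.evil.net' does not pass.
    if parts.hostname not in allowed_hosts:
        raise RedirectUriError("host %r is not a school-owned host" % parts.hostname)
    return redirect_uri


def build_ssonot_url(idp_entity_id, elo_url, redirect_uri=None, environment="production"):
    """Compose the URL the school portal redirects the browser to after login.

    idp_entity_id: the IdP's entity ID as known to Entree (part 2).
    elo_url:       the portal/ELO the user comes from (part 3), url-encoded.
    redirect_uri:  where the user lands after the cookie is set (part 4),
                   url-encoded; defaults to elo_url, the common case.
    """
    base = SSONOT_ENDPOINTS[environment]
    redirect_uri = check_redirect_uri(redirect_uri if redirect_uri is not None else elo_url)
    # The documented example leaves ':' and '/' in the id as-is but fully
    # encodes url and redirectUri (safe="" also encodes '/' and ':').
    return "%s?id=%s&url=%s&redirectUri=%s" % (
        base,
        quote(idp_entity_id, safe=":/"),
        quote(elo_url, safe=""),
        quote(redirect_uri, safe=""),
    )


def parse_ssonot_url(url, allowed_hosts=SCHOOL_HOSTS):
    """What the receiving endpoint must do before setting the cookie and
    redirecting: decode the three parameters and re-check redirectUri
    against the whitelist. Returns a dict of the decoded parameters."""
    query = parse_qs(urlsplit(url).query, strict_parsing=True)
    missing = [p for p in REQUIRED_PARAMS if p not in query]
    if missing:
        raise ValueError("missing parameters: %s" % ", ".join(missing))
    params = {p: query[p][0] for p in REQUIRED_PARAMS}
    check_redirect_uri(params["redirectUri"], allowed_hosts)
    return params


if __name__ == "__main__":
    url = build_ssonot_url("http://authenticate.example.org", "http://www.example.org")
    print(url)
    print(parse_ssonot_url(url))
    try:
        build_ssonot_url("http://authenticate.example.org", "http://www.example.org",
                         redirect_uri="https://sp.example.net/login")
    except RedirectUriError as exc:
        print("rejected:", exc)
```

The exact-host comparison is deliberate: suffix or prefix matching on the redirect target is the usual way allowlists turn into open redirects, and a `javascript:` or scheme-relative (`//host`) target is rejected outright because it is not an absolute http(s) URL.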

Third-party cookie

When an Identity Provider has Entree Federation place the SSO notification cookie via an AJAX call or an iframe, that cookie is a third-party cookie: it is set by a domain (Entree Federation) other than the domain of the website the user is visiting (the Identity Provider). Some organizations use third-party cookies to track users across different websites. Because this type of third-party cookie (also called a tracking cookie) can infringe on users' privacy, browsers increasingly discourage and often block them.

This may prevent the SSO notification cookie from being placed. In that case the user can still log in via Entree Federation, but will have to select their school on the WAYF screen. Since browsers have announced that they will block third-party cookies completely in the long term, an SSO notification is best placed by means of a redirect: a top-level navigation to the Entree endpoint sets the cookie in a first-party context, so it is not affected by third-party cookie blocking.