Ad Astra supports single sign-on (SSO) using either SAML 2.0 or Central Authentication Service (CAS). The following information will help in setting up SSO.
This article will cover SAML 2.0, for CAS see the Central Authentication Service (CAS) article.
Astra Schedule can act as a Service Provider (SP) and integrate with an Identity Provider (IdP) using the SAML 2.0 protocol. SAML 2.0 provides federated authentication between the two parties through the user's browser, so no direct VPN connection between Ad Astra and the Identity Provider is required.
Capabilities for SAML 2.0 Authentication
- Redirection of users upon sign in to an Identity Provider for authentication (SP-initiated Single Sign-On)
- Support for SAML 2.0 Redirect and POST bindings
- Redirection of users upon sign-off to the Identity Provider to terminate the IdP session (SP-initiated Single Sign-Off)
- Requires the IdP's sign-off URL to be supplied to Ad Astra
- User binding – Identity Provider users can be bound to Astra users in the following ways:
- Map an entire SAML attribute value to a username by specifying the Object Identifier (OID) of the attribute
- Map a portion of a SAML attribute value to a username by using the OID along with a regular expression and a matching group (e.g. Group #1 with the regex string "(.*)(@)(.*)" extracts the mailbox "email" from the value email@example.com)
- If a user is authenticated by the IdP but does not exist in Astra Schedule, an Astra Schedule user is created automatically with a default role. The default role is chosen during SSO configuration, so assign it the least privilege needed.
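The user-binding rules above can be checked against a real assertion before asking support to configure them. The following is an added example written for this article, not Ad Astra's own code: it looks up a SAML attribute by OID in a constructed sample assertion and applies the OID-plus-regex-plus-group mapping. It goes slightly beyond the text by also handling the failure cases a practitioner hits in practice (attribute absent, attribute multi-valued, regex not matching, group empty), all of which refuse to bind rather than fall through. Signature validation of the assertion is assumed to have happened already; the OIDs used are the standard LDAP/eduPerson ones, and the sample values are invented.

```python
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard attribute OIDs (not Ad Astra specific)
MAIL_OID = "urn:oid:0.9.2342.19200300.100.1.3"            # mail
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"              # eduPersonPrincipalName
AFFILIATION_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"       # eduPersonAffiliation (multi-valued)

# Constructed sample assertion. In real use this is the signed assertion from the IdP,
# and its XML signature must already have been verified before attributes are trusted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-sample" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>staff</saml:AttributeValue>
      <saml:AttributeValue>member</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def get_attribute_values(assertion_xml, oid):
    """Return every AttributeValue of the Attribute whose Name is the given OID."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get("Name") == oid:
            for value in attr.iterfind("saml:AttributeValue", SAML_NS):
                values.append((value.text or "").strip())
    return values


def bind_username(assertion_xml, oid, pattern=None, group=1):
    """Derive the Astra username from one SAML attribute.

    pattern=None maps the whole attribute value; otherwise the value must fully match
    the regex and the selected capture group becomes the username. Returns None
    whenever the binding is ambiguous or fails, so the caller can deny sign-in.
    """
    values = get_attribute_values(assertion_xml, oid)
    if len(values) != 1:
        return None            # attribute missing, or multi-valued: do not guess
    value = values[0]
    if not value:
        return None
    if pattern is None:
        return value
    match = re.fullmatch(pattern, value)   # anchored: a partial match must not bind
    if match is None:
        return None
    username = match.group(group)
    return username or None    # an empty capture group is not a usable username


if __name__ == "__main__":
    print(bind_username(SAMPLE_ASSERTION, MAIL_OID))                       # whole value
    print(bind_username(SAMPLE_ASSERTION, MAIL_OID, r"(.*)(@)(.*)", 1))    # mailbox part
    print(bind_username(SAMPLE_ASSERTION, AFFILIATION_OID))                # None: multi-valued
```

The regex is applied with `re.fullmatch` rather than `re.search`; with an unanchored search, a pattern such as "(.*)(@)(.*)" still works, but a looser one could match a substring of a hostile attribute value and bind to the wrong account.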
SAML 2.0 Integration Process
SAML 2.0 requires an initial exchange of metadata (entity IDs, endpoints, and signing certificates) to establish trust between the SP and the IdP. Ad Astra can exchange metadata either directly or via participation in the InCommon federation (InCommon.org).
- IdP metadata:
- Submit your IdP metadata, either as a URL or as the metadata file itself, to Ad Astra support to initiate the integration process.
- Ad Astra SP metadata:
- Available on request for Astra Schedule 8 instances.
- Unique to each URL under https://aaiscloud.com, so production and test systems require separate SP metadata and must each be registered with the IdP.
- SP metadata for Ad Astra can also be retrieved via the REST API once the initial configuration is complete.
Please submit a support ticket for assistance with setting up SAML 2.0 authentication.
Bypass Single Sign-On
To bypass the single sign-on mechanism on a site configured for SSO, a user may open the sign-in page URL with the nosso URL parameter, which presents the local Astra Schedule sign-in form. This is useful for internal users who do not have an account at the IdP. Because this bypass is always available, those local accounts are protected only by their Astra Schedule password, so assign a strong password when creating users and keep the number of such accounts to a minimum.