Overview of SAML Integration in ZTAA
This article serves as an overview of the SAML integration available in the InstaSafe ZTAA solution and demonstrates the configuration required to have ZTAA serve as an IdP for SSO to a sample application (Zendesk).
Security Assertion Markup Language (SAML) is an XML-based open standard for exchanging authentication and authorization data between two parties, a Service Provider and an Identity Provider. InstaSafe ZTAA can act as a single sign-on (SSO) solution for applications that support login via SAML.
Terminologies
- Identity Provider (IdP) performs the authentication, i.e., verifies that end users are who they claim to be, establishes their identity and sends that data to the Service Provider.
- Service Provider (SP) is the application that needs the authentication data from the Identity Provider and uses the established identity to grant authorization to the user.
- ACS URL is the location to which the SSO tokens (SAML assertions) are sent, as specified by the partner. The Assertion Consumer Service (ACS) applies to all SAML versions and to both the IdP-initiated and SP-initiated SSO profiles.
- Entity ID is a globally unique name for a SAML entity, either an Identity Provider (IdP) or a Service Provider (SP). The first step in configuring any SAML deployment is to choose a permanent name for the entity.
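As an added illustration (not part of the InstaSafe documentation), the following Python shows how a Service Provider consumes the values defined above: it checks a SAML Response's Destination against the configured ACS URL, its Issuer against the IdP Entity ID, its Audience against the SP Entity ID, and the assertion's validity window. The response, URLs and entity IDs are constructed sample values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def parse_saml_time(s):
    # SAML timestamps are UTC, e.g. 2024-01-01T10:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_saml_response(xml_text, sp_entity_id, acs_url, idp_entity_id, now=None):
    # Compare a SAML Response with the SP's configured values; return a list of
    # mismatches (empty = all checked fields agree). XML signature verification
    # with the IdP certificate is out of scope here and must precede these checks.
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    # Destination must be exactly the ACS URL the SP registered with the IdP.
    if root.get("Destination") != acs_url:
        problems.append("destination != ACS URL")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no assertion"]
    # Issuer must be the IdP Entity ID configured on the SP side.
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        problems.append("issuer != IdP Entity ID")
    # The assertion must be addressed to this SP's Entity ID.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        problems.append("SP Entity ID not in audience")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < parse_saml_time(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= parse_saml_time(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems

# Constructed sample response; the URLs and entity IDs are made up for this example.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
  IssueInstant="2024-01-01T10:00:00Z" Destination="https://example.zendesk.com/access/saml">
  <saml:Issuer>https://ztaa.example.com</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T10:00:00Z">
    <saml:Issuer>https://ztaa.example.com</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T09:59:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>example.zendesk.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

A mismatch in any of these fields is exactly what a mistyped ACS URL or Entity ID during the configuration below produces, so the returned list is a quick way to tell which side was misconfigured.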
Supported Configuration
InstaSafe supports two kinds of SAML configuration.
1. Frontend SAML - Backend Local
In this case, ZTAA is directly used as the IDP to log in to the application.
Application (SP)---> ZTAA(IDP)
2. Frontend SAML - Back End SAML
In this scenario an organization already uses an IDP and wants to use ZTAA for other features while retaining its existing primary IDP. ZTAA then functions as a proxy, acting both as an Identity Provider for the application and as a Service Provider toward the primary IDP. When a user tries to log in to the application, the request first comes to InstaSafe, which forwards it to the primary IDP. The response received is modified and forwarded to the application.
Application (SP) ----> ZTAA (IDP) || ZTAA (SP) -----> Okta (IDP)
Setting up ZTAA as an IDP
In this case, ZTAA is directly used as an IDP to log in to the application. The application set up for demonstration purposes is Zendesk.
Zendesk (SP) ---> ZTAA (IDP)
Prerequisites - A Zendesk account should exist for the user, and the required access control policies should have been configured.
Identity Provider Set Up
1. Log in to the ZTAA Console as Admin
2. Go to Identity Management >> Identity Provider
3. Click on ‘Add’ and give a name to this SAML Integration
4. Select ‘Generic SAML SP’
5. Click on ‘Next’
6. Click on ‘Generate Certificate’
Fill in the details as follows:
- ACS URL and SP Entity ID are obtained from the SP configuration page.
- IDP Entity ID can be chosen by the admin. However, it is recommended to use the Tenant Domain name as the IDP Entity ID.
- SP Certificate is not mandatory.
- The remaining fields have default values filled in automatically.
Service Provider Set Up
1. Log in to the Zendesk account with admin credentials
2. Go to 'Security Settings' > 'SSO'
3. Copy the ACS URL (SAML SSO URL)
4. Paste the ACS URL in the appropriate field in the ZTAA console
5. Paste the obtained certificate fingerprint in the Zendesk portal
6. Click on 'Save'
7. In the Zendesk portal, go to 'Staff members', enable 'External authentication' and select 'Single sign on'. Click on 'Save'. Then go to 'End users' and enable 'External authentication'. Click on 'Save'
8. Copy the generated Service Provider URL and paste it in the appropriate field in the ZTAA console
9. Enable all the toggles
- Allow access from browser
- Allow access from desktop
- Allow access from mobile
10. Click on 'Next'
11. Select 'Backend Type' as Local
12. Click on 'Submit'
Creating an Application
1. Log in to the ZTAA Console as Administrator and navigate to 'Perimeter Management'. Create a new Application with the URL
https://instasafe.zendesk.com/
2. Go to 'Access Policies' and create an ACL granting Users (or User Groups) access to the Zendesk application
3. Go to 'Identity Provider', select 'Zendesk IDP', enter Edit mode and add the application
This documentation aims to serve as a guide for configuring ZTAA as an IDP providing SSO for Zendesk.
While the general steps remain the same, the field names and configuration flow may vary from application to application. The InstaSafe Tech Team would be more than happy to assist with the configuration and to address any queries that arise from deviations from the above steps when integrating particular applications.
If you are an Admin of the organization's ISA Account and need assistance, contact InstaSafe Support.