SAML 2.0 Service Provider Configuration Overview
Encompass can be configured to authenticate users against a SAML 2.0 Identity Provider (IdP). Encompass uses the Shibboleth Service Provider (SP), which runs as a module inside Apache httpd: http://shibboleth.net/
The SP side is normally configured and installed as part of a standard Encompass installation. This application note does not describe the installation of the SP itself; it gives an overview of what is required to authorize the Encompass SP at the IdP. The components involved are:
Apache 2.x + Shibboleth SP packages
Tomcat 7 + Encompass Application WAR
Java 7 JVM
Apache is configured as the HTTPS endpoint, and the Shibboleth module handles all communication with the Identity Provider (IdP). Once the IdP has authenticated the user and returned an assertion the SP accepts, Apache reverse-proxies the request over plain HTTP to the Tomcat server hosting Encompass, placing the agreed-upon user ID in an HTTP request header. Encompass then opens an application session for that user ID and the user begins work. Because Encompass trusts this header outright, the Tomcat connector must be reachable only from Apache (for example bound to the loopback address), and Apache must set the header from the Shibboleth attribute on every proxied request, overwriting any copy supplied by the client; otherwise anyone who can reach Tomcat directly, or get a forged header past Apache, can open a session as any user.
To configure the Service Provider, a metadata exchange between the SP and the IdP is required. This establishes the trust relationship: each side learns the other's entityID, endpoint URLs and certificates.
1) The IdP provides its metadata to the SP. This is a simple XML document, usually exchanged by email or file share. On the SP it is typically saved as partner-metadata.xml and referenced from the SP's own configuration file, shibboleth2.xml (shibboleth2.xml is the SP's configuration, not part of the IdP's metadata). The most important content of the IdP metadata is the IdP's signing certificate (its public key), which the SP uses to verify the signature on every assertion. Because this certificate is the root of the trust relationship, confirm its fingerprint with the IdP operator out of band rather than trusting an email attachment alone.
2) The SP generates its own metadata, which describes the SP to the IdP: its entityID (the unique identifier the IdP authorizes), the AssertionConsumerService URL to which the IdP POSTs assertions, and the SP's certificate. This (optionally signed) file needs to be communicated back to the IdP, which registers it before it will issue assertions to the SP. A running Shibboleth SP serves its own metadata at https://<hostname>/Shibboleth.sso/Metadata, so the file can be downloaded from there rather than written by hand.
3) Encompass is configured to pick up the agreed-upon user ID from the HTTP request headers.
Encompass only requires that a unique identifier be supplied in the HTTP headers; Shibboleth's attribute mapping (attribute-map.xml) controls which SAML attribute released by the IdP is exported under that name. Perception Software recommends using the user's corporate username or email address as the identifier. This identifier is what Encompass uses to reference the user's profile and to attribute logged events, so it must be asserted by the IdP (never taken from user input), be unique across all users, and remain stable: if the IdP later reassigns a value to a different person, that person inherits the previous user's Encompass profile and history.
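As an added example (not configuration shipped with Encompass or provided by Perception Software), the Apache virtual host below shows the pattern described in the architecture overview and in the identifier paragraph above: Shibboleth protects every path, the chosen identifier is copied from the SP's attribute environment variable into a single request header, any client-supplied copy of that header is discarded, and the request is proxied to Tomcat on the loopback interface. The hostname encompass.example.com, the certificate paths, the header name X-Remote-User, the attribute id mail (which must match the id in the SP's attribute-map.xml) and the Tomcat port 8080 are assumptions for illustration; the page does not name the header Encompass reads. The directives use Apache 2.4 syntax (Require shib-session); on Apache 2.2 with an older SP the equivalent is ShibRequireSession On with require shibboleth.

```apache
# Added example: Apache httpd 2.4 virtual host fronting Encompass with the Shibboleth SP.
# Assumed values: hostname, certificate paths, header name X-Remote-User,
# attribute id "mail" (as mapped in attribute-map.xml) and Tomcat on 127.0.0.1:8080.
<VirtualHost *:443>
    ServerName encompass.example.com

    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/encompass.example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/encompass.example.com.key

    # The SP's own handlers (SSO, metadata, logout) live under /Shibboleth.sso and are
    # served by mod_shib itself; this block keeps the session requirement below from
    # applying to them (mirrors the shib.conf the SP packages install).
    <Location /Shibboleth.sso>
        AuthType None
        Require all granted
    </Location>

    # Everything else requires a Shibboleth session; unauthenticated users are
    # redirected to the IdP before any request reaches Tomcat.
    <Location />
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        Require shib-session

        # Leave ShibUseHeaders at its default (Off) so attributes are not exported as
        # headers wholesale; export just the identifier from the SP's environment
        # variable. The unset runs first so a client cannot smuggle its own
        # X-Remote-User through if the attribute happens to be absent.
        RequestHeader unset X-Remote-User
        RequestHeader set   X-Remote-User "%{mail}e" env=mail
    </Location>

    # Order matters: exclude the SP handler from proxying before the catch-all rule,
    # otherwise the IdP's POST to the AssertionConsumerService would be sent to Tomcat.
    ProxyPreserveHost On
    ProxyPass        /Shibboleth.sso !
    ProxyPass        /  http://127.0.0.1:8080/
    ProxyPassReverse /  http://127.0.0.1:8080/
</VirtualHost>
```

For this to be safe, Tomcat's HTTP connector must listen only on the loopback interface (set address="127.0.0.1" on the Connector in server.xml) so the header-trusting side is never reachable except through Apache. After restarting, a quick check is to request a page with a hand-crafted X-Remote-User header and no Shibboleth session: the SP must redirect to the IdP rather than let Encompass open a session for the name in the forged header.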