Using LogonBox as a SAML Identity Provider (IdP)

system

Introduction

This article outlines the information and steps you need to take in order to configure a LogonBox server to act as a SAML Identity Provider (IdP).

Once configured, users of your own webapps can be redirected to your LogonBox server to handle authentication before being handed back to the webapp.

 

1. Install and license the feature

Note first that you can only use this feature if you have an Enterprise license. This feature is not available on the Professional or Foundation (free) licenses.

It's likely the feature is already installed on the system. If so you can navigate to the Identity Services menu under the Resources section of the left hand menu.

If the feature is not installed, navigate to Updates, Features & Licensing in the top right menu, then click the Servers tab.

You can install the SAML Server feature from here with the download button on the right hand side. Click Accept then Restart the server when prompted with the power icon at bottom right.

 

2. Create a new SAML Resource

Log into your LogonBox server with your admin account, navigate to Identity Services->SAML and click Create.

Give the resource a meaningful name.

In the Metadata tab enter the Consumer URL, which will be the URL of your server, e.g.:

https://test.logonbox.io/app/ui

Select the Assertion tab and click the plus icon and add an attribute called api with a value of LogonBox.

 

On the Assignment tab, set which users, groups or roles will be able to use this resource.

If you want every user to be able to authenticate you can add the Everyone role. Start typing Everyone in Roles and select it when it appears in the list.

 

Click Create to create the new resource.

 

3. Export metadata and certificate

Now that we have the resource, we need to gather all of the information that your webapp will need in order to operate as a SAML Service Provider (SP).

Next to the newly created resource, click the Options (gears) icon and select Download Metadata. Save this XML file for later.

 

Now expand the newly created resource with the plus on the left side. Click Download Certificate to save the SAML RSA certificate that may be required by your webapp.

 

There is other information that a SAML Service Provider will need. The first two items, the Logon URL and the Logoff URL, can be found on this same page. Note these down for use with your webapp.

These will be the locations your webapp will direct to when logging on and off your service.

 

Any other information required may be found inside the metadata file downloaded earlier.

For example, your webapp may need the Entity ID, which can be found in the second line of the file.

e.g. https://test.logonbox.io/app/api/sso/metadata/198787

 

 

4. Configure your webapp to connect to LogonBox

This varies from provider to provider (for popular providers we have templated resources with their own articles for quick configuration of these).

But your provider would need at the very minimum:

  • The logon URL
  • The logoff URL

It may optionally need:

  • The RSA certificate
  • The Entity ID

If the webapp needs to define any further SAML configuration items, you may have to edit the SAML resource and look at some of the advanced settings (e.g. Audience URI, signing assertions, etc.).
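As an added example (not LogonBox's own code), the script below parses an IdP metadata file like the one downloaded in step 3, pulls out the Entity ID, logon URL, logoff URL and signing certificate listed in step 4, and checks that the separately downloaded certificate matches what the metadata advertises before the webapp pins it. The sample metadata is constructed: the Entity ID is this article's example value, while the endpoint paths and the certificate body are placeholders.

```python
import base64, hashlib
import xml.etree.ElementTree as ET  # for metadata from an untrusted source, prefer defusedxml

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the entityID is the article's example, the endpoint paths are
# placeholders and the certificate body is base64 of a dummy string, not a real cert.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://test.logonbox.io/app/api/sso/metadata/198787">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>cGxhY2Vob2xk
      ZXItY2VydA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://test.logonbox.io/PLACEHOLDER/logoff"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://test.logonbox.io/PLACEHOLDER/logon"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed PEM with the same dummy body, standing in for the Download Certificate file.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\ncGxhY2Vob2xkZXItY2VydA==\n-----END CERTIFICATE-----\n"

def _b64_body(text):
    """Strip PEM armor and all whitespace so metadata and PEM certificate bodies compare equal."""
    return "".join(l.strip() for l in text.splitlines() if not l.strip().startswith("-----"))

def extract_sp_settings(metadata_xml):
    """Pull out what a SAML SP needs: entity ID, logon/logoff URLs and the IdP signing cert(s)."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("not SAML 2.0 IdP metadata")
    def redirect_endpoint(tag):  # browser-driven logon/logoff uses the HTTP-Redirect binding
        return next((s.get("Location") for s in idp.findall(tag, NS)
                     if s.get("Binding", "").endswith(":HTTP-Redirect")), None)
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no "use" attribute means signing and encryption
            certs += [_b64_body(c.text or "") for c in
                      kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "logon_url": redirect_endpoint("md:SingleSignOnService"),
            "logoff_url": redirect_endpoint("md:SingleLogoutService")}

def verify_downloaded_cert(settings, pem):
    """Confirm the downloaded cert is one the metadata lists for signing; return its SHA-256
    fingerprint so the SP pins it rather than trusting whatever cert arrives inside a response."""
    body = _b64_body(pem)
    if body not in settings["signing_certs"]:
        raise ValueError("downloaded certificate does not match any signing certificate in metadata")
    return hashlib.sha256(base64.b64decode(body)).hexdigest()
```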

 

 

5. Example login

A user navigates to the webapp login page, which should redirect to LogonBox.

The user enters their username and password; upon success, LogonBox redirects the user back to the webapp and they are logged on.

 

Here we'll do a quick example using another LogonBox server as the webapp (for reference, our webapp has a blue colour scheme, our LogonBox IdP has a green scheme so you can see the difference).

We start on our webapp and click My Account as if we were going to authenticate as normal.

 

We now click Next, which redirects us to the LogonBox IdP for authentication.

 

We have been successfully redirected to our Identity Provider. Enter your username and password here.

 

Authentication succeeds and redirects back to the original server and we are logged on.