This document summarizes the Single Sign-On process when connecting to the Verizon Connect platform via an external Identity Provider ('IdP'). It also describes the configuration settings and conditions required to generate an authentication token and log into the Verizon Connect platform with SAML SSO using bearer assertions for OAuth 2.0.
Single Sign-On (SSO) allows network users to access multiple related, but independent, software systems without requiring them to log into each separately. Using SSO, your organization sees the following benefits:
- Your organization retains complete control over the authentication of accounts. Any security or password policies you have in place are also applied to your Verizon Connect accounts.
- Once users have logged into your network, they do not need to log in a second time to access their Verizon Connect account. They simply click a link on one of your web pages and immediately access their Verizon Connect accounts.
- Because users have only a single login and password, there is much less likelihood that they will forget their credentials.
Verizon Connect provides support for SSO using SAML v2.0 (Security Assertion Markup Language – version 2.0). SAML is an XML-based protocol that uses security tokens containing 'assertions' to pass information about users.
Because it is your website or application that authenticates the user’s identity, SSO calls this application the Identity Provider or 'IdP'.
Once authenticated by your internal Identity Provider, the user then clicks a link or button on your IdP site which directs them to the Verizon Connect platform.
Your IdP generates a SAML v2.0 "bearer" assertion. This is an XML packet that conforms to the SAML schema and contains information about the user's identity. The assertion contains the following elements:
- <saml:Issuer>, which uniquely identifies your organization.
- <ds:Signature>, which contains the digital signature (produced with the IdP's signing key) that protects the integrity of the assertion.
- <saml:Subject>, which identifies the user who is attempting to log in.
- <saml:NameID>, a child of <saml:Subject>, which holds the name of the user.
- <saml:Conditions>, which gives the conditions under which the assertion is to be considered valid (what the user has been authenticated for). The AudienceRestriction element <saml:AudienceRestriction><saml:Audience>vzc-sp-provider</saml:Audience></saml:AudienceRestriction> must be present within this element.
- <saml:AuthnStatement>, which describes the authentication performed by the IdP.
- <saml:AttributeStatement>, which provides any additional properties of the user.
Note: For details, see the Sample SAML Response generated by the IdP.
The IdP sends an HTML page containing a form, which in turn contains a hidden field with the bearer assertion. This form is submitted to Verizon Connect Fleet which, in SSO terms, is called the Service Provider (SP) because it consumes the authentication assertion in order to provide a service.
After receiving the IdP form, Verizon Connect completes the following actions:
- It redirects the assertion to the Fleet SAML Authentication Service, which verifies the bearer assertion.
- The <saml:Subject> element is then used to identify the user and create a Fleet authentication token if a matching and active account exists.
- The user is logged into the Verizon Connect Fleet platform.
- Finally, the user is redirected to the Fleet application.
You need the following to configure and use SAML SSO with the Verizon Connect platform:
- A SAML 2.0 identity provider that has been configured to connect with the Verizon Connect SAML SSO service provider. For details on configuring the IdP, contact your Identity Service administrator. If you are using a third-party service provider, like Okta or ADFS, see the service documentation for IdP configuration. Self-signed certificates are also accepted.
- A signed certificate from a trusted CA (certificate authority), or a self-signed certificate, that the IdP uses to sign the SAML assertions sent to Verizon Connect.
- An IdP Issuer URL, which is the unique address for the SAML Identity Provider (IdP) that handles user sign-in requests for your organization. This value matches the <saml:Issuer> element of your SAML assertions.
- An active Verizon Connect Fleet account with administrator-level permissions.
The following instructions describe the SAML configuration process for setting up individual subusers when logged into the Verizon Connect Fleet UI. If you have many users to set up, contact your Verizon Connect account representative to learn about the configuration options available.
Note: SSO support is option-controlled and only available if your account subscription includes it. Contact your Verizon Connect representative for more information.
- Sign in to Verizon Connect Fleet with an administrator account at one of these URLs: https://login.platform.telogis.com/ or https://login.platform.telogis.eu/.
- Provide Verizon Connect with your X.509 signing certificate and related information:
  - Open the External Authentication Settings dialog by clicking your account name in the upper right corner of the platform screen and then selecting Single Sign On.
  - Type the name of the SSO into the SSO name field. The value you enter should match the <saml:Issuer> element of the assertion that the IdP sends to the Verizon Connect platform.
  - Click the Upload Certificate button, and then navigate to your certificate to upload it. Certificates that are neither self-signed nor signed by a trusted CA are rejected. Once you have uploaded the certificate, the display updates to show the verification status and the common name of your certificate.
  - Select one of the two platform sign-in options. SSO allows access to the platform only via SSO authentication, while SSO and Verizon Connect allows access using either SSO or the standard platform sign-in screen, where manually entered credentials are supplied.
  - Click the Save button.
- Set up an IdP username for each of your subusers:
  - From the Subusers screen in Verizon Connect Fleet, click the name of each subuser that will use the SSO system. The Edit User dialog box opens.
  - On the Details tab of the Edit User dialog box, add a value to the IdP Username field. This value must match the <saml:NameID> element of the assertion your IdP sends for that user.
To post your SAML assertions, first check the domain extension in your Fleet URL. If the domain extension is ".com" post the SAML assertions to https://<customer-name>.platform.telogis.com/app/sso/. If the domain extension is ".eu" post the SAML assertions to https://<customer-name>.platform.telogis.eu/app/sso/. In either case, <customer-name> should be replaced with the name of the account used when signing into Verizon Connect Fleet.
Verizon Connect uses the <saml:Issuer> element of the assertion to identify your account, and the <saml:NameID> element of the assertion to identify the individual to be logged in.
The following example shows a sample SAML v2.0 response (bearer assertion). The values enclosed in braces, for example {randomGUID} and {currentTime}, represent the values generated by the IdP.

```xml
<samlp:Response ID="{randomGUID}" Version="2.0" IssueInstant="{currentTime}" Destination="{AssertionUrl}"
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">{issuer}</saml:Issuer>
  <samlp:Status>
    <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
  </samlp:Status>
  <saml:Assertion Version="2.0" ID="{randomGUID2}" IssueInstant="{currentTime}"
      xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>{issuer}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>{nameId}</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{RecipientUrl}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{notBeforeTime}" NotOnOrAfter="{notOnOrAfterTime}">
      <saml:AudienceRestriction>
        <saml:Audience>vznconnect-sp-prod</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="{currentTime}">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>
```
When you configure the IdP to use the Verizon Connect SSO SAML service, use one of the following URLs for the AssertionUrl and RecipientUrl values: If the domain extension is ".com" post the SAML assertions to https://<customer-name>.platform.telogis.com/app/sso/. If the domain extension is ".eu" post the SAML assertions to https://<customer-name>.platform.telogis.eu/app/sso/. In either case, <customer-name> should be replaced with the name of the account used when signing into Verizon Connect Fleet.
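As an added example (not Verizon Connect's code), the checks a Service Provider such as the Fleet SAML Authentication Service applies to the posted SAMLResponse field before it maps <saml:NameID> to an IdP Username: the bearer confirmation method, the Recipient, the Conditions window and the Audience, plus the presence of the signature. The sample response, the account name "acme" and the IdP "idp.acme.example" are constructed here; cryptographic verification of the XML signature is delegated to an XML-DSig library and not shown.

```python
import base64
import xml.etree.ElementTree as ET  # parse untrusted XML with defusedxml in production
from datetime import datetime

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

def instant(value):  # SAML xs:dateTime in UTC, e.g. 2024-05-01T10:00:00Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_bearer_assertion(saml_response_b64, audience, recipient, now):
    """SP-side checks on the posted SAMLResponse field. Returns (issuer, name_id, problems)."""
    p, root = [], ET.fromstring(base64.b64decode(saml_response_b64))
    a = root.find("saml:Assertion", NS)
    if a is None:
        return None, None, ["no saml:Assertion"]
    issuer = a.findtext("saml:Issuer", "", NS).strip()              # identifies the customer account
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS).strip()  # must equal the IdP Username
    if not issuer or not name_id: p.append("missing saml:Issuer or saml:NameID")
    if a.find("ds:Signature", NS) is None: p.append("assertion is not signed")  # presence only; verify with xmlsec
    conf = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    data = conf.find("saml:SubjectConfirmationData", NS) if conf is not None else None
    if conf is None or conf.get("Method") != BEARER:
        p.append("SubjectConfirmation is not bearer")
    elif data is None or data.get("Recipient") != recipient:
        p.append("Recipient is not this account's /app/sso/ URL")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        p.append("missing saml:Conditions")
    else:
        if now < instant(cond.get("NotBefore", "1970-01-01T00:00:00Z")): p.append("not yet valid")
        if now >= instant(cond.get("NotOnOrAfter", "9999-12-31T23:59:59Z")): p.append("expired")
        auds = [x.text.strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if x.text]
        if audience not in auds: p.append("Audience does not name this SP")
    return issuer, name_id, p

# Constructed sample in the page's template shape; the empty <ds:Signature/> stands in for a real one.
SAMPLE_XML = b"""<samlp:Response ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
 xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><saml:Issuer>https://idp.acme.example</saml:Issuer>
<samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
<saml:Assertion Version="2.0" ID="_a1" IssueInstant="2024-05-01T10:00:00Z"><saml:Issuer>https://idp.acme.example</saml:Issuer>
<ds:Signature/><saml:Subject><saml:NameID>jane.doe@acme.example</saml:NameID><saml:SubjectConfirmation
 Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
 Recipient="https://acme.platform.telogis.com/app/sso/"/></saml:SubjectConfirmation></saml:Subject>
<saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z"><saml:AudienceRestriction>
<saml:Audience>vznconnect-sp-prod</saml:Audience></saml:AudienceRestriction></saml:Conditions>
<saml:AuthnStatement AuthnInstant="2024-05-01T10:00:00Z"/></saml:Assertion></samlp:Response>"""
SAMLRESPONSE_FIELD = base64.b64encode(SAMPLE_XML).decode()  # value the IdP's hidden form field carries
```

A failed Audience or Recipient check is the signal that an assertion minted for another service provider or another customer's /app/sso/ URL is being replayed, so log those rejections rather than silently retrying.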
Configuring AD FS to work with the Verizon Connect SAML SSO service requires adding an appropriate Relying Party Trust.
This flow is described for Windows Server 2016. You may need to adjust it for other versions.
- Launch Server Manager. Select Tools > AD FS Management.
- In the left panel, click Relying Party Trusts.
- In the right panel, click Add Relying Party Trust to open the Add Relying Party Trust Wizard.
- Ensure that the Claims aware check box is selected, and then click Start.
- Select the Enter data about the relying party manually check box, and then click Next.
- Enter a Display name that identifies the Relying Party Trust, and then click Next.
- On the Configure Certificate screen, click Next, since an encrypting certificate is not needed.
- Select Enable support for the SAML 2.0 WebSSO protocol. Enter the appropriate URL:
  - If the domain extension in your Fleet URL is ".com", use https://<customer-name>.platform.telogis.com/app/sso/, replacing <customer-name> with the name of the account used when signing into Verizon Connect Fleet.
  - If the domain extension in your Fleet URL is ".eu", use https://<customer-name>.platform.telogis.eu/app/sso/, again replacing <customer-name> with the name of the account used when signing into Verizon Connect Fleet.
- Click Next.
- Enter Fleet:<version> as the relying party trust identifier, where <version> is the Fleet version you are signing into. If you don't know the Fleet version, fleet:default can be used, or default:default, which is equivalent to fleet:default. Click Add, and then click Next.
- Configure your access policy as you want. This controls which of your users can access the integration. Then click Next.
- Review the settings, and then click Next.
- Click Close to complete the wizard.
- With your new Relying Party Trust selected, click Edit Claim Issuance Policy… in the right panel.
- Click Add Rule to open the Add Transform Claim Rule Wizard.
- The SSO service requires a Name ID property for your users in the token claims. If you intend to map this directly from an LDAP attribute such as Employee ID or email, leave Send LDAP Attributes as Claims selected and then click Next.
  Note: Other approaches are outside the scope of this walkthrough.
- Give your claim rule a descriptive name. Select the Attribute store you're using; in this case, "Active Directory" is used. Add a mapping to Name ID; in this case, "E-Mail-Addresses" is used.
- Click Finish.