Understanding SAML/SSO


Introduction

One of the features Hudu supports, as of v. 2.0.7, is the ability to log in via a central identity provider. Single sign-on (SSO) is a time-saving and highly secure user-authentication process. SSO lets users access multiple applications with a single account and sign out instantly with one click.
 
Alternatively, visit App-Based 2FA to learn more ways of securing your environment!

 

How SAML SSO works

SAML (Security Assertion Markup Language) lets you access multiple web applications using a single set of login credentials. It works by passing authentication information in a defined format between two parties, usually an identity provider (IdP) and a web application (in this case, Hudu).
With SSO, there are two main entities in play:
  • Identity Provider (IdP)
    • Examples are AzureAD, Okta, OneLogin, etc.
  • Service Provider (SP)
    • The web application seeking authentication. This would be HUDU.
When you enable SSO as a Hudu Admin, a button appears on your sign-in pages that redirects users to the specified Identity Provider. The IdP authenticates you and sends you back to Hudu with the necessary authentication credentials. Hudu then matches the authenticated user with the user in Hudu (via the email address) and, if authentication reports success, logs you in to your Hudu account.

 

Guides

To set up SAML SSO using common identity providers, please refer to their respective guides below!

  • Google Admin Console
  • AzureAD
  • JumpCloud
  • Okta
  • AuthAnvil (Passly)
  • OneLogin

 

How to Enable SSO

The following sections will assist in setting up SAML SSO in a generic way that should work with any provider that supports SAML 2.0.
  • Log in to Hudu and click the Admin tab on the top toolbar.
  • Click General.
  • Click Configure Single Sign-On.
  • Enter SAML details. See relevant section below on how to fill this information out.
  • Click Enable Single Sign-On.
  • Hit Update SAML Details and SAML should now be activated.

 

Configuring the Identity provider side (IdP):

  • Identifier (Entity ID): Enter your Hudu URL, e.g. https://docs.mywebsite.com
  • Reply URL (Assertion Consumer Service URL): Enter https://docs.mywebsite.com/saml/consume
  • Sign on URL: Enter https://docs.mywebsite.com
  • Relay State: You can skip filling this in.
  • Logout URL: Enter a URL where Hudu can redirect users after they sign out.

  Note!

Make sure to replace docs.mywebsite.com with your own URL and subdomain. Do not add a trailing slash at the end of the URL.

 

Configuring the HUDU side (SP):

  • SAML Issuer URL. This is the URL that uniquely identifies your Identity Provider. It may also be called Identity Provider, Entity ID, IdP, Issuer, or IdP Metadata URL.
  • SAML Login Endpoint. This is the endpoint you use to log in. Also called: SSO Endpoint, Sign-on URL, Remote login URL, SSO URL, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
  • SAML Logout Endpoint. This is where Hudu redirects you after logging out. Also called: SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
  • SAML Fingerprint. This comes from your Identity Provider. Also called Thumbprint.
  • SAML Certificate. This comes from your Identity Provider. It should be a base-64 encoded X.509 certificate. Make sure there is no trailing whitespace at the end!
  • SAML ARN. This specifies the Authentication Context that Hudu requests from the IdP. AuthnContext is the method by which a user logs in (e.g. password, passwordless).
    • If you select Do not pass RequestedAuthnContext, the IdP uses the URN that says "I don't want to tell you how I identified the user".
      • A Requested Authentication Context may be required by your IdP, but it is typically optional.
      • If you have users who use passwordless login to your IdP, you must select Do not pass RequestedAuthnContext.
    • If you specify Password, the IdP knows it has to authenticate the user with a login and password.
    • If you specify PasswordProtectedTransport, the IdP knows it has to authenticate the user with a login and password over a channel protected by SSL/TLS.
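To make the three AuthnContext choices concrete, the following added example (not Hudu's own code) builds the unsigned SAML 2.0 AuthnRequest that an SP sends to the IdP login endpoint, with or without a RequestedAuthnContext element. The SP URL and the /saml/consume reply path follow the IdP settings above; the IdP endpoint https://idp.example/sso is a placeholder.

```python
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Standard SAML 2.0 authentication context class URNs for the two
# options the Hudu settings expose; None means "do not pass".
AUTHN_CLASSES = {
    "Password": "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "PasswordProtectedTransport":
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
}


def build_authn_request(sp_url, idp_login_endpoint, authn_context=None):
    """Return an unsigned AuthnRequest (XML string) for the given SP.

    authn_context=None omits RequestedAuthnContext entirely, which is the
    setting needed when users sign in to the IdP without a password.
    """
    if sp_url.endswith("/"):
        raise ValueError("Entity ID must not have a trailing slash")
    ET.register_namespace("samlp", SAMLP)
    ET.register_namespace("saml", SAML)
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Destination": idp_login_endpoint,
        "AssertionConsumerServiceURL": sp_url + "/saml/consume",
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_url  # the Entity ID
    if authn_context is not None:
        rac = ET.SubElement(req, f"{{{SAMLP}}}RequestedAuthnContext",
                            {"Comparison": "exact"})
        ET.SubElement(rac, f"{{{SAML}}}AuthnContextClassRef").text = \
            AUTHN_CLASSES[authn_context]
    return ET.tostring(req, encoding="unicode")


def requested_class(xml_text):
    """Return the AuthnContextClassRef a request carries, or None if omitted."""
    root = ET.fromstring(xml_text)
    ref = root.find(f"{{{SAMLP}}}RequestedAuthnContext/{{{SAML}}}AuthnContextClassRef")
    return None if ref is None else ref.text
```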

 

Signing Algorithm

  • SHA-1 and SHA-256 signing algorithms are both supported. SHA-256 is recommended for security purposes if your IdP supports it.
  • To switch to SHA-256, make sure the certificate fingerprint (thumbprint) is in SHA-256 format and click 'Use SHA-256' in Hudu.
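The SAML Certificate and SAML Fingerprint settings above depend on each other: the fingerprint is simply a hash of the DER bytes inside the base-64 certificate, so it must be recomputed when switching from SHA-1 to SHA-256. This added helper (not Hudu's code) cleans a pasted certificate, flags the trailing-whitespace mistake the docs warn about, and derives the fingerprint in the common colon-separated format. The sample "certificate" is the placeholder bytes "abc", not a real X.509 certificate.

```python
import base64
import binascii
import hashlib
import re

PEM_MARKERS = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")

# Constructed placeholder: base64 of b"abc", NOT a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----"


def clean_certificate(text):
    """Return (base64_body, warnings) for a certificate pasted from an IdP.

    Strips PEM armour and internal line breaks, and reports trailing
    whitespace so a bad paste is caught before the first SSO login fails.
    """
    warnings = []
    if text != text.rstrip():
        warnings.append("trailing whitespace after certificate")
    body = "".join(PEM_MARKERS.sub("", text).split())
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}")
    return body, warnings


def fingerprint(text, algorithm="sha256"):
    """Colon-separated, upper-case hex fingerprint of the DER certificate."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("only SHA-1 and SHA-256 fingerprints are supported")
    body, _ = clean_certificate(text)
    der = base64.b64decode(body)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
```

If your IdP shows the thumbprint without colons, compare after removing them; the hex digits are what must match.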

 

Testing SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a Use Single Sign On (SSO) button. If you can log in successfully via this button, your SAML is working!

 

Disable Password Access for non-Admins

You have the option to disable password logins for non-administrators (users who are not super admins or admins). After you click Disable Password Access for non-Admins, all users below admin must use single sign-on exclusively to access your Hudu environment.
Admins can still sign in via an admin sign-in page. This prevents you from being locked out of your account when your Identity Provider is unavailable.
