1.0 Integration

Integration with Fluig Identity will be done through the SAML 2.0 - Security Assertion Markup Language protocol (http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language). The SAML Protocol is ideal for performing a SSO - Single Sign On through a Web-Based application.

The following figure details the activity flow in the scenario where the user accesses a Service Provider service/application (TOTVS Software) through the Identity Provider (Fluig Identity).

The next figure details the activity flow in the scenario where the user accesses a service/application directly in the Service Provider (TOTVS Software). This scenario will not be available for desktop applications (.exe).

2.0 Nomenclature

• SAML: Security Assertion Markup Language

Open standard of authentication and authorization for single sign-on (SSO) for the web
http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
http://en.wikipedia.org/wiki/SAML_2.0

• IDP: Identy Provider (Fluig Identity)
  Authenticates the user and generates the assertion
  http://en.wikipedia.org/wiki/Identity_provider
• SP: Service Provider (TOTVS Software)
  Checks the assertion and provides the service
  http://en.wikipedia.org/wiki/Service_provider
• Assertion
  XML with authentication security tokens
  http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Assertions
• Resource
  Service Provider service or application
• Metadata
  XML with information on the Identity Provider or Service Provider to ensure communication between them
  http://en.wikipedia.org/wiki/SAML_2.0#SAML_2.0_Metadata

3.0 Requirements

• Fluig Identity
  
  • Address (URL) of XML metadata (example: https://www.fluigidentity.com/cloudpass/saml2/metadata)
• TOTVS Software
  
  • UI in the system security policy for identity manager configuration where the user will provide:
    - IDP address;
    - the address that TOTVS Software will respond as SP (example: http://myhostname:8080/spEntityID), it will be entityID of SP;
    - list of addresses that can use SSO through SP (example:  http://myhostname:8080/)
    - digital certificate
  • HTTP configured to respond to the addresses below:
    - SP metadata XML (example http://myhostname:8080/spEntityID/saml2/metadata);
    - SP SAML service (example http://myhostname:8080/spEntityID/saml2/get);
    - response to IDP assertion (example http://myhostname:8080/spEntityID/saml2/post);