Page History

This guide will show you how to integrate Kiuwan with a Local Authentication system. 

Contents: 

Introduction

Kiuwan

can be integrated with a Local Authentication system.

This is a common scenario in organizations that validate their employees' credentials against their

authentication system, and do not want them to use other credentials when accessing external services. 

If your company uses a corporate authentication service, your users and passwords will most probably be stored in Active Directory, OpenLDAP, IBM Tivoli or any other similar system.

If that is your case, it’s not needed to have different credentials for your Kiuwan account, you can use existing ones.

Local Authentication scenarios

Depending on your infrastructure, there are at least two possible scenarios:

1. Centralized Authentication

1. Do you need to login to every system in your organization using the same user/password? Are you tired to type the same credentials to access different systems? This is a clue that your organization maintains a centralized authentication system (i.e. your organization is keeping your credentials in a unique system) that is used by the different systems.

2. Single Sign-On (SSO)

1. Do you only need to authenticate once and you

1. can access the different systems? That is

1. evidence that your systems are internally using an authentication system that is shared by the different applications, making unneeded to type your credentials when you access those systems. This is what is called a Single Sign-On environment.

If you want to avoid using/maintaining Kiuwan credentials, ask you first which of the above models apply to your organization, and don’t care, Kiuwan supports both !!

Delegated Authentication Single Sign-On

Centralized authentication is also known as “delegated authentication”.

In this scenario, Kiuwan delegates your authentication to an external system, it’s a matter of trust!!

How this can be accomplished? Take a look at the next image.

Image Modified

In this scenario:

1. Login to Kiuwan

1. First, you must

1. log in to Kiuwan …. but not to www.kiuwan.com !! No, you need to

1. set up a specific URL within your domain. Something similar to http://www.yourdomain.com/kiuwan,  http://kiuwan.yourdomain.com or something similar.

1. Identify user

1. That URL will be received by an “authentication service application” that will delegate your authentication to an external system, e.g. Active Directory, LDAP or a similar system.

2. Redirect to kiuwan.com with a token

1. The corporate authentication system checks if you do already have a security context or you need to identify. If the authentication succeeds, the authentication service application will generate a JWT authentication token including the username (encrypted using a secret key that you can generate in your Kiuwan account settings page).

2. Once the auth token is ready, the system redirects to your browser

3. Authenticated request

1. The browser request access to kiuwan.com with an authenticated request that kiuwan.com recognizes, granting access to the requested resource.

You can find a sample authentication service application (kiuwan/kiuwan-local-authentication) as a sample to get started. This sample application uses Tomcat (tomcat-users.xml) as an authentication mechanism, but you can freely adapt to any other external auth system.

You can find details on how to set up here 

Single Sign-on (SSO) with SAML 2.0

As you have seen during the explanation of the Centralized Authentication scenario, you need to provide some authentication service application that generates the auth token based on

Kiuwan’s provided secret key. Therefore, to use this scenario you must

set up this specific app.

A different approach is to use a more advanced approach that makes use of a “standard” mechanism to which most vendors adhere to (SAML’s Single Sign-One)

In a SAML - SSO scenario, we can define the following actors or participants:

• A User requesting for some resource or service

• A Service Provider (SP) that receives the request and provides the service or access to the resource

• An Identity Provider (IdP) that authenticate the user and asserts the user identity

Image Modified

SSO can be implemented through different protocols, being SAML and OpenId Connect the most widely used.

Kiuwan currently supports SAML and this document serves as a how-to to use Kiuwan in

an SSO-SAML environment.

In summary, if your organization is using some kind of centralized users’ credentials repository implementing SAML and you want to use those enterprise credentials to authenticate in Kiuwan, this document provides you with information on how to set up Kiuwan to participate in

an SSO-SAML environment.

What is SAML?

SAML is an XML-based markup language for security assertions usually transferred from IdPs to SPs. These assertions are used by SPs to make access-control decisions.

SAML assertions

contain three types of statements:

1. Authentication statements 

   • Example: User U has been successfully authenticated at time T using method M of authentication

2. Attribute statements 

   • Example: User U does

1. • contain value V for attribute A

2. Authorization statements 

   • Example: User U is permitted to perform action A on resource R

Besides assertions, SAML defines SAML protocols, i.e. the processing rules to use assertions between SPs and IdPs.

Examples of such protocols are :

• Assertion Query and Request Protocol

• Authentication Request Protocol

• etc.

These SAML protocols can be mapped to standard messaging formats. This mapping is called a SAML binding, examples of such bindings are:

• SAML SOAP Binding

• HTTP Redirect (GET) Binding

• HTTP POST Binding

• etc.

Finally, SAML profiles describe in detail how SAML assertions, protocols, and bindings combine to support a defined use case.

SAML 2.0 provides support for many profiles such as:

• Web Browser SSO Profile

• Identity Provider Discovery Profile

• Assertion Query/Request Profile

• etc

SAML Security requirements

The SAML specifications recommends:

• TLS 1.0+ for transport-level security

• XML Signature and XML Encryption for message-level security

Web Browser Single Sign-On

1. The user (usually through a

1. web browser) requests a resource to a Service Provider (SP)

2. If a valid security context does not exist, the SP redirects the user agent to the  Identity Provider’s (IdP) SSO Service

3. The user agent issues a request to the IdP’s SSO Service to identify the user (if there’s not a previous security context)

4. IdP validates the request and responds to the user agent

5. The user agent sends the “authentication” assertion to the SP

6. The SP processes the assertion and redirects the user agent to the requested resource

7. The user agent requests SP for the requested resource

8. Finally, SP returns the resource to the user agent.

Image Modified

SAML 2.0 Metadata

In the Web Browser SSO workflow above, there are some interactions between the IdP and the SP that are based on mutual trust, for example:

• How does the SP know the IdP is authentic? And in turn, how does the IdP know the SP is authentic?

• How does the SP know where to send the user agent with the auth request? And how does the IdP know where to send the user agent with the auth response?

• How does the IdP encrypt the SAML assertion so that the trusted SP (and only the trusted SP) can decrypt the assertion?

• How does the service provider know that the auth response is coming from a trusted IdP?

Regarding SSO SAML actor’s identity, metadata are defined for:

• Identity Provider metadata (to publish

• identifying information about the IdP itself)

• Service Provider metadata (to publish

• identifying information about the SP itself)

Also, the endpoints of communication are

defined by metadata, such as:

• SSO Service metadata (description of IdP’s SSO endpoint)

• Assertion Consumer Service (desc of SP’s service to send assertions from the IdP)

How to configure Kiuwan to work with SSO - SAML

To configure SSO in Kiuwan you must first, of course, rely on an existing Identity Provider (IdP). There are many available IdP systems, all of them sharing SAML concepts (more or less adapted to their

terminology).

As seen above, to set up a Web SSO environment, SAML agents (idP and SP) need to be identified and let each other know of their existence.

This step is accomplished by exchanging each other’s metadata.

Kiuwan configuration: How to configure your IdP in Kiuwan

You can find the SSO configuration page at Account Management >> Organization and clicking on Configure SSO button.

Image Modified

Please read carefully the notes:

• By activating the SSO in your account, all users of your account will be automatically migrated to your

• domain to avoid conflict with other usernames in other Kiuwan accounts.

• After this migration, all users of your account must use a new URL for the Login, leaving the login URL that you have been using until now. This new URL will be communicated to you in the next step of this page.

• To continue using the Kiuwan Local Analyzer, API REST, Kiuwan for Developers, or any other plugin that needs to request for some data to Kiuwan, you must change the configuration and indicate the DOMAIN ID in their respective configuration screens. This DOMAIN ID will be provided when you activate the SSO. (see further sections on these topics)

• Once activated the SSO, you must communicate to all your users the new login URL and your DOMAIN ID.

• Once SSO is activated, it is NOT possible to disable it or re-migrate users to the previous Kiuwan domain.

• Even though the activation process is completed, you will need to register Kiuwan as SP in your IdP. Till then, you can not use SSO. See section on “Kiuwan’s metadata configuration in ADFS”

Click Continue to upload your IdP Metadata XML.

In a typical ADFS installation, you can commonly get it

at https://<your_idp_domainname>/FederationMetadata/2007-06/FederationMetadata.xml

Image Modified

Image Modified

Once it’s loaded, click on Continue button

Image Modified

At this moment, you should have received an email with an activation code as well as Domain Id and Login URL. Enter the activation code and click Activate SSO button.

Note: See How to login at Kiuwan in a Web SSO scenario on how to use the

login URL.

Example mail with activation code:

Image Modified

Image Modified

Close the page and .. voilà! Your Kiuwan SSO configuration is done!!

In case you further need to update existing metadata with new IdP metadata just to SSO initial configuration page and Upload a new IdP Metadata.

Image Modified

Click on Save to complete the update

Image Modified

Image Modified

After metadata configuration, you will see the following data into your Kiuwan account.

At Account Management >> Profile you will see :

Image Modified

Domain ID field only appears when your Kiuwan account is configured to use SSO.

• This ID is needed to login to your kiuwan account and it’s shared by all users of a Kiuwan account, but unique for every Kiuwan account.

Username field contains your Kiuwan username and it matches the Claim mapping (Name ID) defined in your IdP when you defined Kiuwan as Service Provider (see image above for ADFS).

Email, Name and Lastname fields are descriptive data about the user.

IdP configuration: How to configure Kiuwan as Service Provider

Any SAML-compliant IdP (Active Directory FS, Azure AD, CA Single Sign-On, etc)  follows its

configuration method, although steps are similar.

We provide a detailed example

of how to configure Active Directory Federation Services (ADFS). For other IdPs please refer to

your sysadmins or product documentation.

Active Directory Federation Services (ADFS) configuration

You can use ADFS’s Add Relying Party Trust wizard

Image Modified

Select Claims aware option and Start.

Then, ADFS will ask you about Kiuwan’s identity metadata.

Image Modified

Ideally, if your ADFS can reach Kiuwan servers, you will select the first option (Import data .. online).

Then you must provide the address that can be found at your Kiuwan website at Account Management >> Organization page (see image below)

Image Modified

In case your ADFS cannot reach the Kiuwan server, you can upload the XML metadata document by selecting Import data .. from a file.

In this case, you must previously download the XML document from the KIuwan URL above. Just paste the URL in a browser that can access the Kiuwan server

The next step is to provide a Display name for Kiuwan.

Image Modified

You can choose any name, it doesn’t have to be a domain hostname.

The next step is to choose the Access Control Policy that will govern the access rules of your organization’s users to Kiuwan.

Image Modified

After choosing a policy, just confirm (or change) and click Next.

Image Modified

Review the information from the SP (relying party) and click next to finish the SP configuration in ADFS.

Image Modified

Notice that “Configure claims issuance policy ..” is checked.

When checked, you will define how to map/transform your organization’s users to Kiuwan users.

 Edit Claim Issuance Policy dialog will pop up:

Image Modified

Clicking on Add Rule will open Add Transform Claim Rule Wizard.

Image Modified

First, you must select the template rule most adequate

for your organization.

In the example, we select to map

an LDAP attribute

Image Modified

After finishing, apply changes

Image Modified

How to login at Kiuwan in a Web SSO scenario

Most commonly, in

an SSO environment you will access Kiuwan from an existing link in a corporate intranet page, so the Kiuwan URL should be changed to it and you will not need to type manually such

URL.

Anyway, once you have successfully accessed Kiuwan for the first time, your browser will store the domain id, so you can just type https://www.kiuwan.com and everything will work.

Then, the Kiuwan SSO Login page will be displayed.

Image Modified

Just click

Log In

and the SSO-SAML protocol will be activated.

• If you were already successfully authenticated, you will log in to Kiuwan. 
• If not, you will be redirected to your organizational authentication page. Once authenticated, you will be redirected to the Kiuwan dashboard.

An alternative method to login to Kiuwan is from your IdP.

If you are using ADF, you will find a URL like this:

https://<your_idp_hostname>/adfs/ls/idpInitiatedsignon.htm

Image Modified

Just select the site (the Display Name defined at your IdP), you will be asked for your credentials and will be redirected to the Kiuwan dashboard!!

How to configure Kiuwan clients to work with SSO - SAML

Kiuwan Local Analyzer (KLA): SSO configuration

In summary, after SSO activation:

1. Configure KLA with SSO Domain ID

2. Be sure KLA users are allowed to use username/password authentication

KLA’s SSO Domain ID configuration can be done in three different ways:

First, by using KLA GUI as the image shows:

Image Modified

Also, by modifying the agent.properties file:

• set domain.id property to your domain id

Additionally, if you are using KLA CLI you can also specify the domain.id property as a command-line parameter.

Kiuwan for Developers (K4D): SSO configuration

Image Modified

REST-API: SSO configuration

For custom programs using Kiuwan REST-API calls, you have to add a new header (X-KW-CORPORATE-DOMAIN-ID) to indicate the Domain ID to pass the BASIC authentication.

For example:

curl -H "X-KW-CORPORATE-DOMAIN-ID: {domain.id}" -u {username}:{password} https://api.kiuwan.com/info