Create an authentication provider
Haiilo makes it possible to set up several authentication providers and supports the protocols SAML 2.0 and OpenID. We support all IDPs that use one of these two common authentication protocols. This makes it possible to authenticate automatically using Windows-integrated authentication (SAML) or via networks such as LinkedIn (OpenID). Using SAML just-in-time, users who do not yet exist in Haiilo can also be imported during their first login.
Note:
Haiilo does not support 2-factor authentication. You can, however, use a SAML service. You need to ensure that the service uses a certificate from a trustworthy certification body and TLS 1.2.
Log into your Haiilo as an administrator and go to the Administration. When you open the area "Authentication", you’ll see the following:

Click on "Create authentication provider", select the desired "Type" (SAML, OpenID) and tick "active". Select "Automatic login" to set up an automatic redirect to your IDP after 3 seconds.

Create an authentication provider: SAML
To set up SAML, you will find the entity ID, endpoints, certificates and much more in the metadata.xml of your identity provider (IDP).
General information
It’s now time to configure your SAML authentication provider. The screenshot shows an example configuration for an ADFS. The following points are important:
- Only activate "ADFS" if your Microsoft Active Directory uses "Federation Services".
- "Entity ID", "Authentication URL" and "Logout URL" are listed in the metadata.xml of your IDP.
- "Logout method" defines whether the user is logged out locally (only Haiilo) or globally (SAML logout) when they log out of Haiilo.
- "Response validity" defines the time window within which a SAML response to a request is accepted. We recommend the usual 300 seconds.
- "User directory" defines for which users you want to use this authentication provider.
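The values the form asks for can be read straight out of the IDP metadata. The following Python script is an added example (not Haiilo's own code) that parses a constructed, ADFS-style metadata.xml with the standard library and returns the Entity ID, Authentication URL, Logout URL and the token-signing certificate in the PEM form the configuration expects; the hostname, entity ID and certificate bytes are placeholders.

```python
"""Extract the values Haiilo's SAML provider form asks for from an IDP metadata.xml."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata (not real ADFS output). The entityID, hostname and
# certificate bytes are placeholders; a real file is typically several hundred lines.
SAMPLE_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>QUJDREVGR0hJSktMTU5PUA==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                         Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def to_pem(b64_der):
    """Wrap the base64 DER blob from the metadata in the PEM armour the form expects."""
    base64.b64decode(b64_der, validate=True)  # reject corrupted values early
    body = "\n".join(textwrap.wrap(b64_der, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def endpoint(idp, service, binding):
    """Location of the first <service> element that uses the given binding, or None."""
    for el in idp.findall(f"md:{service}", NS):
        if el.get("Binding") == binding:
            return el.get("Location")
    return None


def parse_idp_metadata(xml_text):
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no identity provider")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without "use" is valid for both signing and encryption;
        # pure encryption keys are not what response validation needs.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(to_pem("".join(cert.text.split())))

    return {
        "entity_id": root.get("entityID"),
        # Haiilo redirects the browser, so prefer the Redirect binding; fall back to POST.
        "authentication_url": endpoint(idp, "SingleSignOnService", REDIRECT)
        or endpoint(idp, "SingleSignOnService", POST),
        "logout_url": endpoint(idp, "SingleLogoutService", REDIRECT),
        "signing_certificates": certs,
    }


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

Running the script against your real metadata.xml (read the file instead of SAMPLE_METADATA) gives you the three URLs and the certificate to paste into the form; if more than one signing certificate is listed, the IDP is in the middle of a certificate rollover and the newer one should be used.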

Request signing
Activate this function by selecting "Sign request". It’s possible to sign the SAML request in Haiilo with a certificate and a private key. Simply add both here and ensure that you use the PEM format. You can use a self-signed certificate. The certificate must then be added to the ADFS server in the trust relationship settings under "Signing".

Response validation
Alongside the signing of Haiilo requests, it’s also possible to check the response of the SAML server. To do this, you can simply add the token-signing certificate of the IDP server here. Deactivate to skip the validation.

Just-in-time provisioning (optional)
If you don’t want to use SAML to import users, you can continue with the next step.
Haiilo Home also offers the option of importing users when first logging in using SAML. In this case, choose the type SAML just-in-time. On the Just-in-time provisioning tab, you need to define the attributes that are imported for the users. You will get the necessary values if you search for them in your FederationMetadata.xml.
It’s also possible to synchronize profile fields. To do this, choose the profile fields in the JIT provisioning and assign them to the corresponding attribute names from FederationMetadata.xml.
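To make the response-validation settings and the just-in-time attribute mapping concrete, here is an added Python example (not Haiilo's code) that checks a constructed ADFS-style SAML response the way a service provider must before trusting it: success status, expected issuer, the validity window and the 300-second response validity, the audience (our own entity ID) and the presence of a "Name ID", and then maps the assertion's attributes to profile fields. The entity IDs, the ACS URL and the mapping to profile-field names are assumptions; the claim-type URIs are the standard ones ADFS emits. Signature verification against the IDP's token-signing certificate is the part Haiilo performs with the certificate you upload and is not reimplemented here, as it needs an XML-DSig library.

```python
"""Check a SAML response's conditions and map its attributes to profile fields."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders for the values in the Haiilo form (assumptions for this example).
OUR_ENTITY_ID = "https://haiilo.example.test/saml/sp"
IDP_ENTITY_ID = "http://adfs.example.test/adfs/services/trust"
RESPONSE_VALIDITY = timedelta(seconds=300)  # the recommended 300 seconds

# Standard ADFS claim-type URIs -> profile field names (field names are this example's own).
JIT_MAPPING = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname": "first_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "last_name",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress": "email",
}

# Constructed sample response; timestamps and user data are made up.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z" Destination="https://haiilo.example.test/saml/acs">
  <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://adfs.example.test/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://haiilo.example.test/saml/sp</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are UTC ('Z'); ADFS may add fractional seconds, which fromisoformat accepts."""
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def check_assertion(xml_text, now):
    """Return (name_id, profile_fields) or raise ValueError. Signature already verified upstream."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IDP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no assertion")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("assertion issued by an unexpected entity")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    if now < parse_saml_time(cond.get("NotBefore")) or now >= parse_saml_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    if now - parse_saml_time(assertion.get("IssueInstant")) > RESPONSE_VALIDITY:
        raise ValueError("assertion older than the configured response validity")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if OUR_ENTITY_ID not in audiences:
        raise ValueError("assertion is not addressed to this service provider")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("no Name ID: check the Claim Issuance rule in ADFS")

    # Just-in-time provisioning: keep only the attributes that map to a profile field.
    profile = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        field = JIT_MAPPING.get(attr.get("Name"))
        if field:
            profile[field] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id, profile


if __name__ == "__main__":
    print(check_assertion(SAMPLE_RESPONSE, parse_saml_time("2024-01-01T12:01:00Z")))
```

The audience check is what makes the Entity ID matter: an assertion that the same IDP issued for a different service provider is rejected even though its signature is valid, and the response-validity check limits how long a captured assertion could be replayed.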
Add trust relationship
Once you’ve finished, you need to add Haiilo to your IDP. For Microsoft ADFS, this is done in the ADFS management tool. Haiilo only establishes a redirect to the ADFS server and then expects a "SAML assertion", in which the login name (e.g. the e-mail address) is passed on as "Name ID". In ADFS, this is set up under Claim Issuance:

For SAML just-in-time, the attributes that are provisioned must also be configured there:

Note that the outgoing claims have a different name on a German-language server.
Connection test
You now have a fully configured SAML IDP, which can be used when logging into Haiilo. The last thing to do is to simply test the login with a user from the user directory you have configured.
Create an authentication provider: Open ID
In contrast to SAML, OpenID authentication is always available to all Haiilo users once activated and is not limited to one of the Haiilo user directories. To configure OpenID, please read the OpenID handbooks from the identity provider.
- The "Mapping ID" is the parameter in the IDP response that needs to match the login name of the Haiilo user. The "unique_name" should in this case match the e-mail of the Haiilo user.
- To create the "Client ID" and "Client Secret", you need to register Haiilo as a web application in the Administration of your IDP. You will be asked for the Haiilo login URL. This redirect URL is generated when saving your configuration for the authentication provider in Haiilo.
- The URLs for "Authentication", "Access Token", and "User Info" are defined in the app registration of your IDP.
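To show how the five values above fit together, here is an added Python example (not Haiilo's code) of the authorization-code exchange a web application performs with an OpenID provider: it builds the redirect to the "Authentication" URL, validates the callback, exchanges the code at the "Access Token" URL with the Client ID and Client Secret, reads the claims from the "User Info" URL and matches the "Mapping ID" claim (unique_name) against the local login names. All URLs, credentials and users are placeholders, and the IDP endpoints are simulated by two constructed functions so the exchange runs offline; a real deployment sends the same requests over HTTPS.

```python
"""OpenID authorization-code login with Mapping ID lookup, IDP side simulated."""
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# The values from the Haiilo form (placeholders for this example).
PROVIDER = {
    "client_id": "haiilo-client-id-placeholder",
    "client_secret": "client-secret-placeholder",
    "authentication_url": "https://idp.example.test/oauth2/authorize",
    "access_token_url": "https://idp.example.test/oauth2/token",
    "user_info_url": "https://idp.example.test/oauth2/userinfo",
    "redirect_uri": "https://haiilo.example.test/login/openid/callback",  # generated on save
    "mapping_id": "unique_name",
}

# Constructed local user directory: login name -> display name.
LOCAL_USERS = {"jane.doe@example.test": "Jane Doe"}

# --- Constructed stand-in for the IDP (not a real provider) -----------------------
ISSUED_CODES = {"code-abc123": {"unique_name": "jane.doe@example.test", "name": "Jane Doe"}}
ACCESS_TOKENS = {}


def fake_idp_post(url, form):
    """Simulated token endpoint: returns (status, json) like a real IDP would."""
    if url != PROVIDER["access_token_url"]:
        return 404, {}
    if (form.get("grant_type") != "authorization_code"
            or form.get("client_id") != PROVIDER["client_id"]
            or form.get("client_secret") != PROVIDER["client_secret"]
            or form.get("redirect_uri") != PROVIDER["redirect_uri"]):
        return 400, {"error": "invalid_client"}
    claims = ISSUED_CODES.pop(form.get("code"), None)  # codes are single-use
    if claims is None:
        return 400, {"error": "invalid_grant"}
    token = secrets.token_urlsafe(16)
    ACCESS_TOKENS[token] = claims
    return 200, {"access_token": token, "token_type": "Bearer"}


def fake_idp_get(url, bearer):
    """Simulated User Info endpoint."""
    if url != PROVIDER["user_info_url"] or bearer not in ACCESS_TOKENS:
        return 401, {}
    return 200, ACCESS_TOKENS[bearer]


# --- The web application (service provider) side ----------------------------------
def build_authorization_url(provider, state):
    """Step 1: where the browser is sent; 'state' is stored in the session for step 2."""
    params = {
        "response_type": "code",
        "client_id": provider["client_id"],
        "redirect_uri": provider["redirect_uri"],
        "scope": "openid profile email",
        "state": state,
    }
    return provider["authentication_url"] + "?" + urlencode(params)


def complete_login(provider, callback_url, expected_state, post=fake_idp_post, get=fake_idp_get):
    """Step 2: handle the redirect back, exchange the code and resolve the local user."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise PermissionError("state mismatch: callback was not started by this session")
    code = query.get("code", [None])[0]
    if not code:
        raise PermissionError("callback carries no authorization code")

    status, token = post(provider["access_token_url"], {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": provider["redirect_uri"],
        "client_id": provider["client_id"],
        "client_secret": provider["client_secret"],
    })
    if status != 200:
        raise PermissionError(f"token endpoint rejected the code: {token}")

    status, claims = get(provider["user_info_url"], token["access_token"])
    if status != 200:
        raise PermissionError("User Info endpoint rejected the access token")

    login_name = claims.get(provider["mapping_id"])  # the Mapping ID claim
    if login_name not in LOCAL_USERS:
        raise PermissionError(f"no local user with login name {login_name!r}")
    return login_name


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorization_url(PROVIDER, state))
    print(complete_login(PROVIDER, PROVIDER["redirect_uri"] + f"?code=code-abc123&state={state}", state))
```

Two things in this flow are worth checking when a login fails: the redirect URL sent to the token endpoint must be byte-for-byte the one registered at the IDP, and the claim named as "Mapping ID" must actually be present in the User Info response with the same spelling as the local login name.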

FAQ
Does a new authentication provider also need to be created for each user directory?
In the case of SAML, yes. When creating a SAML authentication provider in the Administration in Haiilo, exactly one user directory must be stated, and this login only applies to users of this user directory.
OpenID, however, applies to all users in your Haiilo.
Does Haiilo use an integrated authentication or only form-based authentication via ADFS?
Our SAML interface supports user authentication according to the SAML protocol. User provisioning via this interface is thus not possible.
If you move more towards WIA (Windows Integrated Authentication), then this is possible.
However, you need to configure this not in Haiilo but in the ADFS system. Haiilo only establishes a redirect to the ADFS server and then expects a "SAML assertion", in which the login name (e.g. the e-mail address) is passed on as "Name ID".
Haiilo offers the "Automatic login" option in the SSO configuration. Can users still log in manually?
With the "Automatic login" option configured, users are automatically redirected to the corresponding authentication provider. The login page then redirects to the ADFS server after three to five seconds.
Should a user not be redirected to the ADFS server? No problem! Before the redirect happens, they can click on the field "Log in as a local user" to reach the familiar login screen.