DotLoop Single Sign On
Introduction
Dotloop Single Sign-On supports the SAML 2.0 standard. Security Assertion Markup
Language (SAML) 2.0 is a version of the SAML standard used for exchanging authentication
and authorization data between servers, typically an Identity Provider (IdP) and a Service
Provider (SP). Typically, the messages exchanged contain "assertions" that state information
about a given user. The receiving server must believe the assertions to be true, so a trust
must be established between the two servers before communication can take place. SAML can
be used for many purposes, but the scope of this document is to explain the SSO capabilities
of SAML.
The Identity Provider performs the authentication and verification of the user's identity.
The Service Provider is the party that provides access to the application for end users.
In the context of Single Sign-On (SSO), the message from the source server, or
"Identity Provider", will contain an assertion stating that "user X logged in to our server at
time and date Y and is currently logged in and authenticated". If the message is from a trusted
source, then the recipient server must log that user in as well. The link between the user
ID provided and the user ID in the receiving system (or "Service Provider") must either be
established beforehand or established as part of the SSO process.
The actual Entity ID and SAML Metadata can be provided upon request. Identity
Providers can send an email to support@dotloop.com to request valid SAML
Metadata.
HTTP-Artifact
HTTP-POST
PAOS
The complete information about the Assertion Consumer Service can be found in the SAML
Metadata provided by dotloop.
2. The user provides valid credentials and a local logon security context is created
for the user at the Identity provider.
3. The user selects a menu option or link on the Identity Provider to request access to
the dotloop website. This causes the Identity Provider's Single Sign-On Service to be
called.
4. The Single Sign-On Service builds a SAML assertion representing the user's logon
security context. Since a POST binding is going to be used, the assertion is digitally
signed before it is placed within a SAML <Response> message. The <Response>
message is then placed within an HTML FORM as a hidden form control named
SAMLResponse. (If the convention for identifying a specific application resource at
the SP is supported at the Identity Provider and dotloop, the resource URL at
dotloop is also encoded into the form using a hidden form control named
RelayState.) The Single Sign-On Service sends the HTML form back to the browser
in the HTTP response. For ease-of-use purposes, the HTML FORM typically will
contain script code that automatically posts the form to the destination site.
5. The browser, due either to a user action or execution of an auto-submit script,
makes an HTTP POST request to send the form to dotloop's Assertion Consumer
Service (the dotloop Assertion Consumer Service endpoint URL is given in the SAML
Metadata mentioned in the section above). Dotloop's Assertion Consumer Service obtains
the <Response> message from the HTML FORM for processing. The digital signature on the
SAML assertion must first be validated, and then the assertion contents are processed in
order to create a local logon security context for the user at dotloop. Once this
completes, dotloop retrieves the RelayState data (if any) to determine the
desired application resource URL and sends an HTTP redirect response to the
browser directing it to access the requested resource (not shown).
6. An access check is made to establish whether the user has the correct
authorization to access the resource. If the access check passes, the resource is
then returned to the browser.
(Numbers marked in above diagram are explained below with respect to dotloop integration)
7. dotloop validates the SAML response and, if successful, takes the user to the dotloop
homepage.
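As an added example (not dotloop's code and not part of the original document), the checks a Service Provider's Assertion Consumer Service makes on the posted SAMLResponse in step 5, in Python using only the standard library: decode the hidden form value, confirm the Destination, status, validity window and Audience, and refuse an assertion that carries no signature. The ACS URL, SP entity ID and the sample <Response> are constructed placeholders (the real values come from the SAML metadata exchanged with dotloop), and the cryptographic XML-DSig verification itself must be done with a SAML library before any of these results is trusted.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "ds": "http://www.w3.org/2000/09/xmldsig#",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Hypothetical SP values; the real ACS URL and SP entity ID come from dotloop's SAML metadata.
ACS_URL = "https://sp.example.test/saml/acs"
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"

def to_saml_response(response_xml):  # step 4: the value placed in the hidden SAMLResponse field
    return base64.b64encode(response_xml.encode()).decode()
def saml_time(s):  # SAML timestamps are UTC, e.g. 2024-05-01T12:00:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(saml_response_b64, now):
    """Step 5: checks the ACS makes before creating a session. Returns (ok, detail): the NameID
    on success, else the rejection reason. XML-DSig verification belongs to a SAML library."""
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != "{%s}Response" % NS["samlp"] or root.get("Destination") != ACS_URL:
        return False, "not a samlp:Response addressed to this ACS"
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != "urn:oasis:names:tc:SAML:2.0:status:Success":
        return False, "status is not Success"
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.find("ds:Signature", NS) is None:
        return False, "assertion missing or unsigned"
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window"
    audience = cond.find("saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        return False, "assertion not addressed to this SP"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return False, "no NameID to map to a local user"
    return True, name_id.text

# Constructed sample <Response>, not a real dotloop message. The ds:Signature is a placeholder that
# only satisfies the structural check; a real ACS verifies it against the IdP's signing certificate.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
 ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z" Destination="https://sp.example.test/saml/acs">
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>user@example.test</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>https://sp.example.test/saml/metadata</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

Calling `validate_response(to_saml_response(SAMPLE_XML), saml_time("2024-05-01T12:00:00Z"))` returns the NameID; the same message presented at or after its NotOnOrAfter time, without its Signature element, or with a different Destination is rejected with the matching reason.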
Metadata XML from both sides (dotloop and the Identity Provider)