Access Management: Setting up application integration using SAML, WS-Federation, OpenID Connect
With the Access Management module of Tools4ever’s HelloID identity and access management (IAM) solution, you provide users with easy access to systems and applications through Single Sign-On (SSO). In our previous blog post, we explained how to configure applications for SSO through our application catalog. If an application is not in this catalog, we can add that connection to the catalog for you. You can also integrate an application yourself with our SSO dashboard using generic templates, where you can use SAML, WS-Federation, or OpenID Connect. This article explains more.
What is SSO?
For security, you want users to have a unique password for every service and application, so that a password leaked from one service cannot be replayed against the others. In practice this leads to a proliferation of credentials: users quickly have to remember dozens of logins. That not only increases the likelihood that users forget a password, it also makes it more likely that they deliberately choose weaker, easier-to-remember passwords, or reuse the same one everywhere.
SSO provides a user-friendly alternative without compromising security. Users sign in once and then gain access to all applications and services they are authorized to use. A convenient dashboard makes all resources available with a single click. Because that single sign-in now guards every connected application, the SSO dashboard itself deserves stronger protection than any one application did, and HelloID lets you add this, including multi-factor authentication. This improves user security and supports their productivity.
Connecting via different protocols
You can use different protocols to connect applications to the SSO dashboard. HelloID supports SAML, OpenID Connect, and WS-Federation for this purpose. The protocols are explained below.
Connecting via SAML
Adding a SAML application requires a signing certificate. In SAML the identity provider signs the assertions it sends with the certificate's private key, and the application verifies that signature with the public certificate it takes from the HelloID metadata; this is what lets the application detect a forged or altered assertion. You can choose to use the same certificate for multiple application connections, or assign a unique certificate to each application. A shared certificate is simpler to manage, but a compromise or rotation of that one key then affects every connection that uses it. You can also upload your own certificate in HelloID if desired.
To connect an application, you need information that you can request from the vendor. In most cases this concerns an endpoint URL (the Assertion Consumer Service URL to which HelloID posts the assertion), the audience (the application's entity ID, which HelloID places in the assertion's audience restriction), and the set of claims the application expects. In most cases the application vendor provides SAML metadata that contains all of this. You extract the required information from it and enter it in the application configuration in HelloID. Once the configuration is complete, you provide the HelloID metadata to your application vendor. The vendor imports this configuration and activates the connection.
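The step above, "extract the required information from the vendor's metadata", as an added example in Python (this is not HelloID's code or a vendor's). It reads a service-provider metadata document and pulls out exactly the values the SAML template asks for: the audience, the HTTP-POST endpoint, the name ID format and the requested claims, and it flags two settings a practitioner should question before going live. The metadata document embedded in the script is constructed for illustration; a real vendor document carries the vendor's own entityID, URLs and certificate.

```python
"""Pull the values HelloID's SAML template asks for out of a vendor's SP metadata.

Added example, not HelloID's code. The metadata string below is constructed
for illustration; a real vendor document carries the vendor's own entityID,
endpoints and certificate. Standard library only.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
BINDING_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample: what a vendor might hand you for "Example App".
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://app.example.com/saml/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact"
        Location="https://app.example.com/saml/artifact" index="1"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://app.example.com/saml/acs" index="0" isDefault="true"/>
    <md:AttributeConsumingService index="0">
      <md:ServiceName xml:lang="en">Example App</md:ServiceName>
      <md:RequestedAttribute Name="email" isRequired="true"/>
      <md:RequestedAttribute Name="displayName"/>
    </md:AttributeConsumingService>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _flag(value) -> bool:
    """XML Schema booleans as used in SAML metadata: 'true' or '1'; absent means false."""
    return (value or "").strip().lower() in ("true", "1")


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the audience, ACS endpoint and claim set for the HelloID configuration,
    plus warnings about settings worth questioning before you go live."""
    # Vendor metadata is untrusted input. The stdlib parser does not fetch external
    # entities, but for anything fed by arbitrary uploads use defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not an application's")

    warnings = []

    # The entityID is what HelloID must put in the assertion's AudienceRestriction.
    audience = root.get("entityID")

    # Pick the HTTP-POST ACS (the binding a browser-based SSO dashboard posts to):
    # the one flagged isDefault, else the first POST endpoint listed.
    post_acs = [a for a in sp.findall("md:AssertionConsumerService", NS)
                if a.get("Binding") == BINDING_POST]
    if not post_acs:
        raise ValueError("vendor lists no HTTP-POST AssertionConsumerService")
    acs = next((a for a in post_acs if _flag(a.get("isDefault"))), post_acs[0])
    acs_url = acs.get("Location", "")
    if not acs_url.startswith("https://"):
        warnings.append("ACS endpoint is not https; assertions would travel in the clear: " + acs_url)

    # WantAssertionsSigned=true is the SP promising to verify HelloID's signature.
    want_signed = _flag(sp.get("WantAssertionsSigned"))
    if not want_signed:
        warnings.append("SP does not declare WantAssertionsSigned=true; confirm it verifies signatures anyway")

    required, optional = [], []
    for attr in sp.findall("md:AttributeConsumingService/md:RequestedAttribute", NS):
        (required if _flag(attr.get("isRequired")) else optional).append(attr.get("Name"))

    return {
        "audience": audience,
        "acs_url": acs_url,
        "name_id_format": sp.findtext("md:NameIDFormat", default="", namespaces=NS),
        "want_assertions_signed": want_signed,
        "authn_requests_signed": _flag(sp.get("AuthnRequestsSigned")),
        "required_claims": required,
        "optional_claims": optional,
        "warnings": warnings,
    }


if __name__ == "__main__":
    for key, value in parse_sp_metadata(SAMPLE_SP_METADATA).items():
        print(f"{key}: {value}")
```

The two warnings are the ones that matter most in review: an ACS endpoint over plain http exposes the assertion in transit, and an SP that does not declare WantAssertionsSigned may be one that does not check the signature at all, which turns the certificate from the paragraph above into decoration.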
OpenID Connect
Connecting an application through OpenID Connect is relatively straightforward. One reason is that the OpenID Foundation runs a certification program: a vendor can have its implementation tested against the specification, and HelloID holds this certification. Certification is not mandatory, but when both the IAM solution and the application you want to connect are certified, you can expect them to interoperate without protocol surprises.
One option OpenID Connect offers is to sign the ID token with an HMAC (HS256), keyed by the client secret, instead of with an asymmetric key (RS256). That removes the need for a signing certificate, which simplifies establishing and managing a connection. The trade-off is that the HMAC key is the same client secret the application already holds, so anyone who obtains that secret can also produce tokens the application will accept, whereas with RS256 the application only ever holds the public key. In both cases the confidentiality of the traffic itself comes from TLS, not from the token signature. The choice of algorithm is always up to the customer and the vendor and depends on security requirements. Note: to use HMAC, the application vendor must also support this algorithm, which is not always the case.
To configure an SSO connection through OpenID Connect, you exchange the so-called well-known configuration (the discovery document that HelloID publishes under /.well-known/openid-configuration, which lists the issuer and the authorization, token, userinfo and JWKS endpoints). The vendor provides the redirect URL(s), which you then register in the HelloID configuration exactly as given: the registered redirect URL is what stops an authorization code from being delivered to a different site. You also provide the client ID and client secret to the application vendor, after which the connection can be established.
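The two OpenID Connect paragraphs above, as one added example in Python (this is not HelloID's code or any vendor's): it shows what "signing with HMAC" means by minting an HS256 ID token keyed with the client secret, and then the checks the application has to make on a token it receives: pinned algorithm, signature, issuer from the discovery document, audience equal to the client ID, expiry, and the nonce that ties the token to the sign-in it started. The issuer, client ID, client secret and claims are constructed placeholders. A production relying party would use a maintained JOSE library, but the checks are the same.

```python
"""What 'signing with HMAC' means in an OpenID Connect connection, and the
checks the application (relying party) must make on the ID token it receives.

Added example, not HelloID's or any vendor's code. Issuer, client ID, client
secret and claims are constructed placeholders. Standard library only.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://sso.example.test"              # constructed: the 'issuer' from the discovery document
CLIENT_ID = "example-app-client-id"              # constructed: client ID handed to the vendor
CLIENT_SECRET = "change-me-long-random-secret"   # constructed: client secret handed to the vendor

HS256_HEADER = {"alg": "HS256", "typ": "JWT"}
NONE_HEADER = {"alg": "none", "typ": "JWT"}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint_id_token(claims: dict, client_secret: str) -> str:
    """Provider side: HS256 is HMAC-SHA256 over 'header.payload', keyed by the client secret.
    No certificate is involved, which is the convenience the text describes. The flip side:
    the key is symmetric, so anyone holding the client secret can call this function too."""
    signing_input = f"{_segment(HS256_HEADER)}.{_segment(claims)}"
    sig = hmac.new(client_secret.encode("utf-8"), signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"


def mint_unsigned_token(claims: dict) -> str:
    """An 'alg: none' token with an empty signature, as an attacker would craft it."""
    return f"{_segment(NONE_HEADER)}.{_segment(claims)}."


def verify_id_token(token, client_secret, issuer=ISSUER, client_id=CLIENT_ID, nonce=None, now=None) -> dict:
    """Relying-party side. Raises ValueError with a short reason on any failure."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    head, body, sig = parts
    header = json.loads(_b64url_decode(head))
    # Pin the algorithm you configured; never let the token choose ('none', or an
    # RS256 public key silently reused as an HMAC secret).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(client_secret.encode("utf-8"), f"{head}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired")
    if nonce is not None and claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def rejection_reason(token, client_secret, **kwargs):
    """None if the token verifies, else the reason it was refused."""
    try:
        verify_id_token(token, client_secret, **kwargs)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    issued = int(time.time())
    token = mint_id_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42", "iat": issued,
                           "exp": issued + 300, "nonce": "n-abc"}, CLIENT_SECRET)
    print("valid token:", rejection_reason(token, CLIENT_SECRET, nonce="n-abc"))
    print("wrong secret:", rejection_reason(token, "guess", nonce="n-abc"))
    print("alg none:", rejection_reason(mint_unsigned_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "admin"}), CLIENT_SECRET))
```

Note that the forged-token case needs no special code: mint_id_token is exactly what an attacker with the client secret would run, and the relying party cannot tell the result from a genuine token. That is the trade-off the paragraph on HMAC describes, and the reason the client secret must be handled as carefully as a signing key.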
Connecting via WS-Federation
WS-Federation is a protocol mainly used to connect with Microsoft products, such as SharePoint, Exchange, and Remote Desktop. In combination with WS-Trust, WS-Federation also makes it possible to sign in to Entra ID joined devices through HelloID.
Creating an SSO connection through WS-Federation requires a certificate in a specific format. We are happy to help you get started. Want to set up a connection via WS-Federation? Contact us so that we can convert the certificate for you. We can also assist with importing the certificate into HelloID.
To establish a working connection, you also need information from the application vendor. Specifically, this concerns the sign-in endpoint, the realm (the identifier of the application as a relying party, which it sends as wtrealm in every sign-in request), and the claims the application expects in the token. After configuring this information, you can share the WS-Federation metadata and, if applicable, the WS-Trust metadata with the application vendor to establish the connection.
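The exchange between the application and the sign-in endpoint, as an added example in Python (this is not HelloID's or Microsoft's code): the relying party builds the passive sign-in redirect with the endpoint and realm from the paragraph above, and the identity-provider side checks that request before it posts a token anywhere. The check that matters is on wreply: an identity provider that honours any wreply for a known realm will hand a signed token to whatever site the attacker names. The endpoint, realm and registered reply URL are constructed placeholders.

```python
"""The WS-Federation passive sign-in request between an application (relying party)
and the sign-in endpoint, and the check the identity-provider side must make on
wreply before posting a token.

Added example, not HelloID's or Microsoft's code. The endpoint, realm and reply
URL are constructed placeholders. Standard library only.
"""
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNIN_ENDPOINT = "https://sso.example.test/wsfed"   # constructed: the identity provider's WS-Federation endpoint

# Constructed registry: realm (wtrealm) -> reply URLs the relying party registered.
# A real identity provider keeps this per application; these values are illustrative.
REGISTERED_RPS = {
    "urn:sharepoint:intranet": ["https://intranet.example.com/_trust/"],
}


def build_signin_url(realm: str, reply: Optional[str] = None, ctx: Optional[str] = None,
                     endpoint: str = SIGNIN_ENDPOINT) -> str:
    """Relying-party side: the redirect that starts a passive sign-in.
    wa=wsignin1.0 names the action, wtrealm identifies the relying party, wreply is
    where the token should be posted, wctx is opaque state returned unchanged."""
    params = {"wa": "wsignin1.0", "wtrealm": realm}
    if reply:
        params["wreply"] = reply
    if ctx:
        params["wctx"] = ctx
    return f"{endpoint}?{urlencode(params)}"


def _same_endpoint(candidate: str, registered: str) -> bool:
    """https only; scheme and host must match exactly; the path must sit under the
    registered path. Substring checks on the whole URL are what open redirects exploit."""
    c, r = urlsplit(candidate), urlsplit(registered)
    return (c.scheme == r.scheme == "https"
            and c.netloc.lower() == r.netloc.lower()
            and c.path.startswith(r.path))


def check_signin_request(url: str, registry=REGISTERED_RPS) -> dict:
    """Identity-provider side: accept the request only for a known realm, and only
    post the token to a reply URL that realm registered. Raises ValueError otherwise."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("wa") != "wsignin1.0":
        raise ValueError("unsupported wa")
    realm = query.get("wtrealm")
    if realm not in registry:
        raise ValueError("unknown realm")
    # No wreply means: post to the realm's registered default.
    reply = query.get("wreply", registry[realm][0])
    if not any(_same_endpoint(reply, allowed) for allowed in registry[realm]):
        raise ValueError("wreply not registered for realm")
    return {"realm": realm, "reply": reply, "ctx": query.get("wctx")}


def signin_request_problem(url: str, registry=REGISTERED_RPS) -> Optional[str]:
    """None if the request is acceptable, else the reason it was refused."""
    try:
        check_signin_request(url, registry)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    good = build_signin_url("urn:sharepoint:intranet",
                            reply="https://intranet.example.com/_trust/", ctx="rm=0&id=passive")
    print(good)
    print("accepted:", check_signin_request(good))
    spoofed = build_signin_url("urn:sharepoint:intranet",
                               reply="https://intranet.example.com.evil.net/_trust/")
    print("spoofed wreply:", signin_request_problem(spoofed))
```

The registered reply URL is the WS-Federation counterpart of the SAML ACS URL and the OpenID Connect redirect URL: in all three protocols, the place the token is delivered must come from configuration you control, never from the request alone.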
Get started
Ready to get started with HelloID Access Management? You can read more about the capabilities of this module on our website. Questions? Contact us!