SSO Setup¶

Yappes native authentication securely lets users log in to the platform and utilize the available options. However, in addition to it, you can set up an alternative authentication that allows users to log in to both Admin Console and API Manager using one set of login credentials. Through the Yappes Admin Console, you can achieve this type of authentication by setting up SSO.

SSO offers the session and user authentication service based upon the trust relationship set up between Yappes (Service Provider) and Identity Provider, and this trust relationship functions based upon a certificate exchanged between the two.

When the user signs in to the platform using the available identity provider, the certificate acts as a verification of the identity information that has been sent from the identity provider to the service provider. If the information is correct/coming from a trusted source, the authentication will succeed, and the user can log in.

flowchart TD;
    title[Workflow of SSO]
    subgraph SSO_Flow
        A[User Accesses Yappes] -->|User info| B[Request to Verify User with SAML 2.0 or OpenLDAP]
        B -->|Request| C[Check Authentication Status]
        C -- Yes --> G[User Access Granted]
        C -- No --> D[User Authentication if Needed]
        D -->|Credentials| E[Authentication Confirmation]
        E -->|Token| F[Token Validation]
        F -->|Token Validation| G
    end

SSO Workflow

The available identity providers for the Yappes platform are:

• SAML 2.0
• Open LDAP

Once you set up one of these SSOs, users can log in to Yappes using their existing SSO credentials without needing a separate set of credentials unique to Yappes (both Admin Console and API Manager.)

SAML 2.0¶

Yappes platform support SAML 2.0 (Security Assertion Markup Language) as an identity provider. Amongst B2B and B2E applications, SAML is popular for identity federation and has been used since 2005. It's an open standard for applying single sign-on (SSO) over cross-domain.

SAML uses XML files and simple HTTP for data transport mechanisms to represent the user's identity data.

Due to its open standard, it makes interoperability of the system possible, and users can access multiple service providers by signing in just once. Furthermore, it doesn't require user information to be maintained and synchronized between directories. Hence, it is a potential identity provider that you can enable for your users across all the Yappes platform.

graph LR
subgraph SSO_FLOW 
direction LR
    title[Working of SAML 2.0 SSO]
    A[User clicks 'Login'] -->|Initiates authentication| B(Yappes Platform)
    B -->|Creates SAML Request| C(IdP)
    C -->|Validates Request| D{Valid?}
    D -- Yes --> E[User enters credentials]
    E -->|Generates SAML Assertion| F(IdP)
    F -->|Sends Assertion| B
    B -->|Verifies Assertion| H{Assertion valid?}
    H -- Yes --> I[Assign permissions and login]
    H -- No --> J[End authentication]
    I -->|Redirects user| K[Logged in]
    J -->|Ends authentication| A
   end

To enable SAML 2.0 for SSO, follow the below steps one by one.

How to enable SAML 2.0 SSO¶

In order to enable SAML 2.0 SSO across your platform, you need to meet some requirements.

Prerequisites¶

Check out the requirements in the above table, and once you meet them, go to the steps to enable SAML 2.0 SSO.

Steps to enable SAML 2.0 SSO¶

To set up SSO across platform for all users using SAML 2.0 as an identity provider, you need to access the SSO Setup window on your Admin Console. Therefore:

• From your home screen, go to the SSO Setup.

• You find the following options in the SSO Setup window:

• The default SSO type is set to SAML 2.0.
• Fields available for Server Provider Settings.
• Fields available for Identity Provider Settings.
• And SSO Status set to Disable.

• To activate the SAML 2.0 SSO.
• First, go to the Server Provider Settings and enter the required information:
  • Login URL.
  • Entity Id.
  • Acs URL.
  • Name-Id Format.

• Once you've added those, go to the Identity Provider Settings and enter the required information:

  • Entity Id.
  • X509Certificate.
  • SSO Entry URL.
  • And IDPs Metadata.

• After adding the above information, click on the Update and Activate button, and you can see a configuration successful alert.

• Now, you can enable the SAML 2.0 SSO for your platform.
  • To do that, go to the SSO Status.
  • And turn the toggle from Disable to Enable.

That's it; you have successfully enabled the SSO using SAML 2.0 on your platform. When users try to log in, they can find the SAML 2.0 SSO option on the login page as follows.

SAML SSO for Admin Console Login Page

SAML SSO for API Manager Login Page

Open LDAP¶

LDAP is a software protocol that enables locating data related to organizations, individuals and other resources like files and devices in a network. It's most commonly used for authentication, and system administrators can use it to enable single sign-on (SSO.) It functions over a bind operation based on a client/server model where the client is an LDAP-ready system, and the server is the LDAP directory database.

It uses a smaller amount of code compared to other protocols, and that's why it's a Lightweight Directory Access Protocol.

Yappes supports enabling SSO through Open LDAP, giving an alternative choice to SAML 2.0. When users access the platform using Open LDAP SSO, they send a bind request to the LDAP server, including their identifier (i.e., username or email) and password. Open LDAP initiates an SSO request. This request gets prompted to the credential check, and if the credentials are valid, a token gets generated. Otherwise, the authentication/bind fails.

The generated token is returned to the user, and the validation starts. If the token is valid, access is granted. Otherwise, re-authentication happens, and another SSO request is initiated.

flowchart LR
subgraph SSO_FLOW 
direction LR
    title[Working of OpenLDAP SSO]
    A(User Accesses Yappes Platform) -->|Requires Authentication| B(SSO Redirect)
    B -->|Initiates SSO| C(OpenLDAP)
    C -->|Prompts for Credentials| D{Valid Credentials?}
    D -- Yes --> E[Generate Token]
    E -->|Return Token| A
    D -- No --> F[Authentication Failed]
    F -->|Return Error| A
    A -->|Uses Token| G{Token Valid?}
    G -- Yes --> H[Grant Access]
    G -- No --> I[Re-authenticate]
    I -->|Initiates SSO| C
    H -->|Accesses Yappes Platform| A
    H -->|Logs Out| J[End of Session]
    end

How to enable Open LDAP SSO¶

In order to enable Open LDAP SSO across your platform, you need to meet some requirements.

Prerequisites¶

Check out the requirements in the above table, and once you meet them, go to the steps to enable Open LDAP SSO.

Steps to enable Open LDAP SSO¶

To set up SSO across platform for all users using the Open LDAP as an identity provider, you need to access the SSO Setup window on your Admin Console.

• From your home screen, go to the SSO Setup.

• You find the following options in the SSO Setup window:

• Here, go to the SSO Type and select the Open LDAP option.

• In the Open LDAP window, enter the required information in the respective fields.
  • First, enter the Server URL.
  • Then, enter the Bind DN.
  • After Bind DN, enter the Bind Credentials.
  • Once you have added those, enter the details of your Search Base.
  • Finally, click on the Update and Activate button.

• As you click the Update and Activate button, you get the Configuration Successful notification. Now, you can enable the SSO using Open LDAP as the identity provider.
  • To do that, go to the SSO Status section.
  • And turn the toggle from Disable to Enable.

That's it; you have successfully enabled the SSO using Open LDAP on your platform. When users try to log in, they can find the Open LDAP SSO option on the login page as follows.

Open LDAP SSO for Admin Console Login Page

Open LDAP SSO for API Manager Login Page