Purpose
The purpose of this document is to provide guidelines for integrating a web application or a web service into an SSO system empowered by a Parallels identity provider service.
The document is intended for developers of web applications/services who want to give end users of those applications/services the ability to easily access all applications joined by a single Identity Provider after being authenticated only once.
Scope
As the number of web applications/services grows, and as they become increasingly complex, the ways in which authentication is achieved also multiply. Parallels offers its own implementation of Single Sign-On (SSO), based on the APS Identity protocol. This protocol regulates communication between the parties inside an SSO system.
An SSO system is a system comprising multiple web applications/services and a single administrative domain that holds the identity provider service. All the applications/services are registered in the identity provider service database. Such a system can include both Parallels and third-party applications/services.
This guide contains in-depth instructions on how to add a web application/service to an SSO system.
Definitions, acronyms, and abbreviations
All terms used in this document (if not specially mentioned) are defined in the Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0.
This document also uses the following terms and/or term meanings beyond the Glossary:
Single sign-on (SSO). A specialized form of user authentication that enables a user to access resources of multiple service providers after being authenticated only once.
SSO system. A system comprising multiple web applications/services and a single administrative domain that holds the identity provider service. All the applications/services are registered in the identity provider service database. The system provides SSO to users of the web applications/services.
Service provider (SP). A web application/service that offers its resources to users.
Identity provider (IdP). A Parallels identity provider. Depending on the context, this term takes one of the following meanings:
FI. Federated identity.
Local account. A user account managed by an SP.
Global account. A user account managed by IdP.
Session. A data structure that caches the results of the authentication procedure so that a user does not need to go through the authentication procedure for each operation. A session is opened (created) after successful authentication of a user. A session is closed (terminated) when a user logs out or after a defined period of inactivity.
Local session. A session opened by an SP.
Global session. A session opened by IdP.
User. An end user of an SSO system.
Conventions
In this document, the following conventions are used:
References
http://www.oasis-open.org/committees/download.php/21111/saml-glossary-2.0-os.html
http://docs.oasis-open.org/security/saml/v2.0/saml-core-2.0-os.pdf
/docs/Specification/sso-2.0-spec.pdf