The purpose of this document is to provide guidelines for integrating a web application or a web service into an SSO system empowered by a Parallels identity provider service.
The document is intended for developers of web applications/services whose aim is to provide end users of the applications/services with the ability to easy access all applications (joined by a single Identity Provider) after being authenticated only once.
Because the number of web applications/services grows, and they tend to become increasingly complex, the ways in which authentication is achieved become more numerous. Parallels offers its implementation of Single Sign-On (SSO) that is based on the APS Identity protocol. This protocol regulates communication between parties inside an SSO system.
An SSO system is a system comprising multiple web applications/services and a single administrative domain that holds the identity provider service. All the applications/services are registered in the identity provider service database. Such system can include both Parallels and third-party applications/services.
This guide contains in-depth instructions on how to add a web application/service to an SSO system.
Definitions, acronyms, and abbreviations
All terms used in this document (if not specially mentioned) are defined in the Glossary for the OASIS Security Assertion Markup Language (SAML) V2.0.
This document also uses the following terms and and/or term meanings beyond the Glossary:
Single sign-on (SSO). A specialized form of user authentication that enables a user to access resources of multiple service providers after being authenticated only once.
SSO system. A system comprising multiple web applications/services and a single administrative domain that holds the identity provider service. All the applications/services are registered in the identity provider service database. The system provides SSO to users of the web applications/services.
Service provider (SP). A web application/service that offers its resources to users.
Identity provider (IdP). A Parallels identity provider. Depending on the context, this term takes one of the following meanings:
FI. Federated identity.
Local account. A user account managed by an SP.
Global account. A user account managed by IdP.
Session. A data structure that caches results of authentication procedure so a user does not need to go through authentication procedure for each operation. A session is opened (created) after successful authentication of a user. A session is closed (terminated) when a user logs out or after a defined period of inactivity.
Local session. A session opened by an SP.
Global session. A session opened by IdP.
User. An end user of an SSO system.
In this document, the following conventions are used: