On this page |
|
|
\uD83D\uDCCB What's about
SAML is an acronym used to describe the Security Assertion Markup Language (SAML). Its primary role in online security is that it enables you to access multiple web applications using one set of login credentials. It works by passing authentication information in a particular format between two parties, usually an identity provider (IDP) and a web application (in our case, XCALLY).
The technology industry created SAML to simplify the authentication process where users needed to access multiple, independent web applications across domains. Prior to SAML, single sign-on (SSO) was achievable but relied on cookies that were only viable within the same domain. It achieves this objective by centralizing user authentication with an identity provider. Web applications can then leverage SAML via the identity provider to grant access to their users. This SAML authentication approach means users do not need to remember multiple usernames and passwords. It also benefits service providers as it increases security of their own platform, primarily by avoiding the need to store (often weak and insecure) passwords and not having to address forgotten password issues. (Reference: https://www.onelogin.
How to set up🔧 Configuration
| Info |
|---|
Consider that there are many types of configurations with SAML |
To activate the login with SAML on XCALLY, you need to:
A. Configure XCALLY Serverthe Identity Provider
B. Enable Configure XCALLY connection in IDPServer
C. Enable SAML login for Administrator, Users and Agents
Requirements
| Panel | ||
|---|---|---|
| ||
The SAML SSO feature requires:
|
Configure the Identity Provider
A SAML identity provider is a system entity that issues authentication assertions in conjunction with a single sign-on profile of the Security Assertion Markup Language (SAML).
SAML assertions are the messages that are exchanged between an identity provider (IDP) and XCALLY that confidentially identify who a user is, what pertinent information exists about them, and what they’re authorized or entitled to access.
Choose a SAML Identity Provider (IDP)
Associate the XCALLY Motion to the IDP (ex. create the application)
When requested, add the XCALLY certificate (see next how to get it)
From the IDP Settings, retrieve:
SAML Endpoint (HTTP)
IDP Certificate
Issuer URL
Single Logout URL (HTTP), if available in IDP
When configuring SAML Assertions, add the custom attribute (or parameter) that defines the connector field. Set email as value, so that the provider will consider the XCALLY user email as connector field.
| Info |
|---|
Emails registered on the identity provider must be already set on XCALLY |
Below, you can find an example:
.png?version=1&modificationDate=1664967293952&cacheVersion=1&api=v2&width=544)
Retrieve XCALLY Certificate
Certificates in SAML are used as a convenient way to handle the signing and encryption keys. The keys are usually either exchanged through metadata, or by some secure transfer of the certificate to the parties involved in the SAML exchange.
To retrieve the XCALLY certificate from the SAML metadata, go to the API:
| Code Block |
|---|
https://<XCALLY DOMAIN>/api/auth/saml/metadata |
(enter your XCALLY domain in the string)
Below, you can find an example:
Configure XCALLY Server
Follow these steps to configure the XCALLY server:
Use SSH to connect to your XCALLY server
Login with
motion user
Set SAML strings for activating the connection between XCALLY and the IDP in /var/opt/motion/.env :
Code Block DOMAIN -> Your Motion Domain (XCALLY URL) XC_SAML_ENTRYPOINT ->
IDP
SAML Endpoint XC_SAML_CERT -> IDP's public signing certificate (paste the certificate text into a single line) XC_SAML_ISSUER -> Issuer string to retrieve from the IDP XC_SAML_LOGOUT_URL (optional) -> IDP Single Logout
Enable Active Directory connection in XCALLY
To use Active Directory login, you need to add Active Directory settings on XCALLY.
Retrieve Active Directory configuration
Ask to Active Directory Administrator the following properties:
Property
Description
url
Active Directory server to connect to, e.g. ldap://ad.example.com
baseDN
The root DN from which all searches will be performed, e.g. dc=example,dc=com.
domain
Domain of email address, e.g. example.com
Configure Active Directory in XCALLY
Follow these steps to configure the Active Directory:
Use SSH to connect to your XCALLY server
Login with motion user
| Code Block | ||
|---|---|---|
| ||
su - motion |
Open /var/opt/motion2/.env and edit the following properties (add it if not existing)
| Code Block | ||
|---|---|---|
| ||
XC_ACTIVEDIRECTORY_BASE_DN='<baseDN>'
XC_ACTIVEDIRECTORY_URL='<url>'
XC_ACTIVEDIRECTORY_DOMAIN='<domain>' |
Stop motion application (with root privileges)
| Code Block | ||
|---|---|---|
| ||
service motion stop |
Initialize environment variables
| language | bash |
|---|
Below, you can find an example:
To edit the file .env, follow the instructions recommended here, by searching XC_SAML variables
Enable SAML login for Administrator, Users and Agents
Enable login in General Settings
The Login with SAML must be enabled under Settings → General:
Users and Agents (WebRTC and External) will be able to connect to XCALLY using identity provider credentials.
Login for XCALLY users
On the Login page, the button Login with SAML is available:
Clicking on Login with SAML, XCALLY Users will be redirected on the identity provider portal.
After entering the provider credentials on the provider portal, XCALLY Interface will be opened as usual.
If configured, from the second login on, each time Users click on Login with SAML, they will directly access to XCALLY, without entering credentials again.