Single Sign-On (SSO)
Comprehensive Single Sign-On integration for SOLVEFORCE services with SAML 2.0, OAuth 2.0, OpenID Connect, and enterprise identity provider support for secure, seamless user authentication and access management.
π― SSO Overview
SOLVEFORCE Single Sign-On provides secure, centralized authentication that enables users to access all telecommunications and IT services using their existing corporate credentials, eliminating password fatigue and enhancing security posture.
π SSO Key Features
Universal Authentication:
- Single credential access to all SOLVEFORCE services
- Cross-platform compatibility (web, mobile, API)
- Seamless integration with existing corporate identity systems
- Multi-factor authentication (MFA) support and enforcement
- Session management with configurable timeout policies
Enterprise Identity Integration:
- Active Directory and Azure AD integration
- LDAP and directory service connectivity
- SAML 2.0 identity provider support
- OAuth 2.0 and OpenID Connect standards
- Custom identity provider integration capabilities
Advanced Security Features:
- Just-in-time (JIT) user provisioning
- Role-based access control (RBAC) integration
- Conditional access and adaptive authentication
- Session security and token management
- Comprehensive audit logging and compliance
π SAML 2.0 Integration
π’ Enterprise SAML Configuration
SAML Identity Providers Supported:
- Microsoft Azure Active Directory: Enterprise cloud identity platform
- Active Directory Federation Services (ADFS): On-premises Microsoft identity
- Okta: Cloud-based identity and access management
- Ping Identity: Enterprise identity and access solutions
- OneLogin: Cloud identity and access management platform
- Auth0: Flexible identity platform with enterprise features
SAML Configuration Process:
- Identity Provider Setup: Configure SOLVEFORCE as service provider in IdP
- Certificate Exchange: Install SAML signing certificates and metadata
- Attribute Mapping: Map user attributes between IdP and SOLVEFORCE
- Testing: Validate authentication flow and user provisioning
- Production Deployment: Enable SSO for organization users
SAML Metadata Configuration:
<!-- SOLVEFORCE SAML Service Provider Metadata -->
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://sso.solveforce.com/saml/metadata">
<md:SPSSODescriptor
protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"
AuthnRequestsSigned="true"
WantAssertionsSigned="true">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>MIIDXTCCAkWgAwIBAgIJAJC1...</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
<md:AssertionConsumerService
index="0"
isDefault="true"
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://sso.solveforce.com/saml/acs"/>
<md:SingleLogoutService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://sso.solveforce.com/saml/sls"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>
π§ Azure Active Directory Integration
Azure AD SAML Setup:
# Azure AD PowerShell Configuration
Connect-AzureAD
# Create new Enterprise Application for SOLVEFORCE
$app = New-AzureADApplication -DisplayName "SOLVEFORCE SSO" `
-Homepage "https://portal.solveforce.com" `
-IdentifierUris "https://sso.solveforce.com/saml/metadata"
# Configure SAML settings
Set-AzureADApplication -ObjectId $app.ObjectId `
-ReplyUrls @("https://sso.solveforce.com/saml/acs") `
-SamlMetadataUrl "https://sso.solveforce.com/saml/metadata"
# Assign users and groups
$servicePrincipal = New-AzureADServicePrincipal -AppId $app.AppId
Add-AzureADGroupMember -ObjectId $groupId -RefObjectId $servicePrincipal.ObjectId
Azure AD Attribute Mapping:
{
"attribute_mapping": {
"user.mail": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
"user.displayname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
"user.givenname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
"user.surname": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
"user.department": "http://schemas.solveforce.com/claims/department",
"user.jobtitle": "http://schemas.solveforce.com/claims/role"
},
"role_mapping": {
"SOLVEFORCE_Admin": "Admin",
"SOLVEFORCE_User": "User",
"SOLVEFORCE_Billing": "BillingManager",
"SOLVEFORCE_Support": "SupportUser"
}
}
ποΈ Okta SAML Integration
Okta Application Configuration:
{
"okta_saml_config": {
"app_name": "SOLVEFORCE Enterprise Portal",
"sso_url": "https://sso.solveforce.com/saml/acs",
"audience": "https://sso.solveforce.com/saml/metadata",
"name_id_format": "EmailAddress",
"response_signed": true,
"assertion_signed": true,
"signature_algorithm": "RSA_SHA256",
"digest_algorithm": "SHA256",
"honor_force_authn": false,
"authn_context_class_ref": "PasswordProtectedTransport"
},
"attribute_statements": [
{"name": "FirstName", "name_format": "Basic", "value": "user.firstName"},
{"name": "LastName", "name_format": "Basic", "value": "user.lastName"},
{"name": "Email", "name_format": "Basic", "value": "user.email"},
{"name": "Department", "name_format": "Basic", "value": "user.department"},
{"name": "Groups", "name_format": "Basic", "value": "user.groups"}
]
}
π OAuth 2.0 and OpenID Connect
π OAuth 2.0 Authorization Framework
Supported OAuth 2.0 Flows:
- Authorization Code Flow: Secure server-side application authentication
- Client Credentials Flow: Machine-to-machine authentication
- Device Code Flow: IoT and device authentication
- Refresh Token Flow: Long-lived session management
- PKCE (Proof Key for Code Exchange): Enhanced mobile security
OAuth 2.0 Client Configuration:
{
"client_id": "solveforce_enterprise_app",
"client_secret": "your-client-secret",
"redirect_uris": [
"https://portal.solveforce.com/oauth/callback",
"https://mobile.solveforce.com/oauth/callback"
],
"grant_types": [
"authorization_code",
"refresh_token",
"client_credentials"
],
"response_types": ["code"],
"scope": [
"openid",
"profile",
"email",
"solveforce:services",
"solveforce:billing",
"solveforce:support"
],
"token_endpoint_auth_method": "client_secret_basic"
}
Authorization Code Flow Implementation:
# OAuth 2.0 Authorization Code Flow
import requests
from urllib.parse import urlencode
def initiate_oauth_flow():
"""Initiate OAuth 2.0 authorization flow"""
auth_params = {
'client_id': 'your-client-id',
'response_type': 'code',
'scope': 'openid profile email solveforce:services',
'redirect_uri': 'https://your-app.com/oauth/callback',
'state': generate_random_state(),
'code_challenge': generate_pkce_challenge(),
'code_challenge_method': 'S256'
}
auth_url = f"https://sso.solveforce.com/oauth/authorize?{urlencode(auth_params)}"
return auth_url
def exchange_code_for_tokens(authorization_code, code_verifier):
"""Exchange authorization code for access tokens"""
token_data = {
'grant_type': 'authorization_code',
'client_id': 'your-client-id',
'client_secret': 'your-client-secret',
'code': authorization_code,
'redirect_uri': 'https://your-app.com/oauth/callback',
'code_verifier': code_verifier
}
response = requests.post(
'https://sso.solveforce.com/oauth/token',
data=token_data,
headers={'Content-Type': 'application/x-www-form-urlencoded'}
)
return response.json()
π OpenID Connect Integration
OpenID Connect User Info:
def get_user_info(access_token):
"""Retrieve user information from OpenID Connect endpoint"""
headers = {'Authorization': f'Bearer {access_token}'}
response = requests.get(
'https://sso.solveforce.com/oauth/userinfo',
headers=headers
)
return response.json()
# Example user info response
{
"sub": "user123456",
"name": "John Doe",
"given_name": "John",
"family_name": "Doe",
"email": "john.doe@acme.com",
"email_verified": true,
"picture": "https://avatars.solveforce.com/user123456",
"department": "IT Operations",
"roles": ["Admin", "BillingManager"],
"solveforce_account_id": "acc_789012",
"preferred_username": "john.doe"
}
JWT Token Validation:
import jwt
import requests
def validate_jwt_token(token):
"""Validate JWT token and extract claims"""
# Get public keys from JWKS endpoint
jwks_response = requests.get('https://sso.solveforce.com/.well-known/jwks.json')
jwks = jwks_response.json()
# Decode and validate token
try:
decoded_token = jwt.decode(
token,
jwks,
algorithms=['RS256'],
audience='your-client-id',
issuer='https://sso.solveforce.com'
)
return decoded_token
except jwt.InvalidTokenError as e:
raise AuthenticationError(f"Invalid token: {e}")
π₯ User Provisioning and Management
π Just-in-Time (JIT) Provisioning
Automatic User Creation:
def provision_user_jit(saml_assertion):
"""Provision user based on SAML assertion attributes"""
user_attributes = extract_saml_attributes(saml_assertion)
user_data = {
'email': user_attributes.get('email'),
'first_name': user_attributes.get('first_name'),
'last_name': user_attributes.get('last_name'),
'department': user_attributes.get('department'),
'job_title': user_attributes.get('job_title'),
'phone': user_attributes.get('phone'),
'account_id': determine_account_from_domain(user_attributes.get('email'))
}
# Check if user exists
existing_user = User.objects.filter(email=user_data['email']).first()
if existing_user:
# Update existing user attributes
update_user_attributes(existing_user, user_data)
return existing_user
else:
# Create new user
new_user = create_user(user_data)
assign_default_roles(new_user)
send_welcome_email(new_user)
return new_user
Role and Permission Mapping:
{
"role_mapping_rules": [
{
"condition": {
"attribute": "department",
"value": "IT",
"operator": "equals"
},
"roles": ["TechnicalUser", "ServiceManager"]
},
{
"condition": {
"attribute": "job_title",
"value": "Manager",
"operator": "contains"
},
"roles": ["Manager", "BillingApprover"]
},
{
"condition": {
"attribute": "groups",
"value": "SOLVEFORCE_Admins",
"operator": "member_of"
},
"roles": ["Administrator", "SecurityManager"]
}
],
"default_roles": ["BasicUser", "PortalAccess"]
}
π User Lifecycle Management
User Deprovisioning:
def handle_user_deprovisioning(user_email, reason="user_terminated"):
"""Handle user account deprovisioning"""
user = User.objects.get(email=user_email)
# Disable account access
user.is_active = False
user.deactivation_date = timezone.now()
user.deactivation_reason = reason
# Revoke all sessions and tokens
revoke_user_sessions(user)
revoke_api_tokens(user)
# Remove from groups and roles
remove_user_from_all_groups(user)
# Archive user data
archive_user_data(user)
# Notify administrators
notify_user_deprovisioned(user)
user.save()
Group Synchronization:
def sync_user_groups(user, identity_provider_groups):
"""Synchronize user groups from identity provider"""
# Map IdP groups to SOLVEFORCE groups
group_mapping = {
'IT_Team': 'technical-users',
'Finance_Team': 'billing-managers',
'Executives': 'executives',
'Support_Staff': 'support-users'
}
# Get current user groups
current_groups = set(user.groups.values_list('name', flat=True))
# Determine new groups based on IdP groups
new_groups = set()
for idp_group in identity_provider_groups:
if idp_group in group_mapping:
new_groups.add(group_mapping[idp_group])
# Add user to new groups
groups_to_add = new_groups - current_groups
for group_name in groups_to_add:
group = Group.objects.get(name=group_name)
user.groups.add(group)
# Remove user from old groups
groups_to_remove = current_groups - new_groups
for group_name in groups_to_remove:
group = Group.objects.get(name=group_name)
user.groups.remove(group)
π Security and Compliance
π‘οΈ Multi-Factor Authentication (MFA)
MFA Integration with SSO:
def configure_mfa_requirements():
"""Configure MFA requirements for different user roles"""
mfa_policies = {
'Administrator': {
'required': True,
'methods': ['totp', 'hardware_token', 'biometric'],
'backup_codes': True,
'enforcement': 'strict'
},
'BillingManager': {
'required': True,
'methods': ['totp', 'sms'],
'backup_codes': True,
'enforcement': 'conditional'
},
'StandardUser': {
'required': False,
'methods': ['totp', 'sms'],
'backup_codes': False,
'enforcement': 'optional'
}
}
return mfa_policies
def validate_mfa_during_sso(user, mfa_token):
"""Validate MFA token during SSO authentication"""
mfa_policy = get_user_mfa_policy(user)
if mfa_policy['required']:
if not mfa_token:
raise MFARequiredError("MFA token required for this user")
if not validate_mfa_token(user, mfa_token):
raise MFAValidationError("Invalid MFA token")
# Log MFA validation
log_mfa_attempt(user, success=True)
π Conditional Access Policies
Risk-Based Authentication:
def evaluate_conditional_access(user, request_context):
"""Evaluate conditional access policies"""
risk_factors = calculate_risk_score(user, request_context)
policies = [
{
'name': 'Location-based access',
'condition': risk_factors['location_risk'] > 0.7,
'action': 'require_mfa'
},
{
'name': 'Device compliance',
'condition': not request_context.get('device_compliant'),
'action': 'deny_access'
},
{
'name': 'Business hours',
'condition': not is_business_hours(request_context['timestamp']),
'action': 'require_approval'
}
]
for policy in policies:
if policy['condition']:
enforce_policy_action(policy['action'], user, request_context)
def calculate_risk_score(user, context):
"""Calculate authentication risk score"""
risk_score = 0.0
# Location risk
if context['ip_address'] not in user.trusted_ips:
risk_score += 0.3
# Device risk
if context['device_id'] not in user.trusted_devices:
risk_score += 0.4
# Time-based risk
if not is_normal_login_time(user, context['timestamp']):
risk_score += 0.2
# Behavioral risk
if detect_anomalous_behavior(user, context):
risk_score += 0.5
return {'overall_risk': min(risk_score, 1.0), 'location_risk': 0.3 if context['ip_address'] not in user.trusted_ips else 0.0}
π Audit and Compliance
SSO Audit Logging:
def log_sso_event(event_type, user, details):
"""Log SSO authentication events for audit purposes"""
audit_entry = {
'timestamp': timezone.now(),
'event_type': event_type,
'user_id': user.id if user else None,
'user_email': user.email if user else None,
'ip_address': details.get('ip_address'),
'user_agent': details.get('user_agent'),
'session_id': details.get('session_id'),
'identity_provider': details.get('identity_provider'),
'success': details.get('success', False),
'failure_reason': details.get('failure_reason'),
'risk_score': details.get('risk_score'),
'mfa_used': details.get('mfa_used', False)
}
# Store in audit log
AuditLog.objects.create(**audit_entry)
# Send to SIEM if configured
if settings.SIEM_INTEGRATION_ENABLED:
send_to_siem(audit_entry)
# Example audit events
log_sso_event('login_success', user, {
'ip_address': '192.168.1.100',
'user_agent': 'Mozilla/5.0...',
'identity_provider': 'azure_ad',
'success': True,
'mfa_used': True
})
π οΈ Implementation and Configuration
βοΈ SSO Configuration Dashboard
Administrative Interface:
class SSOConfigurationView:
def get_identity_providers(self):
"""Get configured identity providers"""
return [
{
'id': 'azure_ad',
'name': 'Microsoft Azure AD',
'type': 'saml',
'status': 'active',
'users_count': 1250,
'last_sync': '2024-01-15T10:30:00Z'
},
{
'id': 'okta',
'name': 'Okta Enterprise',
'type': 'saml',
'status': 'active',
'users_count': 850,
'last_sync': '2024-01-15T10:15:00Z'
}
]
def configure_identity_provider(self, provider_config):
"""Configure new identity provider"""
# Validate configuration
validate_idp_configuration(provider_config)
# Test connection
test_result = test_idp_connection(provider_config)
if not test_result['success']:
raise ConfigurationError(test_result['error'])
# Save configuration
idp = IdentityProvider.objects.create(**provider_config)
# Generate metadata
generate_sp_metadata(idp)
return idp
π§ Advanced Configuration Options
Session Management:
{
"session_config": {
"timeout_minutes": 480,
"idle_timeout_minutes": 60,
"max_concurrent_sessions": 3,
"remember_me_enabled": true,
"remember_me_duration_days": 30,
"secure_cookies": true,
"same_site": "Strict"
},
"token_config": {
"access_token_lifetime_minutes": 60,
"refresh_token_lifetime_days": 30,
"id_token_lifetime_minutes": 60,
"token_rotation_enabled": true
}
}
Custom Attribute Mapping:
def configure_custom_attribute_mapping():
"""Configure custom attribute mapping from IdP to SOLVEFORCE"""
mapping_rules = [
{
'source_attribute': 'extensionAttribute1',
'destination_field': 'cost_center',
'transformation': 'uppercase',
'required': False
},
{
'source_attribute': 'department',
'destination_field': 'user_department',
'transformation': None,
'required': True
},
{
'source_attribute': 'employeeId',
'destination_field': 'employee_number',
'transformation': 'zero_pad_8',
'required': False
}
]
return mapping_rules
def apply_attribute_transformations(value, transformation):
"""Apply transformation to attribute value"""
transformations = {
'uppercase': lambda x: x.upper() if x else None,
'lowercase': lambda x: x.lower() if x else None,
'zero_pad_8': lambda x: x.zfill(8) if x else None,
'remove_spaces': lambda x: x.replace(' ', '') if x else None
}
if transformation and transformation in transformations:
return transformations[transformation](value)
return value
π Monitoring and Analytics
π SSO Performance Monitoring
Authentication Metrics:
class SSOMetrics:
def get_authentication_stats(self, time_period='24h'):
"""Get SSO authentication statistics"""
return {
'total_logins': self.count_logins(time_period),
'successful_logins': self.count_successful_logins(time_period),
'failed_logins': self.count_failed_logins(time_period),
'mfa_challenges': self.count_mfa_challenges(time_period),
'average_login_time_ms': self.calculate_avg_login_time(time_period),
'unique_users': self.count_unique_users(time_period),
'identity_provider_breakdown': self.get_idp_breakdown(time_period)
}
def get_security_metrics(self, time_period='24h'):
"""Get security-related SSO metrics"""
return {
'suspicious_login_attempts': self.count_suspicious_logins(time_period),
'blocked_login_attempts': self.count_blocked_logins(time_period),
'password_attacks': self.count_password_attacks(time_period),
'geographic_anomalies': self.count_geographic_anomalies(time_period),
'device_compliance_violations': self.count_compliance_violations(time_period)
}
Real-time Dashboard:
// SSO Dashboard JavaScript
class SSODashboard {
constructor() {
this.metrics = new SSOMetrics();
this.refreshInterval = 30000; // 30 seconds
}
async updateDashboard() {
const authStats = await this.metrics.getAuthenticationStats();
const securityStats = await this.metrics.getSecurityMetrics();
// Update charts
this.updateLoginChart(authStats);
this.updateSecurityChart(securityStats);
this.updateUserActivity(authStats.unique_users);
// Update alerts
this.checkSecurityAlerts(securityStats);
}
checkSecurityAlerts(stats) {
if (stats.suspicious_login_attempts > 10) {
this.showAlert('High number of suspicious login attempts detected', 'warning');
}
if (stats.blocked_login_attempts > 5) {
this.showAlert('Multiple blocked login attempts - possible attack', 'danger');
}
}
}
π Resources and Support
π οΈ Implementation Resources
Configuration Guides:
- Azure AD SAML Setup: Step-by-step Azure AD configuration guide
- Okta Integration: Comprehensive Okta SAML configuration
- OAuth 2.0 Implementation: OAuth 2.0 integration best practices
- Custom IdP Integration: Custom identity provider integration guide
- Troubleshooting Guide: Common SSO issues and resolutions
Testing Tools:
- SAML Tracer: Browser extension for SAML debugging
- JWT Debugger: Online JWT token validation and debugging
- SSO Test Suite: Automated SSO testing and validation tools
- Metadata Validator: SAML metadata validation utility
- Security Scanner: SSO security assessment tools
π Support and Professional Services
Technical Support:
- SSO Specialists: Dedicated SSO implementation support
- 24/7 Support: Round-the-clock SSO technical assistance
- Integration Support: Custom integration development and support
- Security Consultation: SSO security assessment and hardening
- Training Programs: SSO administration and best practices training
Professional Services:
- Identity Strategy Consulting: Enterprise identity architecture planning
- Custom Integration Development: Tailored SSO integration solutions
- Migration Services: Legacy system to modern SSO migration
- Security Assessment: Comprehensive SSO security evaluation
- Compliance Assistance: Regulatory compliance guidance and support
Contact Information:
- SSO Support: sso-support@solveforce.com
- Identity Services: identity@solveforce.com
- Security Team: security@solveforce.com
- Professional Services: consulting@solveforce.com
- Emergency Support: 1-888-SSO-HELP
Your Identity Security Partner β SOLVEFORCE Single Sign-On.
Comprehensive SSO platform designed to provide secure, seamless authentication with enterprise identity integration, advanced security features, and simplified user access management for all your telecommunications and IT services.