Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication data between a service provider (such as Replicon) and an identity provider. SAML enables single sign-on in a web browser and is typically used as an enterprise-level identity management solution.

Replicon can connect with SAML to assist users in logging into the application using their AD/NT credentials.

SAML authentication allows single sign-on to Replicon. This means that when users access the SAML website, they are prompted for their NT/AD credentials if they are accessing the URL from outside the network or have logged into their workstation with local system credentials. Once the user is authenticated, the request is forwarded to the Replicon URL defined during the SAML setup.

The application is configured to support SAML authentication, so users are expected to access the SAML website instead of the Replicon URL, since the authentication is completed on the SAML website. Once authentication is completed, the SAML Identity Provider redirects all requests to the Replicon application.

The users’ log-in credentials are verified on the Domain Controller or Active Directory and only the user name is forwarded to the Replicon database to ensure that the user exists in Replicon. If the user is found, the timesheet is loaded, without the need for the user to re-authenticate.

A user is considered to be logged into the application until the user logs out, which terminates the session. If the user closes the browser, the session remains active unless the session cookie is deleted or overridden. At no point will the Replicon server or the database server cache the user's login credentials.

SAML is installed on one of the servers within the office network and is hosted on IIS; if a user does not know the URL for the SAML website, they will have to contact their local Admin or the IT Help Desk.

How will SAML setup change the end user experience?

Before SAML setup:
User will access the link http://login.replicon.com and enter the user credentials, which are the company name, username and password, to access the Replicon account.
After SAML setup:
User will use the internal URL provided by the IT team to access their Replicon account.
When on SAML, users may or may not get a password prompt. This will depend on the browser settings and also on the browser which the user is using.
When the user is prompted for a username and password, he/she will have to enter their Active Directory credentials to log in to the Replicon application. The user should not enter their Domain name as part of the username. So if my Domain is D1 and my username is U2, I should type the username as U2 and not D1\U2.

Requirements:

  • There has to be an Active Directory setup available.
  • SAML has to be set up on a server with IIS 6.0 or 7.0/7.5 which is connected to any of the domain controllers on the Active Directory; if there are multiple Domains involved, then each of these Domains must have a two-way trust relationship.
  • This SAML server has to have IIS installed with the Windows authentication module. ASP.NET Impersonation is a good-to-have module on IIS 7/7.5.
  • You can set up the SAML on the default website or create a new website.
  • Download the SAMLIdentityProvider.zip file from the following URL: https://www.replicon.com/customer-zone2/kb-5077
  • The username of users on Replicon has to match their username on the Active Directory.
  • The user's Authentication Type has to be set to SSO in the Replicon application. (In order to get this option under the edit user profile screen, you will have to enable SAML under System Preferences.)
  • The preferred web browsers on the client machine are the latest stable versions of Internet Explorer, Firefox or Chrome.
  • If there are multiple Domains, then there has to be a two-way trust relation between the user’s Domain and the Domain on which the SAML server is hosted.
  • If there is a firewall on the network, then you will have to create a rule for both inbound and outbound to allow traffic from na1.replicon.com on port 80 and 443.
  • If there is a proxy server setup on the network then an exception has to be created for na1.replicon.com.
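The following is an added example, not Replicon's code, showing the service-provider side of the flow described above (the Identity Provider vouches for the user, only the username is forwarded, Replicon checks that the user exists and is set to SSO). It assumes the SAML Response's XML signature has already been verified by the SAML library in front of this code (signature checking is not implemented here), uses a placeholder audience value standing in for the Replicon URL defined during setup, and checks the assertion against a constructed user table; the DOMAIN\ prefix stripping is this example's own choice, reflecting the rule above that the domain name must not be part of the username.

```python
"""Added example (not Replicon's own code): validate a SAML assertion and map
its NameID to a Replicon user. Assumes the XML signature was verified upstream."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder for the Replicon URL defined during SAML setup (assumption).
EXPECTED_AUDIENCE = "https://na1.replicon.com/EXAMPLE-COMPANY"

# Constructed user table standing in for the Replicon database:
# username -> Authentication Type from the user's profile.
SAMPLE_USERS = {
    "U2": "SSO",
    "jdoe": "Password",
}

# Constructed SAML Response; the Signature element is omitted because this
# example assumes it was already verified by the SAML library.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>http://saml.example.internal/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">D1\\U2</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://na1.replicon.com/EXAMPLE-COMPANY</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_saml_time(value):
    """SAML timestamps are xsd:dateTime in UTC with a trailing 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_username(name_id):
    """Replicon matches the bare AD username, so strip a DOMAIN\\ prefix
    (D1\\U2 -> U2) or a UPN suffix (U2@d1.local -> U2). Example policy only."""
    if "\\" in name_id:
        name_id = name_id.split("\\", 1)[1]
    if "@" in name_id:
        name_id = name_id.split("@", 1)[0]
    return name_id


def validate_assertion(response_xml, now, expected_audience=EXPECTED_AUDIENCE):
    """Return the asserted username, or raise ValueError naming the failed check."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is None:
        raise ValueError("assertion has no Conditions")
    # Validity window: NotBefore is optional in SAML, NotOnOrAfter is required here.
    not_before = conditions.get("NotBefore")
    if not_before is not None and now < parse_saml_time(not_before):
        raise ValueError("assertion not yet valid")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_on_or_after is None or now >= parse_saml_time(not_on_or_after):
        raise ValueError("assertion expired or has no NotOnOrAfter")
    # Audience: the assertion must have been issued for this service provider.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not intended for this service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    return normalize_username(name_id.text.strip())


def sso_login(response_xml, now, users=SAMPLE_USERS):
    """Mirror the flow in the text: the IdP has authenticated the user, so
    Replicon only checks that the username exists and the profile is set to SSO.
    Returns (ok, detail)."""
    try:
        username = validate_assertion(response_xml, now)
    except ValueError as exc:
        return (False, str(exc))
    auth_type = users.get(username)
    if auth_type is None:
        return (False, "user %s not found in Replicon" % username)
    if auth_type != "SSO":
        return (False, "user %s is not configured for SSO" % username)
    return (True, username)


if __name__ == "__main__":
    print(sso_login(SAMPLE_RESPONSE, parse_saml_time("2024-01-01T12:01:00Z")))
```

Running the block logs in the constructed user U2 (the D1\ prefix is stripped before the lookup); the same response presented after 12:05:00Z is rejected by the validity-window check, and a user whose profile is not set to SSO is refused even though the Identity Provider vouched for them.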