Implement authentication with SAML
10Duke Enterprise supports SAML 2.0 Web Browser SSO Profile (SP-initiated) for user authentication. You can connect your client application using SAML when you need to provide single sign-on (SSO) for your users.
If your application needs to consume licenses or access 10Duke APIs, connect it using OIDC instead.
Implementing SAML for your client application from scratch is difficult. There are plenty of libraries available, and we recommend that you find a library suitable for your client application to handle SAML for you.
Before you start
Define a SAML connection for your client application in 10Duke SysAdmin:
- This includes defining the client ID (SAML entity ID) of your client application (SP), and the endpoint URL of your client application for receiving the response (SP assertion consumer service).
- Add the response attributes using attribute names that your client application (SP) expects to receive from the IdP.
Step 1: Initiate authentication flow
From the client application (SP), send the user agent (browser) to the 10Duke Authentication API’s authentication endpoint at https://<your environment base URL>/user/saml20/signon.
An example URL where the browser is sent (line breaks added for display purposes):
https://customer.10duke.net/user/saml20/authz
?SAMLRequest=jVNNb...
&RelayState=TestRelayState
&SigAlg=http%3A%2F%2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1
&Signature=pXb8z...
- Use the base URL of your 10Duke Enterprise environment.
- In the request query parameters, in SAMLRequest provide an encoded SAML authentication request (AuthnRequest), and in RelayState provide any value that you want to be sent back to your client application when authentication has been completed and 10Duke Enterprise sends a response back to your client application. In SigAlg, give the identifier of the signature algorithm, and in Signature the cryptographic signature computed over the request.
When the end user has completed the login in the browser and been successfully authenticated, the browser is sent back to the client application’s (SP’s) callback URI (assertion consumer service).
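The following is an added example, not 10Duke's own code, showing what step 1 looks like in a client application: it builds the AuthnRequest, applies the HTTP-Redirect binding encoding (raw DEFLATE, then base64, then URL-encoding) and signs the SAMLRequest, RelayState and SigAlg parameters in the order the SAML 2.0 bindings specification prescribes. The SP entity ID, ACS URL and hostnames are constructed placeholders; the signature algorithm is assumed to be rsa-sha256 (the page's sample URL shows rsa-sha1, so use whatever your 10Duke connection is configured to accept), and the stand-alone run assumes the `cryptography` package for the RSA signer.

```python
"""Added example: build and sign a SAML 2.0 AuthnRequest for the HTTP-Redirect
binding (SP-initiated SSO). Not 10Duke's own code; names are illustrative."""
import base64
import uuid
import zlib
from datetime import datetime, timezone
from typing import Callable, Optional, Tuple
from urllib.parse import quote_plus
from xml.sax.saxutils import escape

# Signature algorithm URI sent in SigAlg. Assumed here; the page's sample URL
# uses rsa-sha1, so match what your 10Duke connection is configured for.
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def _attr(value: str) -> str:
    """Escape a value for use inside a double-quoted XML attribute."""
    return escape(value, {'"': "&quot;"})


def build_authn_request(sp_entity_id: str, acs_url: str, idp_signon_url: str,
                        request_id: Optional[str] = None,
                        issue_instant: Optional[str] = None) -> Tuple[str, str]:
    """Return (request ID, AuthnRequest XML). Keep the ID server-side so the
    SAMLResponse's InResponseTo can be checked in step 2."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    xml = (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{_attr(request_id)}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{_attr(idp_signon_url)}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{_attr(acs_url)}">'
        f'<saml:Issuer>{escape(sp_entity_id)}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )
    return request_id, xml


def encode_saml_request(xml: str) -> str:
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    data = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(data).decode("ascii")


def decode_saml_request(encoded: str) -> str:
    """Inverse of encode_saml_request, useful for inspecting what was sent."""
    return zlib.decompress(base64.b64decode(encoded), -15).decode("utf-8")


def signed_query_string(authn_request_xml: str, relay_state: str,
                        sig_alg: str = RSA_SHA256) -> str:
    """The exact bytes the signature covers: URL-encoded SAMLRequest, RelayState
    and SigAlg, in that order (SAML 2.0 Bindings, section 3.4.4.1)."""
    return ("SAMLRequest=" + quote_plus(encode_saml_request(authn_request_xml))
            + "&RelayState=" + quote_plus(relay_state)
            + "&SigAlg=" + quote_plus(sig_alg))


def build_redirect_url(idp_signon_url: str, authn_request_xml: str, relay_state: str,
                       signer: Callable[[bytes], bytes], sig_alg: str = RSA_SHA256) -> str:
    """Sign the query string and append the base64 signature as Signature."""
    signed_query = signed_query_string(authn_request_xml, relay_state, sig_alg)
    signature = base64.b64encode(signer(signed_query.encode("ascii"))).decode("ascii")
    return f"{idp_signon_url}?{signed_query}&Signature={quote_plus(signature)}"


if __name__ == "__main__":
    # RSA signer via the 'cryptography' package (assumed installed). In a real SP
    # the key is the one whose certificate is registered for the SAML connection.
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa

    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def rsa_sha256_signer(data: bytes) -> bytes:
        return key.sign(data, padding.PKCS1v15(), hashes.SHA256())

    idp = "https://customer.10duke.net/user/saml20/signon"  # constructed placeholder
    rid, xml = build_authn_request("https://sp.example.com/metadata",
                                   "https://sp.example.com/my-client-acs", idp)
    print(build_redirect_url(idp, xml, "TestRelayState", rsa_sha256_signer))
```

The signer is injected so the URL construction can be checked without a key; the important detail is that the signature is computed over the already URL-encoded query string, so the encoding used in the URL and the encoding used for signing must be identical, otherwise the IdP's verification fails.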
Step 2: Handle SAML response
Handle the response sent back to the client application to read the SAML authentication response.
An example response (line breaks added for display purposes):
POST /my-client-acs HTTP/1.1
Host: {SP_BASE_URL}
Content-Type: application/x-www-form-urlencoded
SAMLResponse=PHNhb...
&RelayState=TestRelayState
From the SAMLResponse parameter, your client application can now read the SAML authentication response containing the details of the authenticated user.
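An added example, not 10Duke's own code, of the checks a client application should run on the SAMLResponse before accepting the user details it carries. It deliberately does not verify the XML signature: that belongs to your SAML library (xmlsec-based libraries do it) and must succeed before any of these checks run. What the example does cover is the rest: success status, Destination and InResponseTo tied to the AuthnRequest the SP issued, Issuer, validity window with clock skew, AudienceRestriction and SubjectConfirmationData. The IdP and SP entity IDs, ACS URL, timestamps and the attribute names "email" and "displayName" in the sample response are constructed for the example; the attribute names in a real deployment are the ones you configured in SysAdmin.

```python
"""Added example: post-signature checks on a SAMLResponse. Not 10Duke's code;
entity IDs, URLs, timestamps and attribute names below are constructed."""
import base64
from datetime import datetime, timedelta, timezone
from typing import Optional
import xml.etree.ElementTree as ET  # use defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample values (not from the page)
IDP_ENTITY_ID = "https://customer.10duke.net"
SP_ENTITY_ID = "https://sp.example.com/metadata"
ACS_URL = "https://sp.example.com/my-client-acs"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 10, tzinfo=timezone.utc)
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z"
  Destination="{ACS_URL}" InResponseTo="_abc">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:05Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"
          Recipient="{ACS_URL}" InResponseTo="_abc"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


class SamlResponseError(ValueError):
    """Raised when the response must not be trusted."""


def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def encode_response(xml: str) -> str:
    """Encode a response the way it arrives in the SAMLResponse form field."""
    return base64.b64encode(xml.encode("utf-8")).decode("ascii")


def validate_saml_response(saml_response_b64: str, *, idp_entity_id: str, sp_entity_id: str,
                           acs_url: str, expected_request_id: str,
                           now: Optional[datetime] = None,
                           clock_skew: timedelta = timedelta(minutes=3)) -> dict:
    """Return the user's NameID and attributes, or raise SamlResponseError.
    Precondition: the XML signature was already verified by the SAML library."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlResponseError("not a samlp:Response")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise SamlResponseError("authentication was not successful")
    # The response must be addressed to our ACS and answer a request we issued.
    if root.get("Destination") != acs_url:
        raise SamlResponseError("Destination does not match our ACS URL")
    if root.get("InResponseTo") != expected_request_id:
        raise SamlResponseError("InResponseTo does not match a pending AuthnRequest")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # an EncryptedAssertion must be decrypted by the library first
        raise SamlResponseError("expected exactly one plain Assertion")
    a = assertions[0]
    for issuer in (root.findtext("saml:Issuer", namespaces=NS), a.findtext("saml:Issuer", namespaces=NS)):
        if issuer != idp_entity_id:
            raise SamlResponseError("unexpected Issuer")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        raise SamlResponseError("assertion has no Conditions")
    if cond.get("NotBefore") and now + clock_skew < _ts(cond.get("NotBefore")):
        raise SamlResponseError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - clock_skew >= _ts(cond.get("NotOnOrAfter")):
        raise SamlResponseError("assertion expired")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise SamlResponseError("assertion was issued for a different audience")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None:
        if scd.get("Recipient") not in (None, acs_url) or scd.get("InResponseTo") not in (None, expected_request_id):
            raise SamlResponseError("SubjectConfirmationData does not match this SP/request")
        if scd.get("NotOnOrAfter") and now - clock_skew >= _ts(scd.get("NotOnOrAfter")):
            raise SamlResponseError("subject confirmation expired")
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Return the assertion ID as well: remember seen IDs until NotOnOrAfter to reject replays.
    return {"assertion_id": a.get("ID"),
            "name_id": a.findtext("saml:Subject/saml:NameID", namespaces=NS),
            "attributes": attrs}
```

The `expected_request_id` is the ID stored when the AuthnRequest was issued in step 1, keyed by the browser session; an unsolicited response that does not match a pending request is rejected, as is one addressed to a different ACS URL or audience.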
Next steps
After successfully connecting your client application to 10Duke Enterprise, the client application is integrated into an SSO environment.
Your end users can authenticate with 10Duke Enterprise, and new authentication features can be added without affecting your client application.
For example, customer federation or multi-factor authentication (MFA) can be set up: