SDK Authentication & SSO

Contents [hide]

1. Authentication & SSO using SIMS ID and OAuth2.0
- 1.1 Sample Clients and Settings for OAUTH 2.0
- 1.2 Useful information
2. SAML for SSO interactions
- 2.1 Shibboleth for SSO interactions
- 2.2 UKAMF for SSO interaction
3. SDK Authentication Modes

Authentication & SSO using SIMS ID and OAuth2.0

SIMS ID can provide federated authentication services to your product providing a single sign-on (SSO) experience to joint customers, allowing them to use their familiar username and password to access your product. This removes barriers to access, and lessens the administration overhead associated with the adoption of a new service with its accompanying usernames and passwords.

This authentication can assert a number of attributes for the user, ranging from simply the site(s) they are associated with through to more complex person and relationship data.

Using OAUTH 2.0 and SAML 2.0 authentication integration is achieved using recognised standards and protocols

Sample Clients and Settings for OAUTH 2.0

Sample clients are available to aid in developing against the SIMS OPEN ID Connection Specification. The ZIP file below contains a sample client. Client configuration details that will need to be included in the configuration of the sample client app are available on request.

This is a sample Hybrid C# MVC Web Application that will need to be populated with specific test client details that will be provided for your organisation in the SIMS ID live environment. The SI . Where you are also a SIMS Partner, the organisation will be common to any developments you are doing against SIMS Primary APIs.

Download a sample client application

The Sample Client is of no use without the keys, secrets, scopes and URIs. How to obtain these is detailed below

Useful information

The web.config details of the client will need to be filled in with your ClientId, scopes and our URI settings. You will need set your secret value. All of these settings will be provided following the return of the SIMS ID Partner agreement.

The application is required to be run on https://localhost:5454. You will need to provide your hosting details so that the appropriate redirecturi settings for your client can be populated along with post logout redirect uri values. You will also need a test SSL certificate, however, this can simply be a self-signed certificate installed for the application.

The sample app has a page “../Debug/Tokens” where you can see the Access and Identity tokens, this will assist you in your integration.

Sandbox Environment

UsefulWe Detailsprovide a sandbox environment for SSOyou integration:

to test your integrations. The details are:

~~Our OpenId .well-known endpoint can be found here:~~ ~~https://sts.sims.co.uk/.well-known/openid-configuration~~

STS Base URI: https://simsid-partner-stsserver.azurewebsites.net

OpenId .well-known endpoint: https://simsid-partner-stsserver.azurewebsites.net/.well-known/openid-configuration

Live Environment

The details are:

STS Base URI: https://sts.sims.co.uk

OpenId .well-known endpoint: https://sts.sims.co.uk/.well-known/openid-configuration

Endpoints

Logout Endpoint = {STSBase}/connect/endsession
Token Endpoint = {STSBase}/connect/token
User Info Endpoint = {STSBase}/connect/userinfo
Identity Token Validation Endpoint = {STSBase}/connect/identitytokenvalidation
Token Revocation Endpoint = {STSBase}/connect/revocation
~~Settings (core ones of interest):~~

Scopes:

~~Consent Required : currently to off, this will be turned on for your Live client~~
openid
~~Allow Remember Consent: allows the above to be persisted for the user~~
profile
~~Logout Session Required: on logging out it will end the sessions~~
roles
~~Require Sign Out Prompt: when logging out you get a prompt screen asking to confirm you want to log out, before actually logging out~~

~~Scopes:~~

~~openid~~

~~profile~~

~~roles~~

partner

All of the above are configurable and we can adjust to your needs, however the above is the most restrictive settings. We also allow additional scopes to be requested:

simsapplication

simsmultiorgapplication

offline_access
- Used by a requesting client to request a Refresh Token.

Useful Details for SSO integration:

SIMS ID is based on IdentityServer3, and there is a large amount of resources available online. A good starting point is https://identityserver.github.io/Documentation/docsv2/resources/home.html

The following is bespoke to your implementation and will be provided by secure means:

Client Id
Client Name
Client Secret
This client is linked to your SIMS Primary organisation in the Live system you will have 2 users for:
- Admin User: to be sent separately by secure mail
- Staff User : to be sent separately by secure mail
The admin user can create user(s) in the site using the normal SIMS ID functionality, guide is available from the menu under the Users name.

Requesting Clients

In order to integrate with us, you will need to request clients to be created for you in our Sandbox and Live environments.

We will need the following information for each hybrid client:

Scopes you require

Redirect URIs (URI’s you wish users to redirect back to after a successful authentication).
- These can be localhost addresses in the sandbox environment

Any identity provider restrictions. For example, you may wish to only allow SIMS ID login, and not allow any users to log in using external providers such as Facebook.

Is Consent Required: currently this is set to off in our sandbox environment, however this will be turned on for your live environment client

Allow Remember Consent: this allows the above to be persisted for the user

Logout Session Required: Specifies if the user’s session id should be sent to the Logout Uri

Require Sign Out Prompt: when logging out you get a prompt screen asking to confirm you want to log out, before actually logging out

Contact for client ownership. This is the contact we will send the following information to:
- The details Client Id and Secret will be encrypted in a password protected 7zip compressed file.
- The compressed file will be sent to client owner(s) – the details at this point can be sent to multiple people
- The password for the compressed file will then sent to the single client owner

When you are ready to request your client(s), please send the details to simsidteam@capita.co.uk

SAML for SSO interactions

SAML integration outside of OAUTH 2.0 is not a preferred methodology, and we favour the OAUTH 2.0 approach. However, we can, and do, handle other SAML 2.0 interactions where necessary. Please contact to discuss your requirements.

Shibboleth for SSO interactions

Shibboleth can be supported.

UKAMF for SSO interaction

SIMS ID is registered with UKAMF.

Shibboleth 2.0 endpoint that supports WAYFless

You can review our endpoint attributes by using the UK Federation Test Service Provider at https://test.ukfederation.org.uk/ and specifically, the test Service provided for the UK Federation Central Discovery Service

A WAYFless URL can also be generated using the UK Federation WU-GEN service

The metadata provided by the SIMS ID Shibboleth endpoint can be seen at Live https://sso.sims.co.uk/metadata Staging [https://r4csso.identityfor.co.uk/metadata]

SDK Authentication Modes

SDK Main Page | Authentication & SSO | Provisioning Integration | SIMS ID a stable integration platform