Single Sign On Overview
- Updated on 02 Nov 2023
Overview
CobbleStone® Software’s Contract Insight application offers various functional options for application authentication (users logging into the system).
Authentication Types
CobbleStone® Software’s Contract Insight application has the ability to support the following types of authentication:
- Standard Username & Password
- SAML 2.0 SSO
- ADFS SSO
- LDAP SSO
- Active Directory SSO (Integrated Windows Auth)
What is Single Sign-On (SSO)?
Single sign-on (SSO) is a system that enables users to authenticate securely with multiple applications and websites by logging in only once, with a single set of credentials, against one central Identity Provider. With SSO, the application or website that the user is trying to access relies on a trusted third party (the Identity Provider) to verify that users are who they say they are.
If the Identity Provider can verify the user’s identity, it passes verification back to the website or application. The website or application then takes the Identity Provider’s word for it and logs the user in (creates a session for the user).
Standard Username & Password Authentication
This is the basic, out-of-the-box authentication method for CobbleStone®.
What is Required?
Nothing additional is required to use this authentication type.
How is it Used?
With this authentication type, each user must log in using the credentials (username and password) associated with their employee/user account within their CobbleStone® application.
How is it Secured?
This authentication type is secured through several components:
- HTTPS secured/encrypted connection.
- Passwords are stored encrypted using 256-bit AES encryption.
SAML 2.0 SSO Authentication
Security Assertion Markup Language (SAML) is an open standard that allows identity providers (IDP) to pass authorization credentials to service providers (SP).
What is Required?
Client’s Identity Provider (IDP) metadata (XML file) including signing certificate. Typically, this would be provided by the Identity Provider administrator.
Please note: CobbleStone® does not currently support encryption of the assertions.
How is it Used?
CobbleStone® supports both IDP-initiated and SP-initiated logins/authentications.
IDP initiated:
Users initially start from their Identity Provider (typically through their intranet). From here a user would typically click on a link to their CobbleStone® application.
SP initiated:
Users initially start from their CobbleStone® application (by navigating to their CobbleStone® URL). Users who are not already authenticated with their Identity Provider will be redirected to their Identity Provider’s login page. Once authenticated, the user will be passed back to their CobbleStone® URL and logged in.
User Verification: Standard
When a user successfully authenticates against their Identity Provider, the Identity Provider returns a signed response to the CobbleStone® application containing the user’s username. The CobbleStone® application verifies whether the username provided matches a username within the application. If there is a valid matching user account, a session is created and the user is logged in.
User Verification: Just-In-Time Provisioning
CobbleStone® additionally supports Just-In-Time Provisioning of user accounts. In this scenario/setup, users who do not already have an account in their CobbleStone® system have one automatically generated/created when they first access the system.
How is it Secured?
This authentication type is secured through several components:
- HTTPS secured/encrypted connection.
- Passwords are never stored or entered in CobbleStone®.
- All authentication occurs within Identity Provider.
ADFS SSO Authentication
Active Directory Federation Service (ADFS) is a software component developed by Microsoft to provide Single Sign-On (SSO) authorization service to users on Windows Server Operating Systems. ADFS allows users across organizational boundaries to access applications on Windows Server Operating Systems using a single set of login credentials.
What is Required?
Client’s Identity Provider (IDP) metadata (XML file) including signing certificate. Typically, this would be provided by the Identity Provider administrator.
Please note: CobbleStone® does not currently support encryption of the assertions.
How is it Used?
CobbleStone® supports both IDP-initiated and SP-initiated logins/authentications.
IDP initiated:
Users initially start from their Identity Provider (typically through their intranet). From here a user would typically click on a link to their CobbleStone® application.
SP initiated:
Users initially start from their CobbleStone® application (by navigating to their CobbleStone® URL). Users who are not already authenticated with their Identity Provider will be redirected to their Identity Provider’s login page. Once authenticated, the user will be passed back to their CobbleStone® URL and logged in.
User Verification: Standard
When a user successfully authenticates against their Identity Provider, the Identity Provider returns a signed response to the CobbleStone® application containing the user’s username. The CobbleStone® application verifies whether the username provided matches a username within the application. If there is a valid matching user account, a session is created and the user is logged in.
User Verification: Just-In-Time Provisioning
CobbleStone® additionally supports Just-In-Time Provisioning of user accounts. In this scenario/setup, users who do not already have an account in their CobbleStone® system have one automatically generated/created when they first access the system.
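The SP-initiated flow and the two user-verification modes described above for SAML 2.0 and for ADFS (which presents the same SAML response to the application) can be illustrated on the service-provider side. The following is an added example written for this page; it is not CobbleStone® code and does not describe how Contract Insight is implemented. It assumes the response's XML signature has already been verified against the certificate from the Identity Provider's metadata by a SAML library, and then performs the checks a service provider makes before trusting the username: the response was addressed to this application (Destination), it answers the AuthnRequest this application sent (InResponseTo, SP-initiated only), the IdP reported success, the assertion is inside its validity window, and the assertion's audience is this application. Only then is the NameID matched against the local account list, either strictly (Standard) or with an account created on first login (Just-In-Time Provisioning). The entity IDs, URLs, account list and SAML response are constructed for the example.

```python
"""Service-provider side checks on a SAML 2.0 Response, then username matching.
Added example; assumes the XML signature was already verified by a SAML library."""
import xml.etree.ElementTree as ET  # a production SP parses untrusted XML with a hardened parser
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Hypothetical identifiers for this service provider (constructed).
SP_ENTITY_ID = "https://contracts.example.com/sp"
SP_ACS_URL = "https://contracts.example.com/saml/acs"

# Constructed local user store: username -> display name.
ACCOUNTS = {"alice": "Alice Example"}

# Fixed clock so the example is reproducible (constructed).
FIXED_NOW = datetime(2023, 11, 2, 12, 0, tzinfo=timezone.utc)
CLOCK_SKEW = timedelta(minutes=3)


def _parse_utc(value):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id=None, now=None):
    """Return the NameID (username) if the response passes SP-side checks, else raise ValueError."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:
        raise ValueError("response was not addressed to this SP")
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("Identity Provider did not report success")
    # SP-initiated: the response must answer the request we issued; IdP-initiated responses are unsolicited.
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext assertion (encrypted assertions are not handled here)")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion carries no Conditions")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now + CLOCK_SKEW < _parse_utc(not_before):
        raise ValueError("assertion not yet valid")
    if not_on_or_after and now - CLOCK_SKEW >= _parse_utc(not_on_or_after):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was issued for a different audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return name_id.text.strip()


def resolve_user(username, accounts, jit_provisioning=False):
    """Standard mode: only existing accounts may log in. JIT mode: unknown users get an account."""
    if username in accounts:
        return username, False
    if jit_provisioning:
        accounts[username] = username  # minimal record; a real SP would populate it from attributes
        return username, True
    raise ValueError(f"no matching account for {username!r}")


def login(xml_text, accounts, expected_request_id=None, jit_provisioning=False, now=None):
    """Full decision: validated username -> local account -> session subject."""
    username = validate_response(xml_text, expected_request_id, now)
    user, created = resolve_user(username, accounts, jit_provisioning)
    return {"user": user, "created": created}


# Constructed sample response, as an IdP would return it after signing.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" InResponseTo="_req-1" Version="2.0"
    IssueInstant="2023-11-02T12:00:00Z" Destination="{SP_ACS_URL}">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-1" Version="2.0" IssueInstant="2023-11-02T12:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2023-11-02T11:57:00Z" NotOnOrAfter="2023-11-02T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(login(SAMPLE_RESPONSE, dict(ACCOUNTS), "_req-1", now=FIXED_NOW))
```

The Destination, InResponseTo, audience and validity-window checks are what stop a signed response from being replayed later or reused against a different service provider; the username match is deliberately the last step, so that an account lookup never happens for a response that failed any earlier check.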
How is it Secured?
This authentication type is secured through several components:
- HTTPS secured/encrypted connection.
- Passwords are never stored or entered in CobbleStone®.
- All authentication occurs within Identity Provider.
LDAP Authentication
LDAP (Lightweight Directory Access Protocol) is an open, cross-platform protocol used for directory services authentication.
What is Required?
Client’s LDAP endpoint URL and additional parameters.
How is it Used?
The user enters their Active Directory username and password into their CobbleStone® application’s login page. The CobbleStone® application takes the provided credentials and calls the LDAP server to verify them. The LDAP server returns whether the credentials are valid, and the CobbleStone® application proceeds accordingly.
If the provided credentials were valid, the CobbleStone® application verifies whether the username provided matches a username within the application. If there is a valid matching user account, a session is created and the user is logged in.
If the LDAP server reported the credentials as invalid, or there is no matching username within the CobbleStone® application, an invalid login message is displayed.
How is it Secured?
This authentication type is secured through several components:
- HTTPS secured/encrypted connection.
- Passwords are never stored in CobbleStone®.
- All authentication occurs within the LDAP server.
Active Directory Authentication (Integrated Windows Auth)
Integrated Windows authentication enables users to log in with their Windows credentials. Windows authentication is best suited for an intranet environment.
What is Required?
The CobbleStone® Application must be deployed on the client’s servers. The IIS Server must be on the same Active Directory domain as the user(s) being authenticated.
How is it Used?
When the CobbleStone® Application is being installed, the IIS website must be configured to enable “Windows Authentication” and to disable “Anonymous Authentication”.
When a user accesses the CobbleStone® Application URL, the user’s browser prompts for username and password credentials. These credentials are verified against the client’s Active Directory domain by the Windows and IIS server(s).
User Verification: Standard
When a user successfully authenticates against their Active Directory domain, the user’s username is returned and passed to the CobbleStone® application. The CobbleStone® application verifies whether the username provided matches a username within the application. If there is a valid matching user account, a session is created and the user is logged in.
If the username returned from Active Directory is invalid, or there is no matching username within the CobbleStone® application, an invalid login message is displayed.
User Verification: Automatic Browser Pass-through
CobbleStone® additionally supports automatic pass-through of user credentials by the browser. This setting must be configured under the browser’s security settings for either “Local Intranet” or “Trusted Sites”.
How is it Secured?
This authentication type is secured through several components:
- HTTPS secured/encrypted connection.
- Passwords are never stored or entered in CobbleStone®.
- All authentication occurs within client’s Active Directory domain.