Joomag supports SP-initiated SSO authentication. This means you can connect your own SSO Identity Provider (IdP) to your Joomag account. In this article, we have gathered a detailed description of the SSO process for technical implementation.
If you need a step-by-step explanation of integrating SSO with third-party services, you may want to refer to the following two articles:
- Setting up Single Sign-on through OneLogin
- Setting up Single Sign-on with your Microsoft Azure
Settings page on Joomag
To set up SSO, you need to go to the account settings page: Settings -> Account settings -> Single Sign-on tab. Here, you will have access to the SSO settings provided by Joomag as the Service Provider (SP) and the fields you need to fill in for your Identity Provider (IdP).
As shown in the image, Joomag provides the following data for SSO authentication:
- Audience URL - https://webhook.joomag.com/sso/metadata
- ACS URL - https://webhook.joomag.com/sso/acs
- X.509 Certificate
On your part, you need to provide the following data:
- Identity Provider Identifier or Issuer URL
- Identity Provider Single Sign-On URL
- X.509 Certificate
Step-by-step description of the SSO process
1. SSO Initialization by the User
The process begins when a user tries to access a resource on Joomag (the Service Provider, SP). Instead of entering their credentials directly on Joomag’s login page, the user is redirected to the Identity Provider (IdP) for authentication.
- Joomag will generate a SAML authentication request.
- This request is sent to the Identity Provider Single Sign-On URL that you provided; for example, the screenshot shows https://joomag-dev.onelogin.com/trust/saml2...
2. Redirection to the IdP (Identity Provider)
Your Identity Provider Identifier (Issuer URL), for example https://app.onelogin.com/saml/metadata/..., is used by Joomag to uniquely identify and communicate with your IdP. The authentication request redirects the user to the IdP's login page, where they must authenticate; the IdP's job is to confirm the identity of the user.
3. Creation of SAML Response by the IdP
The user enters their credentials (username/password) at the IdP's login page. The IdP verifies these credentials against its database. If the credentials are valid, the IdP creates a SAML response.
The IdP generates a SAML assertion containing information about the authenticated user. But how does the IdP know what assertion data to send to joomag.com? For this, the IdP reads the metadata from the Audience URL - https://webhook.joomag.com/sso/metadata. By loading the XML from this page, the IdP obtains all the data required by joomag.com. As indicated in the image below, joomag.com requires the IdP to send the email address of the user who has just logged in (NameID format urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress).
4. Sending the SAML Response to the SP (Joomag)
The IdP therefore sends the SAML response containing the user's email address to the page specified in the ACS URL setting - https://webhook.joomag.com/sso/acs. After that, joomag.com authenticates the user.
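Steps 1 to 4 above, worked through as an added Python example. This is not Joomag's code and not code from any of the IdPs mentioned; Joomag's real implementation may differ. It uses only the standard library. The Audience URL, ACS URL and the emailAddress NameID format are the values from this page; the IdP SSO URL, the request IDs, the fixed clock and the sample response are constructed placeholders. The response checks are the ones an SP has to make before it trusts an assertion (Destination, InResponseTo, status, a single assertion, Audience, validity window, NameID format); verifying the XML signature with the IdP certificate is a separate step that needs an XML-DSig library and is only called out in a comment.

```python
"""SP-initiated SAML 2.0 flow from the SP side (constructed example, stdlib only):
build the AuthnRequest, encode it for HTTP-Redirect, validate the Response at the ACS."""
import base64
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode
import xml.etree.ElementTree as ET

# Values from the Joomag SSO settings page.
SP_ENTITY_ID = "https://webhook.joomag.com/sso/metadata"  # Audience URL
ACS_URL = "https://webhook.joomag.com/sso/acs"             # ACS URL
# Placeholder: the real IdP SSO URL is specific to your IdP tenant.
IDP_SSO_URL = "https://idp.example.com/trust/saml2/http-redirect/sso"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def saml_time(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")

def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_authn_request(request_id: str, now: datetime) -> str:
    """Step 1: the AuthnRequest the SP generates; Issuer is its entity ID."""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}"'
        f' ID="{request_id}" Version="2.0" IssueInstant="{saml_time(now)}"'
        f' Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{ACS_URL}"'
        ' ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{EMAIL_FORMAT}"/></samlp:AuthnRequest>'
    )

def redirect_url(authn_request: str, relay_state: str) -> str:
    """Step 2: HTTP-Redirect binding = raw DEFLATE, base64, URL-encode into the query."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # wbits -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request.encode()) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode(),
                       "RelayState": relay_state})
    return f"{IDP_SSO_URL}?{query}"

def validate_response(response_b64: str, request_id: str, now: datetime) -> str:
    """Steps 3-4: checks the SP makes on the Response POSTed to the ACS URL.
    Returns the authenticated email or raises ValueError. Verifying the XML signature
    with the IdP X.509 certificate is a separate, mandatory step not shown here."""
    root = ET.fromstring(base64.b64decode(response_b64))
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise ValueError("not a samlp:Response")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not the ACS URL")
    if root.get("InResponseTo") != request_id:
        raise ValueError("InResponseTo does not match our AuthnRequest")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    audience = a.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    if audience is None or audience.text != SP_ENTITY_ID:
        raise ValueError("Audience is not our Audience URL")
    cond = a.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion outside its validity window")
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError("NameID must use the emailAddress format")
    return name_id.text

def rejected(response_b64: str, request_id: str, now: datetime) -> bool:
    """True when validate_response refuses the response (used in checks)."""
    try:
        validate_response(response_b64, request_id, now)
    except ValueError:
        return True
    return False

def sample_response(request_id: str, now: datetime, email: str,
                    audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned Response resembling what an IdP would POST to the ACS."""
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1"'
        f' Version="2.0" Destination="{ACS_URL}" InResponseTo="{request_id}">'
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        f'<saml:Assertion ID="_a1" Version="2.0"><saml:Subject>'
        f'<saml:NameID Format="{EMAIL_FORMAT}">{email}</saml:NameID></saml:Subject>'
        f'<saml:Conditions NotBefore="{saml_time(now - timedelta(minutes=1))}"'
        f' NotOnOrAfter="{saml_time(now + timedelta(minutes=5))}"><saml:AudienceRestriction>'
        f"<saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
        "</saml:Conditions></saml:Assertion></samlp:Response>"
    )
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    print(redirect_url(build_authn_request("_req1", DEMO_NOW), "/my-magazine"))
    print(validate_response(sample_response("_req1", DEMO_NOW, "user@example.com"), "_req1", DEMO_NOW))
```

The Audience check is what ties the assertion to the Audience URL on the settings page, and the InResponseTo check is what ties the response to a request Joomag actually issued; an assertion that passes the signature check but fails either of these was issued for a different service or a different login and must be refused.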
X.509 certificate
The X.509 certificate on the Joomag side is only needed when the IdP establishes an encrypted connection with the SP; for example, some IdPs only connect to SPs over an encrypted connection. In that case, you can obtain Joomag's X.509 certificate either from the metadata URL (https://webhook.joomag.com/sso/metadata) or from the SSO settings page. You should also enter the X.509 certificate of your IdP so that joomag.com can verify the data coming from the IdP.