Redtrust IdP integration with SAML 2.0

Overview

In this tutorial, you'll learn how to integrate Redtrust with an Identity Provider (IdP) using Security Assertion Markup Language (SAML) 2.0 to enable Single Sign-On (SSO). This tutorial is intended for developers and IT administrators. It assumes you have basic knowledge of common IdPs such as Google Workspace or Microsoft Entra ID (formerly know as Azure Active Directory).

Background

One way to authenticate users in Redtrust is integrating a SAML 2.0 identity provider (IdP) with Redtrust. SAML 2.0 is a widely adopted protocol that facilitates secure communication between an Identity Provider (IdP) and a Service Provider (SP). At the core of this process is the SAML assertion, an XML-based document generated by the IdP that contains authentication details and user information, such as attributes and permissions. This assertion is securely passed to the SP to validate the user and grant access, ensuring seamless and secure user experiences. In this tutorial, you'll configure your software as an SP and establish trust with an IdP to enable SSO.

You can optionally configure Redtrust to digitally sign SAML authentication requests. This is required by some IdPs. You can enable this during domain creation or later by editing the domain settings in Redtrust.

Before you start

Before continuing with this tutorial make sure you have access to Redtrust and the IdP you'll be configuring and you have permissions to edit the configuration files.

info

If you already have a SAML domain and want to add the sign request configuration, go to the optional item in Step 2 and then Step 3.

Step 1: Configure the domain in the IdP for SSO

To configure the application you must access the relevant portal as administrator and follow these steps depending on whether you want to configure SSO for Entra ID or Google Workspace.

Microsoft Entra ID

1. Go to Microsoft Entra ID > Enterprise applications.

2. Select + New Application > Create your own application.

3. Add a Redtrust as name for the application and click Create.

4. Click Set up single sign on > SAML.

5. In section 1, Basic SAML Configuration, click the pencil icon and add the information as follows:

   1. Identifier (EntityId): https://REDTRUST-URL/DOMAIN

   2. Reply URL (Assertion Consumer Service URL): https://REDTRUST-URL/Auth/SamlConsumer

6. Proceed to the next step without closing the current window.

Google Workspace

1. Access Google Workspace Admin Console and go to Apps > Web and mobile apps.

2. Click Add app and select Add custom SAML app.

3. Add the name Redtrust and click Continue.

4. Copy the SSO URL and Entity ID, and download the certificate and click Continue. The information you copied is needed in step 2.

5. Add add the information as follows.

   1. ACS URL: https://REDTRUST-URL/Auth/SamlConsumer

   2. EntityId: https://REDTRUST-URL/DOMAIN

Step 2: Create the domain in Redtrust

To configure Redtrust server, follow these steps.

1. Access Redtrust, navigate to Access > Domains and click New.
2. In the dialog box:
   1. Add the alias you want to give to the domain. The domain can match the email domain of the users, that is, the part of the email after the @.
   2. Select SAML 2 as the the domain type and click Next to see all configuration options.

Microsoft Entra ID

3. Use the Entra ID application setup that you left open in step 1 to fill the information.

   Redtrust configuration name	Location in Microsoft Entra ID
   Login URL (HTTP-redirect)	Section 4 > Login URL.
   IDP X509 certificate (for signature)	Section 3 > Certificate (Base64). Download the file, open it, and copy the content.
   Email	Section 2 > emailaddress.
   Name	Section 2 > givenname (the Entra ID user must have a name configured).
   Surname	Section 2 > surname (the Entra ID user must have a configured last name).

4. (Optional) Select Signed request if you want to sign SAML authentication requests. In the Certificate source you can select Generate self-signed certificate or Upload PFX/P12 certificate. This file is the public part of the signing request certificate and you will need it for the next step. If you use a self-signed certificated, you need to download it as explain in the next step.

Google Workspace

3. Use the data copied in Step 1 to field Redtrust configuration.

4. Fill the rest of the data as follows:

   • Domain: Name of the Entra ID domain in which you want to SSO.
   • Is it case sensitive? : No
   • ACS by index: No

Step 3 (Optional): Add signed request configuration

Microsoft Entra ID

1. If you generated a self-signed certificate, go to Access > Domain. Select the domain you just created. Download the certificate.

2. Go back to the Entra ID application section 3, Verification certificates (optional). Click the pencil icon.

   1. Select Require verification certificates.

   2. Click Upload certificate, select your certificate and then click Ok and Save.

Google Workspace

info

Google Workspace does not support validating signed SAML authentication requests, so it is not possible to enable this option when integrating with Google as the Identity Provider (IdP).

Summary

In this tutorial, you configured Redtrust as a SP and integrated it with an IdP using SAML 2.0 to enable SSO. You set up the IdP by defining the necessary authentication parameters and then configured Redtrust to trust the IdP. This integration allows users to authenticate seamlessly using their existing credentials, improving security and user experience.

For more details on SAML configuration options, refer to the Domain documentation.