
UI Integration with myKaarma

This document outlines the steps and process of iframing inside myKaarma. The third-party web application will be embedded within an iframe of the myKaarma application. The expected user experience is that the user is already logged into the third-party application through SAML integration, with no second login prompt.

Prerequisites:

  1. The third-party web application should be embeddable as an iframe. For this, the application must not block framing everywhere (a Content-Security-Policy frame-ancestors directive of 'none', or an X-Frame-Options value of DENY); it should either permit framing or whitelist the myKaarma URLs in frame-ancestors.
  2. The third-party web application should support SAML 2.0 integration and act as the SAML Service Provider.

SAML Integration Process

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).

Identity Provider (IdP)

An IdP is a system that manages user identities and authenticates users. It is responsible for verifying a user's credentials and issuing digital certificates or tokens that confirm the user's identity.

myKaarma will work as the IdP.

Service Provider (SP)

An SP is an entity that provides a service, typically in the form of an application or website. It relies on an IdP to authenticate users.

The third-party web application will work as the SP.

How SAML Flow works:

  • The user logs in to the myKaarma web application via the myKaarma IdP.
  • The user attempts to access a service protected by the SP (the third-party application) within the myKaarma application.
  • The SP redirects the user to the IdP.
  • Because the user is already authenticated as part of the myKaarma application login, the IdP does not ask for credentials again, creating a seamless experience.
  • The IdP sends the SAML assertion containing information about the user to the SP.
  • The SP (the third-party application) validates the assertion and grants the user access to the service.

Integration with myKaarma IdP

For integration with the myKaarma IdP, the SP needs to configure the following myKaarma IdP metadata on their end.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.mykaarma.com/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>myKaarma</md:GivenName>
<md:SurName>Administrator</md:SurName>
<md:EmailAddress>sso@mykaarma.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

Going over the important fields from the IdP metadata:

Field Name          | Value                                                              | Description
entityID            | https://accounts.mykaarma.com/saml2/idp/metadata.php               | Unique identifier of the IdP
SingleSignOnService | https://accounts.mykaarma.com/saml2/idp/SSOService.php             | Endpoint where the Service Provider (SP) will send SAML authentication requests
SingleLogoutService | https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php    | Endpoint(s) where the SP will send logout requests and responses
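As an added example (not myKaarma's code or part of this page), the following Python reads the fields listed above out of IdP metadata, insisting on a signing certificate because that is what the SP uses to verify assertions, and checks a Content-Security-Policy header against the frame-ancestors prerequisite from the first section. The metadata sample is constructed with the structure shown above and a placeholder in place of the real certificate; the CSP strings and the embedder origin are assumed values.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample with the structure of the page's metadata; the certificate is a placeholder.
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.mykaarma.com/saml2/idp/metadata.php">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SSOService.php"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Return the fields an SP has to configure from the IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    sso = idp.find("md:SingleSignOnService", NS)
    slo = idp.find("md:SingleLogoutService", NS)
    # Signing certificates are what the SP uses to verify assertion signatures.
    certs = [c.text.strip() for c in idp.findall(
        "md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("IdP metadata has no signing certificate")
    return {"entity_id": root.get("entityID"),
            "sso_url": sso.get("Location"), "sso_binding": sso.get("Binding"),
            "slo_url": slo.get("Location") if slo is not None else None,
            "name_id_format": idp.findtext("md:NameIDFormat", namespaces=NS),
            "signing_certs": certs}

def frame_ancestors_allows(csp_header, embedder_origin):
    """True if frame-ancestors lets embedder_origin frame the app; no directive means no CSP limit."""
    host = embedder_origin.lower().split("://")[-1].split("/")[0]
    for directive in csp_header.split(";"):
        parts = directive.split()
        if not parts or parts[0].lower() != "frame-ancestors":
            continue
        for src in (s.strip("'").lower() for s in parts[1:]):
            if src == "none":  # 'none' blocks every embedder, including myKaarma
                return False
            src_host = src.split("://")[-1].split("/")[0]
            if src == "*" or src_host == host or (
                    src_host.startswith("*.") and host.endswith(src_host[1:])):
                return True
        return False  # directive present but this origin is not whitelisted
    return True
```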

After configuring the IdP metadata, the SP needs to share its own SP metadata with sso@mykaarma.com.

Iframing Application

Once the SAML setup is completed, the myKaarma Engineering team can embed the third-party URL as an iframe in the myKaarma application.