
UI Integration with myKaarma

This document outlines the steps and process for iframing a third-party application inside myKaarma. The third-party web application will be embedded within an iframe of the myKaarma application. The expected user experience is that the user is already logged into the third-party application through SAML integration, without a second login prompt.

Prerequisites:

  1. The third-party web application must be embeddable in an iframe. Its Content-Security-Policy frame-ancestors directive must not be set to 'none' (and X-Frame-Options must not be DENY), or the myKaarma URLs must be explicitly allowed in frame-ancestors so that myKaarma can frame it.
  2. The third-party web application must support SAML 2.0 and act as the SAML Service Provider.
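As an added example (not part of the myKaarma documentation), the following Python function checks a third-party application's response headers against prerequisite 1: it reads the Content-Security-Policy frame-ancestors directive and, only when that directive is absent, X-Frame-Options, and reports whether a given origin may frame the page. The framing origin https://app.mykaarma.com and the header sets are constructed placeholders; the real myKaarma origin is whatever URL the myKaarma engineering team embeds from.

```python
"""Check whether an HTTP response's headers allow the page to be framed by a
given origin.  Added example (not myKaarma's code); the header values are
constructed samples and the framing origin is a placeholder assumption."""
from urllib.parse import urlparse

FRAMING_ORIGIN = "https://app.mykaarma.com"  # placeholder: the real origin is supplied by myKaarma


def _source_matches(source: str, origin: str) -> bool:
    """Match one CSP source expression (*, host, scheme://host, *.host) against an origin.
    Port matching is omitted; both sides are assumed to use https."""
    if source == "*":
        return True
    if source.startswith("'"):
        return False  # 'self' and other keywords never grant a foreign origin
    o = urlparse(origin)
    if "://" not in source:
        source = f"{o.scheme}://{source}"  # bare host: treat as the framing page's scheme
    s = urlparse(source)
    if s.scheme != o.scheme:
        return False
    host_pat = (s.hostname or "").lower()
    host = (o.hostname or "").lower()
    if host_pat.startswith("*."):
        return host.endswith(host_pat[1:])  # *.example.com matches a.example.com, not example.com
    return host == host_pat


def can_be_framed_by(headers: dict, origin: str = FRAMING_ORIGIN) -> tuple:
    """Return (allowed, reason).  When a frame-ancestors directive is present,
    browsers honour it and ignore X-Frame-Options, so it is checked first."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = parts[1:]
            if not sources or sources == ["'none'"]:
                return False, "frame-ancestors 'none' blocks all framing"
            if any(_source_matches(s, origin) for s in sources):
                return True, f"frame-ancestors permits {origin}"
            return False, f"frame-ancestors does not permit {origin}"
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY blocks all framing"
    if xfo == "SAMEORIGIN":
        return False, "X-Frame-Options: SAMEORIGIN blocks cross-origin framing"
    return True, "no framing restriction header set"


# Constructed sample header sets covering the states the prerequisite describes
SAMPLE_HEADERS = {
    "blocked_by_csp": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "blocked_by_xfo": {"X-Frame-Options": "DENY"},
    "allowlisted": {"Content-Security-Policy": "frame-ancestors 'self' https://*.mykaarma.com"},
    "csp_wins_over_xfo": {"Content-Security-Policy": "frame-ancestors https://app.mykaarma.com",
                          "X-Frame-Options": "DENY"},
    "unrestricted": {"Content-Type": "text/html"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLE_HEADERS.items():
        print(f"{name:18} -> {can_be_framed_by(hdrs)}")
```

The "allowlisted" case is the recommended configuration: it keeps framing closed to everyone except the application itself and the myKaarma origins, instead of removing the restriction entirely.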

SAML Integration Process

SAML (Security Assertion Markup Language) is an XML-based open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP).

Identity Provider (IdP)

An IdP is a system that manages user identities and authenticates users. It is responsible for verifying a user's credentials and issuing digital certificates or tokens that confirm the user's identity.

myKaarma acts as the IdP.

Service Provider (SP)

An SP is an entity that provides a service, typically in the form of an application or website. It relies on an IdP to authenticate users.

The third-party web application acts as the SP.

How the SAML flow works:

  • The user logs into the myKaarma web application via the myKaarma IdP.
  • The user attempts to access a service protected by the SP (the third-party application) within the myKaarma application.
  • The SP redirects the user to the IdP.
  • Because the user is already authenticated by the myKaarma application login, the IdP does not ask for credentials again, creating a seamless experience.
  • The IdP sends the SP a SAML assertion containing information about the user.
  • The SP (the third-party application) validates the assertion and grants the user access to the service.

Integration with myKaarma IdP

For integration with the myKaarma IdP, the SP needs to configure the following myKaarma IdP metadata on their end.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.mykaarma.com/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>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</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>myKaarma</md:GivenName>
<md:SurName>Administrator</md:SurName>
<md:EmailAddress>sso@mykaarma.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

Important fields in the IdP metadata:

Field Name | Value | Description
--- | --- | ---
entityID | https://accounts.mykaarma.com/saml2/idp/metadata.php | Unique identifier of the IdP
SingleSignOnService | https://accounts.mykaarma.com/saml2/idp/SSOService.php | Endpoint where the Service Provider (SP) sends SAML authentication requests
SingleLogoutService | https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php | Endpoint(s) where the SP sends logout requests and responses
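As an added example (not myKaarma's code and not any SAML library's), the following Python code shows how an SP consumes these fields: it parses the IdP metadata for the entityID, the SingleSignOnService and SingleLogoutService locations per binding, the signing certificate and the NameID format, then builds the AuthnRequest the SP sends to the SingleSignOnService using the HTTP-Redirect binding (raw DEFLATE, base64, URL-encode) and decodes it again the way the IdP would. The metadata string is this page's IdP metadata with the certificate replaced by a placeholder; the SP entityID and ACS URL are the placeholders from the sample SP metadata. Request signing is omitted.

```python
"""Consume the IdP metadata on the SP side and build the AuthnRequest for the
HTTP-Redirect binding.  Added example, not myKaarma's or any SAML library's
code.  Certificate, SP entityID and ACS URL are placeholders."""
import base64
import datetime as dt
import uuid
import xml.etree.ElementTree as ET
import zlib
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SP_ENTITY_ID = "https://your-third-party-app.com/saml/metadata"  # placeholder from the sample SP metadata
SP_ACS_URL = "https://your-third-party-app.com/saml/acs"         # placeholder from the sample SP metadata

# This page's IdP metadata, certificate replaced by a placeholder
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://accounts.mykaarma.com/saml2/idp/metadata.php">
<md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
SIGNING_CERT_PLACEHOLDER
</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SingleLogoutService.php"/>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://accounts.mykaarma.com/saml2/idp/SSOService.php"/>
</md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what an SP needs: entityID, endpoints per binding, signing certs, NameID formats."""
    root = ET.fromstring(xml_text)  # production: defusedxml, and obtain the metadata over TLS only
    idp = root.find("md:IDPSSODescriptor", NS)
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {}, "signing_certs": [], "name_id_formats": []}
    for svc in idp.findall("md:SingleSignOnService", NS):
        info["sso"][svc.get("Binding")] = svc.get("Location")
    for svc in idp.findall("md:SingleLogoutService", NS):
        info["slo"][svc.get("Binding")] = svc.get("Location")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both signing and encryption
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS) or ""
            info["signing_certs"].append("".join(cert.split()))  # drop base64 line breaks
    info["name_id_formats"] = [n.text for n in idp.findall("md:NameIDFormat", NS)]
    return info


def build_redirect_authn_request(idp: dict, relay_state: str = "") -> tuple:
    """Return (request_id, redirect_url).  The SP must remember request_id to check
    InResponseTo on the Response.  If the IdP requires signed requests, the SAML
    library adds SigAlg/Signature query parameters; that is omitted here."""
    sso_url = idp["sso"][REDIRECT]
    request_id = "_" + uuid.uuid4().hex
    issue_instant = dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    authn = (
        f'<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        f'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{issue_instant}" Destination="{sso_url}" ProtocolBinding="{POST}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{idp["name_id_formats"][0]}" AllowCreate="true"/>'
        "</samlp:AuthnRequest>"
    )
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64, then URL-encode
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn.encode("utf-8")) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode("ascii")}
    if relay_state:
        params["RelayState"] = relay_state
    return request_id, f"{sso_url}?{urlencode(params)}"


def decode_redirect_request(url: str) -> str:
    """What the IdP does on receipt: reverse the encoding to recover the AuthnRequest XML."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode("utf-8")


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    rid, url = build_redirect_authn_request(idp, relay_state="/dashboard")
    print(rid, url[:90] + "...")
    print(decode_redirect_request(url))
```

The SP stores the returned request id (with a short expiry) before redirecting; the Response from the IdP is only accepted when its InResponseTo matches one of those stored ids.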

After configuring the IdP metadata, the SP needs to share their own metadata with sso@mykaarma.com.

Sample SP Metadata to Share with myKaarma

The Service Provider (third-party application) needs to provide their SAML metadata to myKaarma. Below is a sample SP metadata structure that should be sent to sso@mykaarma.com:

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
entityID="https://your-third-party-app.com/saml/metadata">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:KeyDescriptor use="signing">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
YOUR_SIGNING_CERTIFICATE_HERE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:KeyDescriptor use="encryption">
<ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:X509Data>
<ds:X509Certificate>
YOUR_ENCRYPTION_CERTIFICATE_HERE
</ds:X509Certificate>
</ds:X509Data>
</ds:KeyInfo>
</md:KeyDescriptor>
<md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://your-third-party-app.com/saml/acs"
index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://your-third-party-app.com/saml/acs"
index="1"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://your-third-party-app.com/saml/sls"/>
</md:SPSSODescriptor>
<md:ContactPerson contactType="technical">
<md:GivenName>Technical</md:GivenName>
<md:SurName>Contact</md:SurName>
<md:EmailAddress>technical@your-third-party-app.com</md:EmailAddress>
</md:ContactPerson>
</md:EntityDescriptor>

Important fields in SP metadata:

Field Name | Description | Example
--- | --- | ---
entityID | Unique identifier for the Service Provider | https://your-third-party-app.com/saml/metadata
AssertionConsumerService | Endpoint where the IdP sends SAML authentication responses after successful authentication | https://your-third-party-app.com/saml/acs
SingleLogoutService | Endpoint where the IdP sends logout requests and responses | https://your-third-party-app.com/saml/sls
X509Certificate | Public certificate used for signing and/or encrypting SAML messages | Base64-encoded certificate

Note: Replace the placeholder values (URLs, certificates, contact information) with your actual third-party application details before sending to myKaarma.

Iframing Application

Once the SAML setup is complete, the myKaarma engineering team can embed the third-party URL as an iframe in the myKaarma application.