NOTE: Trivore ID Documentation has moved to https://trivoreid.com

The content on this site IS OUT OF DATE!

This space has been archived!

Please go ahead to the new site!

Identity protocols and authentication integrations

Permalink: https://doc.oneportal.fi/x/bYAW


onePortal™ integrates with the most relevant identity protocols. Some of those are very old, like SAML and LDAP.

The supported protocols are SAML (ADFS and other SAML-based authentications), LDAP Server, LDAP Client, AD DS, and Simple REST API (SRA).

These auxiliary protocols let onePortal™ integrate with numerous other identity platforms, either as a client that trusts the external systems, or as a server that acts as the master of identity for other systems.

The following image clarifies the relationships between these protocols.

SAML-based technologies

onePortal™ includes gateway authentication functionality for external SAML user directories, including Microsoft Active Directory Federation Services (ADFS) and the national strong identification service “suomi.fi tunnistaminen” in Finland. Other SAML implementations are also supported, but less frequently used at the moment. Should you find a compatibility issue, please contact support.

Please note, each namespace requires some setup in the admin portal for the namespace to enable these authentication methods.

Microsoft ADFS

ADFS is perhaps the most common supported SAML IdP.

suomi.fi-tunnistaminen

This is the national, governmental strong authentication service in Finland. There are three common use cases for this service:

  1. Strongly identify an existing user account. Confidential PII is retrieved for and stored to the user account. This PII includes the Personal ID, legal address(es), official domicile (municipality information), and other often very sensitive data. Some use cases do not allow for storing this confidential PII, yet others do.

  2. Sign in to onePortal. This is not the most flexible method to sign in, so it is seldom used.

  3. Create a new strongly identified user account in onePortal™. The username of this account is by default the SHA-1 of the Personal ID. The newly created user’s name information is taken from the official data retrieved during identification.

This IdP can currently only be used by public sector organisations, such as municipalities, governmental offices, and similar organisations.

LDAP (Server and Client)

LDAP functionality in onePortal is comprehensive. onePortal contains an integrated LDAP Server based on OpenLDAP. This allows external services to authenticate with LDAP against onePortal user accounts. This is very commonly used in enterprises, both internally and over the internet.

In addition to the server side, onePortal also includes LDAP Client functionality. This allows external LDAP user directories to be used as the master for onePortal. Normally a user account is created locally in onePortal during the first sign-in. Also, the password is cached locally in onePortal to cover external service disruptions. Passwords are hashed using SHA-512.

The LDAP Client implementation is very close to the ADDS implementation.

Please note, each namespace requires some setup in the admin portal for the namespace to enable this authentication method.

Microsoft ADDS

Microsoft Active Directory Domain Services (ADDS) is a supported authentication protocol.

This allows external ADDS user directories to be used as the master for onePortal. Normally a user account is created locally in onePortal during the first sign-in. Also, the password is cached locally in onePortal to cover external service disruptions. Passwords are hashed using SHA-512.

The ADDS implementation is very close to the LDAP Client implementation.

Please note, each namespace requires some setup in the admin portal for the namespace to enable this authentication method.

Simple REST API (SRA)

This service is most often used to migrate passwords from external user directories to onePortal. Technically it is a simple REST API call to the external user directory with the username and password in a JSON payload. The external directory is expected to reply with an HTTP response that indicates whether the username + password combination was correct or not. An IP address restriction should be applied to this API.

The format of the JSON payload is as follows:

{ "username": "value1", "password": "value2" }

Please note, each namespace requires some setup in the admin portal for the namespace to enable this API.
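As an added example (not onePortal's own code), the external-directory side of an SRA call in Python: it enforces the IP address restriction recommended above, parses the JSON payload format shown above, and checks the credentials against a constructed sample store without revealing whether the username exists. The allowed source range, the sample user and the PBKDF2-SHA512 storage scheme are assumptions.

```python
"""Server-side check for onePortal's Simple REST API (SRA) credential call."""
import hashlib
import hmac
import ipaddress
import json
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

def derive(salt: bytes, password: str) -> bytes:
    """PBKDF2-HMAC-SHA512 password hash (assumed scheme for the sample store)."""
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, 50_000)

# Constructed sample directory: username -> (salt, hash); a real directory
# would look these up in its own user store.
_SALT = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
USER_DIRECTORY = {"alice": (_SALT, derive(_SALT, "correct horse battery staple"))}
# IP address restriction: only the assumed onePortal source range may call the API.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

def handle_sra_request(client_ip: str, body: bytes) -> int:
    """HTTP status for one SRA call: 200 = username + password correct,
    401 = incorrect, 403 = caller outside the allowed range, 400 = bad payload."""
    try:
        source = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403
    if not any(source in net for net in ALLOWED_SOURCES):
        return 403
    try:
        payload = json.loads(body)
        username, password = payload["username"], payload["password"]
    except (ValueError, KeyError, TypeError):
        return 400
    if not isinstance(username, str) or not isinstance(password, str):
        return 400
    # Unknown users get a random "hash" so work and timing match a real lookup
    # and the reply does not reveal whether the account exists.
    salt, stored = USER_DIRECTORY.get(username, (_SALT, os.urandom(64)))
    return 200 if hmac.compare_digest(derive(salt, password), stored) else 401

class SRAHandler(BaseHTTPRequestHandler):
    def do_POST(self):  # body is the page's {"username": ..., "password": ...} JSON
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        self.send_response(handle_sra_request(self.client_address[0], body))
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SRAHandler).serve_forever()
```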
