16 Jul 2019

High Level Overview of Single Sign-On (SSO) via HighQ Hub

Product: HighQ Collaborate
Product area: Security

The integration between Microsoft Active Directory Federation Services 2.0 (ADFS 2.0) and HighQ Hub via the SAML 2.0 protocol allows any user with a valid corporate Active Directory account to seamlessly access not only their own firm's HighQ Collaborate or HighQ Publisher instances, but also those of any other firm to which they have been invited.

All that is required is for the firm to install an ADFS 2.0 server within its internal infrastructure. Internal users on the corporate network can then authenticate against Active Directory through the ADFS 2.0 server using the Automatic Windows Authentication feature built into most common browsers.

The ADFS 2.0 server does not need to be accessible from the internet, as all requests to it are made from the internal network by users' browsers.

Once the ADFS 2.0 Server has been installed, a new trusted relying party must be configured in order for the newly installed ADFS server to trust HighQ Hub communications. HighQ will provide instructions for how this can be configured.

The firm must provide a list of all valid email domains and internet-facing IP addresses for their corporate network from which internal users are likely to access the Collaborate or Publisher services. These IP addresses are likely to be the internet-facing IP addresses of the firm's proxy servers.

The following are the high-level steps involved in the creation of a valid SSO session:

  1. The user navigates to the URL of any SSO enabled Collaborate or Publisher instance.
  2. Collaborate or Publisher detects the IP address for the incoming user.
  3. If the IP address is in a firm's list of valid IP addresses, the user is redirected to that firm's internal ADFS server for authentication. The mapping between IP addresses and ADFS servers is many-to-one: several IP addresses can map to the same ADFS server, but any single IP address maps to only one ADFS server.
  4. If the authentication is successful, the user is redirected back to the specific Collaborate or Publisher instance where a valid session is created with seamless access to the service.
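The following is an added example, not code from HighQ or from this article, showing how the IP-based home-realm discovery in steps 2 and 3 can be implemented: each firm registers the internet-facing ranges of its proxies together with the URL of its ADFS server, the loader enforces the many-to-one rule by rejecting any range that would map one address to two different ADFS servers, and the lookup returns the redirect target (or nothing, for the ordinary login page). Firm names, IP ranges and ADFS URLs are constructed placeholders.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

# Constructed sample configuration (hypothetical firms, documentation IP
# ranges and ADFS URLs): the internet-facing proxy ranges a firm supplies,
# mapped to the internal ADFS server the user should be redirected to.
FIRM_IDP_CONFIG = {
    "firm-a": {
        "adfs_url": "https://adfs.firm-a.example/adfs/ls/",
        "ip_ranges": ["203.0.113.0/28", "198.51.100.10/32"],
    },
    "firm-b": {
        "adfs_url": "https://sso.firm-b.example/adfs/ls/",
        "ip_ranges": ["192.0.2.0/26"],
    },
}


@dataclass(frozen=True)
class IdpMapping:
    firm: str
    adfs_url: str
    network: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def build_mappings(config: dict) -> list[IdpMapping]:
    """Flatten the per-firm config into (network -> ADFS server) mappings.

    Many ranges may point at one ADFS server, but a single address must never
    resolve to two different servers. Overlaps between ranges that lead to
    different ADFS servers are therefore rejected when the config is loaded,
    so the request-time lookup can never be ambiguous.
    """
    mappings: list[IdpMapping] = []
    for firm, entry in config.items():
        for cidr in entry["ip_ranges"]:
            net = ipaddress.ip_network(cidr, strict=True)
            for existing in mappings:
                if existing.adfs_url != entry["adfs_url"] and net.overlaps(existing.network):
                    raise ValueError(
                        f"{cidr} ({firm}) overlaps {existing.network} ({existing.firm}): "
                        "an IP address may map to only one ADFS server"
                    )
            mappings.append(IdpMapping(firm, entry["adfs_url"], net))
    return mappings


def resolve_sso_redirect(remote_ip: str, mappings: list[IdpMapping]) -> Optional[tuple[str, str]]:
    """Return (firm, adfs_url) for the firm whose range contains remote_ip.

    None means the address belongs to no registered firm and the service
    should show its normal login page instead of redirecting.
    """
    addr = ipaddress.ip_address(remote_ip)
    for m in mappings:
        if addr in m.network:
            return (m.firm, m.adfs_url)
    return None


def main() -> None:
    mappings = build_mappings(FIRM_IDP_CONFIG)
    for ip in ("203.0.113.5", "198.51.100.10", "192.0.2.40", "8.8.8.8"):
        target = resolve_sso_redirect(ip, mappings)
        if target is None:
            print(f"{ip}: no firm match, show local login")
        else:
            print(f"{ip}: redirect to {target[1]} ({target[0]})")


if __name__ == "__main__":
    main()
```

The address passed to `resolve_sso_redirect` must be the one the service itself observes at its own edge, not a value taken from a client-supplied header, since the whole decision of which identity provider to trust rests on it. Because the overlap check runs at load time, a misconfiguration such as two firms registering the same range surfaces as a deployment error rather than as a user being sent to the wrong ADFS server.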

More detailed information about the requirements for integration with ADFS can be found in these instructions.
