SSO Overview

    This chapter describes how single sign-on (SSO) works between the LINE WORKS system and the client system. Two types of SSO are supported: OAuth 2.0 and Security Assertion Markup Language 2.0 (SAML 2.0).

    OAuth 2.0 Based SSO

    SSO between LINE WORKS and the client system works based on OAuth 2.0.

    Figure 1 OAuth 2.0 based SSO between Works Mobile and Client

    1. Access LINE WORKS Home.
      The user accesses LINE WORKS Home or any other LINE WORKS services including Calendar, Contact, and Drive, or runs the LINE WORKS App or Drive Explorer.
    2. (As the user is not logged in to LINE WORKS) Request a login page (redirect).
      LINE WORKS Home checks whether the user is logged in to LINE WORKS and, if not, redirects the login request to the LINE WORKS authentication system. The LINE WORKS App or Drive Explorer uses an in-app browser to redirect the login request to the LINE WORKS authentication system. If the user is already logged in, LINE WORKS Home serves the requested service directly.
    3. Request Authorization Code as well as login page (redirect).
      The LINE WORKS authentication system checks whether the client has configured SSO; if it has, the system redirects a request to issue an authorization code to the client SSO system.
    4. (If the user is logged in to the client system) Issue Authorization Code only.
      The client SSO system checks whether the user is logged in; if so, it issues an authorization code immediately and steps 5 and 6 are skipped. An authorization code is a one-time value that is exchanged for an access token and then deleted; it must not be used more than once.
    5. Enter ID and Password.
      The client SSO system checks whether the user is logged in; if not, it presents its own login page, where the user enters an ID and password according to the client's login policy.
    6. (If the user is not logged in to the client system) Issue Authorization Code after handling authentication and client SSO.
      After authenticating the user with the entered ID and password and processing its own SSO, the client system issues an authorization code.
    7. Return Authorization Code (redirect).
      The client system redirects the authorization code to the LINE WORKS authentication system's redirect_uri, which was included in the original request for the authorization code.
    8. Request Access Token with Authorization Code (API call).
      The LINE WORKS authentication system requests an access token from the client SSO system, with the authorization code.
    9. Return Access Token.
      After verifying the authorization code, the client SSO system issues an access token and returns it.
    10. Request user information with Access Token (API call).
      The LINE WORKS authentication system requests the user information from the client SSO system, with the access token.
    11. Return user information.
      After verifying the access token, the client SSO system returns the user information such as name and email address.
    12. Issue LINE WORKS authentication token and cookie (redirect).
      Based on the user information, the LINE WORKS authentication system issues an authentication token for LINE WORKS and a cookie for SSO.
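    The client-side half of the code exchange in steps 4 to 11 (and the same exchange in steps 4 to 9 of the API authentication flow below), as an added illustration that is not LINE WORKS code: the authorization code is bound to the redirect_uri from the original request, expires, and is deleted on first use so that a replayed code never yields a token. The redirect_uri, user directory and 60-second lifetime are constructed sample values.

```python
import secrets
import time

# Constructed sample: the redirect_uri that the LINE WORKS authentication
# system includes in its authorization code request (step 3).
LINEWORKS_REDIRECT_URI = "https://auth.lineworks.invalid/oauth/callback"

# Constructed sample of the client's user directory.
USERS = {"alice": {"name": "Alice Kim", "email": "alice@client.invalid"}}

CODE_TTL_SECONDS = 60  # assumed lifetime; the page fixes no value


class ClientSsoServer:
    """Model of the client SSO system's OAuth 2.0 role in steps 4 to 11."""

    def __init__(self, now=time.time):
        self._now = now
        self._codes = {}   # code -> (user_id, bound redirect_uri, expiry)
        self._tokens = {}  # access token -> user_id

    def issue_code(self, user_id, redirect_uri):
        """Steps 4/6: once the user is authenticated, mint a one-time code
        bound to the redirect_uri carried in the original request."""
        code = secrets.token_urlsafe(32)
        self._codes[code] = (user_id, redirect_uri, self._now() + CODE_TTL_SECONDS)
        return code

    def exchange_code(self, code, redirect_uri):
        """Steps 8/9: redeem the code for an access token. The code is
        removed before any check, so a second presentation always fails."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return None  # unknown or already used
        user_id, bound_uri, expiry = entry
        if redirect_uri != bound_uri or self._now() > expiry:
            return None  # presented with the wrong redirect_uri, or too late
        token = secrets.token_urlsafe(32)
        self._tokens[token] = user_id
        return token

    def userinfo(self, access_token):
        """Steps 10/11: return name and email for a valid access token."""
        user_id = self._tokens.get(access_token)
        return dict(USERS[user_id]) if user_id else None
```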

    OAuth 2.0 Based API Authentication

    Authentication for LINE WORKS IMAP/CalDAV is partially based on OAuth 2.0.

    Figure 2 OAuth 2.0 based API Authentication

    1. Access LINE WORKS after setting up ID/PWD in the IMAP client.
      The user accesses LINE WORKS after setting up the ID/PWD of the LINE WORKS account in Outlook, a native app, etc.
    2. Request to verify login with ID/PWD (API call).
      The LINE WORKS IMAP server asks the LINE WORKS authentication system to verify the user's ID/PWD. All network connections must be secured with SSL.
    3. Request to issue Authorization Code and verify login with ID/PW (API call).
      The LINE WORKS authentication system checks whether SSO is configured on the client system; if it is, it requests an authorization code from the client SSO system, passing the user's ID and password. All network connections must be secured with SSL.
    4. Issue Authorization Code after authentication with ID/PW.
      The client SSO system authenticates the user with the ID and password and issues an authorization code if authentication succeeds. If it fails, the system returns an error code.
    5. Return Authorization Code (API response).
      The client SSO system returns the issued authorization code as the response to the API call in step 3. If authentication failed, the system returns an error code.
    6. Request Access Token with Authorization Code (API call).
      The LINE WORKS authentication system requests an access token from the client SSO system, with the authorization code.
    7. Return Access Token.
      After verifying the authorization code, the client SSO system issues an access token and returns it.
    8. Request user information with Access Token (API call).
      The LINE WORKS authentication system requests user information from the client SSO system, with the access token.
    9. Return user information.
      After verifying the access token, the client SSO system returns user information including name and email address.
    10. Issue LINE WORKS authentication token (API response).
      Based on the user information, the LINE WORKS authentication system issues an authentication token for LINE WORKS and a cookie, and returns them as the response to the IMAP server's API call in step 2.

    SAML 2.0 Based SSO

    The SSO between LINE WORKS and the client system works based on SAML 2.0.

    Figure 3 SAML 2.0 based SSO between Works Mobile and Client

    1. Access LINE WORKS Home.
      The user accesses LINE WORKS Home or any other LINE WORKS services including Calendar, Contact, and Drive, or runs the LINE WORKS app or Drive Explorer.
    2. (As the user is not logged in to LINE WORKS) Request a login page (redirect).
      LINE WORKS Home checks whether the user is logged in to LINE WORKS and, if not, redirects the login request to the LINE WORKS authentication system. The LINE WORKS app or Drive Explorer uses an in-app browser to redirect the login request to the LINE WORKS authentication system. If the user is already logged in, LINE WORKS Mail serves the requested service directly.
    3. Request a login page with a SAML request (redirect).
      The LINE WORKS authentication system checks whether the client has configured SSO; if it has, the system creates a SAML request and redirects it to the client SSO system.
    4. Verify the SAML request.
      The client SSO system checks whether the SAML request is valid.
    5. (If the user is not logged in to the client system) Provide a login page.
      The client SSO system checks whether the user is logged in to the client system; if not, it presents its own login page, where the user enters an ID and password according to the client's login policy.
    6. Enter ID and password.
    7. Create a SAML response and return it (redirect).
      After authenticating the user with the entered ID and password and processing its own SSO, the client system creates a SAML response and returns it to the LINE WORKS authentication system's ACS URL. The SAML response must be digitally signed with the certificate registered to LINE WORKS.
    8. Verify the SAML response.
      The LINE WORKS authentication system verifies the signature on the SAML response with the certificate that the client previously registered.
    9. Issue a LINE WORKS authentication token and a cookie (redirect).
      Based on the user information, the LINE WORKS authentication system issues an authentication token for LINE WORKS and a cookie for SSO.
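    The checks the receiving side applies to the SAML response in step 8, beyond the signature itself, as an added illustration that is not LINE WORKS code: the response must answer the SAML request created in step 3, be addressed to the ACS URL, come from the registered client, report success and be inside the assertion's validity window. The ACS URL, issuer, sample response and the signature_valid flag (the result of an XML-DSig check against the registered certificate, performed by a separate XML signature library) are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed values: the ACS URL of the LINE WORKS authentication system
# and the entity ID the client registered for its SSO system.
ACS_URL = "https://auth.lineworks.invalid/saml/acs"
CLIENT_ISSUER = "https://sso.client.invalid/idp"

# Constructed SAML response as it would arrive at the ACS URL (step 7);
# the XML Signature element is left out here.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_resp1" InResponseTo="_req42" Destination="{ACS_URL}">
  <saml:Issuer>{CLIENT_ISSUER}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>alice@client.invalid</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z"/>
  </saml:Assertion>
</samlp:Response>"""


def parse_ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T00:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text, expected_request_id, now, signature_valid):
    """Step 8 checks. signature_valid is the outcome of the XML-DSig check
    against the registered certificate (assumed, done by a separate
    library); nothing in the document is trusted until it has passed.
    Returns (name_id, reason)."""
    if not signature_valid:
        return None, "signature does not verify with the registered certificate"
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return None, "InResponseTo does not match the SAML request"
    if root.get("Destination") != ACS_URL:
        return None, "Destination is not the ACS URL"
    if root.findtext(f"{{{SAML}}}Issuer") != CLIENT_ISSUER:
        return None, "Issuer is not the registered client"
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or not code.get("Value", "").endswith(":Success"):
        return None, "client reported authentication failure"
    cond = root.find(f"{{{SAML}}}Assertion/{{{SAML}}}Conditions")
    if not (parse_ts(cond.get("NotBefore")) <= now < parse_ts(cond.get("NotOnOrAfter"))):
        return None, "assertion is outside its validity window"
    return root.findtext(f"{{{SAML}}}Assertion/{{{SAML}}}Subject/{{{SAML}}}NameID"), "ok"
```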

    SAML 2.0 Based API Authentication

    Authentication for LINE WORKS IMAP/CalDAV is partially based on SAML 2.0.

    Figure 4 SAML 2.0 based API Authentication

    1. Use LINE WORKS after setting up ID/PWD.
      The user accesses LINE WORKS after setting up the ID/PWD for LINE WORKS in Outlook, a native app, etc.
    2. Request to verify login with ID/PWD (API call).
      The LINE WORKS IMAP server asks the LINE WORKS authentication system to verify the user's ID/PWD. All network connections must be secured by SSL.
    3. Create a SAML request and request to verify login with ID/PWD (API call).
      The LINE WORKS authentication system checks the user's SSO setting and, if SSO is configured, delivers the SAML request to the client's SSO system together with the user's ID/PWD. All network connections must be secured by SSL.
    4. Create a SAML response after authenticating the user with the ID/PWD.
      The client's SSO system authenticates the user with the ID and password delivered from the LINE WORKS authentication system. It creates a SAML response if authentication succeeds, and returns an error code if not. The SAML response must be digitally signed with the certificate registered to LINE WORKS.
    5. Return the SAML response (API response).
      The client SSO system returns the SAML response as the response to the API call in step 3, not through the ACS URL. It returns an error code when authentication fails.
    6. Verify the SAML response.
      The LINE WORKS authentication system verifies the signature on the SAML response with the certificate that the client previously registered.
    7. Issue a LINE WORKS authentication token.
      Based on the user information, the LINE WORKS authentication system issues an authentication token for LINE WORKS and a cookie, and returns them as the response to the first API call.