Changes

Single Sign-On

166 bytes added, 20 February

→‎Active Directory Federation Services (ADFS)

: '''Assertion Target URL''' - target site url

: '''Assertion Private Key''' - private key to establish connection with the target site.

=====User Creation Option(JIT Provisioning)=====

When users need to be created on the fly after SSO authentication, the following configuration settings are available:

* '''Default Organization <span style="color: #ff0000;">*</span>'''– assigned user’s parent organization for new users

* '''Default New Organization Status'''– assigned parent organization’s status for new organizations

'''<span style="color: #ff0000;">* <span style="color: #000000;">- mandatory fields when creating users thru SSO.</span></span>'''

~~'''<span style="color: #ff0000;">* <span style="color: #000000;">- mandatory~~ In addition, optional attributes can be added in the assertion to create the user and these standard fields ~~when creating users thru SSO~~(First name, Last name, Email) will be populated.If the selected Unique Identifier Field (UID) is not the standard email address, the custom field selected will also be populated in the JIT provisioning.~~</span></span>'''~~

[[File:SSO_UserCreation.png|thumb|none|500px|SSO User Creation Settings.]]

=====Optional Attibutes=====

The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.

* '''SSOModule''' - used to specify the SmartSimple SSO connection when there are multiple connections configured. i.e. "SAML2" for prod, "SSOBK" for backup instance, "SSODEV" for dev instance, "SSOTest" for test instance. Note that the attribute name and attribute value are case sensitive

* '''Email'''

* '''First name'''

* '''Last name'''

* '''Department''' - used to update the user's organization. This will attempt to match an organization by name and will move the user to that organization if found.

* '''Roles''' - used to update the user's roles in SmartSimple for new users. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.

* '''Language''' - used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).

=====Role Mapping=====

Detailed expected behaviour of this settings can be found in Section 4

'''Example of attribute values in''' '''''Roles'''''

Example 1 - Attribute format from ADFS

<pre>

</Attribute>

</pre></div>

Example 2 - Attribute format from Azure

<pre>

</Attribute>

</pre></div>

=====Multi Environment Support=====

Additional settings to be configured is from the main login page ('''''Waffle''''' → '''''Global Settings''''' → '''''Branding''''' → '''''Login Pages''''') under the Single Sign-On section, select the MES Group Identifier from the dropdown list, and add button label i.e. ''Employee Login''.

====~~Optional Attibutes~~X.509 Certificate on the SP-Initiated SSO====~~The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.~~ * '''SSOModule''' <!- ~~used to specify the SmartSimple SSO connection when there are multiple connections configured.~~* '''Email'''* '''First name'''* '''Last name'''* '''Department''' - ~~used to update the user's organization. This will attempt to match an organization by name and will move the user to that organization if found.~~* '''Roles''' 148020 - ~~used to update the user's roles in SmartSimple~~ Adding SP x509 signing certificate for ~~new users. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.~~* '''Language''' SSO metadata and SSO authorization request - ~~used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).~~ ~~====X.509 Certificate on the Service Provider~~-~~Initiated Single Sign-On====~~>In the July 2023 upgrade, a new feature to support X.509 signing certificate for single sign-on (SSO) authorization requests has been added. ~~</br>~~If you are using a service provider-initiated SSO, a signed authentication request embedded with the signed value and the X.509 certificate will be sent to the identity provider (IdP). ~~</br>~~The new setting is located at Global Settings > Integrations tab > Single Sign-on > Edit a SP-initiated SSO and toggle on Sign authentication request sent to identity provider (IdP). ~~</br>~~

===Identity Provider Configuration - Client-Side System===

</md:ContactPerson>

</md:EntityDescriptor>

</pre>

~~</pre>~~The following steps are a high-level approximation and example of how one may setup minimal SSO functionality.Additional steps may be needed for your Identity Provider.These do may constitute recommended best practices, and we recommend you consult the documentation offered by your Identity Provider.

====Active Directory Federation Services (ADFS)====

* "Display Name" - Give the trust a display name, e.g. 'SmartSimple'.

* Finish the setup, and then return to the "Claim Rules" editor, and select the "Issuance Transform Rules" tab and add a new rule. Set the "Rule Type" to use the 'Send LDAP Attributes as Claims' template and configure the mapping to the agreed upon user identifier (e.g. LDAP attribute 'E-Mail-Addresses' to Outgoing Claim Type 'NameID'). Depending on your ADFS version and setup you may instead need to create two rules, one to map the attributes E-mail to E-mail, and then a second rule to transform the E-mail to the outgoing NameID.

* To test or use this connection use your internal ADFS URL and specify the loginToRp parameter as the SmartSimple SAML entity ID, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/'''.<br/> If you aren't automatically redirected into SmartSimple you may need to have RelayState enabled in ADFS, and then use a RelayState parameter to achieve this, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=~~RPID%3Dhttps%3A%2F%2Falias~~https://alias.smartsimple.com~~%2F%26RelayState%3Dhttps%253A%252F%252Falias.smartsimple.com%252F~~/'''.

====Azure Identity Provider====

</samlp:AuthnRequest>

</pre></div>

==Adding URL Redirect in the Login Page==

From the [[Login Page]], the SSO URL redirect can be added to redirect internal users to the client's Identity Provider login page.

To configure, go to

1. Waffle → Global Settings → Branding → Login Pages

2. From the Login Pages listview, select the default login page to add the SSO URL redirect to.

3. Go to the Singe Sign-On section, select the MES Group Identifier and add the Link Label i.e. Employee Login

4. Click Save

Variables to use in a custom page layout:

* @ssodisplaylink@ - the variable to use to add the Link Label and hyperlink in the login template

* @ssotargetlink@ - the variable to use to retrieve the SSO login URL<br /> <br />

==Troubleshooting==

==Expected Behaviour for Role Mapping==

'''~~Scenerio 1: '~~Role Mapping'~~User Access Mapping~~'' set to '''Disabled''' / '''Create New User'' on ''No Match'' is 'is '~~OFF~~''OFF'''

* User will not be created if user does not exist in the SmartSimple instance

* Only existing users in the SmartSimple instance will be able to login and no role/status updates for existing users

<br /> '''Role Mapping '''set to '''Disabled''' / '''Create New User on No Match''' is '''ON'''

* '''~~Scenerio 2:~~ ''Define User ~~Access Mapping~~Roles Through Custom Attribute '' ~~set to~~ ''~~Disabled~~'is' / ''~~Create New User~~'' on OFF''~~No Match~~'' ~~is ''ON~~'~~' '''~~ * User will be created with default new user role / default new user status settings ~~if users does not exist in the SmartSimple instance~~* No role updates based on default new user role / default new user status if user exists ~~'''Scenerio 3: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''OFF'' / No Assertion defined '''~~ * User will not be created if user does not exist in the SmartSimple instance* ~~No role updates if accessing SSO with existing users~~ '''~~Scenerio 4:~~ ''Define User ~~Access Mapping'' set to ''Enabled'' / ''Create New User'~~Roles Through Custom Attribute ' on ''~~No Match~~'' ~~is ''OFF'' / Assertion~~ is ~~defined '''~~ * User will not be created if user does not exist in the SmartSimple instance* No role updates if accessing with existing account* No role updates if it is not referenced in the defined assertion* Role updates if accessing with existing account only if they are defined in the ''User Roles Assertion Mapping''. Role update will be based on the mappings defined under ''Mapping''. '~~''Scenerio 5: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is~~ ''ON'' ~~/ No Assertion defined~~''' * User will be created with ~~default new user role / default new user status settings if user does not exist in~~ the ~~SmartSimple instance~~* No role updates if accessing with existing account that does not have roles ~~defined~~ listed in ~~the~~ SSO assertion '~~'User~~ Roles ~~Assertion Mapping~~'' ~~'''Scenerio 6: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''ON'' / Assertion is defined '''~~ * User will be created with roles defined in the assertion if ~~user~~ users does not ~~exists~~ exist in the SmartSimple instance ~~and assertion roles are defined in the ''User Roles Assertion Mapping''~~* User (role ~~updates based on the defined assertion if accessing~~ names should align with ~~existing accounts that has roles defined~~ system role names in ~~the assertion~~instance)* No ~~role updates if accessing with existing accounts that has no roles defined in the assertion or if roles in assertion was not mapped in the ''User Roles Assertion Mapping''~~ ~~'''Scenerio 7: ''User Access Mapping'' set to ''Classic Mode'' / ''Create New User'' on ''No Match'' is ''ON'' / No Assertion is defined'''~~ * User will be created with default new user role / ~~default new user~~ status ~~settings if user does not exist in the SmartSimple instance~~* No role updates ~~if accessing with user account that already exists in the SmartSimple instance~~ ~~'''Scenerio 8: ''User Access Mapping'' set to ''Classic Mode'' / ''Create New User'' on ''No Match'' is ''ON'' / Assertion is defined'''~~for existing users

* User will be created with roles defined in the assertion if user does not exist in the SmartSimple instance and assertion roles are defined in the <br /> '''~~User Roles Assertion~~ Role Mapping''* User will be created with default new user role ' set to '''Enabled''' / ~~default new user status settings if user does not exists in the SmartSimple instance and if assertion roles do not exist in the~~ '''Create New User ~~Roles Assertion Mapping~~on No Match'''* When Access Mapping is set to Classic Mode and there is no mapping section, role updates will only happen in user creation and the roles in assertion has to have the same user role names matching value with the SmartSimple role names. '''OFF'''

* '''''Create New User''''' on ''No Match'' is '''''OFF''''' User should not be created on the system if not already created when using SSO to access system

* '''''Create New User''''' on ''No Match'' is '''''ON''''' User will be created with default new user role / default new user status settings if user does not exist in the SmartSimple instance

* Existing users: no change for existing roles that are '''NOT''' within the list of "'''Roles to be Monitored'''"

* Existing users: roles that are in the list of "'''Roles to be Monitored'''" will be updated, based on Role Mapping, the user will be provisioned with all the roles as defined by the assertion attributes, and will be stripped of any roles that they may currently possess that are listed in this setting but were not defined in the assertion attributes.

==Example of SSO configuration in SmartSimple==

← Older edit

Lalaine Songalia

Smartstaff

1,391

edits

Changes

Single Sign-On

SmartWiki