Changes

Single Sign-On

110 bytes removed, 14:02, 27 September 2016
no edit summary
===Prerequisites===
* You must provision your own Identity Provider service, third-party or otherwise, for use with this feature. Enabling and maintaining the Identity Provider is your responsibility.
* You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation.
===SSO Configuration in SmartSimple===
[[image:sso-002.png]]
* "SSO Alias" is used to identify the SSO connection and should be configured by default to be 'SAML2'. If multiple SSO connections are to be configured, this can be set to the corresponding identifier on the client-side assertion.
* "Unique Identifier Field (UID)" is used to identify the user account and needs to be an attribute that is unique to each user in SmartSimple. This needs to be an attribute common to both SmartSimple and the client-side system (typically e-mail address or employee ID).
* "X509Certificate (SAML2 Only)" is the signing certificate to be provided by the client. This should be the certificate value without the "begin certificate" and "end certificate" header and footer lines. Depending on how the client-side system sends this value within the SAML assertion, the certificate value will typically be formatted as a single line but could also span multiple lines, and it must be entered into SmartSimple in the same format.
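The certificate-format rule above is easy to get wrong when the value is copied out of an identity provider's PEM export. The following Python example is added here; it is not SmartSimple's code and was not part of the original page. It strips the header and footer lines, returns the base64 body in either single-line or 64-column layout, rejects anything that is not base64-encoded DER (a pasted armor line, a truncated copy, a stray character), and computes a SHA-256 fingerprint that can be compared against the thumbprint the identity provider publishes. The DER blob it uses is a constructed placeholder, not a real certificate, and all function names are the example's own.

```python
import base64
import binascii
import hashlib
import re

# Constructed placeholder: a minimal ASN.1 DER SEQUENCE containing INTEGER 1.
# It is NOT a real X.509 certificate; it only stands in for one so the example runs offline.
PLACEHOLDER_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x01])

PEM_ARMOR = re.compile(r"^-----(BEGIN|END) CERTIFICATE-----$")


def to_pem(der: bytes, width: int = 64) -> str:
    """Wrap DER bytes in the PEM armor an identity provider typically exports."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + width] for i in range(0, len(body), width)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def normalize_certificate(text: str, single_line: bool = True) -> str:
    """Strip PEM header/footer lines and line breaks, returning just the base64 body.

    single_line=True returns the value as one line (the usual shape inside an
    assertion's <ds:X509Certificate>); single_line=False re-wraps it at 64 columns
    for identity providers that send it wrapped. Either way the value must be valid
    base64 whose decoded bytes start with an ASN.1 SEQUENCE tag (0x30), which every
    DER certificate does; this catches a pasted armor line, a truncated copy or a
    stray character before the value is saved into the SSO configuration.
    """
    lines = [line.strip() for line in text.splitlines()]
    body = "".join(line for line in lines if line and not PEM_ARMOR.match(line))
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("certificate value is not valid base64") from exc
    if not der or der[0] != 0x30:
        raise ValueError("decoded value does not start with an ASN.1 SEQUENCE; not a DER certificate")
    if single_line:
        return body
    return "\n".join(body[i:i + 64] for i in range(0, len(body), 64))


def is_valid_certificate_value(text: str) -> bool:
    """True when normalize_certificate() accepts the value, False otherwise."""
    try:
        normalize_certificate(text)
        return True
    except ValueError:
        return False


def fingerprint_sha256(text: str) -> str:
    """SHA-256 hex digest of the DER bytes, for comparison with the thumbprint the IdP publishes."""
    der = base64.b64decode(normalize_certificate(text), validate=True)
    return hashlib.sha256(der).hexdigest()


if __name__ == "__main__":
    pem = to_pem(PLACEHOLDER_DER, width=4)  # width=4 forces line wrapping on the tiny blob
    print(normalize_certificate(pem))
    print(fingerprint_sha256(pem))
```

Whether the single-line or wrapped form is the right one to store depends on what the client-side system actually sends in the assertion, as the list item above says; the fingerprint is the same in both cases, which is what makes it a useful cross-check with the identity provider's administrator.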
===SSO Configuration in Client-Side System===
The elements required for setup of the client-side identity provider connection are listed below.
* Unique user identifier. Within the SAML assertion, this value can be sent in the standard <NameID> element, or optionally within an <Attribute> element named ''UID''.
* Assertion Consumer Service URL. This is your SmartSimple instance URL suffixed with '/SAML2/', e.g. '''https://alias.smartsimple.com/SAML2/'''
* Service Provider's Entity ID. This can be the same as the Assertion Consumer Service URL above.
* Service Provider metadata XML. This is available upon request.
====Active Directory Federation Services====
If you are using AD FS, refer to the steps below for the SmartSimple-related parts of the setup. Steps unrelated to your SmartSimple configuration have been omitted.
* Add a new "Relying Party Trust".
* Select Data Source: import the Service Provider metadata XML file obtained from SmartSimple.
* Display Name: give the trust a display name, e.g. 'SmartSimple'.
* In the claim rules editor, select the "Issuance Transform Rules" tab and add a new rule. The LDAP attribute should be mapped to the agreed-upon user identifier with an Outgoing Claim Type of 'NameID'.
* To test or use this connection you will need to use the AD FS login URL and specify the loginToRp parameter as the SmartSimple SAML entity ID, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/SAML2/'''
===Optional Information===
The following optional attributes can be used in the assertion:
* UID (can be used instead of NameID as the user identifier)
* Email
* First name
* Last name
* Department
* Roles (comma-delimited list of SmartSimple user roles, by name, to be assigned to the user)
* Language
* RedirectURL
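To make concrete how the client-side elements (NameID or a ''UID'' attribute, the /SAML2/ consumer URL) and the optional attributes above fit together, here is an added Python example; it is not SmartSimple's code and did not appear on the original page. It builds the Assertion Consumer Service URL from an instance URL and pulls the user identifier and the optional attributes out of a SAML 2.0 assertion, splitting ''Roles'' on commas. The sample assertion is constructed and unsigned, the dictionary keys and the precedence rule between NameID and UID are the example's own assumptions, and the exact attribute Name strings are taken from the list above.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Optional attribute names as listed on the page; the dictionary keys they map to
# are this example's own choice.
OPTIONAL_ATTRIBUTES = {
    "Email": "email",
    "First name": "first_name",
    "Last name": "last_name",
    "Department": "department",
    "Roles": "roles",
    "Language": "language",
    "RedirectURL": "redirect_url",
}

# Constructed sample assertion (unsigned, for parsing only). The issuer, subject and
# attribute values are made up; a real assertion would also carry a <ds:Signature>.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2016-09-27T14:02:00Z">
  <saml:Issuer>https://idp.example.invalid/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID>jane.doe@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="First name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Last name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Roles"><saml:AttributeValue>Applicant, Reviewer</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def acs_url(instance_url: str) -> str:
    """Assertion Consumer Service URL: the instance URL suffixed with /SAML2/ (also usable as the SP entity ID)."""
    return instance_url.rstrip("/") + "/SAML2/"


def extract_sso_attributes(assertion_xml: str) -> dict:
    """Pull the user identifier and optional attributes out of a SAML 2.0 assertion.

    Assumes the assertion's XML signature has already been validated against the
    X509Certificate configured for the SSO alias; nothing here checks it, so the
    returned values must not be acted on before that step. The identifier comes
    from <NameID>, or from <Attribute Name="UID"> when NameID is absent; if both
    are present they must agree, and a conflicting pair is rejected rather than
    guessed (precedence and the conflict rule are this example's assumptions).
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != "{%s}Assertion" % SAML_NS["saml"]:
        raise ValueError("root element is not a SAML 2.0 Assertion")

    attributes = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        if values:
            attributes[attr.get("Name")] = values

    candidates = set(attributes.get("UID", []))
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=SAML_NS).strip()
    if name_id:
        candidates.add(name_id)
    if len(candidates) != 1:
        raise ValueError("assertion must carry exactly one user identifier (NameID or UID attribute)")

    result = {"uid": candidates.pop()}
    for saml_name, key in OPTIONAL_ATTRIBUTES.items():
        values = attributes.get(saml_name)
        if not values:
            continue
        if key == "roles":
            # Roles is a comma-delimited list of SmartSimple role names.
            result[key] = [r.strip() for r in ",".join(values).split(",") if r.strip()]
        else:
            result[key] = values[0]
    return result


if __name__ == "__main__":
    print(acs_url("https://alias.smartsimple.com"))
    print(extract_sso_attributes(SAMPLE_ASSERTION))
```

The strict "exactly one identifier" rule is deliberate: the UID field is what maps the assertion to a SmartSimple account, so an assertion that names two different users, or none, should fail closed rather than be resolved by guesswork.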
===SAML Assertion Example===