Single Sign-On

1,736 bytes added, 17:59, 5 December 2019
===Service Provider Configuration - SmartSimple===
Within SmartSimple, SSO settings are accessed through the Global Setting -> Integration tab.
[[File:sso-001.png|thumb|none|middle|600px|Navigating to the SSO configuration.]]
[[File:sso-002.png|thumb|none|middle|400px|SSO configuration settings.]]
====Mandatory Settings====
* '''SSO Alias''' - used to identify the SSO connection and should be configured by default to be 'SAML2'. If multiple SSO connections are to be configured then you may include an additional <Attribute> element on the client-side assertion named 'SSOModule' to specify the SmartSimple connection by matching a unique "SSO Alias" value.
* '''Unique Identifier Field (UID)''' - used to identify the user account and needs to be an attribute that is unique to each user in SmartSimple. This needs to be an attribute common to both the SmartSimple and the client-side system (typically e-mail address or employee ID).
* '''X509Certificate (SAML2 Only)''' - the signing certificate to be provided by the client. The formatting of this should be the certificate value without the "begin certificate" and "end certificate" header and footer lines. Also, depending on how the client-side system sends this value within the SAML assertion, the certificate value will typically be formatted as a single line but could also be multiple lines, and so must be entered into SmartSimple in the same format.
* It is also recommended to disable the Session Timeout Alert setting within the Global Settings -> Security section as that feature would not be applicable to users logged in through single sign-on.
* By default, SSO acts as an additional method of authentication. If you wish to enforce the use of SSO, and restrict the regular username and password authentication, you can do so with the Global Settings -> Integration -> Enforce SSO setting, which allows you to restrict a set of user roles to only be able to log in through SSO.
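The X509Certificate value above has to be entered exactly as the identity provider embeds it in the assertion (header and footer lines stripped, single-line or multi-line). As an added example, not code from the original page or from SmartSimple, the following Python derives that value from a PEM certificate in either layout, and checks that the certificate carried in an incoming assertion is the same DER blob as the configured one by comparing SHA-256 fingerprints, so a line-layout mismatch is distinguished from a genuinely different certificate. It also reads the 'SSOModule' selector described under SSO Alias. The example assumes the standard SAML 2.0 layout (certificate inside <code>ds:KeyInfo</code>, the selector as a <code>saml:Attribute</code> with a <code>saml:AttributeValue</code>); how SmartSimple itself parses the assertion is not described on this page. The certificate bytes and the assertion are constructed sample data, not real credentials.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

DS_NS = "http://www.w3.org/2000/09/xmldsig#"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def pem_body_lines(pem):
    """Return the base64 lines of a PEM certificate without the
    '-----BEGIN CERTIFICATE-----' / '-----END CERTIFICATE-----' markers."""
    body = [line.strip() for line in pem.strip().splitlines()]
    body = [line for line in body if line and not line.startswith("-----")]
    if not body:
        raise ValueError("no certificate body found in PEM input")
    return body


def smartsimple_certificate_value(pem, single_line=True):
    """Produce the value to paste into the X509Certificate field: the bare
    base64 body, either joined into one line or kept as the PEM's own lines,
    to match how the identity provider embeds it in the assertion."""
    lines = pem_body_lines(pem)
    return "".join(lines) if single_line else "\n".join(lines)


def certificate_der(value):
    """Decode a certificate value to DER bytes, ignoring line breaks and
    surrounding whitespace, so single-line and multi-line forms compare equal."""
    return base64.b64decode(re.sub(r"\s+", "", value), validate=True)


def certificate_fingerprint(value):
    """SHA-256 fingerprint (hex) of the DER encoding."""
    return hashlib.sha256(certificate_der(value)).hexdigest()


def assertion_certificate(assertion_xml):
    """Pull the ds:X509Certificate text out of a SAML 2.0 assertion."""
    root = ET.fromstring(assertion_xml)
    element = root.find(".//{%s}X509Certificate" % DS_NS)
    if element is None or not (element.text or "").strip():
        raise ValueError("assertion carries no ds:X509Certificate element")
    return element.text


def assertion_attribute(assertion_xml, name):
    """Return the first AttributeValue of the saml:Attribute with the given
    Name (for example 'SSOModule'), or None when the assertion lacks it."""
    root = ET.fromstring(assertion_xml)
    for attribute in root.iter("{%s}Attribute" % SAML_NS):
        if attribute.get("Name") == name:
            value = attribute.find("{%s}AttributeValue" % SAML_NS)
            return (value.text or "").strip() if value is not None else ""
    return None


def certificate_matches(configured_value, assertion_xml):
    """True when the configured X509Certificate value and the certificate in
    the assertion are the same DER blob, whatever their line layout."""
    return certificate_fingerprint(configured_value) == certificate_fingerprint(
        assertion_certificate(assertion_xml)
    )


# --- constructed sample data: not real certificates, not a real assertion ---

def make_pem(der):
    body = base64.b64encode(der).decode("ascii")
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_DER = b"CONSTRUCTED SAMPLE BYTES STANDING IN FOR A DER-ENCODED IDP CERTIFICATE" * 3
OTHER_DER = b"CONSTRUCTED SAMPLE BYTES FOR A DIFFERENT, NON-MATCHING CERTIFICATE" * 3
SAMPLE_PEM = make_pem(SAMPLE_DER)
OTHER_PEM = make_pem(OTHER_DER)

# Unsigned, constructed assertion carrying the certificate as multiple lines
# and an SSOModule attribute that selects the SmartSimple connection by alias.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="%s" xmlns:ds="%s">
  <ds:Signature><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
%s
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="SSOModule"><saml:AttributeValue>SAML2</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
""" % (SAML_NS, DS_NS, smartsimple_certificate_value(SAMPLE_PEM, single_line=False))


if __name__ == "__main__":
    configured = smartsimple_certificate_value(SAMPLE_PEM)  # single-line form
    print("configured value:", configured[:40] + "...")
    print("alias in assertion:", assertion_attribute(SAMPLE_ASSERTION, "SSOModule"))
    print("certificate matches:", certificate_matches(configured, SAMPLE_ASSERTION))
```

Comparing fingerprints rather than raw strings is deliberate: a configured single-line value still matches an assertion that carries the certificate across several lines, while a certificate that has been rotated on the identity provider side fails the check and points at the X509Certificate setting as the thing to update.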
 
====Additional Settings====
To enable adding new users/organizations, the following '''Options''' should be enabled:
* '''Create New User on No Match''' - create a new user when no matching user is found, and allow that user to log in upon successful authentication
* '''Create New Organization on No Match''' - create a new parent organization when no matching organization is found
* '''Enable Updates To User Role''' - allow the SSO assertion to change the user's system role
* '''Enable Updates To User Organization''' - allow the SSO assertion to change the user's parent organization
 
These settings are used to add new users and/or new organizations.
* '''Default New User Role''' - system role assigned to new users
* '''Default New User Status''' - status assigned to new users
* '''Default Organization''' - parent organization assigned to new users
* '''Default New Organization Status''' - status assigned to new parent organizations
 
Other settings:
* '''Use UID as Unique Identifier''' - use the node named UID as the unique identifier for users; the default is NameID
* '''Bypass Two Factor Authentication''' - bypass Two Factor Authentication when logged in with SSO
* '''Enable Debug Mode''' - ignore the SSO time stamp and output error messages in the [[Configuration_Error_Log|Configuration Error Log]]
* '''IP Mask''' -
* '''Logout Redirect URL''' - redirect URL when SSO users log out
<!--Ticket#52854 - SSO logout assertion SLO-->
* '''Enable Logout Assertion''' - will send a logout assertion to the Identity Provider to log out of that session
:: Additional settings:
:: '''Assertion Target URL''' - target site URL
:: '''Assertion Private Key''' - private key used to establish the connection with the target site
===Identity Provider Configuration - Client-Side System===
Smartstaff (1,390 edits)