Changes

Single Sign-On

43 bytes added, 18:32, 5 December 2019
Service Provider Configuration - SmartSimple
[[File:sso-001.png|thumb|none|600px|Navigating to the SSO configuration.]]
[[File:sso-002.png|thumb|none|800px|SSO configuration settings.]]
====Mandatory Settings====
* '''Use UID as Unique Identifier''' - use node name UID as unique identifier for users. Default is NameID.
* '''Bypass Two Factor Authentication''' - Bypass Two Factor Authentication when logged in with SSO
* '''Enable Debug Mode''' - Ignore the SSO time stamp and output error messages and the SSO message in the [[Configuration_Error_Log|Configuration Error Log]]
* '''Default Landing Page''' - used to specify an initial landing page in SmartSimple. This should be a relative path (e.g. /iface/ex/ax_index.jsp).
* '''IP Mask''' -
* '''Logout Redirect URL''' - URL to redirect to when SSO users log out
 
<!--Ticket#52854 - SSO logout assertion SLO-->
* '''Enable Logout Assertion''' - will send a logout assertion to the Identity Provider to log out of that session
*: Additional settings for ''Enable Logout Assertion'':
*: '''Assertion Target URL''' - target site url
*: '''Assertion Private Key''' - private key to establish connection with the target site
 
====Optional Attributes====
The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.
 
* SSOModule - used to specify the SmartSimple SSO connection when there are multiple connections configured.
* UID - can be used instead of NameID as the user identifier.
* Email
* First name
* Last name
* Department - used to update the user's organization. This will attempt to match an organization by name and will move the user to that organization if found.
* Roles - used to update the user's roles in SmartSimple. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.
* Language - used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).
===Identity Provider Configuration - Client-Side System===
* Finish the setup, and then return to the "Claim Rules" editor, and select the "Issuance Transform Rules" tab and add a new rule. Set the "Rule Type" to use the 'Send LDAP Attributes as Claims' template and configure the mapping to the agreed upon user identifier (e.g. LDAP attribute 'E-Mail-Addresses' to Outgoing Claim Type 'NameID'). Depending on your ADFS version and setup you may instead need to create two rules, one to map the attributes E-mail to E-mail, and then a second rule to transform the E-mail to the outgoing NameID.
* To test or use this connection use your internal ADFS URL and specify the loginToRp parameter as the SmartSimple SAML entity ID, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/'''.<br/> If you aren't automatically redirected into SmartSimple you may need to have RelayState enabled in ADFS, and then use a RelayState parameter to achieve this, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2Falias.smartsimple.com%2F%26RelayState%3Dhttps%253A%252F%252Falias.smartsimple.com%252F'''.
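
The two URL forms above can be generated and checked with a short script. This is an added example, not SmartSimple or ADFS code: the function names are hypothetical, and it reproduces the encoding depth of the example URLs on this page (RPID encoded once, the landing URL twice). It assumes the entity ID contains no <code>&</code> or <code>%</code>.

```python
from urllib.parse import parse_qs, quote, urlsplit

ADFS_PATH = "/adfs/ls/idpinitiatedsignon.aspx"  # path used in the page's URLs


def build_signon_url(adfs_host, rp_entity_id, landing_url=None):
    """Return the IdP-initiated sign-on URL for one relying party."""
    if "&" in rp_entity_id or "%" in rp_entity_id:
        raise ValueError("entity ID would break the RPID/RelayState pair")
    base = f"https://{adfs_host}{ADFS_PATH}"
    if landing_url is None:
        # Simple form: ADFS signs the user in to the relying party only.
        return f"{base}?loginToRp={rp_entity_id}"
    # RelayState form: the landing URL is percent-encoded on its own first,
    # then the whole "RPID=...&RelayState=..." string is encoded again.
    inner = f"RPID={rp_entity_id}&RelayState={quote(landing_url, safe='')}"
    return f"{base}?RelayState={quote(inner, safe='')}"


def parse_relaystate_url(url):
    """Undo both encoding layers; return (rp_entity_id, landing_url)."""
    outer = parse_qs(urlsplit(url).query, strict_parsing=True)
    inner = parse_qs(outer["RelayState"][0], strict_parsing=True)
    return inner["RPID"][0], inner["RelayState"][0]


def same_origin(rp_entity_id, landing_url):
    """True when the landing URL stays on the relying party's own host."""
    a, b = urlsplit(rp_entity_id), urlsplit(landing_url)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


if __name__ == "__main__":
    rp = "https://alias.smartsimple.com/"  # entity ID from the page's example
    # Constructed landing URL, built from the page's relative-path example.
    link = build_signon_url("adfs.yourlocaldomain.com", rp,
                            rp + "iface/ex/ax_index.jsp")
    print(link)
    rp_id, landing = parse_relaystate_url(link)
    print(rp_id, landing, same_origin(rp_id, landing))
```

Decoding a link with <code>parse_relaystate_url</code> before distributing it confirms which relying party and landing page it actually sends users to.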
 
===Optional Information===
The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.
 
* SSOModule - used to specify the SmartSimple SSO connection when there are multiple connections configured.
* UID - can be used instead of NameID as the user identifier.
* Email
* First name
* Last name
* Department - used to update the user's organization. This will attempt to match an organization by name and will move the user to that organization if found.
* Roles - used to update the user's roles in SmartSimple. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.
* Language - used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).
* RedirectURL - used to specify an initial landing page in SmartSimple. This should be a relative path (e.g. /iface/ex/ax_index.jsp).
===SAML Assertion Example===
Smartstaff
1,385
edits
