Smartstaff
1,385
edits
Changes
→User Creation Option (JIT Provisioning)
===Service Provider Configuration - SmartSimple===
Within SmartSimple, SSO settings are accessed through the '''''Global Setting -> Integration Settings''''' →''''' Integration''' ''tab.
[[File:sso-001.png|thumb|none|600px|Navigating to the SSO configuration.]]
* '''Third-Party Identity Provider'''- specify what SSO authentication method is used (Identity-Provider initiated or Service Provider-initiated)
** '''Endpoint''' - specify the redirect IdP-initiated or SP-Initiated endpoint. This redirect will be rendered in the [[Login Page]].
* It is also recommended to disable the Session Timeout Alert setting within the '''''Global Settings -> ''''' → '''''Security ''' ''section as that feature would not be applicable to users logged in through single sign-on.* By default, SSO acts as an additional method of authentication. If you wish to enforce the use of SSO, and restrict the regular username and password authentication, you can do so with the '''''Global Settings -> ''''' → '''''Integration -> ''''' → '''''Enforce SSO ''''' setting which allows you to restrict a set of user roles to only be able to login through SSO.
====Additional Settings====
* '''Bypass Two Factor Authentication''' - [[Multi-Factor Authentication|Bypass Two Factor Authentication ]] when logged in with SSO
* '''Enable Debug Mode''' - When enabled, it ignores the SSO time stamp and output SSO assertion message in the [[Configuration_Error_Log|Congifuration Error Log]]
* '''Default Landing Page''' - used to specify an initial landing page within SmartSimple instance. This should be a relative path (e.g. /iface/ex/ax_index.jsp).
<!--Ticket#52854 - SSO logout assertion SLO-->
* '''Logout Redirect URL''' - redirect url when SSO users logout
* '''Enable Logout Assertion''' - will send a logout assertion to the Identity Provider to log out of that session
: Additional settings for ''Enable Logout Assertion'':: '''Assertion Target URL''' - target site url: '''Assertion Private Key''' - private key to establish connection with the target site.=====User Creation Option(JIT Provisioning)=====
When users need to be created on the fly after SSO authentication, the following configuration settings are available:
* '''Create New User on No Match'''– when enabled, it will create new user when no matching is found and will allow login for new user upon successful authentication
* '''Define User Roles Through Custom Attribute'''– when enabled, it will use the SSO assertion “Roles” attribute to define users’ system roles.
* '''Default User Role When No Matching Role Found<span style="color: #ff0000;">*</span>'''– selected role from this dropdown will be assigned to new created users only if “Roles” attribute in the assertion is empty, excluded or if the role name value does not match any existing role in your SmartSimple instance.* '''Default New User StatusStatus '''– assigned user’s status for new users only* '''Create New Organization When No Match FoundFound '''– when enabled, it will create a new parent organization when no matching organization exists your SmartSimple instance.* '''Default OrganizationOrganization <span style="color: #ff0000;">*</span>'''– assigned user’s parent organization for new users
* '''Default New Organization Status'''– assigned parent organization’s status for new organizations
'''<span style="color: #ff0000;">* <span style="color: #000000;">- mandatory fields when creating users thru SSO.</span></span>'''
=====Optional Attibutes=====
The following optional attributes can be used in the assertion. Please note that they are case sensitive and should be labelled exactly.
* '''SSOModule''' - used to specify the SmartSimple SSO connection when there are multiple connections configured.i.e. "SAML2" for prod, "SSOBK" for backup instance, "SSODEV" for dev instance, "SSOTest" for test instance. Note that the attribute name and attribute value are case sensitive
* '''Email'''
* '''First name'''
* '''Roles''' - used to update the user's roles in SmartSimple for new users. This should be a comma delimited list of SmartSimple user roles (by name) to be assigned to the user.
* '''Language''' - used to specify the initial language displayed to the user. This should be an integer value that corresponds with a language ID value in SmartSimple (e.g. 1=English).
=====Role Mapping=====
<!--Ticket#124791 - SSO to update roles for existing users for a fully federated SSO-->
Apply Role Mapping to new and existing users to control user roles within your SmartSimple system. Define the list of system roles you wish to be monitored upon each SSO authentication by a user. With external role mapping enabled, a user's roles within the system will be adjusted according to the role attributes explicitly provided by the assertion. Based upon the role mapping below, the user will be provisioned with all the roles as defined by the assertion attributes, and will also be stripped of any roles that they may currently possess that are listed in this setting but were not defined in the assertion attributes system.
* '''Roles to be Monitored '''– define the list of system roles you wish to be monitored upon each SSO authentication by a user
* '''Mapping '''– map all roles indicated above to the external role name from the client Identity Provider service
Detailed expected behaviour of this settings can be found in Section 4
=====Multi Environment Support=====
<!--Ticket# 134892 - Service Provider initiated Single Sign On (SP-initiated SSO)-->
When you have multiple environments with unique SSO configurations (such as production, testing, development and backup), group them under the same MES group identifier. This will give you a consistent configuration of your login page across multiple environments. The system will then detect and render the appropriate SSO login link using the MES Environment Identifier.
* '''MES Group Identifier''' – assign the same MES Group Identifier name to the SSO configuration for your development, production, testing and backup environments.
* '''MES Environment Identifier '''– enter the domain of the SmartSimple environment that will display tis SSO service endpoint on the login page i.e. alias.smartsimple.com or alias.smartsimplebk.com
Additional settings to be configured is from the main login page ('''''Waffle''''' → '''''Global Settings''''' → '''''Branding''''' → '''''Login Pages''''') under the Single Sign-On section, select the MES Group Identifier from the dropdown list, and add button label i.e. ''Employee Login''.
====X.509 Certificate on the SP-Initiated SSO====
<!-- 148020 - Adding SP x509 signing certificate for SSO metadata and SSO authorization request -->
In the July 2023 upgrade, a new feature to support X.509 signing certificate for single sign-on (SSO) authorization requests has been added.
If you are using a service provider-initiated SSO, a signed authentication request embedded with the signed value and the X.509 certificate will be sent to the identity provider (IdP).
The new setting is located at Global Settings > Integrations tab > Single Sign-on > Edit a SP-initiated SSO and toggle on Sign authentication request sent to identity provider (IdP).
===Identity Provider Configuration - Client-Side System===
</md:ContactPerson>
</md:EntityDescriptor>
</pre>
====Active Directory Federation Services (ADFS)====
* To test or use this connection use your internal ADFS URL and specify the loginToRp parameter as the SmartSimple SAML entity ID, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/'''.<br/> If you aren't automatically redirected into SmartSimple you may need to have RelayState enabled in ADFS, and then use a RelayState parameter to achieve this, e.g. '''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?RelayState=RPID%3Dhttps%3A%2F%2Falias.smartsimple.com%2F%26RelayState%3Dhttps%253A%252F%252Falias.smartsimple.com%252F'''.
====AzureIdentity Provider====
Configuration items listed are specifics SSO to work in SmartSimple:
:: '''Roles''': user.assignedroles
:: '''SSOModule''': constant value that is going to be used in the SmartSimple configuration "SSO Alias"
: Note that all attribute names are case sensitive and should be named are named as indicated above. First name, Last name and Email are mandatory to create a new user. * To test, go to ''Single sign-on'', click on ''Test this application'' from the tab header. Select "''Sign in as current user''" and click on the ''Test sign in'' button. Please make sure that the current user is existing in the SmartSimple instance to have a successful SSO login.
After configuration has been completed, provide the following to SmartSimple:
# URL Redirect
#* "User Access URL" for IdP-initiated SSO (Found under "''Properties''")
#* "Logon Login URL" for SP-initiated SSO (Found under ''Single Sign-on'' → ''Set up 'Application Name')''
====OKTA====
** '''Name ID format''': EmailAddress
** '''Application username''': Email
* Configuration Settings below are have default value:
** '''Update application username on''': Create and update
** '''Response''': SIgned
** '''SSOModule'''
Note that all attribute names are case sensitive and should be named are indicated as indicated above. First name, Last name and Email are mandatory to create a new user.
</samlp:AuthnRequest>
</pre></div>
==Adding URL Redirect in the Login Page==
From the [[Login Page]], the SSO URL redirect can be added to redirect internal users to the client's Identity Provider login page.
To configure, go to
1. Waffle → Global Settings → Branding → Login Pages
2. From the Login Pages listview, select the default login page to add the SSO URL redirect to.
3. Go to the Singe Sign-On section, select the MES Group Identifier and add the Link Label i.e. Employee Login
4. Click Save
Variables to use in a custom page layout:
* @ssodisplaylink@ - the variable to use to add the Link Label and hyperlink in the login template
* @ssotargetlink@ - the variable to use to retrieve the SSO login URL<br /> <br />
==Troubleshooting==
In order to retrieve information about why SSO is failing, first toggle the "Debug Mode" option within the SSO configuration in SmartSimple, and then test the SSO in order to generate log data within the Configuration Error Log.
* '''SAML failed. No user account found'''
: This means that a corresponding active user was not found in the SmartSimple instance. Check the [Unique Identifier Field] that is configured in the SSO setting, and then compare the value of the "NameID" node sent within the SAML assertion to see if a user with that field value exists in SmartSimple. Check that the user is activated and allows login.
* '''SAML failed. Login session is null / Invalid SAML Response'''
: Check that a matching user account exist
: Check x509 certificate
: Verify that the endpoint in the SSO assertion is correct. There should be a Response node with a parameter like Destination="https://alias.smartsimple.com/SAML2/"
* '''SAML signature validation failed'''
: This means that the x509 certificate does not match between the SAML Assertion and the value configured in the instance SSO settings.
* '''SAML response expired'''
: Check the datetime value of the parameter named ''NotAfter'' and ''NotBefore'' within the SAML Assertion and compare these with the expected datetime that the assertion was sent. It is possible to adjust the '''Timestamp Time Zone''' dropdown settings.
* '''Invalid response format. Unparseable date'''.
: Check that the SAML Assertion contains both parameters: ''NotAfter'' and ''NotBefore''
* '''SAML processing error'''
: Check that the value for the ''SSO Alias'' is "SAML2" for SSO in production instance
: If it is for a Multi Environment, value in the ''SSO Alias'' should be the value in the attribute ''SSOModule''
* '''No log file is found in SmartSimple'''
: Verify the parameter: Destination="https://alias.smartsimple.com/SAML2/" from the SSO Assertion.
: Check that the value for the ''SSO Alias'' is "SAML2" for SSO in production instance.
: If it is for a Multi Environment, value in the ''SSO Alias'' should be the value in the attribute ''SSOModule''
* '''After logging thru SSO, you are redirected to "mesagetype=30"'''
: Verify that the alias of the instance is correct. To verify the alias, go to '''''Waffle''''' → '''''Global Settings''''' → '''''Branding''''' → '''''Web Alias'''''. Make sure that the Web Alias value is the same as the domain alias.
* '''SAML InReponseTo does not match any of the possible Request IDs'''
: Verify the alias of the instance is correct.
: Verify that the SSO configuration for multiple environment do not have duplicate MES Environment Identifier.
==Expected Behaviour for Role Mapping==
<!--Ticket#124791 - SSO to update roles for existing users for a fully federated SSO-->
'''Scenerio 1: ''User Access Mapping'' set to ''Disabled'' / ''Create New User'' on ''No Match'' is ''OFF'''''
* User will not be created if user does not exist in the SmartSimple instance
* Only existing users in the SmartSimple instance will be able to login and no role/status updates for existing users
'''Scenerio 2: ''User Access Mapping'' set to ''Disabled'' / ''Create New User'' on ''No Match'' is ''ON'' '''
* User will be created with default new user role / default new user status settings if users does not exist in the SmartSimple instance
* No role updates based on default new user role / default new user status if user exists
'''Scenerio 3: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''OFF'' / No Assertion defined '''
* User will not be created if user does not exist in the SmartSimple instance
* No role updates if accessing SSO with existing users
'''Scenerio 4: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''OFF'' / Assertion is defined '''
* User will not be created if user does not exist in the SmartSimple instance
* No role updates if accessing with existing account
* No role updates if it is not referenced in the defined assertion
* Role updates if accessing with existing account only if they are defined in the ''User Roles Assertion Mapping''. Role update will be based on the mappings defined under ''Mapping''.
'''Scenerio 5: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''ON'' / No Assertion defined'''
* User will be created with default new user role / default new user status settings if user does not exist in the SmartSimple instance
* No role updates if accessing with existing account that does not have roles defined in the ''User Roles Assertion Mapping''
'''Scenerio 6: ''User Access Mapping'' set to ''Enabled'' / ''Create New User'' on ''No Match'' is ''ON'' / Assertion is defined '''
* User will be created with roles defined in the assertion if user does not exists in the SmartSimple instance and assertion roles are defined in the ''User Roles Assertion Mapping''
* User role updates based on the defined assertion if accessing with existing accounts that has roles defined in the assertion
* No role updates if accessing with existing accounts that has no roles defined in the assertion or if roles in assertion was not mapped in the ''User Roles Assertion Mapping''
'''Scenerio 7: ''User Access Mapping'' set to ''Classic Mode'' / ''Create New User'' on ''No Match'' is ''ON'' / No Assertion is defined'''
* User will be created with default new user role / default new user status settings if user does not exist in the SmartSimple instance
* No role updates if accessing with user account that already exists in the SmartSimple instance
'''Scenerio 8: ''User Access Mapping'' set to ''Classic Mode'' / ''Create New User'' on ''No Match'' is ''ON'' / Assertion is defined'''
* User will be created with roles defined in the assertion if user does not exist in the SmartSimple instance and assertion roles are defined in the ''User Roles Assertion Mapping''
* User will be created with default new user role / default new user status settings if user does not exists in the SmartSimple instance and if assertion roles do not exist in the ''User Roles Assertion Mapping''
* When Access Mapping is set to Classic Mode and there is no mapping section, role updates will only happen in user creation and the roles in assertion has to have the same user role names matching value with the SmartSimple role names.
==Example of SSO configuration in SmartSimple==
===Configuration for SSO in production instance===
SmartSimple SSO Configuration as the Service Provider in the client's SmartSimple production instance.
'''A. SSO Configuration'''
1. Navigate to '''Global Settings''' → '''Integrations''' tab → '''Single Sign-On''' section
2. Click on the “'''+'''” icon to create a new SSO configuration on the instance
3. Fill out the mandatory fields:
: '''SSO Alias''': '''''SAML2''''' (default alias for production instance)
: '''Signing Certificate (X.509)''': cut and paste the x509 certificate after configuration of the client's Identity Provider
: '''Timestamp Time Zone''': '''''--UTC/GMT--''''' (default from the dropdown)
: '''MES Group Identifier''': '''''SSOProd''''' (open text field)
: '''MES Environment Identifier''': '''''alias.smartsimple.com''''' (client's url production instance)
: '''Method''': '''''Identity Provider-initiated''''' (default setting)
: '''Identity Provider Service Endpoint''': this is the url login redirect.
:: For Azure, the value in '''''User Access URL''''' (Found under '''''Properties''''')
:: For OKTA, the value in '''''Embed Link''''' (Found under '''''General''''' tab in the '''''App Embed Link''''' Section)
:: For ADFS, the redirect is '''''https://adfs.yourlocaldomain.com/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://alias.smartsimple.com/'''''
: '''Unique Identifier FIeld (UID)''': from the dropdown, select '''''*E-Mail''''' (Default value but it can also be the Employee ID or any unique identifier in the user profile)
: '''Bypass Multi-Factor Authentication (MFA)''': enabled
4. Click Save
'''B. Login Page Configuration'''
1. Navigate to '''Global Settings''' → '''Branding''' tab → '''Login Pages''' section
2. From the '''Primary''' tab, click on the pencil icon for the first item on the list view - the default Login Page
3. From the '''General''' tab, go to the '''Single Sign-On''' section and complete fields:
: '''MES Group Identifier''': from the dropdown, select '''''SSOProd'''''
: '''Link Label''': '''''Employee Login''''' (open text field)
4. Click Save
Upon logout, the SSO button will be visible below the the username/password.
[[File:SSO_Login.png|thumb|none|300px|SSO User Creation Settings.]]
===Configuration for multi-environment SSO===
If client has 4 environments (Prod, Backup, Dev, Test), settings above will be created one for each environment.
Note that these settings will need to be copied over to different instances so as when T2P occurs, all settings are existing and copied over and no editing is necessary after T2P.
{| class="wikitable"
|-
!|
!|SSO Alias
!|Description
!|MES Group Identifier
!|MES Environment Identifier
|-
||1
||<span style="color: #ff0000;">SAML2</span>
||This is used for production instance
||SSOID1
||alias.smartsimple.com
|-
||2
||BKSSO
||SSO for backup instance
||SSOID1
||alias.smartsimplebk.com
|-
||3
||DevSSO
||SSO for DEV instance
||SSOID1
||alias-dev.smartsimple.com
|-
||4
||TestSSO
||SSO for TEST instance
||SSOID1
||alias-test.smartsimple.com
|}
Notes:
1. All columns above are open text fields and can be renamed as desired. Item 1's alias name is the only default/required value for prod.
2. For items 2 to 4, the attribute name "'''''SSOModule'''''" with the '''''SSO Alias''''' value should be included in the Identity Provider configuration. Note that the SSO Alias is case sensitive and should be labelled exactly.
3. From the Login Page, the MES Group Identifier will be the same as shown "'''''SSOID1'''''". It will redirect to the correct Redirect URL Endpoint as it will recognize what instance the user is trying to use the SSO in.
===Configuration for two IdP within production instance===
Example configuration below is when a client has two existing Identity Provider Services.
All SSO configuration below are used for client's production instance:
{| class="wikitable"
|-
!|
!|SSO Alias
!|Description
!|MES Group Identifier
!|MES Environment Identifier
|-
||1
||<span style="color: #ff0000;">SAML2</span>
||IdP Service 1
||SSOID1
||alias.smartsimple.com
|-
||2
||SSOProd2
||IdP Service 2
||SSOID2
||alias.smartsimple.com
|}
Notes:
1. Item 1 is for client's first Identity Provider Service.
2.Item 2 is the second configuration for the client's second Identity Provider Service. The attribute name "'''''SSOModule'''''" with the '''''SSO Alias''''' value should be included in the Identity Provider configuration. Note that the SSO Alias is case sensitive and should be labelled exactly.
[[Category:Integration]][[Category:System Integration]]
[[Category:Identity and Access Management]]
[[Category:Security]]
