[Index]
Before You Begin
Create a self-signed or third-party-signed system certificate before you configure self-service SSO. For more information, see SSO Certificate Management.
The VOSS-4-UC server and the IdP (identify provider) server must be configured so that their clocks are synchronized.
Follow these steps to configure self-service Single Sign-On (SSO) for VOSS-4-UC. The configuration applies to the customers and customer administrators associated with the IdP.
Note
SSO support for administrative users is defined as follows:
Procedure
Log in to VOSS-4-UC as entadmin.
Choose Single Sign On > SSO SP Settings.
Click Add.
Note: Configure only one instance of SSO SP Settings.
On the Base tab, from the mandatory System Certificate drop-down, choose the System Certificate to use. To allow the SSO SP Setting to expire, enter a number of hours in the Validity (Hours) field.
Note:
On the SAML SP Settings tab, enter the mandatory FQDN of the Server.
Select the Sign Authn Requests and Want Assertions Signed check boxes as required by your security environment.
Note that if a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of End Points must be specified with https.
Click Save.
To view the location of the VOSS-4-UC SP metadata that you will upload to the IdP, choose Single Sign On > SSO SP Metadata. Point your browser to the URL shown here, and then save a copy of the SP metadata.
Upload the SP metadata to the IdP.
Refer to your IdP documentation for details on configuring SSO on your IdP.
Note:
The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the uid SAML attribute to sAMAccountName in the Active Directory server.
Download the IdP metadata from the IdP server.
Refer to your IdP documentation for details on downloading IdP metadata.
Note:
If an expired SSO certificate is being renewed and the IdP metadata has not changed, then the download, configure and upload of the IdP metadata is not required.
Log in as provider, reseller, or customer administrator, depending on your IdP configuration level.
Choose Administration Tools > File Management and upload the IdP metadata.
Choose Single Sign On > SSO Identity Provider.
Click Add to add the SSO Identity Provider configuration.
Note: Only one instance of an SSO Identity Provider can be configured for a hierarchy node.
On the SSO Identity Provider screen, complete at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).
Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.
Choose Single Sign On > SSO User to display enabled SSO users.
Use this URL for your SSO login:
https://<FQDN of the Server>/sso/<login_URI>/login
Upon login, the IdP will redirect you to this FQDN.
SSO Identity Provider Fields
| Field | Description |
|---|---|
| Entity Id * | Entity ID of the IdP. This can be extracted from the IdP metadata file. This field is mandatory. |
| Login URI * | Login URI for the IdP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes. This field is mandatory. |
| Local Metadata File * | Choose the IdP metadata file. This field is mandatory and must be unique across the system. |
| SSO Enabled | Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IdP. |
| Note | Reminder to upload the IdP metadata file |
| SSO Login URL | Read-only field displays the SSO Login URL to use. |
| Title | Description | Details | |||||||||||||||||||||||||||||||||||||||||||||||
| Entity Id * | The unique identifier of the Identity Provider. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Login URI | This is a URI that will be embedded in the base SSO login URL in order to authenticate specifically with this IDP. This field must only contain alphanumeric characters and forward slashes, and should match the following regular expression ^\w+(/\w+)*$ Eg. Given a login URI of provider1/customer1, end users wishing to authenticate against this IDP will login via the following URL: http://hostname/sso/provider1/customer1/login/. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Metadata | Indicates where metadata can be found. This can be either a file accessible locally on the system or somewhere on the network. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Local Metadata File |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Remote Metadata URL |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| URL | Location where metadata is to be downloaded from. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Certificate | To verify the authenticity of the file downloaded from the net the local copy of the public key should be used. This public key must be acquired by some out-of-band method. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Login Url |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| IDP Entity ID | The SSO IDP Entity ID |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| SSO Login URL | The URL will be updated after you add SSO IDP . |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Note | Reminder for Uploading IDP Metadata file first. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| SSO Enabled | This boolean indicates SSO has been enabled for this IDP or not? |
|
|||||||||||||||||||||||||||||||||||||||||||||||