Configure Single Sign-On for VOSS-4-UC
Before You Begin
Create a self-signed or third-party-signed system certificate before you configure self-service SSO. For more information, see SSO Certificate Management.
The VOSS-4-UC server and the IDP (identity provider) server must be configured so that their clocks are synchronized.
Follow these steps to configure self-service Single Sign-On (SSO) for VOSS-4-UC. The configuration applies to the customers and customer administrators associated with the IDP.
Note
Administrators are configured for SSO use via the Users form (default menu User Management > Users).
SSO Service Provider Configuration
Log in to VOSS-4-UC as system administrator.
Choose Single Sign On > SSO SP Settings.
Click Add.
Note: Configure only one instance of SSO SP Settings.
On the Base tab, from the mandatory System Certificate drop-down, choose the System Certificate to use. See SSO Certificate Management.
To allow the SSO SP Setting to expire, enter a number of hours in the Validity (Hours) field.
Note
- Specifying an unsigned third-party-signed certificate will result in an error.
- To renew an expired certificate, follow the steps: Renew Single Sign-On Certificate for VOSS-4-UC.
On the SAML SP Settings tab, enter the mandatory FQDN of the Server. Select the Sign Authn Requests and Want Assertions Signed check boxes as required by your security environment.
Note
Only select Want Response Signed if you are sure that all Identity Providers sign responses.
Note that if a secure connection is required, with the secure attribute set on the cookies, the URL values for the End Point bindings must be specified with https.
Click Save.
To view the location of the VOSS-4-UC SP metadata that you will upload to the IDP, choose Single Sign On > SSO SP Metadata. Point your browser to the URL shown here, and then save a copy of the SP metadata.
Upload the SP metadata to the IDP.
Refer to your IDP documentation for details on adding VOSS-4-UC as a service provider.
Note:
The IDP must release the UID and map it to an appropriate attribute. For example, an IDP that authenticates with Active Directory can map the uid SAML attribute to sAMAccountName in the Active Directory server.
Download the IDP metadata from the IDP server.
Refer to your IDP documentation for details on downloading IDP metadata.
Note:
If an expired SSO certificate is being renewed and the IDP metadata has not changed, then the download, configure and upload of the IDP metadata is not required.
Integrating with an SSO Identity Provider
Log in as provider, reseller, or customer administrator, depending on your IDP configuration level.
Choose Administration Tools > File Management and upload the IDP metadata.
Choose Single Sign On > SSO Identity Provider.
Click Add to add the SSO Identity Provider configuration.
Note: Only one instance of an SSO Identity Provider can be configured for a hierarchy node.
On the SSO Identity Provider screen, complete at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).
If a customer is using a custom domain, the Service Provider Domain Name is filled in at the hierarchy level and the login and metadata URLs used will be tied to the IDP as follows:
https://<Service Provider Domain Name>/sso/<Login URI>/login
The metadata is obtained from:
https://<Service Provider Domain Name>/sso/<Login URI>/metadata
If the Service Provider Domain Name is specified, the metadata XML file from VOSS-4-UC then contains Service.Provider.Domain.Name in the assertion consumer service URL, as shown below:
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://Service.Provider.Domain.Name/sso/acs/" index="1"/>
This metadata needs to be uploaded to the IDP as opposed to the generic metadata obtained from SSO Service Provider Configuration.
Important
If you have previously uploaded metadata to the IDP and you subsequently complete this Service Provider Domain Name field, you need to remove the previous record from the IDP and re-upload the metadata so that it contains this field.
Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.
Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.
When the Service Provider Domain Name is not specified for a given IDP, the following URL is to be used for SSO login:
https://<FQDN of the Service Provider>/sso/<login_URI>/login
(See SAML SP Settings FQDN in SSO Service Provider Configuration.)
Upon login, the IDP will redirect to this FQDN.
Note
While an IDP may exist at more than one hierarchy in VOSS-4-UC, a user will only be permitted to log in if the user exists at or below the hierarchy of a single IDP.
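Before uploading SP metadata to the IDP or saving the SSO Identity Provider entry, it is worth checking the metadata against the requirements above. The following script is an added example, not part of the VOSS-4-UC documentation or product: it verifies that every endpoint uses https, that the ACS URL carries the Service Provider Domain Name, that the signing flags are set, and that the configured Entity Id exactly matches the IDP metadata. Both metadata documents and the domain and entityID values are constructed placeholders.

```python
# Added example (not VOSS-4-UC code): pre-flight checks on SAML metadata.
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata; the SLO endpoint deliberately uses plain http.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://Service.Provider.Domain.Name/sso/acs/metadata">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://Service.Provider.Domain.Name/sso/acs/" index="1"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://Service.Provider.Domain.Name/sso/slo/"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed IDP metadata with a placeholder entityID.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.invalid/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text, sp_domain):
    """Return findings: non-https endpoints (required when cookies are marked
    secure), an ACS host that is not the Service Provider Domain Name (i.e. the
    generic metadata was exported instead), and missing signing flags."""
    root = ET.fromstring(xml_text)
    findings = []
    for ep in root.iter():
        loc = ep.get("Location")
        if loc is None:
            continue
        tag = ep.tag.split("}")[1]          # strip the {namespace} prefix
        url = urlparse(loc)
        if url.scheme != "https":
            findings.append(f"{tag}: endpoint {loc} is not https")
        if tag == "AssertionConsumerService" and url.hostname != sp_domain.lower():
            findings.append(f"{tag}: host {url.hostname} is not {sp_domain}")
    desc = root.find("md:SPSSODescriptor", NS)
    for attr in ("AuthnRequestsSigned", "WantAssertionsSigned"):
        if desc is None or desc.get(attr) != "true":
            findings.append(f"SPSSODescriptor: {attr} is not enabled")
    return findings

def idp_entity_id_matches(xml_text, configured_entity_id):
    """The Entity Id field must exactly match the entityID in the IDP metadata."""
    return ET.fromstring(xml_text).get("entityID") == configured_entity_id
```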
SSO Identity Provider Fields
Field | Description |
---|---|
Entity Id * | Entity ID of the IDP. This field must exactly match the entity ID in the IDP metadata file. This field is mandatory. |
Login URI * | Login URI for the IDP. This is the URI that will be embedded in the SSO Login URL. It can contain only alphanumeric characters and forward slashes. This field is mandatory. |
Service Provider Domain Name | The FQDN that will be embedded in the SP metadata for this IDP for URLs that refer back to the Service Provider. |
Local Metadata File * | Choose the IDP metadata file. This field is mandatory and must be unique across the system. |
SSO Enabled | Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IDP. |
Note | Reminder to upload the IdP metadata file. |
SSO Login URL | Read-only field that displays the SSO Login URL to use. |
User lookup field | Select the field to bind the VOSS and SSO user, typically username. |
Authentication Scope | Hierarchical scope this server applies to. |
User sync type | Type of users that can authenticate against this server. |
[1] | See also: User Login Options by Authentication Method and Server Authentication Scope. |