Model: data/SsoUser

SSO Identity Provider

Before You Begin

Create a self-signed or third-party-signed system certificate before you configure self-service SSO. For more information, see SSO Certificate Management.

The VOSS Automate server and the IdP (identify provider) server must be configured so that their clocks are synchronized.

Follow these steps to configure self-service Single Sign-On (SSO) for VOSS Automate. The configuration applies to the customers and customer administrators associated with the IdP.

Note

Administrators are configured for SSO use via the Users form (default menu User Management > Users).

Procedure

Log in to VOSS Automate as hcsadmin.
Choose Single Sign On > SSO SP Settings.
Click Add.

Note: Configure only one instance of SSO SP Settings.
On the Base tab, from the mandatory System Certificate drop-down, choose the System Certificate to use. To allow the SSO SP Setting to expire, enter a number of hours in the Validity (Hours) field.

Note:
- Specifying an unsigned third-party-signed certificate will result in an error.
- To renew an expired certificate, follow the steps: Renew Single Sign-On Certificate for VOSS Automate.
On the SAML SP Settings tab, enter the mandatory FQDN of the Server.

Note

The FQDN of the Server is stored in the SP metadata that is uploaded to the IdP.

The SSO login URL then contains the fully qualified domain name (FQDN) :

https://<FQDN of the Server>/sso/<login_URI>/login

If you have configured a custom hostname for SSO user login, enter it here.

Upon login, the IdP will redirect you to this FQDN.

Select the Sign Authn Requests and Want Assertions Signed check boxes as required by your security environment.

Note that if a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of End Points must be specified with https.
Click Save.
To view the location of the VOSS Automate SP metadata that you will upload to the IdP, choose Single Sign On > SSO SP Metadata. Point your browser to the URL shown here, and then save a copy of the SP metadata.
Upload the SP metadata to the IdP.

Refer to your IdP documentation for details on configuring SSO on your IdP.

Note:

The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the uid SAML attribute to sAMAccountName in the Active Directory server.
Download the IdP metadata from the IdP server.

Refer to your IdP documentation for details on downloading IdP metadata.

Note:

If an expired SSO certificate is being renewed and the IdP metadata has not changed, then the download, configure and upload of the IdP metadata is not required.
Log in as provider, reseller, or customer administrator, depending on your IdP configuration level.
Choose Administration Tools > File Management and upload the IdP metadata.
Choose Single Sign On > SSO Identity Provider.
Click Add to add the SSO Identity Provider configuration.

Note: Only one instance of an SSO Identity Provider can be configured for a hierarchy node.
On the SSO Identity Provider screen, complete at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).
Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.
Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.

Use this URL for your SSO login:

https://<FQDN of the Server>/sso/<login_URI>/login

Upon login, the IdP will redirect you to this FQDN.

SSO Identity Provider Fields

Field	Description
Entity Id *	Entity ID of the IdP. This can be extracted from the IdP metadata file. This field is mandatory.
Login URI *	Login URI for the IdP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes. This field is mandatory.
Local Metadata File *	Choose the IdP metadata file. This field is mandatory and must be unique across the system.
SSO Enabled	Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IdP.
Note	Reminder to upload the IdP metadata file
SSO Login URL	Read-only field displays the SSO Login URL to use.

SSO Identity Provider

Full HTML Help

Integrating with an SSO Identity Provider

This procedure configures integration with a SSO identity provider (IdP).

Note

These steps include the default menus paths that ship with the system. You can also search for a page via the toolbar Search field.

Log in as Provider, Reseller, or Customer administrator (depending on your IdP configuration level).
Go to (default menus) Administration Tools > File Management and upload the IdP metadata.
Go to (default menus) Choose Single Sign On > SSO Identity Provider.
Click Add to add the SSO Identity Provider configuration.

Note

Only one instance of an SSO Identity Provider can be configured for a hierarchy node.
On the SSO Identity Provider screen, complete at least the mandatory fields (Entity ID, Login URI, Local Metadata File, User lookup field at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).

If custom attribute is used as the UID from Identity Provider, enter this attribute as the UID Attribute Name. This value is then evaluated first by VOSS Automate as the UID to identify the user and is for example used as an alternative user identifier when the default UID record is not present. If this value is not present, the default UID record is used to identify the user.

If a customer is using a custom domain, the Service Provider Domain Name is filled in at the hierarchy level and the login and metadata URLs used will be tied to the IdP as follows:
```
SSO Login URL:         ``https://<Service Provider Domain Name>/sso/<Login URI>/login``
Admin Portal:          ``https://<Service Provider Domain Name>/admin/sso/<Login URI>/login``
```
The metadata is obtained from: https://<Service Provider Domain Name>/sso/<Login URI>/metadata

If the Service Provider Domain Name is specified, the metadata XML file from VOSS-4UC then contains Service.Provider.Domain.Name in the assertion consumer service URL as shown in the example below:
```
<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://Service.Provider.Domain.Name/sso/acs/"
    index="1"/>
```
This metadata needs to be uploaded to the IdP (not the generic metadata obtained from SSO Service Provider Configuration).

Important

If you have previously uploaded metadata to the IDP and you subsequently complete this Service Provider Domain Name field, you need to remove the previous record from the IDP and re-upload the metadata so that it contains this field.
Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.
Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.

When the Service Provider Domain Name is not specified for a given IDP, these URLs are used for SSO login:

SSO Login URL:         ``https://<FQDN of the Service Provider>/sso/<login_URI>/login``
Admin Portal:          ``https://<FQDN of the Service Provider>/admin/sso/<Login URI>/login``

See SAML SP Settings FQDN in SSO SP Settings.

The IdP redirects to this FQDN on login.

Note

While an IdP may exist at more than one hierarchy in VOSS Automate, a user will only be permitted to log in if the user exists at or below the hierarchy of a single IdP.

SSO Identity Provider: Field Reference

Field	Description
Entity Id	Mandatory. Entity ID of the IDP. This field must exactly match the entity ID in the IdP metadata file.
Login URI	Mandatory. Login URI for the IDP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes.
Service Provider Domain Name	The FQDN that will be embedded in the SP metadata for this IdP for URLs that refer back to the Service Provider.
Local Metadata File	Mandatory. Choose the IdP metadata file. This field must be unique across the system.
SSO Enabled	Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IDP.
Note	Reminder to upload the IdP metadata file
SSO Login URL	Read-only field displays the SSO Login URL to use. Users with `selfservice` role and no Authorized Admin Hierarchy will be redirected to Self-service.
Admin SSO Login URL	Read-only. Displays the new Admin Portal SSO Login URL to use.
Business Admin SSO Login URL	Read-only. Displays the new Business Admin Login URL to use. From release 21.4, this will always redirect to the new Admin Portal.
User lookup field	Mandatory. Select the field to bind the VOSS and SSO user - typically `username`.
UID Attribute Name	An optional attribute name string value configured on the Identity Provider to be used as UID for authentication. If present, this value is evaluated first by VOSS Automate as the UID and used as an alternative user identifier when the default UID record is not present. If this value is not present, the default UID record is used to identify the user.
Authentication Scope	Hierarchical scope this server applies to. Full tree authentication (default): All nodes at and below this node in its tree can authenticate against this server. Local authentication: Only users at this node can authenticate against this server.
User sync type	Type of users that can authenticate against this server. Synced users only: Only users synced in from LDAP can authenticate against this server. All users

For Authentication Scope, also see User Login Options by Authentication Method and Server Authentication Scope.

SSO Scenarios for User Roles

The table maps user roles to the log in URLs - single role or multiple role (includes Authorized Admin Hierarchy):

User Role	Auth Admin?	URL used	UI (Session Limiting)	Expected Behavior
selfservice	Yes	https:/<hostname>/sso/<login-uri>/login	administrator	Redirect to Admin Portal
selfservice	Yes	https:/<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal
selfservice	No	https:/<hostname>/sso/<login-uri>/login	selfservice	Redirect to Self-service
administration	Yes	https:/<hostname>/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	Yes	https:/<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	No	https:/<hostname>/sso/<login-uri>/login	administrator	Redirect to Admin Portal
administration	No	https:/<hostname>/admin/sso/<login-uri>/login	administrator	Redirect to Admin Portal

Administrators set up with SSO but who have multiple user roles and who wish to access the Self-service interface must navigate to the Self-service portal URL upon login:

https://<Hostname>/selfservice/#/

Maps an SSO user to a data user instance (data/User).

Model Details: data/SsoUser

An asterisk * in the title indicates the field is mandatory.
If a field has a default value, it is shown in the Description column.
If the field type is an array, the Field Name has a .[n] suffix, where n is the array index placeholder.
Object and array field names are listed to provide context. If a field belongs to an object or an array, the full field name is shown in dot separated notation.

Title	Description	Details
SSO Identity Provider *	The entity id of the SSO Identity Provider.	Field Name: sso_idp Type: String Target: data/SsoIdentityProvider Target attr: entity_id Format: uri
SSO Username *	The name identifier that is used for an SSO authenticated user.	Field Name: sso_username Type: String
Data Username	The data username that is mapped to the associated SSO authenticated user.	Field Name: data_username Type: String Target: data/User Target attr: username Format: uri