[Index]

Model: relation/HcsSsoSpREL

SSO Identity Provider

Full HTML Help

Before You Begin

Create a self-signed or third-party-signed system certificate before you configure self-service SSO. For more information, see SSO Certificate Management.

The VOSS Automate server and the IdP (identify provider) server must be configured so that their clocks are synchronized.

Follow these steps to configure self-service Single Sign-On (SSO) for VOSS Automate. The configuration applies to the customers and customer administrators associated with the IdP.

Note

Administrators are configured for SSO use via the Users form (default menu User Management > Users).

Procedure

  1. Log in to VOSS Automate as hcsadmin.

  2. Choose Single Sign On > SSO SP Settings.

  3. Click Add.

    Note: Configure only one instance of SSO SP Settings.

  4. On the Base tab, from the mandatory System Certificate drop-down, choose the System Certificate to use. To allow the SSO SP Setting to expire, enter a number of hours in the Validity (Hours) field.

    Note:

  5. On the SAML SP Settings tab, enter the mandatory FQDN of the Server.

    Note

    The FQDN of the Server is stored in the SP metadata that is uploaded to the IdP.

    The SSO login URL then contains the fully qualified domain name (FQDN) :

    https://<FQDN of the Server>/sso/<login_URI>/login

    If you have configured a custom hostname for SSO user login, enter it here.

    Upon login, the IdP will redirect you to this FQDN.

    Select the Sign Authn Requests and Want Assertions Signed check boxes as required by your security environment.

    Note that if a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of End Points must be specified with https.

  6. Click Save.

  7. To view the location of the VOSS Automate SP metadata that you will upload to the IdP, choose Single Sign On > SSO SP Metadata. Point your browser to the URL shown here, and then save a copy of the SP metadata.

  8. Upload the SP metadata to the IdP.

    Refer to your IdP documentation for details on configuring SSO on your IdP.

    Note:

    The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the uid SAML attribute to sAMAccountName in the Active Directory server.

  9. Download the IdP metadata from the IdP server.

    Refer to your IdP documentation for details on downloading IdP metadata.

    Note:

    If an expired SSO certificate is being renewed and the IdP metadata has not changed, then the download, configure and upload of the IdP metadata is not required.

  10. Log in as provider, reseller, or customer administrator, depending on your IdP configuration level.

  11. Choose Administration Tools > File Management and upload the IdP metadata.

  12. Choose Single Sign On > SSO Identity Provider.

  13. Click Add to add the SSO Identity Provider configuration.

    Note: Only one instance of an SSO Identity Provider can be configured for a hierarchy node.

  14. On the SSO Identity Provider screen, complete at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).

  15. Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.

  16. Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.

Use this URL for your SSO login:

https://<FQDN of the Server>/sso/<login_URI>/login

Upon login, the IdP will redirect you to this FQDN.

SSO Identity Provider Fields

Field Description
Entity Id * Entity ID of the IdP. This can be extracted from the IdP metadata file. This field is mandatory.
Login URI * Login URI for the IdP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes. This field is mandatory.
Local Metadata File * Choose the IdP metadata file. This field is mandatory and must be unique across the system.
SSO Enabled Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IdP.
Note Reminder to upload the IdP metadata file
SSO Login URL Read-only field displays the SSO Login URL to use.

SSO SP Settings

Full HTML Help

Configure SSO for VOSS Automate

This procedure configures self-service Single Sign-On (SSO) for VOSS Automate.

Note

Prerequisites:

To configure self-service Single Sign-On (SSO) for VOSS Automate:

  1. Log in to VOSS Automate as hcsadmin.

  2. Go to (default menus) Single Sign On > SSO SP Settings.

  3. Click Add.

    Note

    Configure only one instance of SSO SP Settings.

  4. On the Base tab (or pane):

  5. On the SAML SP Settings tab (or panel):

    Note

    If a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of end points must be specified with https.

    The Assertion Consumer Service fields define how SAML requests and responses map on to standard messaging and communications protocols.

  6. Save your changes.

    Note

    Saved SSO settings are published by the VOSS Automate service provider and are available from metadata URL, for example: http://mydomain/sso/metadata. SSO service provider configuration requests to this URL automatically trigger an xml file download of the specified SSO service provider configuration.

  7. View the location of the VOSS Automate SP metadata that you will upload to the IdP:

    • Go to (default menus) Single Sign On > SSO SP Metadata.
    • Point your browser to the URL shown here.
    • Save a copy of the SP metadata.
  8. Upload SP metadata to the IdP:

    Refer to your IdP documentation for details on configuring SSO on your IdP..

    The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the UID SAML attribute to sAMAccountName in the Active Directory server.

  9. Download IdP metadata from the IdP server.

    Refer to your IdP documentation for details on downloading IdP metadata.

    If an expired SSO certificate is being renewed and the IdP metadata has not changed, then the download, configure, and upload of the IdP metadata is not required.

Model Details: relation/HcsSsoSpREL

Title Description Details
Entity Id Usually your subdomain plus the url to the metadata
  • Field Name: entity_id
  • Type: String
Service Provider Settings Defines the settings that apply to the system when used as a Service Provider
  • Field Name: sp
  • Type: Object
Name * A friendly identifier for the Service Provider
  • Field Name: sp.name
  • Type: String
Sign Authn Requests Determines whether outgoing authentication messages will be signed. If so, the specified private key will be used. This attribute is false by default. If one of your identity providers has WantAuthnRequestsSigned set in its meta data, this attribute should be set to true.
  • Field Name: sp.authn_requests_signed
  • Type: Boolean
SignatureMethod Set the SignatureMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to rsa-sha1. Default: rsa-sha1
  • Field Name: sp.request_signature_method
  • Type: String
  • Default: rsa-sha1
  • Choices: ["rsa-sha1", "rsa-sha224", "rsa-sha256", "rsa-sha384", "rsa-sha512"]
DigestMethod Set the DigestMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to sha1. Default: sha1
  • Field Name: sp.request_digest_method
  • Type: String
  • Default: sha1
  • Choices: ["sha1", "sha224", "sha256", "sha384", "sha512"]
Want Assertions Signed Determines whether assertions should be signed. Don't set this attribute to false unless you are sure that checking the integrity of the assertions is not needed in your environment.
  • Field Name: sp.want_assertions_signed
  • Type: Boolean
Want Reponse Signed Determines whether responses should be signed. Don't set this to true unless you are sure that all Identity Providers do sign responses.
  • Field Name: sp.want_response_signed
  • Type: Boolean
End Points Specifies the various end points that provide an external interface to the service provider.
  • Field Name: endpoints
  • Type: Object
Assertion Consumer Service
  • Field Name: assertion_consumer_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.assertion_consumer_service.[n].binding
  • Type: String
  • Choices: ["HTTP-POST"]
URL *
  • Field Name: sp.endpoints.assertion_consumer_service.[n].url
  • Type: String
Single Logout Service
  • Field Name: single_logout_service.[n]
  • Type: Array
Binding * Determines how SAML requests and responses map onto standard messaging or communications protocols.
  • Field Name: sp.endpoints.single_logout_service.[n].binding
  • Type: String
  • Choices: ["HTTP-REDIRECT"]
URL *
  • Field Name: sp.endpoints.single_logout_service.[n].url
  • Type: String
Required Attributes Additional attributes required to identify a user
  • Field Name: required_attributes.[n]
  • Type: Array
Use Custom Certificate for Signing Indicates if previously uploaded public/private keys must be used for signing. If true, the 'Public Key' and 'Private Key' fields are required. If false, a system-generated Public/Private key pair is used.
  • Field Name: use_custom_cert_for_signing
  • Type: Boolean
System Generated Certificate A reference to the data/Certificate instance that contains the system generated certificate to be used.
  • Field Name: system_cert
  • Type: String
  • Target: data/Certificate
  • Format: uri
Private Key The private key that is used for signing AuthnRequests
  • Field Name: key_file
  • Type: String
  • Target: data/File
  • Format: uri
Public Key The public key that should be used for decrypting signed AuthnRequests
  • Field Name: cert_file
  • Type: String
  • Target: data/File
  • Format: uri
Validity (Hours) The number of hours for which the metadata is valid for
  • Field Name: valid_for
  • Type: Integer
Accepted Time Difference (seconds) The maximum acceptable difference in clock times (in seconds) between this system and any IDP.
  • Field Name: accepted_time_diff
  • Type: Integer
Contact Person Service Provider contact details
  • Field Name: contact_person.[n]
  • Type: Array
First Name Contact's first name
  • Field Name: contact_person.[n].givenname
  • Type: String
Last Name Contact's last name
  • Field Name: contact_person.[n].surname
  • Type: String
Company Contact's company
  • Field Name: contact_person.[n].company
  • Type: String
Email Address Contact's email address
  • Field Name: contact_person.[n].email_address
  • Type: String
Contact Type Type of contact
  • Field Name: contact_person.[n].contact_type
  • Type: String
Block unencrypted assertions Block unencrypted assertions
  • Field Name: block_unencrypted_assertions
  • Type: Boolean
Sp Md
  • Field Name: spMd
  • Type: Object
Note
  • Field Name: spMd.note
  • Type: String
  • MaxLength: 1024
Metadata URL The URL to SSO SP metadata
  • Field Name: spMd.md_url
  • Type: String
  • MaxLength: 1024