[Index]
Integrating with an SSO Identity Provider
This procedure configures integration with a SSO identity provider (IdP).
Note
These steps include the default menus paths that ship with the system. You can also search for a page via the toolbar Search field.
Log in as Provider, Reseller, or Customer administrator (depending on your IdP configuration level).
Go to (default menus) Administration Tools > File Management and upload the IdP metadata.
Go to (default menus) Choose Single Sign On > SSO Identity Provider.
Click Add to add the SSO Identity Provider configuration.
Note
Only one instance of an SSO Identity Provider can be configured for a hierarchy node.
On the SSO Identity Provider screen, complete at least the mandatory fields (Entity ID, Login URI, Local Metadata File, User lookup field at minimum, the mandatory SSO Identity Provider fields (see SSO Identity Provider fields).
If custom attribute is used as the UID from Identity Provider, enter this attribute as the UID Attribute Name. This value is then evaluated first by VOSS Automate as the UID to identify the user and is for example used as an alternative user identifier when the default UID record is not present. If this value is not present, the default UID record is used to identify the user.
For example, if the UID attribute is not mapped on the Identity Provider and an attribute ElectronicMail is mapped to mail on the Identity Provider, the User Lookup Field on SSO Identity Provider should be email (the field in VOSS Automate) and the UID Attribute Name should be ElectronicMail (the attribute returned by IdP).
If a customer is using a custom domain, the Service Provider Domain Name is filled in at the hierarchy level and the login and metadata URLs used will be tied to the IdP as follows:
SSO Login URL: ``https://<Service Provider Domain Name>/sso/<Login URI>/login`` Admin Portal: ``https://<Service Provider Domain Name>/admin/sso/<Login URI>/login``
The metadata is obtained from: https://<Service Provider Domain Name>/sso/<Login URI>/metadata
If the Service Provider Domain Name is specified, the metadata XML file from VOSS-4UC then contains Service.Provider.Domain.Name in the assertion consumer service URL as shown in the example below:
<md:AssertionConsumerService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location="https://Service.Provider.Domain.Name/sso/acs/"
index="1"/>
This metadata needs to be uploaded to the IdP (not the generic metadata obtained from SSO Service Provider Configuration).
Important
If you have previously uploaded metadata to the IDP and you subsequently complete this Service Provider Domain Name field, you need to remove the previous record from the IDP and re-upload the metadata so that it contains this field.
Click Save to save the SSO Identity Provider Configuration and enable SSO if selected.
Choose User Management > Users and filter on Auth Method equals SSO to display enabled SSO users.
When the Service Provider Domain Name is not specified for a given IDP, these URLs are used for SSO login:
SSO Login URL: ``https://<FQDN of the Service Provider>/sso/<login_URI>/login`` Admin Portal: ``https://<FQDN of the Service Provider>/admin/sso/<Login URI>/login``
See SAML SP Settings FQDN in SSO SP Settings.
The IdP redirects to this FQDN on login.
Note
While an IdP may exist at more than one hierarchy in VOSS Automate, a user will only be permitted to log in if the user exists at or below the hierarchy of a single IdP.
SSO Identity Provider: Field Reference
| Field | Description |
|---|---|
| Entity Id | Mandatory. Entity ID of the IDP. This field must exactly match the entity ID in the IdP metadata file. |
| Login URI | Mandatory. Login URI for the IDP. This is the URI that will be embedded in SSO Login URL. It can contain only alphanumeric characters and forward slashes. |
| Service Provider Domain Name | The FQDN that will be embedded in the SP metadata for this IdP for URLs that refer back to the Service Provider. |
| Local Metadata File | Mandatory. Choose the IdP metadata file. This field must be unique across the system. |
| SSO Enabled | Select the check box to enable SSO for users synced in or created at the current hierarchy level. Clear this check box to disable SSO for the users associated with the defined IDP. |
| Note | Reminder to upload the IdP metadata file |
| SSO Login URL | Read-only field displays the SSO Login URL to use. Users with selfservice role and no Authorized Admin Hierarchy will be redirected to Self-service. |
| Admin SSO Login URL | Read-only. Displays the new Admin Portal SSO Login URL to use. |
| Business Admin SSO Login URL | Read-only. Displays the new Business Admin Login URL to use. From release 21.4, this will always redirect to the new Admin Portal. |
| User lookup field | Mandatory. Select the field to bind the VOSS and SSO user - typically username. |
| UID Attribute Name | An optional attribute name string value configured on the Identity Provider to be used as UID for authentication. If present, this value is evaluated first by VOSS Automate as the UID and used as an alternative user identifier when the default UID record is not present. If this value is not present, the default UID record is used to identify the user. |
| Authentication Scope | Hierarchical scope this server applies to.
|
| User sync type | Type of users that can authenticate against this server.
|
For Authentication Scope, also see User Login Options by Authentication Method and Server Authentication Scope.
SSO Scenarios for User Roles
The table maps user roles to the log in URLs - single role or multiple role (includes Authorized Admin Hierarchy):
| User Role | Auth Admin? | URL used | UI (Session Limiting) | Expected Behavior |
|---|---|---|---|---|
| selfservice | Yes | https:/<hostname>/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
| selfservice | Yes | https:/<hostname>/admin/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
| selfservice | No | https:/<hostname>/sso/<login-uri>/login | selfservice | Redirect to Self-service |
| administration | Yes | https:/<hostname>/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
| administration | Yes | https:/<hostname>/admin/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
| administration | No | https:/<hostname>/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
| administration | No | https:/<hostname>/admin/sso/<login-uri>/login | administrator | Redirect to Admin Portal |
Administrators set up with SSO but who have multiple user roles and who wish to access the Self-service interface must navigate to the Self-service portal URL upon login:
https://<Hostname>/selfservice/#/
| Title | Description | Details | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Entity Id * | The unique identifier of the Identity Provider. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Login URI | This is a URI that will be embedded in the base SSO login URL in order to authenticate specifically with this IDP. This field must only contain alphanumeric characters and forward slashes, and should match the following regular expression ^\w+(/\w+)*$ Eg. Given a login URI of provider1/customer1, end users wishing to authenticate against this IDP will login via the following URL: http://hostname/sso/provider1/customer1/login/. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Service Provider Domain Name | This is a FQDN that will be embedded in the SP metadata for this IDP for URLs that refer back to the Service Provider (eg ACS). It should match the customer-specific FQDN used for the VOSS-4-UC server. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| User lookup field | User field used to bind SSO user with VOSS user. Default: username |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| UID Attribute Name | Attribute configured on Identity Provider to be used as UID. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Metadata | Indicates where metadata can be found. This can be either a file accessible locally on the system or somewhere on the network. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Local Metadata File |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Remote Metadata URL |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| URL | Location where metadata is to be downloaded from. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Certificate | To verify the authenticity of the file downloaded from the net the local copy of the public key should be used. This public key must be acquired by some out-of-band method. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Authentication settings | Authentication settings. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Authentication Scope | Hierarchical scope this server applies to Default: Down |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| User Sync Type | Type of users that can authenticate against this server. Default: All |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Login Url |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| IDP Entity ID | The SSO IDP Entity ID |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| SSO Login URL | The URL will be updated after you add SSO IDP . |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Business Admin SSO Login URL | The BAP URL will be updated after you add SSO IDP . |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Admin SSO Login URL | The Admin URL will be updated after you add SSO IDP . |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Note | Reminder for Uploading IDP Metadata file first. |
|
|||||||||||||||||||||||||||||||||||||||||||||||