[Index]
Configure SSO for VOSS Automate
This procedure configures self-service Single Sign-On (SSO) for VOSS Automate.
Note
The configuration applies to customers and customer administrators associated with the identify provider (IdP).
Administrators are configured for SSO use via the Users form (default menu, User Management > Users).
Administrators can also be configured with multiple user roles, that is, have a user type "End User + Admin" (see: Add admin user).
While the role of such an administrator user is "selfservice", the user's association with an Authorized Hierarchy model instance redirects such an administrator to the same interface as a single role administrator when using the SSO URLs for login. See Integrating with an SSO Identity Provider.
Administrators with multiple user roles who wish to access the Self-service interface, need to explicitly switch to the Self-service portal URL upon login:
https://<Hostname>/selfservice/#/
Prerequisites:
Create a self-signed or third-party-signed system certificate. See SSO Certificate Management.
The VOSS Automate server and the IdP server must be configured so that their clocks are synchronized.
You can define the number of seconds of permitted clock drift between VOSS Automate and the IdP. The number of seconds for tolerance is customizable, and this value must be set in accordance with the deployment's security policy. By default, VOSS Automate uses a value of 0 for clock drift; that is, assume clocks are exactly in sync.
You must be a high-level administrators logging in above the Provider admin level to perform this procedure.
To configure self-service Single Sign-On (SSO) for VOSS Automate:
Log in to VOSS Automate as hcsadmin.
Go to (default menus) Single Sign On > SSO SP Settings.
Click Add.
Note
Configure only one instance of SSO SP Settings.
On the Base tab (or pane):
(Mandatory). From the System Certificate drop-down, choose the signed third-party system certificate to use.
Note
Choosing an unsigned third-party-signed certificate will result in an error. For details around renewing an expired certificate, see Renew Single Sign-On Certificate for Automate.
At Validity (Hours), to allow the SSO SP setting to expire, enter a number of hours. This is the validity period (in hours) that the metadata is valid for.
On the SAML SP Settings tab (or panel):
(Mandatory). At FQDN of the Server, fill out the server FQDN.
Note
The FQDN that will be embedded in the SP metadata for this IdP for URLs that refer back to the Service Provider. The FQDN of the server is stored in the SP metadata that is uploaded to the IdP. The SSO login URL then contains the fully qualified domain name (FQDN):
https://<FQDN of the Server>/sso/<login_URI>/login
If you have configured a custom hostname for SSO user login, enter it here. Upon login, the IdP will redirect you to this FQDN.
Select the relevant checkboxes, based on your security environment and requirements:
Sign Authn Requests
Defines whether outgoing authentication messages will be signed. If yes, the specified private key will be used. By default, this is False (unchecked). If one of your identity providers has WantAuthnRequestsSigned set in its metadata, then select this checkbox (set to True).
Want Assertions Signed
Defines whether assertions should be signed. Only select Want Reponse Signed if you’re sure that all IdPs sign responses.
Note
If a secure connection is required with the secure attribute set on the cookies, the URL values for bindings of end points must be specified with https.
The Assertion Consumer Service fields define how SAML requests and responses map on to standard messaging and communications protocols.
Save your changes.
Note
Saved SSO settings are published by the VOSS Automate service provider and are available from metadata URL, for example: http://mydomain/sso/metadata. SSO service provider configuration requests to this URL automatically trigger an xml file download of the specified SSO service provider configuration.
View the location of the VOSS Automate SP metadata that you will upload to the IdP:
Upload SP metadata to the IdP:
Refer to your IdP documentation for details on configuring SSO on your IdP..
The IdP must release the UID and map it to an appropriate attribute. For example, an IdP that authenticates with Active Directory can map the UID SAML attribute to sAMAccountName in the Active Directory server.
Download IdP metadata from the IdP server.
Refer to your IdP documentation for details on downloading IdP metadata.
If an expired SSO certificate is being renewed and the IdP metadata has not changed, then the download, configure, and upload of the IdP metadata is not required.
| Title | Description | Details | |||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Entity Id | Usually your subdomain plus the url to the metadata |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Service Provider Settings | Defines the settings that apply to the system when used as a Service Provider |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Name * | A friendly identifier for the Service Provider |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Sign Authn Requests | Determines whether outgoing authentication messages will be signed. If so, the specified private key will be used. This attribute is false by default. If one of your identity providers has WantAuthnRequestsSigned set in its meta data, this attribute should be set to true. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| SignatureMethod | Set the SignatureMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to rsa-sha1. Default: rsa-sha1 |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| DigestMethod | Set the DigestMethod of the authentication request. Only used when 'Sign Authn Requests' is enabled. Defaults to sha1. Default: sha1 |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Want Assertions Signed | Determines whether assertions should be signed. Don't set this attribute to false unless you are sure that checking the integrity of the assertions is not needed in your environment. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Want Reponse Signed | Determines whether responses should be signed. Don't set this to true unless you are sure that all Identity Providers do sign responses. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| End Points | Specifies the various end points that provide an external interface to the service provider. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Assertion Consumer Service |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Binding * | Determines how SAML requests and responses map onto standard messaging or communications protocols. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| URL * |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Single Logout Service |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Binding * | Determines how SAML requests and responses map onto standard messaging or communications protocols. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| URL * |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Required Attributes | Additional attributes required to identify a user |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Use Custom Certificate for Signing | Indicates if previously uploaded public/private keys must be used for signing. If true, the 'Public Key' and 'Private Key' fields are required. If false, a system-generated Public/Private key pair is used. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| System Generated Certificate | A reference to the data/Certificate instance that contains the system generated certificate to be used. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Private Key | The private key that is used for signing AuthnRequests |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Public Key | The public key that should be used for decrypting signed AuthnRequests |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Validity (Hours) | The number of hours for which the metadata is valid for |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Accepted Time Difference (seconds) | The maximum acceptable difference in clock times (in seconds) between this system and any IDP. |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Contact Person | Service Provider contact details |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| First Name | Contact's first name |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Last Name | Contact's last name |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Company | Contact's company |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Email Address | Contact's email address |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Contact Type | Type of contact |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Block unencrypted assertions | Block unencrypted assertions |
|
|||||||||||||||||||||||||||||||||||||||||||||||
| Sp Md |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Note |
|
||||||||||||||||||||||||||||||||||||||||||||||||
| Metadata URL | The URL to SSO SP metadata |
|
|||||||||||||||||||||||||||||||||||||||||||||||