Difference between revisions of "Single Sign-On (SSO)"

From IVS Wiki
(To configure SSO VALT needs the following information:)
 
(30 intermediate revisions by the same user not shown)
VALT is compatible with SAML 2.0
+
__NOTOC__
 +
{{Article | title = SSO Configuration | content =
 +
{{Aside - Helpful | content = VALT is compatible with <b>SAML 2.0</b>.}}
 +
{{Aside | content = To access SSO on your system, you may need to reach out to our support team. [https://ivs.help IVS Support]}}
  
- Browse to the the Fully qualified domain name and sign in with a local account
+
{{hr}}
  
- Click on admin
+
==Scheduling an SSO Configuration==
 +
{{Aside - Warning | hue = 50 | content = Before configuring SSO in VALT, please make sure you've completed our [[SSO Check List]].}}
  
- Click on Users & Groups
+
You can also schedule a <b>SSO Discovery</b> at our [https://ivs.help booking site] under <b>Schedule a Support Session</b>. During that call, we will discuss the prerequisites for configuring your VALT server to utilize SSO Authentication.
  
- Along the top click on SSO and add SAML config
+
{{hr}}
  
==To configure SSO VALT needs the following information:==
+
<h2>SSO Authentication</h2>
*Certificate in .cer format
+
SSO accounts are automatically created when a user logs in for the first time. The user can be placed in the proper group automatically upon login by mapping SSO attributes to a user group within VALT.
*Identity Provider (IDP)
 
*Remote Sign-In URL
 
*Remote Sign-Out URL
 
*Display Name Attribute
 
*Any other custom attributes needed
 
[[File:SsoConfigInformation.png|link=]]
 
  
After SSO is configured browse to <code><Replace with VALT Server Address>/saml/metadata.xml</code> to grab the VALT metadata to add to your system
+
*VALT's SSO uses <b>Just-In-Time (JIT) Provisioning</b>.
 +
**<em>Users are reevaluated and assigned to groups each time they log in, based on a [[Single_Sign-On_(SSO)#User_Mapping | group membership]] attribute being passed.</em>
 +
*If a user does <u>NOT</u> have a user mapping associated with their account, the user gets moved to "<b>Users without Group</b>" and has restricted access.
 +
*If a user's user mapping changes, they will be moved to the correct group upon their next SSO sign-in.
 +
**<em>Correct mapping is based on the SSO mapping created in VALT and the attribute/pair value being passed from the IdP.</em>
  
Items to Note:
+
{{hr - 2}}
*If moving from LDAP to SSO you have to add a custom attribute to map to the username so the usernames will match correctly
 
*To migrate current users to SSO the SQL command needs to be run on the database with the correct group ID
 
UPDATE users set ldap_sync_id = NULL, saml_config_id = 1, userType = 'local'  where deleted_at is null and group_id =
 
*Custom Attributes can be usernames if you want to map to something specific or other information that you want to pull into VALT
 
*Shibboleth IDP's need the following settings specified:
 
signAssertions: true
 
signResponses: true
 
encryptNameIDs: true
 
  
==User Mapping==
+
{{img - resize | file = SSO Flow Chart.png}}
User mapping is used to map groups in the customer's system to groups within VALT
 
  
Required:
+
{{hr}}
*Attribute (The item that gets passed back to VALT)
 
*User Value (The value of the item that gets passed back to VALT)
 
[[File:SAML_UserMapping.png|link=]]
 
  
Items to Note:
+
==Required Information from IdP==
*SSO in VALT is a one to one mapping for groups
+
<dt>IdP Metadata File</dt>
 +
<dd class="singleLineHeight">To integrate your IdP with VALT, the metadata files from both will need to be exchanged. The VALT metadata file will be generated after the IdP metadata file is uploaded to VALT.</dd>
 +
<dt>User Mapping</dt>
 +
<dd class="singleLineHeight">VALT's SSO uses a 1:1 mapping to add users to the correct groups. To achieve this, we require the following attributes:
 +
 
 +
<b>Unique User Identifier</b> - This attribute will be used as the username
 +
 
 +
<b>Groups</b> - This attribute will be used to define which group the user is assigned to within VALT. In addition to the name of the Group attribute, VALT will need the value associated with each group that will be logging into VALT
 +
 
 +
<b>Display Name</b> - If the Unique User identifier does not correspond with the person's name, this attribute will set an easy-to-identify display name for the user</dd>
 +
{{hr - 2}}
 +
 
 +
<h3>Optional Items</h3>
 +
VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.
 +
{{hr - 2}}
 +
 
 +
<dl>
 +
<dt>PIN</dt>
 +
<dd class="singleLineHeight">This specifies the code used for authentication into [[BEAM]].</dd>
 +
<dd class="singleLineHeight"><em>Without one set, no pin is needed to enter BEAM</em>.</dd>
 +
<dt>Card Number</dt>
 +
<dd class="singleLineHeight">This specifies the card number associated with a user.</dd>
 +
<dd class="singleLineHeight"><em>Only applies to customers with [[VALT Card Reader]]</em>.</dd>
 +
<dt>Email</dt>
 +
<dd class="singleLineHeight">The users email can also be pulled into the system.</dd>
 +
<dd class="singleLineHeight"><em>If the VALT application is not connected to mail server, this field is not used for anything.</em></dd>
 +
</dl>
 +
 
 +
{{hr}}
 +
 
 +
<h2>Additional Settings</h2>
 +
Shibboleth needs the following settings configured to function with VALT.
 +
 
 +
{{hr - 2}}
 +
 
 +
<dl>
 +
<dt>signAssertions:</dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>signResponses:<dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>encryptNameIDs:</dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>encryptAssertions:</dt>
 +
  <dd class="singleLineHeight">false</dd>
 +
</dl>
 +
 
 +
{{hr}}
 +
 
 +
[[VALT SSO| &#x293A; Back to VALT SSO Main Page]]
 +
}}
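Review bot: the added line `<dt>signResponses:<dt>` never closes its `<dt>` (the second tag is missing its slash), so the rendered definition list opens a nested `<dt>` instead of closing the term; change it to `<dt>signResponses:</dt>` to match the other three entries in the same `<dl>`.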

Latest revision as of 11:57, 22 November 2024

SSO Configuration

VALT is compatible with SAML 2.0.

To access SSO on your system, you may need to reach out to our support team. IVS Support


Scheduling an SSO Configuration

Before configuring SSO in VALT, please make sure you've completed our SSO Check List.

You can also schedule a SSO Discovery at our booking site under Schedule a Support Session. During that call, we will discuss the prerequisites for configuring your VALT server to utilize SSO Authentication.


SSO Authentication

SSO accounts are automatically created when a user logs in for the first time. The user can be placed in the proper group automatically upon login by mapping SSO attributes to a user group within VALT.

  • VALT's SSO uses Just-In-Time (JIT) Provisioning.
    • Users are reevaluated and assigned to groups each time they log in, based on a group membership attribute being passed.
  • If a user does NOT have a user mapping associated with their account, the user gets moved to "Users without Group" and has restricted access.
  • If a user's user mapping changes, they will be moved to the correct group upon their next SSO sign-in.
    • Correct mapping is based on the SSO mapping created in VALT and the attribute/pair value being passed from the IdP.

[Figure: SSO Flow Chart]


Required Information from IdP

IdP Metadata File
    To integrate your IdP with VALT, the metadata files from both sides need to be exchanged. The VALT metadata file is generated after the IdP metadata file has been uploaded to VALT.

User Mapping
    VALT's SSO uses a 1:1 mapping to add users to the correct groups. To achieve this, the following attributes are required:

    Unique User Identifier - This attribute is used as the username.

    Groups - This attribute defines which group the user is assigned to within VALT. In addition to the name of the Groups attribute, VALT needs the value associated with each group that will be logging into VALT.

    Display Name - If the Unique User Identifier does not correspond to the person's name, this attribute sets an easy-to-identify display name for the user.
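The JIT provisioning rules above (account created on first login, group re-evaluated on every login, unmapped users sent to "Users without Group") and the 1:1 user mapping just described, modelled as an added example that is not VALT's own code. It runs over a constructed SAML 2.0 AttributeStatement; the attribute names uid, displayName and groups and the mapping table values are assumptions for illustration.

```python
# Added example (not VALT's code): models the page's JIT group assignment
# over a constructed SAML 2.0 AttributeStatement.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
UNMAPPED_GROUP = "Users without Group"   # restricted-access bucket from the page

# Constructed mapping table in the shape the page describes: one IdP attribute
# name/value pair maps to exactly one VALT group (1:1 mapping).
USER_MAPPINGS = [
    {"attribute": "groups", "value": "valt-admins", "group": "Admins"},
    {"attribute": "groups", "value": "valt-staff", "group": "Staff"},
]

def attributes_from_assertion(xml_text):
    """Return {attribute name: [values]} from an <AttributeStatement>."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        values = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def resolve_group(attrs, mappings=USER_MAPPINGS):
    """First mapping whose attribute/value pair is present wins; a user with
    no matching pair lands in the restricted bucket."""
    for m in mappings:
        if m["value"] in attrs.get(m["attribute"], []):
            return m["group"]
    return UNMAPPED_GROUP

def jit_provision(users, assertion_xml, uid_attr="uid", display_attr="displayName"):
    """Create the account on first login, then re-evaluate the group on every login."""
    attrs = attributes_from_assertion(assertion_xml)
    username = attrs[uid_attr][0]          # unique user identifier = username
    user = users.setdefault(username, {"username": username})
    user["display_name"] = attrs.get(display_attr, [username])[0]
    user["group"] = resolve_group(attrs)   # re-evaluated on each sign-in
    return user

# Constructed assertion fragment (hypothetical user and attribute values).
ASSERTION = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="displayName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>valt-staff</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""
```

Changing the groups value in the constructed assertion and calling jit_provision again moves the same account to the new group without creating a second user.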


Optional Items

VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.


PIN
    This specifies the code used for authentication into BEAM.
    Without one set, no PIN is needed to enter BEAM.

Card Number
    This specifies the card number associated with a user.
    Only applies to customers with VALT Card Reader.

Email
    The user's email can also be pulled into the system.
    If the VALT application is not connected to a mail server, this field is not used for anything.

Additional Settings

Shibboleth needs the following settings configured to function with VALT.


signAssertions: true
signResponses: true
encryptNameIDs: true
encryptAssertions: false
