Difference between revisions of "Single Sign-On (SSO)"

From IVS Wiki
 
(39 intermediate revisions by the same user not shown)
Line 1: Line 1:
VALT is compatible with SAML 2.0
+
__NOTOC__
 +
{{Article | title = SSO Configuration | content =
 +
{{Aside - Warning | hue = 50 | content = VALT is compatible with <b>SAML 2.0</b>.}}
 +
{{Aside | content = To access SSO on your system, you may need to reach out to our support team. [https://ivs.help IVS Support]}}
  
==To configure SSO VALT needs the following information:==
+
{{hr}}
*Certificate in .cer format
 
*Identity Provider (IDP)
 
*Remote Sign-In URL
 
*Remote Sign-Out URL
 
*Display Name Attribute
 
*Any other custom attributes needed
 
[[File:SsoConfigInformation.png]]
 
  
After SSO is configured browse to <code>Replace with VALT Server Address/saml/metadata.xml</code> to grab the VALT metadata to add to your system
+
==The Basics==
 +
Before configuring SSO in VALT, please make sure you've completed our [[SSO Check List]].
  
Items to Note:
+
You can also schedule a <b>SSO Discovery</b> at our [https://ivs.help booking site] under <b>Schedule a Support Session</b>. There, we will discuss the prerequisites for configuring your VALT server to utilize SSO Authentication.
*If moving from LDAP to SSO you have to add a custom attribute to map to the username so the usernames will match correctly
 
  
 +
{{hr}}
  
==User Mapping==
+
==Required Information from IdP==
User mapping is used to map groups in the customer's system to groups within VALT
+
{{Aside - Helpful | content = As of VALT 6, the metadata file from the IdP will be required for configuring SSO.}}
 +
<dl>
 +
<dt>Account Name Attribute</dt>
 +
<dd class="singleLineHeight">This refers to the attribute that the IdP will send VALT for the account username.</dd>
 +
<dd class="singleLineHeight"><em>This must be a unique identitfier.</em></dd>
 +
{{Aside - Warning | hue = 50 | content = If users already have accounts in VALT, please ensure the IdP can pass an attribute that matches the existing username.}}
 +
<dt>Identity Provider (IdP) URL</dt>
 +
<dd class="singleLineHeight">This refers to the service or application that manages and authenticates user identities, which VALT will use to verify login credentials.</dd>
 +
<dt>Remote Sign-In URL</dt>
 +
<dd class="singleLineHeight">This is the URL provided by the IdP where users are redirected to initiate the login process.</dd>
 +
<dt>Remote Sign-Out URL</dt>
 +
<dd class="singleLineHeight">This URL leads to the IdP's logout page, where users can safely end their sessions, ensuring a secure sign-out process from VALT.</dd>
 +
<dt>Certificate in .cer format</dt>
 +
<dd class="singleLineHeight">VALT requires a digital certificate in .cer format from the IdP to establish a secure, encrypted communication channel.</dd>
 +
</dl>
  
Required:
+
{{hr}}
*Attribute
+
 
*User Value
+
<h2>User Mapping</h2>
[[File:SAML_UserMapping.png]]
+
User mapping is used to map users to groups. This mapping is done through the attributes and values being passed from the IdP. VALT's SSO uses a <b>1:1 mapping</b> for groups.
 +
 
 +
{{hr - 2}}
 +
 
 +
<h3>Required</h3>
 +
<dl>
 +
<dt>Name</dt>
 +
<dd class="singleLineHeight">Arbitrary descriptive name for the mapping rule.</dd>
 +
<dd><em>Used only in this section of VALT.</em></dd>
 +
<dt>Attribute</dt>
 +
<dd class="singleLineHeight">FriendyName of the attribute being sent from the IdP for group information.</dd>
 +
<dt>User Value<dt>
 +
<dd class="singleLineHeight">The value of the attribute that we will use to map users to a particular group.</dd>
 +
<dt>Group to Add</dt>
 +
<dd class="singleLineHeight">The VALT group that the user will be placed in when there is a match for the "User Value" field.</dd>
 +
</dl>
 +
 
 +
{{hr}}
 +
 
 +
<h3>Optional Items</h3>
 +
VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.
 +
{{hr - 2}}
 +
 
 +
<dl>
 +
<dt>Display Name Attribute</dt>
 +
<dd class="singleLineHeight">This specifies the user attribute (such as username or email) that VALT displays within the application.</dd>
 +
<dd class="singleLineHeight"><em>Helpful when people are not easy to recognize by the username field</em>.</dd>
 +
<dt>PIN</dt>
 +
<dd class="singleLineHeight">This specifies the code used for authentication into [[BEAM]].</dd>
 +
<dd class="singleLineHeight"><em>Without one set, no pin is needed to enter BEAM</em>.</dd>
 +
<dt>Card Number</dt>
 +
<dd class="singleLineHeight">This specifies the card number associated with a user.</dd>
 +
<dd class="singleLineHeight"><em>Only applies to customers with [[VALT Card Reader]]</em>.</dd>
 +
<dt>Email</dt>
 +
<dd class="singleLineHeight">The users email can also be pulled into the system.</dd>
 +
<dd class="singleLineHeight"><em>If the VALT application is not connected to mail server, this field is not used for anything.</em></dd>
 +
</dl>
 +
 
 +
{{hr}}
 +
 
 +
<h2>Additional Settings</h2>
 +
Shibboleth needs the following settings configured to function with VALT.
 +
 
 +
{{hr - 2}}
 +
 
 +
<dl>
 +
<dt>signAssertions:</dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>signResponses:<dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>encryptNameIDs:</dt>
 +
  <dd class="singleLineHeight">true</dd>
 +
<dt>encryptAssertions:</dt>
 +
  <dd class="singleLineHeight">false</dd>
 +
</dl>
 +
 
 +
{{hr}}
 +
 
 +
[[VALT SSO| &#x293A; Back to VALT SSO Main Page]]
 +
}}
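Review bot: two definition terms in the new revision are closed with `<dt>` instead of `</dt>` (`<dt>User Value<dt>` under User Mapping and `<dt>signResponses:<dt>` under Additional Settings), which mis-nests the `<dl>` lists; change both closing tags to `</dt>`. Two typos carry through to the rendered page: `identitfier` in the Account Name Attribute entry, and `FriendyName` in the User Mapping Attribute entry, which should read `FriendlyName` (the SAML attribute property the field refers to). The old revision's pointer to the VALT metadata at `.../saml/metadata.xml` and its LDAP-to-SSO note about mapping a custom attribute to the username are dropped; the new warning that the IdP must pass an attribute matching existing usernames covers the second, but the metadata location has no replacement in the new text.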

Latest revision as of 10:48, 6 November 2024

SSO Configuration

VALT is compatible with SAML 2.0.

To access SSO on your system, you may need to reach out to our support team. IVS Support


The Basics

Before configuring SSO in VALT, please make sure you've completed our SSO Check List.

You can also schedule an SSO Discovery at our booking site under Schedule a Support Session. There, we will discuss the prerequisites for configuring your VALT server to utilize SSO Authentication.


Required Information from IdP

As of VALT 6, the metadata file from the IdP will be required for configuring SSO.

Account Name Attribute
This refers to the attribute that the IdP will send VALT for the account username.
This must be a unique identifier.

If users already have accounts in VALT, please ensure the IdP can pass an attribute that matches the existing username.

Identity Provider (IdP) URL
This refers to the service or application that manages and authenticates user identities, which VALT will use to verify login credentials.
Remote Sign-In URL
This is the URL provided by the IdP where users are redirected to initiate the login process.
Remote Sign-Out URL
This URL leads to the IdP's logout page, where users can safely end their sessions, ensuring a secure sign-out process from VALT.
Certificate in .cer format
VALT requires a digital certificate in .cer format from the IdP to establish a secure, encrypted communication channel.


User Mapping

User mapping is used to map users to groups. This mapping is done through the attributes and values being passed from the IdP. VALT's SSO uses a 1:1 mapping for groups.


Required

Name
Arbitrary descriptive name for the mapping rule.
Used only in this section of VALT.
Attribute
FriendlyName of the attribute being sent from the IdP for group information.
User Value
The value of the attribute that we will use to map users to a particular group.
Group to Add
The VALT group that the user will be placed in when there is a match for the "User Value" field.
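The mapping described in this section, worked through as an added Python example (it is not from the IVS wiki and not VALT's own code): it parses the AttributeStatement of a constructed SAML 2.0 assertion, checks that the Account Name Attribute arrives as exactly one value, and applies 1:1 rules built from the Name, Attribute, User Value and Group to Add fields above. The attribute names, rule values, group names and the assertion itself are constructed sample data; the optional Display Name Attribute is resolved in the same pass.

```python
"""Added example (not from the IVS wiki page): apply VALT-style SSO user-mapping
rules to the AttributeStatement of a SAML 2.0 assertion. The assertion XML,
attribute names, rules and group names below are constructed sample data."""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample: the attribute part of an assertion an IdP might send for
# one user. FriendlyName is what VALT's "Attribute" field refers to.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.5.1.1" FriendlyName="isMemberOf">
      <saml:AttributeValue>cn=valt-reviewers,ou=groups,dc=example,dc=edu</saml:AttributeValue>
      <saml:AttributeValue>cn=valt-admins,ou=groups,dc=example,dc=edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed mapping rules in the shape of VALT's Name / Attribute /
# User Value / Group to Add fields. Each rule is 1:1: one attribute value
# maps to exactly one VALT group.
MAPPING_RULES = [
    {"name": "Reviewers from IdP", "attribute": "isMemberOf",
     "user_value": "cn=valt-reviewers,ou=groups,dc=example,dc=edu",
     "group_to_add": "Reviewers"},
    {"name": "Admins from IdP", "attribute": "isMemberOf",
     "user_value": "cn=valt-admins,ou=groups,dc=example,dc=edu",
     "group_to_add": "Administrators"},
    {"name": "Staff affiliation", "attribute": "eduPersonAffiliation",
     "user_value": "staff", "group_to_add": "Staff"},
]


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement,
    keyed by FriendlyName when present and by the full Name otherwise."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        key = attr.get("FriendlyName") or attr.get("Name")
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                  if v.text and v.text.strip()]
        attrs.setdefault(key, []).extend(values)
    return attrs


def account_name_is_valid(attrs, account_name_attribute):
    """The Account Name Attribute must arrive with exactly one non-empty value:
    a missing or multi-valued username cannot serve as a unique identifier."""
    return len(attrs.get(account_name_attribute, [])) == 1


def map_groups(attrs, rules):
    """Apply the 1:1 rules: a rule fires when its User Value is among the values
    of its Attribute, and the user joins every Group to Add whose rule fired."""
    groups = []
    for rule in rules:
        if rule["user_value"] in attrs.get(rule["attribute"], []):
            if rule["group_to_add"] not in groups:
                groups.append(rule["group_to_add"])
    return groups


def build_user(assertion_xml, account_name_attribute="uid",
               display_name_attribute="displayName", rules=MAPPING_RULES):
    """Resolve username, display name and VALT groups for one assertion."""
    attrs = parse_attributes(assertion_xml)
    if not account_name_is_valid(attrs, account_name_attribute):
        raise ValueError("account name attribute %r missing or not single-valued"
                         % account_name_attribute)
    display = attrs.get(display_name_attribute)
    return {
        "username": attrs[account_name_attribute][0],
        "display_name": display[0] if display else None,
        "groups": map_groups(attrs, rules),
    }


if __name__ == "__main__":
    print(build_user(SAMPLE_ASSERTION))
```

Running the block prints the resolved user for the sample assertion: username `jdoe`, display name `Jane Doe`, and the two groups whose User Value appeared in `isMemberOf`; the staff rule does not fire because the sample carries no `eduPersonAffiliation` value. A user whose account-name attribute is absent or multi-valued is rejected before any group mapping is applied, which is the practical meaning of the "must be a unique identifier" requirement above.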

Optional Items

VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.


Display Name Attribute
This specifies the user attribute (such as username or email) that VALT displays within the application.
Helpful when people are not easy to recognize by the username field.
PIN
This specifies the code used for authentication into BEAM.
Without one set, no pin is needed to enter BEAM.
Card Number
This specifies the card number associated with a user.
Only applies to customers with VALT Card Reader.
Email
The user's email can also be pulled into the system.
If the VALT application is not connected to a mail server, this field is not used for anything.

Additional Settings

Shibboleth needs the following settings configured to function with VALT.


signAssertions: true
signResponses: true
encryptNameIDs: true
encryptAssertions: false
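A way to confirm these four settings before testing a login, as an added Python example that is neither from the IVS wiki nor part of VALT or Shibboleth: it parses a constructed relying-party.xml override for the VALT service provider and reports every SAML2.SSO profile setting that is unset or differs from the values above. The bean layout (RelyingPartyByName, SAML2.SSO, `p:` attributes) follows the standard Shibboleth IdP v3/v4 relying-party.xml; the VALT entity ID and both sample documents are assumptions. Unset settings are reported as well, so that the deployer sets them explicitly rather than relying on whatever the IdP's defaults happen to be.

```python
"""Added example (not from the IVS wiki page): check that a Shibboleth IdP
relying-party override for VALT carries the four SAML2.SSO profile settings the
page lists. The bean layout follows relying-party.xml in Shibboleth IdP v3/v4;
the entity ID and the two sample documents are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "c": "http://www.springframework.org/schema/c",
    "p": "http://www.springframework.org/schema/p",
}

# The settings VALT needs, exactly as listed on the page.
VALT_REQUIRED = {
    "signAssertions": "true",
    "signResponses": "true",
    "encryptNameIDs": "true",
    "encryptAssertions": "false",
}

# Assumed entity ID of the VALT service provider (placeholder value).
VALT_ENTITY_ID = "https://valt.example.edu/saml/metadata.xml"

# Constructed override that matches what VALT needs.
GOOD_OVERRIDE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="%s">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO"
                p:signAssertions="true" p:signResponses="true"
                p:encryptNameIDs="true" p:encryptAssertions="false" />
        </list>
      </property>
    </bean>
  </util:list>
</beans>""" % VALT_ENTITY_ID

# Constructed override with two problems: encryptNameIDs is disabled and
# encryptAssertions is left unset, so the IdP default would apply.
BAD_OVERRIDE = """<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:c="http://www.springframework.org/schema/c"
       xmlns:p="http://www.springframework.org/schema/p"
       xmlns:util="http://www.springframework.org/schema/util">
  <util:list id="shibboleth.RelyingPartyOverrides">
    <bean parent="RelyingPartyByName" c:relyingPartyIds="%s">
      <property name="profileConfigurations">
        <list>
          <bean parent="SAML2.SSO"
                p:signAssertions="true" p:signResponses="true"
                p:encryptNameIDs="false" />
        </list>
      </property>
    </bean>
  </util:list>
</beans>""" % VALT_ENTITY_ID


def check_valt_override(relying_party_xml, valt_entity_id=VALT_ENTITY_ID):
    """Return {setting: actual value} for every required setting that is unset
    (actual None) or wrong in the SAML2.SSO profile of VALT's override; an empty
    dict means the override is compliant. Raises LookupError when no SAML2.SSO
    profile is configured for the VALT entity ID."""
    root = ET.fromstring(relying_party_xml)
    bean_tag = "{%s}bean" % NS["beans"]
    rp_ids_attr = "{%s}relyingPartyIds" % NS["c"]
    for override in root.iter(bean_tag):
        if override.get(rp_ids_attr) != valt_entity_id:
            continue
        for profile in override.iter(bean_tag):
            if profile.get("parent") != "SAML2.SSO":
                continue
            problems = {}
            for setting, expected in VALT_REQUIRED.items():
                actual = profile.get("{%s}%s" % (NS["p"], setting))
                if actual != expected:
                    problems[setting] = actual
            return problems
    raise LookupError("no SAML2.SSO override found for %s" % valt_entity_id)


if __name__ == "__main__":
    print("good override problems:", check_valt_override(GOOD_OVERRIDE))
    print("bad override problems:", check_valt_override(BAD_OVERRIDE))
```

The check only looks at the override for the VALT entity ID, since the four values are VALT-specific and need not apply to other service providers the same IdP serves. Matching on `c:relyingPartyIds` as a single string is an assumption of this example; an override that lists several entity IDs would need the list parsed first.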
