Difference between revisions of "Single Sign-On (SSO)"

From IVS Wiki
Content present only in the previous revision (dropped by the revision rendered below):

* Browse to the fully qualified domain name and sign in with a local account
* Click on Admin
* Click on Users & Groups
* Along the top, click on SSO and add a SAML config
* To configure SSO, VALT needs: certificate in .cer format, Identity Provider (IdP), Remote Sign-In URL, Remote Sign-Out URL, Display Name Attribute, and any other custom attributes needed
* After SSO is configured, browse to https://<Server Address>/saml/metadata.xml to grab the VALT metadata to add to your system
* Custom Attributes: custom attributes can be usernames, if you want to map to something specific, or other information that you want to pull into VALT

Revision as of 08:59, 1 April 2024

VALT SSO

VALT is compatible with SAML 2.0.

To access SSO on your system, you may need to reach out to our support team: IVS Support (https://ivs.help).


Required Information from IdP

As of VALT 6, the metadata file from the IdP is required for configuring SSO.

Identity Provider (IdP) URL
The URL identifying the service that manages and authenticates user identities; VALT delegates login to it. Take the value from the IdP metadata.
Remote Sign-In URL
The IdP's single sign-on endpoint, provided by the IdP, to which VALT redirects users to start the login.
Remote Sign-Out URL
The IdP's single logout endpoint, to which VALT sends users on logout so that the IdP session is ended as well; without it, logging out of VALT leaves the IdP session alive.
Certificate in .cer format
The IdP's signing certificate, exported as a .cer file. VALT uses it to verify the signatures on the SAML responses and assertions the IdP sends. It does not provide transport encryption; that is the TLS on the URLs above.
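The four values above are all present in the IdP metadata file that VALT 6 asks for. The following added example, which is not VALT or IVS code, reads a constructed metadata document (its certificate text is a placeholder, not a real certificate) and pulls out the entityID, sign-in and sign-out endpoints, and the signing certificate reflowed into the .cer (PEM) form the SSO screen expects. It prefers the HTTP-Redirect binding for both endpoints, which is a choice, not a VALT requirement. It does not verify the metadata's own XML signature, so only feed it metadata fetched over TLS from the IdP or whose signature you have checked first.

```python
"""Extract the values VALT's SSO screen asks for from IdP SAML 2.0 metadata.

Added example, not VALT or IVS code. The sample metadata is constructed and
its certificate text is a placeholder. Nothing here verifies the metadata's
XML signature: fetch it over TLS or check the signature before trusting it.
"""
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample, shaped like the metadata a Shibboleth IdP serves.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIDSIGNINGCERTPLACEHOLDERAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
        BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIDENCRYPTIONCERTPLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(idp, tag, preferred=(REDIRECT, POST)):
    """Location of the first <md:tag> using the most preferred binding."""
    services = idp.findall(f"{{{MD}}}{tag}")
    for binding in preferred:
        for service in services:
            if service.get("Binding") == binding:
                return service.get("Location")
    return services[0].get("Location") if services else None


def _signing_cert_pem(idp):
    """Signing certificate as PEM text suitable for a .cer file.
    A KeyDescriptor with no 'use' attribute is valid for signing too."""
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            cert = kd.find(f".//{{{DS}}}X509Certificate")
            if cert is not None and cert.text:
                b64 = "".join(cert.text.split())          # drop whitespace
                body = "\n".join(textwrap.wrap(b64, 64))  # PEM line length
                return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return None


def valt_sso_inputs(metadata_xml):
    """Return the IdP identifier, endpoints and signing cert VALT needs."""
    root = ET.fromstring(metadata_xml)
    # Some IdPs publish an EntitiesDescriptor wrapping the EntityDescriptor.
    entity = root if root.tag == f"{{{MD}}}EntityDescriptor" else root.find(f"{{{MD}}}EntityDescriptor")
    if entity is None:
        raise ValueError("no EntityDescriptor in metadata")
    idp = entity.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: this is not an IdP")
    return {
        "idp_entity_id": entity.get("entityID"),
        "sign_in_url": _endpoint(idp, "SingleSignOnService"),
        "sign_out_url": _endpoint(idp, "SingleLogoutService"),
        "signing_cert_pem": _signing_cert_pem(idp),
    }


if __name__ == "__main__":
    for key, value in valt_sso_inputs(SAMPLE_METADATA).items():
        print(f"{key}:\n{value}\n")
```

For a real IdP, replace SAMPLE_METADATA with the file contents and write the signing_cert_pem value to a .cer file; if the metadata lists more than one signing certificate (a key rollover in progress), this returns only the first, so check which one the IdP currently signs with.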

User Mapping

User mapping places SSO users in VALT groups based on the attributes and values the IdP passes in the SAML assertion. VALT's SSO uses a 1:1 mapping for groups: each mapping rule ties one attribute value to one VALT group.


Required

Name
A label for this mapping rule.
Used only in this section of VALT.
Attribute
The SAML attribute, as sent by the IdP, that the rule inspects.
User Value
The value that attribute must carry for the rule to match.
Group to Add
The VALT group a matching user is placed in. The group is created on the VALT side and defines the user's rights in the application.

Optional Items

VALT is also able to map custom attributes to some of the following fields for a user. Below are the user account fields that can be assigned through SSO.


Display Name Attribute
This specifies the user attribute (such as username or email) that VALT displays within the application.
Helpful when people are not easy to recognize by the username field.
Pin Code
This specifies the code used for authentication into BEAM.
Without one set, no pin is needed to enter BEAM.
Card Number
This specifies the card number associated with a user.
Only applies to customers with VALT Card Reader.
Email
The user's email address can also be pulled into the system.
If the VALT application is not connected to a mail server, this field is not used for anything.
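To make the Required and Optional Items concrete, here is an added example (not VALT or IVS code) that reads the AttributeStatement of a constructed SAML assertion and applies mapping rules laid out the way the User Mapping screen takes them: Name, Attribute, User Value, Group to Add, plus the attribute names feeding the display name and email fields. The model assumes exact, case-sensitive matching of one attribute value per rule, that a multi-valued attribute matches if any of its values equals the rule's value, that the rule's Attribute may be either the SAML Name or the FriendlyName, and that a user matching several rules gets every matching group; confirm each of these against VALT's own behaviour. It also assumes the response's signature has already been verified against the IdP certificate: nothing below checks signatures, and attributes from an unverified assertion must never drive group membership.

```python
"""Model of VALT-style attribute-to-group mapping over a SAML assertion.

Added example, not VALT or IVS code. The assertion is constructed and its
Signature element is omitted: this code assumes signature verification
already happened. Matching is exact and case-sensitive (an assumption).
"""
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed assertion with three attributes, one of them multi-valued.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-04-01T08:59:00Z">
  <saml:Issuer>https://idp.example.edu/idp/shibboleth</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" FriendlyName="eduPersonAffiliation">
      <saml:AttributeValue>member</saml:AttributeValue>
      <saml:AttributeValue>staff</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.16.840.1.113730.3.1.241" FriendlyName="displayName">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Rules as entered on the User Mapping screen:
# (Name, Attribute, User Value, Group to Add). One value -> one group.
GROUP_RULES = [
    ("Staff are reviewers", "eduPersonAffiliation", "staff", "Reviewers"),
    ("Faculty are admins", "eduPersonAffiliation", "faculty", "Administrators"),
    ("Everyone can view", "eduPersonAffiliation", "member", "Viewers"),
]

# Optional items: which IdP attribute fills which VALT user field.
FIELD_RULES = {"display_name": "displayName", "email": "mail"}


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]}. Each attribute is reachable by its
    SAML Name and by its FriendlyName (assumption: a rule may use either)."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iter(f"{{{SAML}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        for key in (attr.get("Name"), attr.get("FriendlyName")):
            if key:
                attrs.setdefault(key, []).extend(values)
    return attrs


def map_user(attrs, group_rules=GROUP_RULES, field_rules=FIELD_RULES):
    """Apply the 1:1 rules. A rule fires when the named attribute carries
    exactly the rule's value (any one value of a multi-valued attribute).
    Returns the groups and optional fields VALT would set for the user."""
    groups = []
    for _name, attribute, value, group in group_rules:
        if value in attrs.get(attribute, []) and group not in groups:
            groups.append(group)
    fields = {}
    for field, attribute in field_rules.items():
        values = attrs.get(attribute, [])
        if values:
            fields[field] = values[0]  # first value wins for single-valued fields
    return {"groups": groups, **fields}


if __name__ == "__main__":
    print(map_user(extract_attributes(SAMPLE_ASSERTION)))
```

A user whose attributes match no rule ends up with an empty group list; decide up front whether such a user should be able to sign in at all, since an SSO login that lands in no VALT group is easy to overlook in testing.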

Additional Settings

Shibboleth IdPs need the following profile settings configured for the VALT relying party to function with VALT.

signAssertions: true
signResponses: true
encryptNameIDs: true
encryptAssertions: false

The two sign* settings are the ones that protect integrity: signed responses and assertions are what VALT verifies with the IdP signing certificate. encryptNameIDs requires an encryption key in the VALT SP metadata, and with encryptAssertions false the assertion travels in clear text inside the TLS-protected POST to VALT.
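The same four settings as they are applied to one relying party in a Shibboleth IdP v3/v4 conf/relying-party.xml, as an added configuration example that is not from IVS or the Shibboleth documentation. The relying party ID is a placeholder: use the entityID VALT publishes in its own SP metadata. The c: and p: namespaces are the ones the stock relying-party.xml already declares.

```xml
<!-- conf/relying-party.xml, inside the shibboleth.RelyingPartyOverrides <list> -->
<!-- relyingPartyIds is a placeholder: use the entityID from VALT's SP metadata -->
<bean parent="RelyingPartyByName"
      c:relyingPartyIds="https://valt.example.edu/saml/metadata">
    <property name="profileConfigurations">
        <list>
            <bean parent="SAML2.SSO"
                  p:signAssertions="true"
                  p:signResponses="true"
                  p:encryptNameIDs="true"
                  p:encryptAssertions="false" />
        </list>
    </property>
</bean>
```

Because the override is keyed on VALT's entityID, every other service provider keeps the IdP's default profile settings. With encryptNameIDs true the IdP needs an encryption KeyDescriptor in VALT's SP metadata; if that key is missing, the IdP cannot build the response for VALT.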