SAML

From AgileApps Support Wiki
Revision as of 05:55, 12 March 2021 by imported>Aeric (→‎Role and Team Sync)

Security Assertion Markup Language (SAML) is an XML based standard for exchanging authentication and authorization data between security domains. The Service Provider must enroll with an Identity Provider (IdP) and obtain an Issuer URL.

Working with SAML

An enterprise application contains a link to the AgileApps Cloud platform. When a user who has logged on to the enterprise platform clicks the link, he can automatically log in to the AgileApps Cloud platform without any additional authentication. For example, if an employee who has logged on the ABC Company corporate website clicks the link to the AgileApps Cloud platform on the landing page, he can log on to the AgileApps Cloud platform automatically without a second log in.

The following diagram explains the process:

SSO-SAML.png
User Your organization's web application Platform IdP
1. Log in to a web application provided by your organization
  • Provides a link to the platform's SAML handler (generated by the platform when SAML is configured)
  • Includes the desired platform target page as an argument in the link
2. Click the link that directs to the SAML handler
3. Send an assertion to the IdP
4. Retrieve and validate the user's identity
5. Send the user's identity to the platform
6. Redirect the user to the appropriate page

Enabling SAML

  1. Click GearIcon.png > Administration > Account Management > Single Sign-On Settings.
  2. Click the [Edit] button.
  3. Choose SAML from the Single Sign-On Using drop-down list. Selecting SAML automatically displays the Platform Authentication Service URL and the Assertion Consumer Service EndPoint fields below the drop-down list.
  4. Fill in the SAML Settings.
  5. Click [Save].

SAML Settings

SAML Version
The default SAML version is 2.0
Issuer
This field contains the IdP's URL. After configuring the IdP for the tenant, copy the URL and paste it in this field. This URL is the SAML-response-issuer-URL.
SAML Third Party authentication URL
This field contains a URL (IdP single sign-on URL) which is used to authenticate a user or maintain a user's credentials. You might want to configure the IdP before you fill this field.
  • Syntax:The URL and Port Number must be specified using a FQDN or an IP address, for example:
  • www.abc.com:9090
  • 192.168.1.10
  • abc.def.com
SAML Request Issuer URL
This field contains an unique value which identifies the service provider, for example: http://yourCompany.agileappscloud.com.
User Id Type
Determines the type of identifier.
  • Choose either Platform User Id or Federated Id.
  • Platform User Id is the username of the user that is logged in, while Federated Id acts as the user's authentication across multiple IT systems or organizations.
For more information on Federated ID, see Federated Identity.
User Id Location
Specifies an attribute tag that defines the location of the User Id.
  • Choose either Subject or Attribute.
Attribute for User ID
Specify the IdP attribute that contains a platform User ID.
If the User ID attribute is empty or does not match an existing user, either login fails or AgileApps creates a new user based on the Create Users flag.
Create Users
Check this box to create a new user if AgileApps does not recognize the User ID.
  • Attribute for First Name - The name of the SAML attribute that designates the user's first name.
  • Attribute for Last Name - The name of the SAML attribute that designates the user's last name.
  • Attribute for Email - The name of the SAML attribute that designates the user's email address.

  • Default User Type - This field is used to specify the type of the user to be created.
  • Choose either Platform User or Site User. The platform users are regular users in the platform while the site users have the similar behavior as portal users in the platform.
When Site User is selected as the Default User in this SAML-SSO screen
a. Only the Default Team is used for user creation. Other settings like default access profile, default application, and default role will be ignored.
b. The created users will have same default settings as Access Profile (Portal User Profile) and Primary Team (Portal Users and Customers). Meanwhile, the user will also be a member of selected team in Default Team field (or any valid team-name provided through SAML attribute in ‘Attribute for Team’ field).
  • Attribute for User Type- This field is used to specify the user-type to be created through SAML attribute. It is SITE for Site User and PLATFORM for Platform User. You might want to send the value for this attribute in the SAML response from the IdP.

  • Default Team - This field is used to specify the default Team for the created user. For site users, the team will be a non-primary team.
  • Attribute for Team- The name of the SAML attribute that designates the user's default team. For site users, the team will be a non-primary team.
The attribute should contain a team name.

  • Default Access Profile - This field is used to specify the default Access Profile for the created user. It is applicable only for Platform users.
  • Attribute for Access Profile - The name of the SAML attribute that designates the user's access profile. It is applicable only for Platform Users.
The attribute must contain an access profile's record ID.
To get a record ID:
a. Go to GearIcon.png > Access Management > Access Profiles.
b. Modify the view to display Record ID, and copy the one you need.

  • Default Application - This field is used to specify the default Application for the created user. It is applicable only for Platform users.
This setting can be changed in the platform after user login.
The user can change it in their Personal Settings. The admin can do the same in the Users page.
To grant access to additional applications:
a. A user record is created for the user in the platform after login.
b. Use the Application Access page to specify the applications the user can access.
  • Attribute for Application - The name of the SAML attribute that designates the user's application. It is applicable only for Platform users.
The attribute should contain the application's name.

  • Default Role - This field is used to specify the default Role for the created user. It is applicable only for Platform users.
A user record is created for the user in the platform after login.
The user can change it in their Personal Settings. The admin can do the same in the Users page.
You can select multiple roles in this field.
  • Attribute for Role - The name of the SAML attribute that designates the user's role in the application. It is applicable only for Platform users.
This field can contain multiple role names separated by _::_
For example, Agent_::_Manager

_

Issuer Certificate
Issuer certificate is used to sign and verify SAML messages. The certificate should be a valid x509 issuer certificate.
  • Choose one of the following options:
  • Navigate to the Issuer Certificate section, then select and load a file containing the Issuer Certificate (recommended)
  • Paste the Issuer Certificate in the text area

User sync via SSO (SAML)

Overview

AgileApps now supports synchronizing user detail changes from identity providers. The following attributes are now synchronized:

  1. User related changes in:
    • First name
    • Last Name
    • Email address
  2. Any Team updates in identity provider
  3. Any role updates in identity provider
  4. If user is a member of multiple teams and these teams are already present in AgileApps, then these will now reflect in AgileApps on user creation as well as user login with Create User flag enabled.

Sync fail situations

User sync will fail in the below situations:

  1. The provided team or role does not exist in AgileApps.
  2. Role sync is not applicable for site users, since their default access is restricted to Service Desk Application.
  3. The primary team for Site user is Portal Users and Customers, and this cannot be changed. However, site users can be synchronized to multiple teams based on the values provided in the SAML response.

In these circumstances when user sync fails, open the browser's console and look for the response header SSOErrorMessage in order to analyze the fault.

Serviceability

  • For attributes configured in SSO screen, Team Name, Role Name, and Application Name are accepted as attribute values.
  • Record Ids are also accepted as attribute values for Team Name, Role Name, and Application Name.
  • Access Profile attribute continues to accept only access profile record-Id.
  • All formatted errors can be viewed in browser console Response header SSOErrorMessage.

Role and Team Sync

  • For the user sync to function properly, the role and team should be delimited with the following character set _::_


Notepad.png

Note:

  • Change to user-type is not allowed, since the strategies applied to Site user and Platform user are separate.
  • Username does not get synchronized or updated, since it is the only attribute as the source of truth for authentication.
  • AgileApps only supports sync of configurable attributes in the SSO configuration page. Hence below attributes do not get synchronized:
  • Locale Information: Time zone, date format
  • Active/Inactive
  • Mobile access accessibility mode
  • User sync is applicable only when Create User checkbox is enabled.
  • To support multiple team assignments, the dropdown box only contains a single value. However, the attributes should contain multiple teams as value.

Using SAML

To use single sign-on with SAML, create links that directs you to the platform's SAML handler and pass the desired destination page as an argument.

To create a link to the platform in your enterprise application:

  1. Copy the SAML link generated as the Platform Authentication Service URL while configuring SAML
  2. Add a done= argument to the link that specifies the target page in the platform

To create the done= argument:

  1. Go to the standard initial page using Service?t=1&targetpage=ViewPort.jsp
  2. Go to the page that you want to target
  3. Copy the URL from the browser's address bar
  4. Edit the URL to remove https://{yourDomain}/networking/
    Now, the URL will have the argument. For example: pages/yourPage.jsp
  5. URL encode the link

For more information, see URL Encoding.

Important Notes

  1. AgileApps supports authentication for Platform Users and Site Users through any IdP like Azure AD, OKTA, OAM, PING, and so on
  2. If the user doesn't exist in AgileApps, a new user can be created by selecting Create Users check box and configuring the AgileApps-SSO-SAML screen
  3. AgileApps has an option for creating Platform Users and Site Users using the pre-stored attributes or parameters in the IdP
  4. Any unique name or ID provided as an attribute value in the 'Attribute for User ID' field in AgileApps-SSO screen is the username of the newly created user
  5. Any Attribute value sent from the IdP should contain Names instead of IDs, for example, Application Name, Team Name, Access Profile Name, and Role Name
  6. The default field value in SSO screen will be overridden with the corresponding attribute values if a valid attribute value is provided through the IdP
  7. First Name, Last Name, Email, and Username fields are read-only fields for the users created in AgileApps through SSO-SAML because the IdP will only be the source of identity for such users, hence these identification must not be modified from any other source except the IdP
    Note: Once a user is created through SSO-SAML, then any changes made in First Name, Last Name, or Email in the IdP will not be reflected in the AgileApps user profile.
  8. The users created in AgileApps through SSO cannot reset their password