SAML Setup

This forum allows users to post and respond to "How Do I Do ....." questions. The information contained in this forum has not been validated by K-Rise Systems and, as such, K-Rise Systems cannot guarantee the accuracy of the information.
SteveCap
Posts: 329
Joined: August 26th, 2021, 9:18 am
Contact:

SAML Setup

Unread post by SteveCap »

Under security there is a link for Identity Providers.
image.png
image.png (23.11 KiB) Viewed 1448 times
image.png
image.png (23.11 KiB) Viewed 1448 times
Here you will see an entry for saml.
image.png
image.png (26.75 KiB) Viewed 1448 times
image.png
image.png (26.75 KiB) Viewed 1448 times
If active and Auto Add User is checked if a user logs in using saml and the user does not exist in our system the user will automatically be created using the Add User Process which can be viewed by clicking on the gear.

The login ui link gives you options to change parts of the login page. This will only work if the default logic has not been changed in the login page.
image.png
image.png (23.56 KiB) Viewed 1448 times
image.png
image.png (23.56 KiB) Viewed 1448 times
Primary Entity Id / MetaData is what will be used in most cases. We give you an entity id and assertion consumer service url based on the tenant name. This cannot be changed and needs to match in your provider (see below). You will then need to paste the metadata from your system into the metadata textarea.
image.png
image.png (43.74 KiB) Viewed 1448 times
image.png
image.png (43.74 KiB) Viewed 1448 times
If you want to use something different then you would use the alternate, designtime, or runtime which will let you enter values in.
image.png
image.png (10.25 KiB) Viewed 1448 times
image.png
image.png (10.25 KiB) Viewed 1448 times
Primary and Alternate will be used both by the ide for development login and the end app. To have them use separate instances you would use the DesignTime/RunTime options.

SAML returns a list of claims. Whatever is returned for the user principle is what will be used as the userid in EASYProcess.

Every user has to have an authorization set in EASYProcessfor them to be able to access the site. Their authorizations can be set and maintained from the User Management page of any application. You also have the ability to maintain the authorization in your provider.

You have a few options for setting an authorization type. For specific applications you would create a claim called UserProperty_AuthorizationType_[AppName] Where [AppName] is replaced by the name of the app you want to add the authorization for. If you want to add an authorization for all apps, create a claim called AllAppUserProperty_AuthorizationType. App specific authorizations will override this. Then when a user logs in it will add the user if they do not exist then update their authorization to this value in the easyprocess system. This is done from the SAMLResponse page which first calls the security login process which will call the saml Add User identity provider process.Then it will call the applications Auto Add / Set Authorization Process to save the authorization.


You can also use claims to assign values to the user in our system. For example: if you wanted to set the users email you would create a claim called UserProperty_Email_[AppName] or AllAppUserProperty_Email
  • Azure
    • select Azure Active Directory
      image.png
      image.png (294.65 KiB) Viewed 1448 times
      image.png
      image.png (294.65 KiB) Viewed 1448 times
    • Select Enterprise Applications from the left menu
      image.png
      image.png (12.75 KiB) Viewed 1448 times
      image.png
      image.png (12.75 KiB) Viewed 1448 times
    • Select your application from the list or create a new one
    • Select Single Sign On from the left menu
      image.png
      image.png (9.03 KiB) Viewed 1448 times
      image.png
      image.png (9.03 KiB) Viewed 1448 times
    • Edit the basic saml configuration. This needs to match the information from the identity providers page
      image.png
      image.png (22.61 KiB) Viewed 1448 times
      image.png
      image.png (22.61 KiB) Viewed 1448 times
      image.png
      image.png (47.78 KiB) Viewed 1448 times
      image.png
      image.png (47.78 KiB) Viewed 1448 times
    • Under SAML Signing Certificate download the Federation Metadata XML. This will need to be pasted into EASYProcess
      image.png
      image.png (35.16 KiB) Viewed 1448 times
      image.png
      image.png (35.16 KiB) Viewed 1448 times
    Setting Up Claims
    image.png
    image.png (24.76 KiB) Viewed 1448 times
    image.png
    image.png (24.76 KiB) Viewed 1448 times
    image.png
    image.png (48.9 KiB) Viewed 1448 times
    image.png
    image.png (48.9 KiB) Viewed 1448 times
    image.png
    image.png (45.75 KiB) Viewed 1448 times
    image.png
    image.png (45.75 KiB) Viewed 1448 times
  • Google
    • select Apps
      image.png
    • Select SAML Apps
      image.png
    • Click on the Plus icon in the bottom right to add a new app
      image.png
      image.png (1.33 KiB) Viewed 1438 times
      image.png
      image.png (1.33 KiB) Viewed 1438 times
    • Select Setup my own custom app
      image.png
    • Download the IDP metadata then click next. This will need to be copied into EASYProcess
      image.png
      image.png (8.09 KiB) Viewed 1438 times
      image.png
      image.png (8.09 KiB) Viewed 1438 times
    • Give you application a name and click next
      image.png
    • Set the Identifier (Entity ID) and the ACS Url. This information can be found from the identity providers page. Click Next.
      image.png
    • This step is optional and you can come back to it later. See option setup below. After adding mapping or if you choose not to click Finish
      image.png
    • This step is optional and you can come back to it later. See option setup below. After adding mapping or if you choose not to click Finish
      image.png
    Setting Up Claims
    • Once you have the saml app selected. Click Configure SAML attribute mapping.
      image.png
    • Now you can add new claims to return by clicking add mapping
      image.png
      image.png
  • OKTA
    • Login to your okta domain.
    • Click on Add App next to Use Single sign on
      image.png
    • Click on Create New App
      image.png
      image.png (8.5 KiB) Viewed 1436 times
      image.png
      image.png (8.5 KiB) Viewed 1436 times
    • Select Saml 2.0 and click create
      image.png
    • Give it a name and click next
      image.png
    • Fill out the single sign on url and entity id. This information is found from the identity providers page then the Primary Entity Id/Meta Data link. After this is filled out scroll to the bottom and click next.
      image.png
    • Fill out the feedback and click the finish button.
    • Click on the Identity Provider metadata link. This will open a new tab with the metadata that is needed to be copied to EASYProcess
      image.png
    Setting Up Claims
    • Under the directory header select Profile Editor
      image.png
    • Click on the profile button next to your app. You can also follow the same steps to add attribute to the base okta user.
      image.png
    • Click on Add Attribute
      image.png
      image.png
    • Once all attributes are added from the profile editor page click on the Mappings button
      image.png
    • Select the Okta User to AppName tab where AppName is the name of your application.
      image.png
      image.png (6.91 KiB) Viewed 1436 times
      image.png
      image.png (6.91 KiB) Viewed 1436 times
  • Active Directory Federation Services (ADFS)
    • Open ADFS Console and on the left hand side browse to Relying Party Trusts
      image.png
      image.png (14.43 KiB) Viewed 1435 times
      image.png
      image.png (14.43 KiB) Viewed 1435 times
    • On the righthand side under Actions select Add Relying Party Trust
      image.png
      image.png (21.97 KiB) Viewed 1435 times
      image.png
      image.png (21.97 KiB) Viewed 1435 times
    • Select Claims Aware and Start
      image.png
    • Select Enter Data About The Relying Party Trust Manually and click Next
      image.png
    • Choose a Relevant Display Name and Add A Description and click Next
      image.png
    • Skip the Certificate configuration and click Next
    • Select the Enable Support For The SAML 2.0 WebSSO Protocol and enter in the Relying Party SAML 2.0 SSO Service URL (Obtained from the EasyProcess Application) and click Next
      image.png
    • Enter the Relying Party Trust Identifier (This is obtained from the Easy Process Application) click Add and then click Next
      image.png
    • Select Permit Everyone and then click Next
      image.png
    • Click Next at the Ready To Add Trust screen
    • Ensure Configure Claims Issuance Policy For This Application is selected and click Close
      image.png
    • An Edit Claims Rule window appears select Add Rule
      image.png
    • Select Send LDAP Attributes as Claims and click Next
      image.png
    • In the configure claim rule window give your Claim Rule a unique name, select Active Directory as the Attribute Store and select User-principal-
      • name as LDAP Attribute and Name_ID as the Outgoing Claim and click Finish
        image.png
      • Click Apply and OK
        image.png
word count: 1363

Tags:
Post Reply