The Login UI link gives you options to change parts of the login page. This only works if the default logic in the login page has not been modified. Primary Entity Id / MetaData is what you will use in most cases. EASYProcess generates an Entity ID and an Assertion Consumer Service (ACS) URL based on the tenant name; these cannot be changed and must match what you configure in your identity provider (see below). You then paste the metadata exported from your identity provider into the metadata text area. If you need something different, use the Alternate, DesignTime, or RunTime options, which let you enter the values yourself. Primary and Alternate are used both by the IDE for development login and by the end application. To have the IDE and the end application use separate identity provider instances, use the DesignTime/RunTime options.
SAML returns a list of claims. Whatever value is returned as the user principal (the Subject NameID) is used as the user ID in EASYProcess.
Every user must have an authorization set in EASYProcess before they can access the site. Authorizations can be set and maintained from the User Management page of any application. You can also maintain the authorization in your identity provider, using the claims described below.
You have a few options for setting an authorization type. For a specific application, create a claim named UserProperty_AuthorizationType_[AppName], where [AppName] is the name of the app the authorization applies to. To set an authorization for all apps, create a claim named AllAppUserProperty_AuthorizationType. An app-specific claim overrides the all-app claim. When a user logs in, the user is added if they do not already exist, and their authorization is then updated to the claim value in the EASYProcess system. This happens on the SAMLResponse page: it first calls the Security Login process, which calls the SAML Add User identity provider process, and then calls the application's Auto Add / Set Authorization process to save the authorization.
You can also use claims to assign other values to the user in the system. For example, to set the user's email address, create a claim named UserProperty_Email_[AppName] or AllAppUserProperty_Email.
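The following is an added example, not EASYProcess code, showing how the claim naming convention above resolves for one application: an app-specific UserProperty_[Property]_[AppName] claim wins over AllAppUserProperty_[Property], and the Subject NameID becomes the user ID. The SAML Response, the app names "Orders" and "Inventory", and the user are all constructed for the example. Signature, audience and timestamp validation of the response must happen before any claim is trusted and is not shown here.

```python
"""Resolve EASYProcess user properties from the claims in a SAML Response.

Added example, not EASYProcess code. Applies the naming convention from the
page: UserProperty_<Property>_<AppName> overrides AllAppUserProperty_<Property>,
and the Subject NameID is the user id. The response below is constructed; the
app names "Orders" and "Inventory" are made up. Signature, audience and
timestamp validation must run before this and is not shown.
"""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
APP_PREFIX = "UserProperty_"        # UserProperty_<Property>_<AppName>
ALL_PREFIX = "AllAppUserProperty_"  # AllAppUserProperty_<Property>

# Constructed sample; not captured from a real identity provider.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID>jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="AllAppUserProperty_AuthorizationType">
        <saml:AttributeValue>ReadOnly</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="UserProperty_AuthorizationType_Orders">
        <saml:AttributeValue>Admin</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="AllAppUserProperty_Email">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_claims(response_xml):
    """Return (name_id, {claim_name: first_value}) from a SAML Response."""
    root = ET.fromstring(response_xml)
    name_id = root.findtext(".//saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or not name_id.strip():
        raise ValueError("assertion has no Subject/NameID; no user id to log in as")
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        if values:
            claims[attr.get("Name")] = values[0]  # multi-valued claims: first value wins
    return name_id.strip(), claims


def resolve_property(claims, prop, app_name):
    """App-specific claim wins; otherwise the AllApp claim; otherwise None."""
    specific = claims.get(f"{APP_PREFIX}{prop}_{app_name}")
    if specific is not None:
        return specific
    return claims.get(f"{ALL_PREFIX}{prop}")


def property_names(claims, app_name):
    """Property names addressed to this app by either naming form."""
    names = set()
    for claim in claims:
        if claim.startswith(APP_PREFIX) and claim.endswith(f"_{app_name}"):
            names.add(claim[len(APP_PREFIX):-(len(app_name) + 1)])
        elif claim.startswith(ALL_PREFIX):
            names.add(claim[len(ALL_PREFIX):])
    return names


def resolve_user(response_xml, app_name):
    """Build the record the Auto Add / Set Authorization step would receive."""
    name_id, claims = parse_claims(response_xml)
    record = {"user_id": name_id, "app": app_name}
    for prop in sorted(property_names(claims, app_name)):
        record[prop] = resolve_property(claims, prop, app_name)
    # Every user needs an authorization; a login that resolves to none for
    # this app must not be treated as authorized.
    record["authorized"] = bool(record.get("AuthorizationType"))
    return record


if __name__ == "__main__":
    for app in ("Orders", "Inventory"):
        print(resolve_user(SAMPLE_RESPONSE, app))
```

Run against the sample, "Orders" resolves to Admin (the app-specific claim) while "Inventory" falls back to ReadOnly; both get the same Email from the AllApp claim. An attribute carrying several AttributeValue elements is reduced to its first value here, so if your provider can emit multi-valued attributes, decide deliberately which value EASYProcess should see.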
- Azure
- Select Azure Active Directory
- Select Enterprise Applications from the left menu
- Select your application from the list or create a new one
- Select Single Sign On from the left menu
- Edit the Basic SAML Configuration. The Identifier (Entity ID) and Reply URL (ACS URL) must match the values shown on the EASYProcess Identity Providers page
- Under SAML Signing Certificate, download the Federation Metadata XML. This is what you paste into EASYProcess
- Google
- Select Apps
- Select SAML Apps
- Click the Plus icon in the bottom right to add a new app
- Select Setup my own custom app
- Download the IdP metadata, then click Next. This is what you paste into EASYProcess
- Give your application a name and click Next
- Set the Identifier (Entity ID) and the ACS URL. These values are shown on the Identity Providers page. Click Next
- This step (attribute mapping) is optional and you can come back to it later; see the attribute setup below. After adding mappings, or if you choose not to, click Finish
- Once you have the SAML app selected, click Configure SAML attribute mapping
- You can now add new claims to return by clicking Add mapping
- Okta
- Log in to your Okta domain
- Click Add App next to Use Single Sign On
- Click Create New App
- Select SAML 2.0 and click Create
- Give it a name and click Next
- Fill out the Single sign on URL and the Entity ID. These values are shown on the Identity Providers page under the Primary Entity Id/Meta Data link. After filling them out, scroll to the bottom and click Next
- Fill out the feedback and click Finish
- Click the Identity Provider metadata link. This opens a new tab with the metadata that you copy into EASYProcess
- Under the Directory header, select Profile Editor
- Click the Profile button next to your app. You can follow the same steps to add attributes to the base Okta user
- Click Add Attribute
- Once all attributes are added, click the Mappings button on the Profile Editor page
- Select the Okta User to AppName tab, where AppName is the name of your application
- Active Directory Federation Services (ADFS)
- Open the ADFS console and on the left-hand side browse to Relying Party Trusts
- On the right-hand side, under Actions, select Add Relying Party Trust
- Select Claims Aware and click Start
- Select Enter Data About The Relying Party Trust Manually and click Next
- Choose a relevant Display Name, add a description and click Next
- Skip the certificate configuration and click Next
- Select Enable Support For The SAML 2.0 WebSSO Protocol, enter the Relying Party SAML 2.0 SSO Service URL (the ACS URL obtained from the EASYProcess application) and click Next
- Enter the Relying Party Trust Identifier (the Entity ID obtained from the EASYProcess application), click Add and then click Next
- Select Permit Everyone and click Next. This only controls who ADFS will issue an assertion to; the user still needs an EASYProcess authorization, set either in User Management or through the claims described above
- Click Next at the Ready To Add Trust screen
- Ensure Configure Claims Issuance Policy For This Application is selected and click Close
- An Edit Claim Rules window appears; select Add Rule
- Select Send LDAP Attributes as Claims and click Next
- In the Configure Claim Rule window give your claim rule a unique name, select Active Directory as the Attribute Store, select User-Principal-Name as the LDAP Attribute and Name ID as the Outgoing Claim Type, and click Finish
- Click Apply and OK