Implementing Single Sign-On (SSO) on your site
Who is this article for?Site Administrators who are looking to set up Single Sign-On (SSO) on their system.
Site Admin permissions are required.
This article will walk through how to prepare a Ideagen Risk Management site for SSO integration before SSO is implemented. It will also detail how to retrieve the necessary information required to configure various External Providers to work with Ideagen Risk Management's SSO integration. Finally, this article will walk through troubleshooting steps should any issues arise during the process.
Preparing a Ideagen Risk Management Site Before SSO Integration
Prior to configuring SSO, Site Admins will be required to check the following details within their live site to make sure that the SSO Integration will work correctly.
-
Ensure that no duplicate email addresses are used in the system
This is because Ideagen Risk Management SSO uses email addresses to identify the user profile for login. This can be done by running a User Report on their Ideagen Risk Management system.
The report must look at all Users (including inactive) and the layout must include User First Name, User Last Name, and Email address fields. Exporting this into Excel and searching for duplicates in the email address field will identify any problem Users.
This can be done quickly with the Excel formula of =IF(COUNTIF(C:C, C)>1, "Duplicate", "") where C is the column containing the email field.
-
Determine whether a test site should be used to minimise disruption to end users
SSO can only be enabled on a site-wide basis. Once enabled, users accessing the site via any URL other than https://<sitename>.pentanarpm.uk/login will be directed to the SSO login if they are not currently logged in.
Test sites are available for use, the only difference is a change in URLs and the need to set up test users to check access. These test sites are cleansed after each use, and all customer data is removed.
Once these steps are completed, an internal IT Team or Contact responsible for SSO will need to perform the following steps to ensure that the Integration is successful.
-
Ensure that your Identity Provider (IdP) can be configured manually, without the use of metadata.
Our SSO implementation does not publish or consume metadata, and so the connection must be manually configured. Current implementations include Microsoft Entra ID, Microsoft AD, Google IdP and OKTA, but any form of active directory which uses SAML 2.0 should be compatible.
-
Provide us with a copy of your IdP URLand your public encryption certificate (this may be self-signed) or your IdP metadata XML file.
This allows us to configure the connection settings on our end and enable SSO. Exporting the certificate is covered under each implementation guide in the second part of this document.
Finally, Ideagen Support will provide you with the following upon request:
-
Your SP/Application URL and the POST binding SP URL.
These are used to configure the connection between your Penatana Risk site and your IdP. If a test site has been used, then upon completion of testing these URLs will need to be changed to your Live site.
-
A copy of our public signing certificate.
This is used to authenticate and encrypt your login requests. This will be stored in your IdP against the connection settings. This can be found attached within the Downloads section of this guide or on request from Ideagen Risk Management Support.
2. Configuring SSO
Each External Provider has different steps that need to be followed to configure SSO so it's ready to be integrated with Ideagen Risk Management.
Active Directory Federated Services SSO (ADFS)
ADFS SSO is configured via a relaying party.
To configure the relaying party:
- Navigate between each available screen, filling in the information as follows.
- 'Select Data Source' screen - Choose to enter data about the relaying party manually.
- 'Specify Display Name' screen - Enter a relevant display name and any notes.
- 'Choose Profile' screen - Select must be ADFS type.
- 'Configure Certificate' screen - This must include our token encryption certificate which can be found from the Downloads section on this article.
- 'Configure URL' screen - This must use the SAML 2.0 SSO protocol. The service URL created here will be the IdP URL used in our internal configuration process.
- 'Configure Identifiers' screen - The relaying party trust identifier will be https://<yoursitename>.pentanarpm.uk.
- On the 'Finish' screen select 'Open the Edit Claims rule'.
-
In the 'Edit Claims' editor, select 'Add Rule' and create the following claim rules:
- LDAP Attribute - E-Mail-Addresses.
- Outgoing Claim Type - E-Mail Address.
- Access the relaying party properties, and select the 'Endpoints' tab.
- Here, add a SAML Consumer type POST-binding endpoint using the following URL: https://<yoursitename>.pentanarpm.uk/cpmweb/sso/samlresponse.
To export your ADFS public encryption certificate:
- Open AD FS 2.0.
- Navigate to 'Service', then 'Certificates'.
- Find the Token-signing certificate for your ADFS server that is used to authenticate the 'Security Assertion Markup Language (SAML)' connection.
- Click the 'Token-signing certificate'.
- In the 'Actions' section, click 'View Certificate'.
- Click the 'Details' tab.
- Select 'Copy to File', then 'Next'.
- Select 'Base-64 encoded X.509 (.CER)' and click 'Next'.
- Click 'Browse', select a location, enter a file name, and then click 'Save'.
- Click 'Next', and then click 'Finish'.
Provide our Support Team with a copy of your certificate and your IdP URL for them to finish configuring the SSO Implementation.
Microsoft Entra ID SSO
Microsoft Entra ID SSO is configured as a non-gallery app.
To configure the app:
- Expand the 'Applications' menu on the left.
- Select 'Enterprise applications'.
- Click '+ New application'.
- Pick 'Non-Gallery Application'.
- Select 'Configure Single Sign-On'.
- Choose 'SAML-based Sign-On'.
-
Enter the following metadata:
- Identifier - https://<yoursitename>.pentanarpm.uk
- Reply URL - https://<yoursitename>.pentanarpm.uk/cpmweb/sso/samlresponse
- Sign on URL - https://<yoursitename>.pentanarpm.uk/cpmweb/login
- Under the 'Attributes' tab, set the 'SAML Token Attributes' to a one claim rule for 'email'.
This is used by Ideagen Risk Management to identify the user logging in. - Under the 'SAML Signing Certificate' panel, access the 'App Federation URL', 'Login URL', and the 'application certificate'.
Please provide these to the Ideagen Risk Management Support team so that they can configure your sites SSO. -
Manage the user groups to grant access to the application.
Any users on the IdP without a Ideagen Risk Management user account will not be able to login to the application.
Google Authentication Services SSO
To configure Google Authentication Services, you need to create a Custom App in the Admin directory.
To create the app:
- Sign into the Google Admin console.
-
Go to Apps > SAML Apps.
To see Apps on the Home page, click 'More' controls at the bottom. - Click the '+' icon in the bottom corner.
-
Select 'Set up my own custom app'.
Google IDP Information window will open, and the 'Single Sign-On URL' and the 'Entity ID URL' fields will automatically populate. -
Record and store the following information for the Ideagen Risk Management implementation:
- Entity ID.
- Single Sign-On URL.
- Download the X.509 Certificate.
- Click 'Next'.
- In the 'Basic Application Information' window, add an application name and description for the Ideagen Risk Management application.
- In the 'Service Provider Details' window, add the following fields:
- Assertion Consumer Service URL - https://<yoursitename>.pentanarpm.uk/cpmweb/sso/samlresponse
- Entity ID - https://<yoursitename>.pentanarpm.uk
- Start URL - https://<yoursitename>.pentanarpm.uk/cpmweb/login
- Leave 'Signed Response' unchecked.
- Change the 'Name ID' format from 'Unspecified' to 'Email Address'.
- Click 'Next'.
- Click 'Add new mapping'.
- Select 'Basic Information'.
- Choose 'Primary Email' from the dropdown boxes and name the Mapping 'mail'.
- Click 'Finish'.
- Click 'OK' on the final window and provide our Support Team with your IdP information.
OKTA Authentication
Below is the information you need to set up OKTA.
- Single Sign-On URL - https://<yoursitename>.pentanarpm.uk/cpmweb/sso/samlresponse.
- Use this for Recipient URL and Destination URL - Should be ticked.
- Audience URL - https://<yoursitename>.pentanarpm.uk.
- NameID - Format should be set to 'EmailAddress'.
- Application Username - Should be set to a custom value for 'user.email'.
- Mail attribute within config is also required.