
Single Sign-On (SSO)


Azure SSO

Last Updated: November 18, 2021

Please note: the following steps walk through an example use case, and the information that needs to be saved will be specific to your application.

Application Registration using Azure Portal

To set up Azure Single Sign-On with SecurEnds and Azure AD, you need to register SecurEnds as an application within the Azure portal. Doing this creates the service principal object in your Azure AD tenant. The information that needs to be gathered and saved throughout the steps below is as follows:

- Tenant Id
- Client Secret (Value)
- Client Id
- Group Name

Notice: The desired group must be associated with the SSO application created.

How to associate an Azure group to your SSO app in the Azure portal:

1. Navigate to Enterprise Applications and search for the application.
2. Click on the application name.
3. In the Overview screen, click on Assign users and groups.
4. Click on Add user/group.
5. Here you can add either the user or the group to the application.

Step 1: Create Application

1. Log in to https://portal.azure.com
2. Navigate to the left navigation menu and select Azure Active Directory.
3. Make note of the Tenant ID displayed on the right, as this will need to be supplied to the SecurEnds team.
4. After making note, select Enterprise applications.
5. Select New application. Be sure you have appropriate access: admin permission is needed to create a new application.
6. Select Non-gallery application.
7. Give an application name and select Add.
8. After creating an application, you will be automatically navigated to the application overview page.
9. Make note of the Application ID and Object ID displayed on the screen, as these will need to be supplied to the SecurEnds team.
10. After making note, select Single sign-on on the left navigation menu.
11. Select Linked as the single sign-on method.
12. Provide the Sign on URL and select Save.
13. Navigate to the home page > select Azure Active Directory > then select App registrations.
14. Select the application just created.
15. Select Certificates and secrets.
16. Select New client secret.
17. Add a Description and select an Expires timeframe. Once complete, select Add.
18. The Client Secret is displayed when these settings are saved. You must copy the key to the clipboard at this point; once you leave the page the key will no longer be visible.
19. Make note of the Client Secret (Value) displayed on the screen, as this will need to be supplied to the SecurEnds team.

Step 2: Azure Permissions

After registering SecurEnds as an application within the Azure portal, the next step is to make sure the application has the correct API permissions to access data within Microsoft Graph. To do this, the user or administrator must grant the correct permissions via a consent process.

1. Select the Authentication link on the left navigation menu and select Add a platform.
2. Select Web as the configure platform under web applications.
3. Select “Add a platform” and input the Redirect URL as below:
   https://companyname.securends.com/login/oauth2/code/azure
4. Select Configure.
5. There is no need to add a Logout URL, since the REST API is used for logout.
6. Under Logout URL, in Implicit Grant, the ID token checkbox should be enabled.
7. Select API permissions on the left navigation menu and select Add a permission.
8. Select Microsoft Graph under Commonly used Microsoft APIs.
9. Under Microsoft Graph, give the following Delegated Permissions, totaling 4 permissions in all:
   - Email
   - Openid
   - Profile
   - Directory
10. Search for Directory permissions and select the Directory.AccessAsUser.All permission.
11. Select the email, openid and profile permissions.
12. Select Add permissions and then select “Grant admin consent for ******”.
13. Select Yes.
14. After selecting the required permissions, check the status for granted/not granted.
15. An admin will get an option to grant those permissions beside the “Add a permission” button.

Step 3: Manifest Configuration

Select the “Manifest” link on the left navigation menu and update the following:

- oauth2AllowImplicitFlow value to true

Step 4: Users and Groups Creation (Optional)

If users and groups have already been created, you can skip this step, but make note of the “Group Name” as this will need to be supplied to the SecurEnds team.

Create users and groups (if already created, ignore this step):

1. Navigate to Azure Active Directory and select Users.
2. Select New User and add the appropriate details.
3. Navigate to Azure Active Directory and select Groups.
4. Select New Group and add the appropriate users to that group.
5. This group contains a list of Active Directory groups to use for authorization.
6. Make note of this Group Name, as it will need to be supplied to the SecurEnds team.

Step 5: Configuration Settings

Once the steps above have been completed, you can provide SecurEnds the following information that was saved based on the directions from each step:

- Tenant Id: Contains your Active Directory’s Directory ID from earlier
- Client Id: Contains the Application ID from your app registration that you completed earlier
- Client Secret: Contains the Value from your app registration key that you completed earlier
- Group Name: Contains a list of Active Directory groups to use for authorization

Step 6 (Optional): Update Azure Claim Token

Required if your company utilizes two logins, like UPN (UserPrincipalName) and email. Please go through the steps below to update the Azure email claim token.

1. Select the “App registration” link on the left navigation menu.
2. Go to the All Applications tab and click on the application for which you are looking to update an email token. Example: securends-sharepoint.
3. After you click the selected application, its page opens.
4. Select the Token Configuration link on the left navigation menu.
5. Click on Add optional claim; a new screen appears on the left side to add the optional claim.
6. Select Token type as ID and Claim as email.
7. Click on the Add button.

The email claim token is now updated.
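
To confirm that Step 6 took effect, the claims of an ID token issued to the application can be inspected and compared with the Tenant Id and Client Id saved earlier. The following is an added example, not SecurEnds or Microsoft code; the tokens, IDs and addresses are constructed placeholders, and the use of the preferred_username claim for the UPN is an assumption about the token version.

```python
import base64
import json

def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_claims(id_token: str) -> dict:
    """Decode the claims segment WITHOUT verifying the signature.
    For inspecting configuration only, never for authenticating a user."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped padding
    return json.loads(base64.urlsafe_b64decode(segment))

def check_claims(claims: dict, tenant_id: str, client_id: str) -> list:
    """Return a list of findings; an empty list means the token looks as expected."""
    findings = []
    if claims.get("tid") != tenant_id:
        findings.append("tid does not match the saved Tenant Id")
    if claims.get("aud") != client_id:
        findings.append("aud does not match the saved Client Id")
    if not claims.get("email"):
        findings.append("email claim missing: optional claim not configured (Step 6)")
    return findings

def has_two_logins(claims: dict) -> bool:
    """True when the email claim is present and differs from the UPN-style login."""
    email = str(claims.get("email", "")).lower()
    upn = str(claims.get("preferred_username", "")).lower()  # assumption: v2.0 token
    return bool(email) and email != upn

def build_sample_token(claims: dict) -> str:
    """Constructed sample; the signature segment is a placeholder, not a signature."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return ".".join([header, _b64url(json.dumps(claims).encode()), "constructed-signature"])

TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder
CLIENT_ID = "22222222-2222-2222-2222-222222222222"  # constructed placeholder
BASE = {"tid": TENANT_ID, "aud": CLIENT_ID, "preferred_username": "jdoe@corp.example"}
BEFORE = build_sample_token(BASE)                                        # before Step 6
AFTER = build_sample_token({**BASE, "email": "jane.doe@mail.example"})   # after Step 6

if __name__ == "__main__":
    for label, token in (("before Step 6", BEFORE), ("after Step 6", AFTER)):
        claims = decode_claims(token)
        print(label, check_claims(claims, TENANT_ID, CLIENT_ID), has_two_logins(claims))
```

The decode step skips signature validation on purpose, so it is suitable only for checking configuration on a token you obtained yourself.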

Okta SSO (SAML)

Last Updated: January 26, 2022

Step 1: Create an application in Okta

This app connector provides the SAML values your app needs to communicate with Okta SAML as an identity provider. It also provides a place for you to provide SAML values that Okta requires to communicate with your app as a service provider.

1. Access Okta.
2. Go to Applications.
3. Click on Create App Integration.
4. Select the SAML 2.0 option.
5. Enter the App Name and click on the Next button.
6. Enter the Single Sign On URL and Audience URI (SP Entity ID) and click on the Next button.
   Note: The example screenshot uses qa11; replace qa11 with the specific customer URL.
7. Select the “I’m an Okta customer adding an internal app” option and click on the Finish button.
8. The Identity Provider Metadata link is now shown. Click on the metadata link; it opens in a new window. Save it (Ctrl+S); a pop-up window opens to save the metadata file.
   Note: Please save the file and share it with the SecurEnds team.
9. Click on View Setup Instructions.
10. Copy the Identity Provider Issuer.
    Note: Please copy the issuer URL and share it with the SecurEnds team.

Final Step: Please assign the created application to people/groups.

Okta SSO (OIDC)

Last Updated: January 26, 2022

Supported Features

The SecurEnds application supports the following OIDC feature:

- Service Provider (SP)-Initiated Authentication (SSO) Flow

Step 1: Add SecurEnds Application in Okta dashboard

1. Within the Okta Admin dashboard, select the Applications link in the header of the page.
2. Select the Add Application button on the Application screen.
3. Search for the “SecurEnds” application and select the SecurEnds application from the results shown.
4. Select the Add button on the SecurEnds screen.
5. Provide the Application label and Sub Domain details and select the Done button.
   - Example Application Label: SecurEnds
   - Example Sub Domain: If the URL is “https://test.securends.com/” then the Sub Domain will be “test”, the first part of the URL prior to “.securends.com”
6. You will then be redirected to view the SecurEnds application details.
7. Select the Sign On tab and copy the Client ID and Client secret values. These values will need to be provided to your SecurEnds Implementation Consultant to be configured within your organization’s SecurEnds instance.

The following information will need to be provided to enable Okta SSO:

- Client ID
- Issuer
- Client Secret

8. Once the application is created, go to the General tab.
9. Navigate to the App Embedded Link section and copy the URL up until “okta.com”. This will be the Issuer URL required to enable your organization’s SSO in SecurEnds.
   Example Issuer URL: https://dev-577759.okta.com

Please provide the following information to your SecurEnds Implementation Consultant to be configured within your organization’s SecurEnds instance:

- Client ID
- Client Secret
- Issuer

Test Your Integration

Step 2: Assign Users

First you must assign your integration to one or more test users in your org:

1. Select the Assignments tab.
2. Select Assign and then select either Assign to People or Assign to Groups.
3. Enter the appropriate users or groups that you wish to enable Single Sign-On into your application, and then select Assign for each.
4. For any users that you added, verify the user-specific attributes, and then select Save and Go Back.
5. Select Done.

Test Single Sign-On

1. Sign out of your administrator account within your development org by selecting Sign out in the upper-right corner of the Admin Console.
2. Sign in to the Okta End-User Dashboard as the normal user who was assigned the SecurEnds integration.
3. In your dashboard, select the Okta tile for the integration and confirm that the user is signed into the SecurEnds application.

Notes

Users can access the SecurEnds application using OIDC features in the following ways:

- Log in to their Okta org URL. After authentication, the customer can click on the SecurEnds app available in the dashboard and will be redirected to the SecurEnds application.
- Access the SecurEnds instance URL directly. The customer will be redirected to their Okta org for authentication, and after authentication will be redirected back to the SecurEnds application.

Troubleshooting and Tips

If you run into issues with your sign-in process, you can try the following to troubleshoot the issues:

- In the Admin Console of your Okta development org, navigate to Reports > System Log and examine any failure messages reported.
- Open the developer console of your web browser and examine any status messages related to your authentication request. The console errors have status codes in the 4XX range. Investigate and resolve any error messages generated by your sign-on request.
- Please reach out to the SecurEnds Implementation Consultant in case further help is required.

OneLogin SSO

Last Updated: February 9, 2022

Step 1: Create an app connector in OneLogin

Use the SAML Test Connector (Advanced) connector to build an application connector for your app. This app connector provides the SAML values your app needs to communicate with OneLogin as an identity provider. It also provides a place for you to provide SAML values that OneLogin requires to communicate with your app as a service provider.

1. Access OneLogin.
2. Go to Apps > Add Apps.
3. Search for SAML Test Connector.
4. Select the SAML Test Connector (Advanced) app.
5. Edit the Display Name, if required. In the case of working with the demo1 app, enter demo1.
6. Accept the default values and click Save. Keep the OneLogin app connector UI open for the next task.
7. Click Save.

Side Navigation Bar Details

- Info:
- Configuration: The values shown in the screenshot are sample data used to set up the SAML OneLogin SSO. The data will be transferred between the Service Provider (SecurEnds) and the Identity Provider (OneLogin) in a secure manner. A public key needs to be added in the SAML Encryption field.
- Parameters:
- SSO: Select “SHA-256” for SAML Signature Algorithm. Copy the Issuer URL and forward it to the SecurEnds team.

Add Users

1. Go to Users > Users and click the New User button to open the User Info page.
2. On the User Info page, verify that the user is activated (Green).
3. Enter the user’s name and email address, along with any other personal information you want to include. (Note: The user will receive the verification email and should activate the account.)
4. Click the SAVE USER button.

Assign User to App

1. In OneLogin, click Users, and then select each user you want to add.
2. In the user info page, click Applications.
3. Click the + icon, select the application from the drop-down and click Continue. Then click Save.

Add Role

1. Click Users and select Roles.
2. Enter a name for the new role and click Save. (Example: Admin/Finance/Account. It can be any name you want to provide for the role.)
3. In Roles, open the new role by clicking the one you created.
4. Click Users (left side navigation).
5. In Check existing or add new users to this role, enter the name(s) of the users to add.
6. When you have located each user name, click Check.
7. For each user, click Add to Role. When you are done, the user(s) are listed in Users Add Manually.
8. Click Save. You are returned to the Roles page.
9. In the Role, click Applications.
10. Click the Add Apps or + icon.

Set Up

1. Go to the More Actions dropdown, select the SAML Metadata option and then SAVE.
2. Forward the SAML Metadata file to the SecurEnds team.
