Single Sign-On (SSO) allows you to access several applications with a single authentication. This makes things easier for you since you don't have to remember a separate password for each of your many applications. It also increases security because the more passwords you have to memorize, the more you tend to choose passwords that are simple and repetitive, which are less secure.
This article applies to Administrator accounts. Quarantine Administrator accounts can view this information but cannot edit the parameters.
You can set up SSO for your organization under:
My Organization → Parameters → Advanced → SSO
In this article: General Concepts, SSO Parameters, Configuration Prerequisites, Configuration Steps
General Concepts
The most important concepts for understanding SSO are the Identity Provider (IdP) and the Service Provider (SP). Most websites act as their own IdP and SP when you log on: your identity is validated by the website, which then allows you to log in and use its service. With SSO, you sign on to a single IdP, which then gives you access to many different services.
Here's a more concrete example using Google. You can follow along on the diagram below.
When you log in to a website, you may have the option of creating an account with that website or of creating an account by linking to Google. In the second case, Google acts as your IdP. When you connect to the website using Google, a new window opens and allows you to log in to your Google account (1). Google then communicates information about the user (2) to the website, which is the SP (3), in order to establish a trust relationship. The communication is done using the Security Assertion Markup Language (SAML), an XML-based language. Once the identity has been correctly determined and a trust relationship established, the user can then access the resources offered by the SP.
In our case, the IdP is running on your network whereas the SP is the Cumulus interface.
SSO Parameters
|Activated||Box must be checked to activate SSO.|
|Force SSO||When active, users can only log in using SSO.|
|Configuration||Select how SSO configuration details will be filled out. Choices are Manual, Upload Metadata, or Metadata Url.|
Manual Configuration Parameters
(Bolded fields are required)
|IdP Name||Name of the Identity Provider you would like to use. This name must be unique to you.|
|Entity Id||The exact entity ID of your IdP.|
|SingleSignOn Service||URL of your IdP's SingleSignOn Service.|
|SingleLogout Service||URL of your IdP's SingleLogout Service.|
|Certificate||The certification key for your IdP.|
|Security||Select your signing algorithm (RSA-SHA#) and hashing algorithm (SHA#). These must correspond with the signing and hashing algorithms used by your IdP.|
|Cumulus Attribute||Select which Cumulus attribute will match to an attribute used by your IdP.|
|Idp Attribute||Select which IdP attribute will match to an attribute used by Cumulus.|
Other Configuration Parameters
The Upload Metadata and Metadata Url options allow for a quicker setup if your IdP allows for it.
- The Upload Metadata option allows you to upload an XML file containing all the details required in the Manual configuration.
- The Metadata Url option allows Cumulus to fetch the configuration details directly from your IdP.
Configuration Prerequisites
- You must have an authentication system set up.
- You must have a Cumulus portal configured. Contact technical support for more information on setting up a portal.
Configuration Steps
Please note that these instructions are left vague since they are highly dependent on how your IdP setup is configured.
- Head over to the SSO parameters section in Cumulus under My Organization → Parameters → Advanced → SSO. If you see the below error message, this means you do not have a portal configured. Please contact technical support for help setting up a portal.
- Click the Configure SSO link.
- Select which configuration method you would like to use: Manual, Upload Metadata, or Metadata Url.
- Fill out the required fields and click the Create button.
- Once an SSO configuration has been saved, you will have the option to test the configuration before activating it. Testing lets you check the SSO configuration for errors and troubleshoot any that come up.