For the Single Sign On feature to work, configuration needs to be done depending on the role of the platform: Identity Provider or Service Provider. The procedures for each role are described below.
Identity Provider Configuration Procedures
1. Navigate to the Identity Provider setup section.
Go to Setup > Security > Identity Provider
The list of identity providers will be displayed. If there is only one record, it will be automatically displayed. Note that while there can be many profiles defined, there can only be one active identity provider profile at any given time.
2. Create an Identity Provider
Click New to add a new identity provider or select an existing provider to update. The details entry page is then displayed.
Populate the details with the appropriate information.
| Field | Description |
| --- | --- |
| Identity Provider Name | Unique name/label for the Identity Provider profile. |
| Enabled | When checked, this is the active identity provider profile. |
| Issuer | URL of the issuer. This is normally the BillingPlatform org domain/URL. |
Click Submit to save the new Identity Provider profile. Upon saving, certificate information will also be made available on the details page. This can be copied into a text file and shared with the service providers as a prerequisite for the platform being identified as a trusted system.
3. Add Service Providers
Click on the Service Provider child node on the left navigation pane. The list of service providers will be displayed. If there is only one record, it will be automatically displayed.
Click New to add a Service Provider, or select an existing record to view/update its details. The details page is displayed where the necessary information can be entered.
Refer to the table below for the information expected for each field.
| Field | Description |
| --- | --- |
| Service Provider Name | Unique name/label of the service provider. |
| Start URL | URL where users are redirected when the application is invoked. This can be an absolute URL or a link for the application name. |
| Entity Id | Entity Id value from the service provider. This needs to be provided by the service provider system. |
| ACS URL | ACS stands for Assertion Consumer Service. This URL needs to be obtained from the service provider. |
| | The subject type that the service provider needs. This configuration needs to be provided by the service provider. Available options are: |
| Name ID Format | The format of the Name ID that is passed in the subject. This needs to be provided by the service provider. |
| Issuer | If no URL is provided, the BillingPlatform org domain will be used as the default. |
Click Submit to save the new service provider. Additional service providers can be added as needed.
Service Provider Configuration Procedures
1. Navigate to the Service Provider configuration section.
Go to Setup > Security > Single Sign-on. The profile details will be displayed.
2. Update the configuration
Click Edit to update the details of the Service Provider configuration.
| Field | Description |
| --- | --- |
| SAML Enabled | Specifies if the platform needs to connect to an IDP via SAML. |
| Upload New IDP Certificate | Click this button to upload a certificate file from the Identity Provider. |
| SAML User Id Type | Specify the format of the user information that is expected from the Identity Provider. This needs to be confirmed with the identity provider. Available options are: |
| SAML User Id Location | Specify where the User ID is located within the data that is sent by the Identity Provider. This needs to be confirmed with the identity provider. Available options are: |
| | This is only applicable if the SAML User Id Location value is set to "Identity is in an Attribute element". Specify the name of the attribute in this field. |
| SP Initiated Request Type | Specifies the method to be used to initiate an authentication request to the Identity Provider. Available options are: |
| | Unique identifier for the Service Provider. Once this has been configured and communicated to the Identity Provider, any change will need to be reconfigured with the Identity Provider again. This is equivalent to the Entity Id in the Identity Provider configuration. |
| Entity id | Identifier of the Identity Provider. This is equivalent to the Issuer in the Identity Provider configuration. |
| Start URL | URL where users are directed when they open the application. |
| IDP Login URL | URL for the endpoint where authentication requests are sent. |
| IDP Logout URL | URL for the endpoint where logout requests are sent. |
| Recreate Certificate and Private Key? | Checking this will instruct the system to refresh the installed certificate and private key. |
| User Provisioning Enabled | Checking this enables the just-in-time provisioning feature. This means that if a user does not exist in the platform but is authenticated by the identity provider, the user will be created in the platform. |
| API User | Applicable only if User Provisioning is enabled. This is an existing platform user that will be used to provision the new user. |
| | Applicable only if User Provisioning is enabled. This is the table of attribute mappings for the required information needed when provisioning a new user. These are: |
| | Applicable only if User Provisioning is enabled. This is the table of attribute mappings for optional information when provisioning a new user. Columns to be populated are: |
Click Submit to save the changes and complete the Service Provider role configuration.
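The Service Provider settings above (IDP Entity id matching the IdP's Issuer, the SP's own entity id, SAML User Id Location as Subject or a named Attribute) map directly onto fields of the SAML Response the platform receives. The example below is added here and is not BillingPlatform code: it parses a constructed sample response, checks that the issuer and audience match the configured entity ids, and then reads the user id from the Subject NameID or from an Attribute element by name. It assumes the response signature has already been verified against the uploaded IDP certificate before this step.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response; all URLs and values are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.test</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://billing.example.test/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="username">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_user_id(xml_text, idp_entity_id, sp_entity_id, location="subject", attribute_name=None):
    """Return the user identifier from an already signature-verified SAML Response.
    location is "subject" (NameID in the Subject) or "attribute" (a named Attribute element),
    mirroring the SAML User Id Location setting; attribute_name is the configured attribute."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    # The assertion Issuer must equal the IDP entity id configured on the SP side.
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        raise ValueError(f"unexpected issuer {issuer!r}")
    # The assertion must be addressed to this SP: Audience must contain the SP entity id.
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("assertion is not intended for this service provider")
    if location == "subject":
        return assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == attribute_name:
            return attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
    raise ValueError(f"attribute {attribute_name!r} not present in assertion")
```

An issuer or audience mismatch is rejected before any user lookup, which is the check that makes the Entity id and Issuer pairing described in both tables matter.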