Single sign-on is an authentication service that allows a user to use one set of credentials to access multiple applications. Users sign in to an identity provider application for authentication, and the identity provider grants them access to the other applications that your service provider hosts.

An identity provider is an entity that manages authentication information and provides authentication services through security tokens, for example Microsoft Azure, Okta, or Salesforce. A service provider is an entity that provides web services to users, for example an entity that hosts web applications. You can configure single sign-on for a portal that you create or import through the Portal Configuration tool. To configure single sign-on, you must enable external authentication when you create or import the portal.
Before you configure single sign-on, ensure that you add the provider property provider.type and set its value to SAML in the Portal Login Module in the Security Providers tool of the Hub Console.
1. On the Home page, select the portal for which you want to configure single sign-on.
2. Click the Action icon on the portal, and select SSO Configurations.
   The SSO Configurations option appears only on published portals.
   When you configure single sign-on for the first time, the SSO Quick Setup Steps dialog box appears. Read through the instructions, and click OK. To see the quick setup steps again, click SSO Quick Setup Steps in the Service Provider Settings section.
3. Click Download Service Provider Metadata.
   The service provider metadata XML file is downloaded.
4. To digitally sign the authentication request before it is sent to your identity provider, select Sign Authentication Request.
5. To digitally sign the logout request before it is sent to your identity provider, select Sign Logout Request.
6. Upload the service provider metadata file to your identity provider application. For example, to upload the service provider metadata file to Microsoft Azure, perform the following steps:
   a. Log in to the Microsoft Azure portal.
   b. Select the enterprise application that you want to configure.
   c. Click Set up single sign on.
      The Select a single sign-on method page appears.
   d. Click SAML.
      The Set up Single Sign-On with SAML page appears.
   e. Click Upload metadata file.
   f. Navigate to the service provider metadata file that you downloaded, and click Add.
      The Basic SAML Configuration page appears and displays the values from the service provider metadata file.
      If the upload fails and the values do not appear on the Basic SAML Configuration page, navigate to the Set up Single Sign-On with SAML page and click Edit to add the values manually from the service provider metadata file.
   g. To redirect the user to a page after the user logs out, enter a logout URL.
   h. Click Save and Close.
   i. Download the federation metadata XML file from the SAML Signing Certificate section on the Set up Single Sign-On with SAML page.
7. In the Identity Provider Settings section of the Portal Configuration tool, click Choose File.
8. Navigate to the federation metadata XML file that you downloaded, and click Open.
   The fields in the Identity Provider Settings section populate with values from the federation metadata XML file.
   By default, the NameID element is mapped to the User Name Mapping field. You can also map the path to the email address in the User Name Mapping field.
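The following added example is not from this documentation or from the product; it illustrates what a service provider reads out of a federation metadata XML file when the Identity Provider Settings fields populate (entity ID, single sign-on and logout endpoints, the signing certificate), the sanity checks worth running on those values before trusting them, and how the default NameID mapping differs from mapping an email attribute in a SAML assertion. All XML, host names, the certificate text, and the attribute name email are constructed placeholders, and the product's own path syntax for the User Name Mapping field is not reproduced here.

```python
"""Added example: read an IdP federation metadata file the way a service
provider does, check the values it yields, and resolve a user name from a SAML
assertion via the NameID element or an email attribute.  Standard library only.
All sample XML, hosts, and the certificate string are constructed placeholders."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed federation metadata, shaped like the file an IdP lets you download.
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/placeholder-tenant/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>MIIC...PLACEHOLDER-CERT...AQAB</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/placeholder-tenant/saml2/logout"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/placeholder-tenant/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/placeholder-tenant/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion: the subject NameID is an opaque persistent identifier,
# while the e-mail address travels as a separate attribute named "email".
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/placeholder-tenant/</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">opaque-subject-id-0001</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_idp_metadata(xml_text):
    """Extract the values a service provider stores from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleSignOnService", NS)}
    slo = {e.get("Binding"): e.get("Location") for e in idp.findall("md:SingleLogoutService", NS)}
    # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
    certs = [
        "".join(cert.text.split())
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use", "signing") == "signing"
        for cert in kd.findall(".//ds:X509Certificate", NS)
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "slo": slo,
        "signing_certs": certs,
        "name_id_formats": [f.text.strip() for f in idp.findall("md:NameIDFormat", NS)],
    }


def check_idp_settings(settings):
    """Return a list of problems; an empty list means the metadata is usable."""
    findings = []
    if not settings["signing_certs"]:
        findings.append("no signing certificate: assertion signatures cannot be verified")
    if REDIRECT not in settings["sso"] and POST not in settings["sso"]:
        findings.append("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    # entityID is a URI, not necessarily a URL, so only the endpoints are checked.
    for url in [*settings["sso"].values(), *settings["slo"].values()]:
        if urlparse(url).scheme != "https":
            findings.append(f"non-HTTPS endpoint: {url}")
    return findings


def resolve_user_name(assertion_xml, mapping="NameID"):
    """Pick the user name from the subject NameID (default) or a named attribute.
    The real product's path syntax for this mapping is not shown on the page."""
    root = ET.fromstring(assertion_xml)
    node = None
    if mapping == "NameID":
        node = root.find("saml:Subject/saml:NameID", NS)
    else:
        for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
            if attr.get("Name") == mapping:
                node = attr.find("saml:AttributeValue", NS)
                break
    if node is None or not (node.text or "").strip():
        raise ValueError(f"assertion carries no value for mapping {mapping!r}")
    return node.text.strip()


if __name__ == "__main__":
    settings = parse_idp_metadata(IDP_METADATA)
    print("populated settings:", settings)
    print("findings:", check_idp_settings(settings) or "none")
    print("NameID mapping  ->", resolve_user_name(ASSERTION))
    print("email mapping   ->", resolve_user_name(ASSERTION, "email"))
```

Whichever mapping is chosen, the value is only as trustworthy as the signature check that the signing certificate from the metadata enables; the checks in check_idp_settings are the minimum a service provider should apply before saving the populated fields.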