
Setting up single sign-on with SAML

After you've enabled SAML (by building a SAML server yourself or by using one of the SAML services), all authentication is handled outside of your WhosOnLocation. This can be paired with our Active Directory Sync feature to automatically add/change/delete users in your WhosOnLocation account.

The only user data that is stored in WhosOnLocation is the user name and email address. However, you can also choose to sync the following user data: phone, location, given name, surname, and role. You do this by adding these attributes to your SAML assertion.

How SAML for WhosOnLocation Works

SAML for WhosOnLocation works the way SAML does with all other service providers. The typical use case is that your users belong to a corporation and all user authentication is managed by your corporate authentication system (for example, Active Directory or LDAP), which is referred to generically as an identity provider (IdP).

The service provider (SP), in this case of course WhosOnLocation, establishes a trust relationship with the IdP and allows that external IdP to authenticate users and then seamlessly log them in to WhosOnLocation. In other words, a user logs in at work and then has automatic access to the many other corporate applications such as email, your CRM, and so on without having to log in separately to those services. Aside from the convenience this provides to users, all user authentication is handled internally by a system that you have complete control over.

After you've enabled SAML as the type of single sign-on for your WhosOnLocation, users who visit your WhosOnLocation and attempt to log in are redirected to your SAML server for authentication. Your users' identities can be stored either on the SAML server or can be validated by an identity directory such as Microsoft Active Directory or LDAP. Once authenticated, users are redirected back to your WhosOnLocation and automatically logged in.

Figure: SAML transaction steps

Configuring Your SAML Implementation

You have a number of options when considering a SAML service, including building a SAML server in-house (for example, OpenAM) or choosing a SAML service such as Okta, OneLogin, or PingIdentity.

To set up SAML in your WhosOnLocation, you'll need the following:

  • A SAML server with provisioned users or connected to an identity repository such as Microsoft Active Directory or LDAP
  • The Remote Login URL for your SAML server (sometimes called SAML Single Sign-on URL)
  • The SHA1 fingerprint of the SAML certificate from your SAML server

After you have your SAML server properly configured, you use the remote login URL and the SHA1 fingerprint to configure SAML within your WhosOnLocation.

Enabling SAML Single Sign-On In Your WhosOnLocation

With your SAML server configured and the information you need for setting up SAML in WhosOnLocation at hand, log in to your WhosOnLocation as an administrator and follow this procedure.

To enable SAML in your WhosOnLocation, fill out the following options on your WhosOnLocation security page.

SAML SSO URL

This is the URL that WhosOnLocation will invoke to redirect users to your Identity Provider.

Remote logout URL

This is the URL that WhosOnLocation will return your users to after they log out.

Certificate Fingerprint

The SHA1 fingerprint of the SAML certificate; obtain this from your Identity Provider.
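The remote login URL and certificate fingerprint listed in the requirements above are usually taken from the IdP's SAML metadata. The following is an added Python example, not part of this article or of the WhosOnLocation product, that extracts both from IdP metadata, computes the SHA1 fingerprint from a PEM certificate, and checks a configured fingerprint against the computed one ignoring case and colon separators. The entity ID, URLs, metadata document and certificate bytes are constructed placeholders, not values from any real IdP.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder, NOT a real X.509 certificate: these bytes stand in for the
# DER encoding so the example runs offline. Use your IdP's actual certificate/metadata.
SAMPLE_DER = b"placeholder-der-bytes-not-a-real-certificate"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{SAMPLE_B64}\n-----END CERTIFICATE-----\n"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def sha1_fingerprint(der: bytes) -> str:
    """SHA1 of the DER bytes, in the colon-separated upper-case form most IdP consoles show."""
    hexdigest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, 40, 2))

def fingerprint_from_pem(pem: str) -> str:
    """Strip the PEM armour and all whitespace, decode to DER, then hash."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----|\s+", "", pem)
    return sha1_fingerprint(base64.b64decode(body, validate=True))

def idp_settings_from_metadata(xml_text: str) -> dict:
    """Pull the two values the security page asks for out of IdP metadata:
    the SSO (remote login) URL and the SHA1 fingerprint of the signing certificate."""
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    signing = idp.find("md:KeyDescriptor[@use='signing']", NS)
    cert_b64 = "".join(signing.find(".//ds:X509Certificate", NS).text.split())
    sso_url = idp.find("md:SingleSignOnService", NS).get("Location")
    return {"sso_url": sso_url, "fingerprint": sha1_fingerprint(base64.b64decode(cert_b64))}

def fingerprint_matches(configured: str, expected: str) -> bool:
    """Compare ignoring case, colons and spaces, so 'ab:cd...' and 'ABCD...' agree,
    and reject anything that is not exactly 20 bytes (SHA1) once normalised."""
    norm = lambda s: re.sub(r"[^0-9A-Fa-f]", "", s).upper()
    return len(norm(expected)) == 40 and norm(configured) == norm(expected)
```

If the fingerprint you paste into the security page does not match the one computed from the IdP's current signing certificate (for example after the IdP rotated its certificate), logins will fail until the field is updated.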
