You can configure SmarterWX to use your organisation’s own identity provider for single sign-on. SmarterWX can be configured to work with a SAML 2.0 compliant identity provider such as Microsoft Active Directory Federation Server (ADFS).

When your users attempt to sign on to SmarterWX they will be redirected to your organisation’s identity provider, where they will be authenticated.

An Organisation Administrator sets up SAML integration using the “User Authentication” option from the user menu. This menu item is only available to an administrator. Configuring SAML integration requires some technical knowledge of the process and of how to set up the trust relationship at your SAML identity provider.

Setting up SAML Authentication

To get started select the “User Authentication” option from the user menu.

Step 1 – Select SAML Method

Step 2 – Retrieve Metadata from SAML Provider

Enter the URL of your SAML provider’s metadata in the “Metadata URL” box and click on the Download button. For example, your ADFS URL might be https://idprovider.mycompany.com.au/FederationMetadata/2007-06/FederationMetadata.xml.

When your metadata has been downloaded the configuration will be automatically populated into the Manual Configuration fields. If you do not have access to a metadata URL you can manually enter the details in the manual configuration fields. This is only required if the configuration could not be downloaded automatically.

Step 3 – Add the SmarterWX application to your SAML Provider

SmarterWX displays the URL of the metadata document for you to add to your SAML provider. Copy this URL and enter it in your SAML provider. For a detailed walkthrough of setting up ADFS see below.

SmarterWX relies on the following claims being returned in the SAML response to its authentication request. You must configure your provider to return these claims to SmarterWX.

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress [MANDATORY]
  • http://schemas.xmlsoap.org/claims/Group [REQUIRED IF GROUP-ROLE MAPPING USED]
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

The givenname and surname claims are optional. If they are returned to SmarterWX, the user’s name in SmarterWX will be updated to match the name in your identity provider whenever they diverge.

Step 4 – [OPTIONAL] Set Up Group – Role Mapping

You can optionally set up a mapping between groups returned from your identity provider and roles in SmarterWX. If you choose to enable group-role mapping, the user’s role in SmarterWX will be set automatically based on their group memberships in your organisation. (If you do not set this up, roles will be whatever the administrator has set up in SmarterWX.)

There are three groups that map to the three SmarterWX user roles. If group-role mapping is on, a user will not be able to log in if they do not belong to at least one of these groups. If a user belongs to more than one group, they will be granted the role with the highest access rights. (For example, if a user belongs to both the Basic User group and the Publisher group in your identity provider, they will be mapped to the Publisher role in SmarterWX.)
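The following is an added illustration, not SmarterWX’s own code, of the two rules above: it pulls the listed claims out of a SAML 2.0 AttributeStatement and then applies group-role mapping (email mandatory, at least one mapped group required, highest role wins). The identity-provider group names, the role ranking and the sample assertion are assumptions; the claim URIs are the ones listed above. It assumes the assertion’s XML signature has already been verified, since attribute values from an unverified assertion must not be trusted.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
GROUP = "http://schemas.xmlsoap.org/claims/Group"
GIVEN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

# Assumed IdP group names (the page names the roles, not the groups) and
# role precedence: a user in several groups gets the highest-ranked role.
GROUP_TO_ROLE = {"SmarterWX-Basic": "Basic User",
                 "SmarterWX-Publisher": "Publisher",
                 "SmarterWX-Admin": "Organisation Administrator"}
ROLE_RANK = {"Basic User": 0, "Publisher": 1, "Organisation Administrator": 2}

def extract_claims(assertion_xml):
    """Collect {claim_name: [values]} from the AttributeStatement.
    Only call this on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        claims.setdefault(attr.get("Name"), []).extend(values)
    return claims

def resolve_user(claims, group_mapping_enabled=True):
    """emailaddress is mandatory; with mapping on, the user must be in at
    least one mapped group and receives the highest-ranked role."""
    emails = claims.get(EMAIL, [])
    if len(emails) != 1:
        raise ValueError("emailaddress claim is mandatory and must be single-valued")
    user = {"email": emails[0],
            "given_name": next(iter(claims.get(GIVEN, [])), None),  # optional
            "surname": next(iter(claims.get(SURNAME, [])), None)}   # optional
    if group_mapping_enabled:
        roles = [GROUP_TO_ROLE[g] for g in claims.get(GROUP, []) if g in GROUP_TO_ROLE]
        if not roles:
            raise PermissionError("no mapped group in assertion; login denied")
        user["role"] = max(roles, key=ROLE_RANK.__getitem__)
    return user

# Constructed sample assertion: the user is in both the Basic and Publisher groups.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="{EMAIL}"><saml:AttributeValue>jane.doe@mycompany.com.au</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{GROUP}"><saml:AttributeValue>SmarterWX-Basic</saml:AttributeValue><saml:AttributeValue>SmarterWX-Publisher</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{GIVEN}"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Running `resolve_user(extract_claims(SAMPLE_ASSERTION))` yields the Publisher role for the sample user, and an assertion with no mapped group raises `PermissionError`, matching the login denial described above.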

Step 5 – Save Settings

To save your configuration details and make it active click on the “Save Settings” button.

Step 6 – Test your SAML Authentication Provider Integration

At this stage users should be able to sign on to SmarterWX using your SAML authentication provider. Create a new user in SmarterWX matching a user in your identity provider and test the login.

Complete the final step only when you are satisfied that the integration is working properly.

Step 7 – Remove all SmarterWX passwords for your users

Users created and verified in SmarterWX prior to the setup of SAML integration can continue to sign on to SmarterWX using their local credentials. To force all users to sign on using your authentication provider you will need to remove passwords from all users.

Clicking on “Remove Passwords” will mark all currently verified users as unverified and they will now be redirected to your SAML authentication provider when signing-on.

IMPORTANT: This will include all Organisation Administrators. If you remove passwords and your SAML integration is not correctly configured you could end up in a situation where nobody can sign-on!

If you do end up in this situation, all is not lost. Please contact the SmarterWX Support Team, who should be able to rescue you.


This feature was added at SmarterWX Release 1.2.
