Enabling login to OnApp through an Identity Provider involves two stages:
- Add the Identity Provider (IdP) instance to the Service Provider (SP), i.e. the OnApp Control Panel
- Configure the Service Provider at the Identity Provider
Add the IdP instance on the OnApp CP
Access the OnApp CP over HTTPS before you perform the following steps: the links in the SP metadata file are built from the address you are using, so they will be wrong if the metadata is generated over plain HTTP.
To add a new Identity Provider instance follow these steps:
- Go to your Control Panel's Settings > Authentication
- Click New SAML Id Provider or the "+" sign
Fill in the fields in the new window (Idp sso target url, Idp cert fingerprint and Idp cert are provided by the Identity Provider):
- Enabled - move the slider to the right to enable this identity provider at the login screen
- Name - enter the name of the identity provider
- Icon - select the icon file that will be displayed at the login screen
- Issuer - the name of the service provider (the SP entity ID); by default, the address of your OnApp Control Panel
- Idp sso target url - the URL to which the authentication request is sent
- Idp cert fingerprint - the SHA1 fingerprint of the IdP's signing certificate, e.g. "90:CC:16:F0:8D:..."
- Idp cert - the identity provider's signing certificate in PEM format
- Nameid format - the format of the name identifier, according to the OASIS SAML specification (e.g. urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)
Either Idp cert or Idp cert fingerprint must be present. If both are present, Idp cert takes precedence over Idp cert fingerprint. Supply the certificate itself whenever the IdP makes it available: with only a fingerprint, the SP has to rely on the certificate carried in the IdP's own response and can merely check that it matches the fingerprint.
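The fingerprint OnApp expects is the SHA-1 digest of the certificate's DER bytes, written as colon-separated uppercase hex pairs. The following added example (not OnApp's own code) computes it from a PEM file and checks a value pasted from an IdP against it, tolerating the lowercase, space-separated and unseparated spellings IdPs commonly emit. The PEM body used below is a constructed stand-in (base64 of the bytes "abc", not a real certificate) whose SHA-1 is a well-known test vector; point the functions at the real IdP certificate in practice.

```python
"""Compute and compare the SHA-1 certificate fingerprint OnApp expects.

Added example, not OnApp's own code. Input is a PEM-encoded X.509
certificate; the fingerprint is SHA-1 over the DER bytes, rendered as
colon-separated uppercase hex pairs (the "90:CC:16:F0:8D:..." form).
"""
import base64
import hashlib
import re

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armour and base64-decode the first CERTIFICATE block."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    body = "".join(m.group(1).split())  # drop line breaks and whitespace
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(pem: str) -> str:
    """Return the fingerprint in the form OnApp displays, e.g. 90:CC:16:F0:8D:..."""
    digest = hashlib.sha1(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(fp: str) -> str:
    """Accept 'ab:cd', 'AB CD', 'abcd', ...; return canonical colon-separated uppercase hex."""
    hexonly = re.sub(r"[^0-9a-fA-F]", "", fp).upper()
    if len(hexonly) != 40:
        raise ValueError("SHA-1 fingerprint must be 40 hex digits, got %d" % len(hexonly))
    return ":".join(hexonly[i:i + 2] for i in range(0, 40, 2))


def fingerprint_matches(pem: str, expected: str) -> bool:
    """True if the certificate's SHA-1 fingerprint equals the configured value."""
    return sha1_fingerprint(pem) == normalize_fingerprint(expected)


# Constructed stand-in "certificate": the PEM body is base64("abc"), not real DER.
# It exercises the parse-and-hash path; SHA-1("abc") is the standard test vector
# a9993e36...d89d, so the expected fingerprint is known in advance.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    print(sha1_fingerprint(SAMPLE_PEM))
    # A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D
```

Run it against the real IdP certificate (`sha1_fingerprint(open("idp.pem").read())`) and compare the result with the value the IdP administrator sent you before pasting either into the form; a mismatch usually means the IdP rotated its signing certificate.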
Fill in the keys for attribute mapping.
If the SAML Identity Provider does not send the user's email address as the NameID in its response, you must fill in the User email key when configuring the ID provider.
These keys are the names of the attributes of the third-party system's users that will be synchronized with OnApp. See Attributes Mapping Configuration for more details.
- OnApp Key - the key that enables synchronization of the attributes below on every login to OnApp; third-party system users who are not yet registered in OnApp are not created unless this key is present
- User email key - the email address of the user
- User name key - the user's login name; cannot be changed or synchronized after the user is created; if this key is missing, the email address is used as the login name
- Roles key - key of the role attribute, which will create/sync the user's role in OnApp
- User group key - the group attribute to assign the user to a particular group
- Time zone key - key of the time zone to which the user will be associated
- Click the Save button.
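To make the mapping rules above concrete, the following added example (not OnApp's own code) parses a SAML assertion and applies a mapping configured as in the form: the email comes from the NameID when it is an email-format NameID and from the User email key otherwise, the login name falls back to the email when no User name key is set, and presence of the OnApp Key attribute is what turns synchronization on. The assertion fragment and the attribute names (mail, onapp_sync, role, tz, group) are constructed for this illustration and the fragment is unsigned; a real SP validates the response signature, issuer, audience and validity window before it trusts a single attribute.

```python
"""Apply OnApp-style attribute mapping to a SAML assertion.

Added example, not OnApp's own code. The assertion below is constructed and
unsigned: signature, issuer, audience and timestamp checks belong to the SP
library and must happen before any attribute is read.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed assertion fragment: NameID is not an email, so the email must come
# from an attribute. The "group" attribute is deliberately absent.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="onapp_sync"><saml:AttributeValue>true</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>User</saml:AttributeValue><saml:AttributeValue>Billing</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="tz"><saml:AttributeValue>Europe/London</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The keys as they would be entered in the OnApp form (hypothetical attribute names).
MAPPING = {
    "onapp_key": "onapp_sync",
    "user_email_key": "mail",
    "user_name_key": None,      # not set: login name falls back to the email
    "roles_key": "role",
    "user_group_key": "group",  # this IdP does not send it, so it stays unset
    "time_zone_key": "tz",
}


def parse_assertion(xml_text):
    """Return (NameID value, NameID format, {attribute name: [values]})."""
    root = ET.fromstring(xml_text)
    nameid = root.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for a in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
    return nameid.text, nameid.get("Format"), attrs


def map_user(xml_text, mapping):
    """Build the OnApp user record implied by the mapping rules in the text above."""
    name_id, fmt, attrs = parse_assertion(xml_text)

    def first(key):
        vals = attrs.get(mapping.get(key) or "", [])
        return vals[0] if vals else None

    # Email: the NameID when the IdP sends an email-format NameID, else the User email key.
    email = name_id if fmt == NAMEID_EMAIL else first("user_email_key")
    if not email:
        raise ValueError("no email: NameID is not an email and no User email key value was found")
    return {
        "sync": first("onapp_key") is not None,  # OnApp Key present: sync attributes / allow creation
        "email": email,
        "login": first("user_name_key") or email,  # User name key missing: email is the login
        "roles": attrs.get(mapping.get("roles_key"), []),
        "group": first("user_group_key"),
        "time_zone": first("time_zone_key"),
    }
```

The same function also covers the case where the IdP does send an email-format NameID: then no User email key is needed and the NameID value is used directly, which is exactly the situation the claim rule in the next section sets up.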
Configure Service Provider
Besides the IdP instance added on the OnApp side, the Identity Provider must also have the SP registered in its own system. To simplify this, the Identity Provider can import the SP metadata. The menu names below (Select Data Source, Claim Rules, Transform an Incoming Claim) are those of AD FS; other IdPs expose the same settings under different names:
- Upon creation you will be redirected to the screen with details of the Identity Provider. At the bottom of the page you will see the Link to Metadata.
- Copy this link and submit it to the Identity Provider in the Select Data Source menu.
- In the Claim Rules menu, create a new rule by clicking Add Rule and select Transform an Incoming Claim as the template.
- Select E-mail Address as the Incoming Claim Type.
- For Outgoing Claim Type, select Name ID.
- For Outgoing Name ID Format, select Email. This makes the IdP send the user's email address as the NameID, which is what OnApp reads unless a User email key is configured.
Now this identity provider can be selected at the login screen.