Qvidian Proposal Automation Single Sign-on Administrator's Guide

Transcription

1 Qvidian Proposal Automation Single Sign-on Administrator's Guide Version /17/2017

2 Copyright Copyright 2017 Qvidian. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Qvidian. Qvidian Alliance Road Cincinnati, OH Qvidian Proposal Automation Single Sign-on Administrator's Guide i

3 Single Sign-on Configuration Single Sign-on (SSO) provides users access to Qvidian Proposal Automation (QPA) using their organization's identity provider (IdP) or Service Provider(SP). The Qvidian SSO model includes the customer external IdP acting as the authentication authority, using either a SAML 2.0 compliant IdP from within the customer s network or a Salesforce.com IdP from the cloud or internet, and Qvidian SP. This document is of two parts: Configuration Customer Side Configuration: SSO/IT administrator is required. QPA Subscriber SSO Configuration: QPA administrator is required. Customer Side Configuration As part of the deployment, configuration details must be shared between Qvidian personnel and the customer s IT staff. These configuration details include settings such as endpoint URL information, partner entity ID, etc. Additionally, optional configuration settings to achieve the full capabilities of QPA SSO, such as creating and updating user and group attributes, should also be communicated. Following the notes below, please generate the metadata file from your SSO authority in xml or txt format and submit the file as well as the security signing certificate to Qvidian Support via , [email protected]. The following provides key configuration settings necessary for the full capabilities of QPA SSO to be operational: Qvidian URL/SERVER processing SAML requests: QPA s SAML2 implementation uses HTTP-POST Bindings for maximum reliability with large attribute fields. HTTP-Redirect bindings are available but not preferred. SingleSignOnService Location in the metadata must be filled in with a URL accessible to the customer s users. The product may redirect customers to this URL to begin IDP-initiated sign in. (See the sample of customer metadata below) The customer s Public-key SSL Certificate for SSO-related authentication is also required. Any of the fixed QPA attributes (user properties and customer groups membership list) that are to be supplied by the customer s SSO authority (LDAP, Active Directory, Siteminder, etc.) as part of the user connection, must be specified. None, some, or all of the fixed QPA attributes may be defined depending on availability of those property values from the customer s SSO authority. Required attributes have to be defined as shown below. QPA requires the following attributes be passed as part of the login security assertion: SAML_SUBJECT FirstName LastName Qvidian Proposal Automation Single Sign-on Administrator's Guide 1

4 Note SAML_SUBJECT is a fixed, core attribute and must contain the user s login name. It should be in an format. So the customer can either pass the value as address or Organization ID and QPA will append the domain to match what is existing in QPA. QPA supports the following optional attributes be passed as part of the login security assertion: Groups* Address1 Country Phone Title State MiddleName Address2 City Fax Salutation Zip * Named groups can be used in QPA to assign roles. QPA Subscriber SSO Configuration The final SSO configuration step for a QPA subscriber is performed by the customer s QPA Administrator within the QPA application s Administration interface. To configure the QPA for SSO, follow the steps below. 1. Log on to QPA with an administrative credential, including the Manage Single Sign-On Settings application permission. 2. On the Administration tab, click Application Settings, and then click Single Sign-On Settings. Example of Single Sign-on screen in QPA. Qvidian Proposal Automation Single Sign-on Administrator's Guide 2

5 Note The Authentication Mode setting is set by the service provider. If you need to modify this setting, please contact Qvidian Support. 3. Under User Settings, select the radio button next to one of the Enable New User Provisioning options below. Yes: SSO will automatically provision new users into QPA including setting any QPA user properties and role memberships as specified by the customer s SSO values within bounds of the remaining SSO settings. No: Users must already have QPA user accounts to connect. 4. Select the radio button next to one of the Enable SP-Initiated Single Logout? options below. Yes: When the user logs out of QPA, they are automatically logged out of the SP. This ensures the users must log in each time they exit and return to QPA. No: When the user logs out of QPA, it does not log them out of the SP. This may allow users who have previously logged in to QPA to open QPA without providing their credentials. 5. Select the radio button next to one of the Manage Existing User Properties options below. Yes: For existing QPA users, every time the user connects, the user properties updates specified by the customer s SSO authority will be applied. No: For existing QPA users, the user properties will not update in QPA agon. 6. Select the radio button next to one of the Manage Existing User Roles options below. Yes: For existing QPA users, every time the user connects, QPA role memberships will be updated based on group memberships specified by the customer s SSO authority within the bounds of the other SSO settings for QPA roles management. No: For existing QPA users, QPA role memberships will not be updated regardless of group memberships specified by the customer s SSO value. 7. Under User Group/ QPA Settings, in the Default QPA User Roles Default QPA User Roles field, in the Default QPA User Roles box, enter one or more (vertical-bar delimited list) low-level roles (Case sensitive) so that connecting user whose list of user group memberships do not map to any of the Group/Role mapping stated in step 10 below, will get their account provisioned and assigned to those low-level roles giving the user basic access to QPA. This is required if the customer enabled New User Provisioning from step 3. Everyone Role can be used as the Default QPA User Role if there is no other custom low level role existing. If you enable new user provisioning from step 3, new users will have to have a Default Role assigned to them. Additionally, you can have SSO handle Role assignments based on Groups being passed via SSO. Mapping of customer user groups to QPA user roles are specified below in step 10. If Default QPA User Roles is not configured AND SSO assertion s group membership list does not map to any QPA user roles (step 10), the connection will be denied. Qvidian Proposal Automation Single Sign-on Administrator's Guide 3

6 You can change the assigned QPA roles for a specific user after their account is provisioned. However, if Manage Existing User Roles (step 6) is set to Yes, the QPA role memberships will be reset to those specified by the SSO assertion s Groups attribute the next time the user connects to QPA. 8. In the Authorized User Groups field, type a vertical-bar delimited list of customer user groups that are authorized to connect to QPA (Case sensitive). This is required if the customer is passing Groups values via SSO and needs to limit access to QPA only for specific Groups. If no user groups are specified, no further processing for this setting is necessary. If one or more user groups are specified in this setting, processing continues as follows: Within the user connection SSO assertion s Groups attribute, the customer s SSO authority provides the list of customer groups the connecting user is a member of. As long as at least one of these customer groups is in this Authorized User Groups setting, the user s connection continues to be processed within the bounds of the remaining SSO settings. If none of the assertion s groups exist in this Authorized User Groups setting the user s connection is denied. 9. Enter the User Group Keys Delimiter, which specifies the delimiter character to use when parsing the connecting user s customer group membership list into individual groups. The list of customer groups the user is a member of is provided by the customer s SSO authority in the user connection SSO assertion s Groups attribute. If left empty, the default delimiter is a vertical-bar ( ). 10. Under User Group / QPA Role Mappings, click Add.This is required if the customer is passing Groups values via SSO and New User Provisioning is enabled, and needs to automate Role assignment. For each group, a User Group / QPA Role Mappings setting is required, which includes a list of QPA roles that the customer IdP group is mapped to delimited with a vertical-bar ( ). a. In the User Group box, type the name of your IdP group (Case sensitive). b. In the Description box, type a general description of your IdP group and mapped QPA roles. This is only for display purposes. c. In the QPA Roles box, type a vertical-bar delimited list of the QPA user roles that are mapped to the IdP group specified in the Setting (Case sensitive). d. Click Save. Qvidian Proposal Automation Single Sign-on Administrator's Guide 4

7 Examples of Group / QPA Role Settings Process Flow For an incoming user connection, the QPA portal application retrieves the contents of the original SSO assertion s Groups attribute and parses that list of customer IdP groups into the individual groups using the delimiter specified by User Group Keys Delimiter setting (step 9). Qvidian Proposal Automation Single Sign-on Administrator's Guide 5

8 For each individual group extracted from this IdP groups list, the QPA portal application looks for an entry in the User Group / QPA Role Mappings settings with a User Group setting that matches the IdP group name (Step 10): For matched entries, the incoming user is granted membership to the corresponding mapped QPA user roles. Unmatched entries are ignored. Once all specified IdP groups are processed, if no QPA user roles have been assigned for the incoming connection s user: If valid QPA user role(s) are specified in the Default QPA User Roles setting, the user will be granted membership to those QPA user role(s). If Default QPA User Roles is unspecified or does not contain any valid QPA user roles, the user connection is denied with an appropriate message. About Triggers Under Administration > Application Data > Notification Triggers, there are three Notification Triggers for New User creation. New users are automatically notified when they are set up in QPA with the trigger set to enabled, and the Send Status is set to Auto-Send or Customizable. The trigger that is used depends on what authentication mode is defined (Step 2). This means that a site that is set to use Explicit Login Only (users have to enter credentials for QPA each time they login) will use the New User Created trigger. A site that is Mixed mode (users can access by using SSO or logging in explicitly) will use the New User Mixed Authentication trigger. A site that is SSO only (users can only access QPA using SSO) will use the New User Single Sign-On trigger. Qvidian Proposal Automation Single Sign-on Administrator's Guide 6