SAML single sign-on configuration overview




Chapter 34: Configuring Clarizen (Cloud Manager user's guide)

Configure the Clarizen Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with Clarizen. Configuration also specifies how the application appears in the user portal, which users may access the application, if the application requires additional authorization, and how your internal user accounts are mapped to Clarizen accounts. Other application profile controls record and report changes to settings.

For general information about single sign-on (SSO) configuration, see Overview.

Preparing for configuration

Before starting configuration, it helps to understand the basic steps of configuration, to know Clarizen's single sign-on (SSO) characteristics, and to have everything you need for configuration in place.

SAML single sign-on configuration overview

Clarizen offers both IdP-initiated SAML SSO (for SSO access through the user portal or Centrify mobile apps) and SP-initiated SAML SSO (for SSO access directly through Clarizen). You can configure Clarizen for either or both types of SSO.

To configure Clarizen for single sign-on:

1. Ensure that your Clarizen account is ready for single sign-on: Have a Clarizen administrator account to provide the rights to set up SSO.
2. In Cloud Manager, add the Clarizen application profile if it's not already added and set the security certificate. You'll need information in the application profile to set up SSO. For detailed information, see "Adding Clarizen and setting a security certificate" on page 34-21.
3. On the Clarizen web site, configure your organization's Clarizen account for SSO via SAML. For detailed information, see "Configuring Clarizen for SSO" on page 34-22.
4. In Cloud Manager, configure the AnswerHub application profile to control how Clarizen access works through the user portal or Centrify mobile apps. For detailed information, see "Configuring Clarizen in Cloud Manager" on page 34-25.

Requirements for SSO configuration

Before you can configure Clarizen for SSO, you need the following:

- An active Clarizen account with administrator rights for your organization.
- A signed security certificate that is recognized by both Cloud Manager and Clarizen.

Security certificates for SSO

A secure connection for SSO between the web application and the cloud service requires a security certificate and a public and private key pair. The web application must have a security certificate containing a public key. The cloud service must have the same certificate and a private key that matches the public key in the certificate.

You can use either a standard certificate provided by the cloud service or a certificate provided by your organization.

If you use your own certificate, you must provide the certificate to the web application and then provide the same certificate along with your private key to Cloud Manager (both processes described later). Cloud Manager requires your private key to sign SAML responses or messages for the web application using your certificate.

If you use the cloud service signing certificate (the default setting), you don't need to provide a private key; simply download the standard certificate from Cloud Manager and provide it to the web application as described later. The cloud service already has the matching private key needed to sign messages using the certificate.

Clarizen SSO characteristics

When you configure Clarizen for SSO and then administer it for your organization, it's useful to know its SSO characteristics.

Feature and description:

Available versions and clients: SSO works for the SAML web application only. The Clarizen mobile apps for iOS and Android do not offer SSO.

SP-initiated SSO support: Yes. Users may go directly to a supplied Clarizen URL and then use the cloud service SSO to authenticate. They may also use the cloud service SSO to authenticate through the standard Clarizen sign-in page if they've successfully authenticated there before.

IdP-initiated SSO support: Yes. Users may use SSO to sign into Clarizen through the user portal or Centrify mobile apps.

User name/password sign-in still available after SSO set up: Yes, if configured to do so. You may also configure to turn off user name/password sign-in for everyone except network administrators, or for external users only (marked so within Clarizen).

Separate sign-in for administrators after SSO is enabled: No, not necessary because user name/password sign-in from the standard sign-in page is always available for administrators.

Lockout possibility and lockout recovery: No lockout possible because user name/password sign-in is always available for administrators.

User provisioning through SAML: Not supported. You may provision users through Clarizen's SOAP API or through Clarizen's User Sync tool.

User types: Full users with or without administrator rights.

Users may reset their own passwords: Yes.

Administrators may reset other users' passwords: Yes.

Adding Clarizen and setting a security certificate

Before you can configure your Clarizen account for SSO and configure the Clarizen application profile, you must add Clarizen in Cloud Manager. You must then decide which security certificate to use.

If you're going to use your organization's certificate for connections to Clarizen, you must supply that certificate along with its matching private key in a PKCS #12 archive file. (PKCS #12 files end in a .pfx or .p12 filename extension.) Make sure the file is accessible from your computer before working through these steps.

To add Clarizen and set its security certificate:

1. In Cloud Manager, click Apps.
2. Click Add Web Apps. The Add Web Apps screen appears.
3. On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4. Next to the application, click Add.
5. In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.
6. Click Close to exit the Application Catalog. The application that you just added opens to the Application Settings page. The bottom of the page displays current security certificate settings. It's set by default to use the standard cloud service certificate. If you want to use this standard certificate, skip to Step 11.

7. If you want to use your own security certificate, select Use a certificate with a private key (pfx file) from your local storage then click Browse to open a file browser.
8. Locate the archive file containing your certificate and private key, then click Open.
9. If prompted for a certificate password for the archive file, enter the password then click OK. The archive file uploads to the cloud service and the Application Settings page shows an uploaded private certificate under Use existing certificate.
10. Click Save to save your certificate setting to the application profile.
11. Download a copy of the security certificate specified by the application profile: click Download. The certificate downloads through your web browser to a location set by the browser. Remember the location.

You can change to a different certificate at any time by making a different choice under the Security Certificate settings as just described.

To change from a private certificate to the cloud service standard certificate:

1. In the Applications Settings page select Use the default tenant signing certificate.
2. Click Save.

Remember that if you change the certificate in the application profile you must also upload your new certificate to Clarizen as described in the next section.

Configuring Clarizen for SSO

You must be signed into Clarizen with administrator rights to perform these steps. You'll find the SAML settings you need to provide in Cloud Manager in the Application Settings tab of the Clarizen application profile.

Tip: This process transfers information between Cloud Manager and Clarizen. If you open Cloud Manager and the web application at the same time using either separate browser tabs or side-by-side windows, you can easily copy and paste information between them.

To configure Clarizen for SSO:

1. In your web browser, go to the URL https://app.clarizen.com/clarizen/pages/Service/Login.aspx and sign in with your administrator account.
2. Click the Navigation bar on the left of the page to open the navigation menu, then click Settings in the bottom of the menu to open the settings page.
3. In the page's Organization Settings section, click the edit... link for Federated Authorization to open the Federated Authentication (Clarizen's term for SSO) dialog box.
4. Specify and use the following for the SSO Settings:

Option and value:

Enable Federated Authentication: Click to check this setting, which turns on SSO via SAML.

Certificate: This field accepts the certificate specified under Security Certificate in the Clarizen application profile.
   1. Click Upload... to browse your computer for the certificate presented by the cloud service for each SSO session. If the certificate isn't available, see Step 11 in Adding Clarizen and setting a security certificate to download the certificate to your computer.
   2. Once you've selected your certificate in the file browser, click Open in the dialog box.

Current Certificate: This field displays contents of the currently specified security certificate.

Sign-in URL: Copy and paste the Sign-in URL setting from the Clarizen application profile.

Sign-out URL: (Optional) Copy and paste the Sign-out URL setting from the Clarizen application profile. If this URL is specified, Clarizen redirects users to this URL (the user portal) when they sign out. If not specified, users redirect to the Clarizen sign-in page.

Enable Password authentication: This setting turns user name/password authentication on and off for different sets of users. Settings are:
- No one: allows nobody from your organization except administrators to sign in through the Clarizen web site using user name/password instead of SSO.
- External users only: allows only administrators and your organization's users who are not part of your organization's internal authentication system to sign in through the Clarizen web site with user name/password instead of SSO.
- Everyone (internal and external): allows all your users to sign in through the Clarizen web site with user name/password instead of SSO.

Enable API access: If checked, allows applications that connect to Clarizen via the Clarizen API to authenticate for your users. When unchecked, these applications may not connect to Clarizen for your users.

Advanced verification: Leave this option unchecked.

Advanced request: Leave this option unchecked.

To login via SSO: Clarizen generates this URL as an SSO sign-in page for SP-initiated SAML for your users. You can provide it to users if they want to use SSO but don't access Clarizen through the user portal or the Centrify mobile apps.

5. Click Save to save the SAML settings and turn on SSO for your organization's Clarizen account.
6. Sign out of your Clarizen account.

SP-Initiated SSO

When you set up SSO on Clarizen, SP-initiated SSO is automatically enabled. The way it works depends on how you set password authentication and on the URL used to access Clarizen.

You can supply your users the custom Clarizen URL provided by the To login via SSO field in the Federated Authentication dialog box (as described previously). When users access the URL, Clarizen redirects them to the cloud service for SSO authentication. The cloud then returns the user to his or her account at Clarizen if authentication is successful.

If the user goes to the standard Clarizen sign-in page and tries to sign in when Enable Password authentication is disabled, the page tells the user to use Federated Authentication to connect, which requires them to use the custom Clarizen SSO URL. If Enable Password authentication is not disabled for the user, they can sign in via user-password and bypass SSO. Once they've successfully signed in, a Clarizen cookie on their browser triggers a Federated Authentication link in the sign-in page so the user from then on has a choice between user/password sign-in and SSO from the standard sign-in page.

Configuring Clarizen in Cloud Manager

Use Cloud Manager to configure the Clarizen application profile. Configuring specifies how Clarizen appears in the user portal and who has access to Clarizen. Some configuration is required to deploy Clarizen; other configuration is optional. The steps following describe all configuration settings and mark those that are optional.

Once you finish configuring the application profile and save your changes, Clarizen is deployed and appears as a deployed application in Cloud Manager.

To configure the Clarizen application profile in Cloud Manager:

1. If the Clarizen application profile isn't open in Cloud Manager, click the Apps tab to view all added applications, then click Clarizen Web-SAML to open its application profile.
2. On the Application Settings page, the following settings are unique to this application. They are read-only so you don't need to set them:

   Sign-in URL: Paste this value as described earlier into the corresponding SAML SSO setting in Clarizen.

   Sign-out URL: Paste this value as described earlier into the corresponding SAML SSO setting in Clarizen.

3. On the Application Settings page, expand the Additional Options section and specify the following settings:

   Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
   - The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
   - There can only be one SAML application deployed with the name used by the mobile application.
   - The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

   Show in User app list: Select Show in User app list to display this web application in the user portal. (This option is selected by default.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the user portal.

   Security Certificate: These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.
   - Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It's not necessary to select this option; it's present to display current status.
   - Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.
   - Use a certificate with a private key (pfx file) from your local storage selects any certificate you want to supply, typically your organization's own certificate. To use this selection, you must click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted.

4. (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified. The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

5. On the User Access page, select the role(s) that represent the users and groups that have access to the application. When assigning an application to a role, select either Automatic Install or Optional Install:
   - Select Automatic Install for applications that you want to appear automatically for users.
   - If you select Optional Install, the application doesn't automatically appear in the user portal and users have the option to add the application.

6. (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
   - Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
   - Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

   You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.

7. On the Account Mapping page, configure how the login information is mapped to the application's user accounts. The options are as follows:
   - Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.
   - Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
   - Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

       LoginUser.Username = LoginUser.Get('mail')+'.ad';

     The above script instructs the cloud service to set the login user name to the user's mail attribute value in Active Directory and add .ad to the end. So, if the user's mail attribute value is Adele.Darwin@acme.com then the cloud service uses Adele.Darwin@acme.com.ad. For more information about writing a script to map user accounts, see the SAML application scripting guide.

8. (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don't need to edit this script. For more information, see the SAML application scripting guide.

   On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

9. Click Workflow to set up a request and approval work flow for this application.

   Note: The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

10. Click Save.

After configuring the application settings (including the role assignment) and the application's web site, you're ready for users to launch the application from the user portal.

For more information about Clarizen

For more information about configuring Clarizen for SSO, see the following links:

http://usermanual.clarizen.com/#single-sign-on-and-ldap-integration
http://usermanual.clarizen.com/#integration-with-identity-providers
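
The Account Mapping Script option on the Account Mapping page decides which Clarizen account a SAML sign-in lands on, so it is worth running a script against directory data before saving it. The harness below is an added example, not code from the Centrify guide: LoginUser is a local stub exposing only the Get method and Username property used in the guide's script, and the sample users, the null value for a missing attribute, and the case-insensitive collision check are assumptions.

```javascript
// Added example (not from the Cloud Manager guide): offline harness for an
// Account Mapping Script. LoginUser is a local stub, not the cloud service's
// object. The script runs in-process, so only feed it scripts you wrote.

// The one-line script quoted in the guide.
const mappingScript = "LoginUser.Username = LoginUser.Get('mail')+'.ad';";

// Constructed directory records; only the first mail value is from the guide.
const sampleUsers = [
  { id: 'adele', attributes: { mail: 'Adele.Darwin@acme.com' } },
  { id: 'svc-build', attributes: { userPrincipalName: 'svc-build@acme.com' } },
  { id: 'adele-contractor', attributes: { mail: 'adele.darwin@ACME.com' } },
];

// Run the script for one user and report which attributes it asked for
// that the directory record does not have.
function runMapping(script, attributes) {
  const missing = [];
  const LoginUser = {
    Username: undefined,
    Get(name) {
      if (Object.prototype.hasOwnProperty.call(attributes, name)) {
        return attributes[name];
      }
      missing.push(name); // assumption: an absent attribute reads as null
      return null;
    },
  };
  new Function('LoginUser', script)(LoginUser);
  return { username: LoginUser.Username, missing };
}

// Run the script for every user and list mappings that would sign someone
// in as the wrong account or as no account at all.
function auditMapping(script, users) {
  const findings = [];
  const owners = new Map(); // lower-cased mapped name -> first directory id
  for (const user of users) {
    let result;
    try {
      result = runMapping(script, user.attributes);
    } catch (err) {
      findings.push({ id: user.id, issue: 'script-error', detail: err.message });
      continue;
    }
    if (result.missing.length > 0) {
      // null + '.ad' silently becomes "null.ad": one name shared by every
      // user who lacks the attribute.
      findings.push({ id: user.id, issue: 'missing-attribute', detail: result.missing.join(',') });
      continue;
    }
    if (typeof result.username !== 'string' || result.username.trim() === '') {
      findings.push({ id: user.id, issue: 'empty-username', detail: String(result.username) });
      continue;
    }
    // Assumption: the target application compares user names case-insensitively.
    const key = result.username.toLowerCase();
    if (owners.has(key)) {
      findings.push({ id: user.id, issue: 'collision', detail: owners.get(key) });
    } else {
      owners.set(key, user.id);
    }
  }
  return findings;
}

console.log(auditMapping(mappingScript, sampleUsers));
```

An empty findings array means every sampled user maps to a distinct, non-empty user name; any entry is a reason to fix the script or the directory data before clicking Save.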