Qvidian Proposal Automation Single Sign-on Administrator's Guide Version 11.04-8/17/2017
Copyright

Copyright 2017 Qvidian. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording, for any purpose other than the purchaser's personal use without the written permission of Qvidian.

Qvidian
10101 Alliance Road
Cincinnati, OH 45242
800.272.0047

Qvidian Proposal Automation Single Sign-on Administrator's Guide i
Single Sign-on Configuration

Single Sign-on (SSO) provides users access to Qvidian Proposal Automation (QPA) using their organization's identity provider (IdP) or Service Provider (SP). The Qvidian SSO model includes the customer's external IdP acting as the authentication authority, using either a SAML 2.0 compliant IdP from within the customer's network or a Salesforce.com IdP from the cloud or internet, and the Qvidian SP.

This document has two parts:

Customer Side Configuration: an SSO/IT administrator is required.
QPA Subscriber SSO Configuration: a QPA administrator is required.

Customer Side Configuration

As part of the deployment, configuration details must be shared between Qvidian personnel and the customer's IT staff. These configuration details include settings such as endpoint URL information, partner entity ID, etc. Additionally, the optional configuration settings needed to achieve the full capabilities of QPA SSO, such as creating and updating user and group attributes, should also be communicated.

Following the notes below, please generate the metadata file from your SSO authority in xml or txt format and submit the file, as well as the security signing certificate, to Qvidian Support via email, support@qvidian.com.

The following are the key configuration settings necessary for the full capabilities of QPA SSO to be operational:

Qvidian URL/SERVER processing SAML requests: https://sso1.qvidian.com/sp/acs.saml2
QPA's SAML2 implementation uses HTTP-POST Bindings for maximum reliability with large attribute fields. HTTP-Redirect bindings are available but not preferred.
SingleSignOnService Location in the metadata must be filled in with a URL accessible to the customer's users. The product may redirect customers to this URL to begin IdP-initiated sign-in. (See the sample of customer metadata below.)
The customer's Public-key SSL Certificate for SSO-related authentication is also required.
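A quick check of an IdP metadata file against the items just listed (an HTTP-POST SingleSignOnService whose Location is filled in, and a signing certificate) is something an SSO administrator can run before emailing the file to Support. The script below is an added Python example, not Qvidian's tooling; the two metadata documents, the entity ID https://idp.example.com/saml and the SSO URL are constructed samples, and the certificate text is a placeholder rather than a real certificate.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespaces and the HTTP-POST binding identifier (standard values).
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Qvidian's SP endpoint that receives SAML assertions (taken from the guide).
QVIDIAN_ACS_URL = "https://sso1.qvidian.com/sp/acs.saml2"


def check_idp_metadata(xml_text: str) -> dict:
    """Inspect IdP metadata for the items the guide asks for.

    Returns the entity ID, the HTTP-POST SingleSignOnService location (or None),
    whether a signing certificate is present, and a list of problems found
    (empty when the metadata looks complete).
    """
    root = ET.fromstring(xml_text)
    problems = []
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("EntityDescriptor has no entityID")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no IDPSSODescriptor element")
        return {"entity_id": entity_id, "post_location": None,
                "has_signing_cert": False, "problems": problems}

    # The guide prefers HTTP-POST, and the Location must be a URL users can reach.
    saw_post = False
    post_location = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") != HTTP_POST:
            continue
        saw_post = True
        location = (sso.get("Location") or "").strip()
        if not location:
            problems.append("HTTP-POST SingleSignOnService has an empty Location")
        elif not location.startswith("https://"):
            problems.append("HTTP-POST SingleSignOnService Location is not https")
        else:
            post_location = location
    if not saw_post:
        problems.append("no HTTP-POST SingleSignOnService binding (QPA prefers HTTP-POST)")

    # The signing certificate is what lets the SP verify assertion signatures.
    # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
    has_cert = False
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        if kd.findtext(".//ds:X509Certificate", default="", namespaces=NS).strip():
            has_cert = True
    if not has_cert:
        problems.append("no signing X509Certificate in a KeyDescriptor")

    return {"entity_id": entity_id, "post_location": post_location,
            "has_signing_cert": has_cert, "problems": problems}


# Constructed sample IdP metadata (not a real customer's); the certificate body
# is a placeholder, not a real base64 DER blob.
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Same IdP with the two gaps the guide warns about: Redirect only, no certificate.
INCOMPLETE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("incomplete", INCOMPLETE_METADATA)):
        result = check_idp_metadata(doc)
        print(label, "->", result["problems"] or "ok")
```

The check only confirms that the required elements are present and well-formed; it does not validate the certificate itself, so the certificate still has to be reviewed when it is exchanged with Support.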
Any of the fixed QPA attributes (user properties and customer group membership list) that are to be supplied by the customer's SSO authority (LDAP, Active Directory, SiteMinder, etc.) as part of the user connection must be specified. None, some, or all of the fixed QPA attributes may be defined, depending on the availability of those property values from the customer's SSO authority. Required attributes have to be defined as shown below.

QPA requires the following attributes be passed as part of the login security assertion:

SAML_SUBJECT
Email
FirstName
LastName
Note: SAML_SUBJECT is a fixed, core attribute and must contain the user's login name. It should be in an email format, so the customer can either pass the value as an email address or as an Organization ID, and QPA will append the domain to match what exists in QPA.

QPA supports the following optional attributes being passed as part of the login security assertion:

Groups*
Address1
Country
Phone
Title
State
MiddleName
Address2
City
Fax
Salutation
Zip

* Named groups can be used in QPA to assign roles.

QPA Subscriber SSO Configuration

The final SSO configuration step for a QPA subscriber is performed by the customer's QPA Administrator within the QPA application's Administration interface. To configure QPA for SSO, follow the steps below.

1. Log on to QPA with an administrative credential that includes the Manage Single Sign-On Settings application permission.

2. On the Administration tab, click Application Settings, and then click Single Sign-On Settings.

Example of Single Sign-on screen in QPA.
Note: The Authentication Mode setting is set by the service provider. If you need to modify this setting, please contact Qvidian Support.

3. Under User Settings, select the radio button next to one of the Enable New User Provisioning options below.
Yes: SSO will automatically provision new users into QPA, including setting any QPA user properties and role memberships as specified by the customer's SSO values, within the bounds of the remaining SSO settings.
No: Users must already have QPA user accounts to connect.

4. Select the radio button next to one of the Enable SP-Initiated Single Logout? options below.
Yes: When the user logs out of QPA, they are automatically logged out of the SP. This ensures that users must log in each time they exit and return to QPA.
No: When the user logs out of QPA, it does not log them out of the SP. This may allow users who have previously logged in to QPA to open QPA without providing their credentials.

5. Select the radio button next to one of the Manage Existing User Properties options below.
Yes: For existing QPA users, every time the user connects, the user property updates specified by the customer's SSO authority will be applied.
No: For existing QPA users, the user properties will not be updated in QPA again.

6. Select the radio button next to one of the Manage Existing User Roles options below.
Yes: For existing QPA users, every time the user connects, QPA role memberships will be updated based on the group memberships specified by the customer's SSO authority, within the bounds of the other SSO settings for QPA role management.
No: For existing QPA users, QPA role memberships will not be updated, regardless of the group memberships specified by the customer's SSO value.

7. Under User Group / QPA Settings, in the Default QPA User Roles box, enter one or more low-level roles as a vertical-bar delimited list (case sensitive). A connecting user whose list of user group memberships does not map to any of the Group/Role mappings stated in step 10 below will have their account provisioned and assigned to those low-level roles, giving the user basic access to QPA. This is required if the customer enabled New User Provisioning in step 3. The Everyone role can be used as the Default QPA User Role if no other custom low-level role exists. If you enable new user provisioning in step 3, new users will have to have a Default Role assigned to them. Additionally, you can have SSO handle role assignments based on Groups being passed via SSO; the mapping of customer user groups to QPA user roles is specified below in step 10. If Default QPA User Roles is not configured AND the SSO assertion's group membership list does not map to any QPA user roles (step 10), the connection will be denied.
You can change the assigned QPA roles for a specific user after their account is provisioned. However, if Manage Existing User Roles (step 6) is set to Yes, the QPA role memberships will be reset to those specified by the SSO assertion's Groups attribute the next time the user connects to QPA.

8. In the Authorized User Groups field, type a vertical-bar delimited list of the customer user groups that are authorized to connect to QPA (case sensitive). This is required if the customer is passing Groups values via SSO and needs to limit access to QPA to specific Groups only. If no user groups are specified, no further processing for this setting is necessary. If one or more user groups are specified in this setting, processing continues as follows: within the user connection SSO assertion's Groups attribute, the customer's SSO authority provides the list of customer groups the connecting user is a member of. As long as at least one of these customer groups is in this Authorized User Groups setting, the user's connection continues to be processed within the bounds of the remaining SSO settings. If none of the assertion's groups exist in this Authorized User Groups setting, the user's connection is denied.

9. Enter the User Group Keys Delimiter, which specifies the delimiter character to use when parsing the connecting user's customer group membership list into individual groups. The list of customer groups the user is a member of is provided by the customer's SSO authority in the user connection SSO assertion's Groups attribute. If left empty, the default delimiter is a vertical bar (|).

10. Under User Group / QPA Role Mappings, click Add. This is required if the customer is passing Groups values via SSO, New User Provisioning is enabled, and role assignment needs to be automated. For each group, a User Group / QPA Role Mappings setting is required, which includes the list of QPA roles that the customer IdP group is mapped to, delimited with a vertical bar (|).
a. In the User Group box, type the name of your IdP group (case sensitive).
b. In the Description box, type a general description of your IdP group and mapped QPA roles. This is only for display purposes.
c. In the QPA Roles box, type a vertical-bar delimited list of the QPA user roles that are mapped to the IdP group specified in the setting (case sensitive).
d. Click Save.
Examples of Group / QPA Role Settings

Process Flow

For an incoming user connection, the QPA portal application retrieves the contents of the original SSO assertion's Groups attribute and parses that list of customer IdP groups into the individual groups using the delimiter specified by the User Group Keys Delimiter setting (step 9).

For each individual group extracted from this IdP groups list, the QPA portal application looks for an entry in the User Group / QPA Role Mappings settings with a User Group setting that matches the IdP group name (step 10):
For matched entries, the incoming user is granted membership to the corresponding mapped QPA user roles.
Unmatched entries are ignored.

Once all specified IdP groups are processed, if no QPA user roles have been assigned for the incoming connection's user:
If valid QPA user role(s) are specified in the Default QPA User Roles setting, the user will be granted membership to those QPA user role(s).
If Default QPA User Roles is unspecified or does not contain any valid QPA user roles, the user connection is denied with an appropriate message.

About Email Triggers

Under Administration > Application Data > Email Notification Triggers, there are three Email Notification Triggers for New User creation. New users are automatically notified when they are set up in QPA with the trigger enabled and the Send Status set to Auto-Send or Customizable. The email trigger that is used depends on which authentication mode is defined (step 2). This means that a site that is set to use Explicit Login Only (users have to enter credentials for QPA each time they log in) will use the New User Created trigger. A site in Mixed mode (users can access QPA by using SSO or by logging in explicitly) will use the New User Mixed Authentication trigger. A site that is SSO only (users can only access QPA using SSO) will use the New User Single Sign-On trigger.
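The Process Flow above, combined with the Authorized User Groups check (step 8), the Manage Existing User Roles switch (step 6) and the SAML_SUBJECT and required-attribute rules from the Customer Side Configuration section, can be traced end to end for one assertion. The Python below is an added worked example, not Qvidian's code: the settings, the assertion attributes, the user names and the login domain appended to a bare Organization ID are all constructed assumptions, and "Everyone" appears only because the guide names it as the usual default role.

```python
from dataclasses import dataclass, field

# Attributes the guide says every login assertion must carry.
REQUIRED_ATTRIBUTES = ("SAML_SUBJECT", "Email", "FirstName", "LastName")


@dataclass
class SsoSettings:
    """Subset of the Single Sign-On Settings screen (steps 3, 6, 7, 8, 9, 10).

    Every value here is a constructed example, not a real tenant's setup.
    """
    new_user_provisioning: bool = True          # step 3
    manage_existing_roles: bool = True          # step 6
    default_roles: str = ""                     # step 7, vertical-bar delimited
    authorized_groups: str = ""                 # step 8, empty = no restriction
    group_delimiter: str = "|"                  # step 9 default
    group_role_mappings: dict = field(default_factory=dict)  # step 10: group -> "Role1|Role2"
    login_domain: str = "example.com"           # assumed domain appended to a bare Organization ID


def split_list(value: str, delimiter: str = "|") -> list:
    """Split a delimited setting, dropping blanks; matching stays case sensitive."""
    return [item.strip() for item in value.split(delimiter) if item.strip()]


def normalize_subject(subject: str, login_domain: str) -> str:
    """SAML_SUBJECT may be an email address or an Organization ID; the guide says
    QPA appends the domain in the latter case (the domain used here is assumed)."""
    return subject if "@" in subject else f"{subject}@{login_domain}"


def resolve_login(attrs: dict, settings: SsoSettings, existing_users: dict):
    """Apply the guide's Process Flow to one assertion's attributes.

    Returns ("allow", login, roles) or ("deny", reason).
    """
    missing = [name for name in REQUIRED_ATTRIBUTES if not attrs.get(name)]
    if missing:
        return ("deny", "missing required attribute(s): " + ", ".join(missing))

    login = normalize_subject(attrs["SAML_SUBJECT"], settings.login_domain)
    is_new = login not in existing_users
    if is_new and not settings.new_user_provisioning:
        return ("deny", "no QPA account and new user provisioning is disabled")

    # Step 9: parse the Groups attribute with the configured delimiter.
    groups = split_list(attrs.get("Groups", ""), settings.group_delimiter)

    # Step 8: when Authorized User Groups is set, at least one group must match.
    authorized = split_list(settings.authorized_groups)
    if authorized and not any(g in authorized for g in groups):
        return ("deny", "none of the user's groups is an authorized user group")

    # Step 6: existing users keep their roles when Manage Existing User Roles is No.
    if not is_new and not settings.manage_existing_roles:
        return ("allow", login, list(existing_users[login]))

    # Step 10: matched groups grant their mapped roles; unmatched groups are ignored.
    roles = []
    for group in groups:
        for role in split_list(settings.group_role_mappings.get(group, "")):
            if role not in roles:
                roles.append(role)

    # Step 7: fall back to Default QPA User Roles, or deny when nothing applies.
    if not roles:
        roles = split_list(settings.default_roles)
        if not roles:
            return ("deny", "no group mapped to a QPA role and no Default QPA User Roles set")
    return ("allow", login, roles)


# Constructed settings and assertion attributes for the demonstration.
SETTINGS = SsoSettings(
    default_roles="Everyone",
    authorized_groups="Sales|Proposal Team",
    group_role_mappings={"Proposal Team": "Proposal Writer|Everyone", "Sales": "Sales Viewer"},
)
EXISTING_USERS = {"asmith@example.com": ["Everyone"]}
NEW_WRITER = {"SAML_SUBJECT": "jdoe", "Email": "jdoe@example.com",
              "FirstName": "Jane", "LastName": "Doe", "Groups": "Proposal Team|Marketing"}
UNAUTHORIZED = {"SAML_SUBJECT": "rroe@example.com", "Email": "rroe@example.com",
                "FirstName": "Rob", "LastName": "Roe", "Groups": "Marketing"}

if __name__ == "__main__":
    for label, attrs in (("new writer", NEW_WRITER), ("unauthorized", UNAUTHORIZED)):
        print(label, "->", resolve_login(attrs, SETTINGS, EXISTING_USERS))
```

Two points worth noticing when tracing it: "Marketing" in the first assertion is silently ignored because it has no mapping, exactly as the Process Flow states, and an existing user with Manage Existing User Roles set to No keeps their stored roles even when the assertion's groups would map elsewhere.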