Authentication Service - SSO Management
2024.1+
The Authentication Service supports SSO (Single Sign-On). This enables users to sign in only once to access multiple applications and systems.
Once users have been authenticated by the Identity Provider (IDP) and validated by a given EasyVista product, they will be authorized to access all other products seamlessly.
- Depending on the protocol used (e.g. SAML, OAuth2, etc.), configuration may be required for the Identity Provider.
- Once the SSO is configured, it can be associated with a connection rule that is used to isolate the customer's end users.
Notes
- This menu can be accessed by the Host Admin and Config Admin profiles.
- More protocols supported by the Authentication Service will be available with each new release.
Protocols supported in 2024.1+: SAML2, OAuth2.0, OpenID Connect (OIDC), Credentials
Caution
- Once the SSO is created, the protocol can no longer be modified.
Menu access
SSO
Screens description
Protocol
Protocol used by the SSO. It determines the fields to be specified in the Setup screen.
Name: Name of the SSO.
Description: Description of the SSO.
Protocol: Type of protocol used by the SSO.
- Each protocol requires a different configuration. This is performed in the Setup screen.
Setup
SAML2
See Configure SAML SSO with Microsoft Entra ID
Entity ID: ID of the Identity Provider (IDP).
Metadata: List of metadata used for configuring the Identity Provider. It can be entered in two different ways.
- IDP Metadata URL: Used to define a link to online metadata that is regularly refreshed.
- Select the refreshment interval for the data.
- IDP Metadata XML: Used to specify the XML schema of metadata when no online URL is available.
Advanced options: Enable or disable each of the following options for the Identity Provider.
- Authentication Requests Signed: Authentication requests are signed.
- is Assertion Encrypted: Assertions are encrypted.
- want Assertions Signed: Assertions must be signed.
- want LogoutRequest Signed: Logout requests must be signed.
- want Logout Response Signed: Logout responses must be signed.
- want Message Signed: Messages must be signed.
OAuth2.0
See Configure OAuth2.0 SSO with Microsoft Entra ID
Client ID: ID of the Identity Provider (IDP).
Example: App ID in Microsoft Entra ID
Client Secret: Client secret associated with the credentials in the Identity Provider.
Example: Client secret created in Microsoft Entra ID
Scope: List of fields to be sent by the Identity Provider.
- Use spaces to separate the fields.
Example: for Open ID, enter OpenID
Advanced Settings: Enter the required information or click Import from Preset to load it automatically.
- Authorization URI: Authorization URI.
- Token URI: Token request URI.
- Open ID URI: URI used to retrieve all of the required information.
OpenID Connect (OIDC)
Client ID: ID of the Identity Provider (IDP).
Example: App ID in Microsoft Entra ID
Client Secret: Client secret associated with the credentials in the Identity Provider.
Example: Client secret created in Microsoft Entra ID
Scope: List of fields to be sent by the Identity Provider.
- Use spaces to separate the fields.
Example: for Open ID, enter OpenID
Issuer Url: Enter the full URL to .well-known/openid-configuration or click Import from Preset to load it automatically.
Use Nonce: Indicates whether the Identity Provider supports the nonce parameter.
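Added illustration (not EasyVista code) covering both the OAuth2.0 Advanced Settings and the OIDC fields above: it shows what Import from Preset derives from the discovery document behind the Issuer Url (Authorization URI, Token URI, supported scopes), validates the space-separated Scope field against it, and builds the authorization redirect with a state value and, when Use Nonce is on, a nonce that is later checked against the ID token. The discovery document, issuer, client ID and redirect URI are constructed placeholders.

```python
import json
import secrets
from urllib.parse import urlencode

# Constructed discovery document standing in for what an IdP serves at
# <issuer>/.well-known/openid-configuration. Issuer and URLs are placeholders.
ISSUER = "https://login.example.test/tenant-id/v2.0"
DISCOVERY_JSON = json.dumps({
    "issuer": ISSUER,
    "authorization_endpoint": "https://login.example.test/tenant-id/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/tenant-id/oauth2/v2.0/token",
    "jwks_uri": "https://login.example.test/tenant-id/discovery/v2.0/keys",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
    "response_types_supported": ["code", "id_token", "code id_token"],
})


def discovery_url(issuer: str) -> str:
    """The Issuer Url the Setup screen expects: issuer + well-known discovery path."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"


def load_preset(issuer: str, discovery_json: str) -> dict:
    """Turn a discovery document into the OAuth2.0 Advanced Settings values."""
    doc = json.loads(discovery_json)
    # OIDC Discovery requires the 'issuer' claim in the document to equal the
    # issuer it was fetched for; a mismatch means the document is not authoritative.
    if doc.get("issuer") != issuer:
        raise ValueError(f"issuer mismatch: {doc.get('issuer')!r} != {issuer!r}")
    missing = [k for k in ("authorization_endpoint", "token_endpoint", "jwks_uri")
               if k not in doc]
    if missing:
        raise ValueError(f"discovery document lacks {missing}")
    return {
        "authorization_uri": doc["authorization_endpoint"],
        "token_uri": doc["token_endpoint"],
        "open_id_uri": discovery_url(issuer),
        "scopes_supported": set(doc.get("scopes_supported", [])),
    }


def check_scope(scope_field: str, preset: dict) -> list:
    """Validate the space-separated Scope field against the discovery document."""
    requested = scope_field.split()
    problems = []
    if "openid" not in requested:
        problems.append("scope must contain 'openid' for an OIDC sign-in")
    for s in requested:
        if preset["scopes_supported"] and s not in preset["scopes_supported"]:
            problems.append(f"scope {s!r} is not advertised by the IdP")
    return problems


def build_authorization_request(preset, client_id, redirect_uri, scope_field, use_nonce):
    """Build the redirect the service sends the browser to.
    Returns (url, state, nonce); state and nonce must be kept server-side."""
    state = secrets.token_urlsafe(16)  # binds the callback to this browser session
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope_field,
        "state": state,
    }
    nonce = None
    if use_nonce:  # Use Nonce option: the IdP echoes this value inside the ID token
        nonce = secrets.token_urlsafe(16)
        params["nonce"] = nonce
    return preset["authorization_uri"] + "?" + urlencode(params), state, nonce


def id_token_nonce_ok(id_token_claims: dict, expected_nonce) -> bool:
    """Accept the ID token only if it carries the nonce issued for this login."""
    if expected_nonce is None:
        return True  # nonce not in use for this SSO
    got = id_token_claims.get("nonce")
    return isinstance(got, str) and secrets.compare_digest(got, expected_nonce)


if __name__ == "__main__":
    preset = load_preset(ISSUER, DISCOVERY_JSON)
    print(preset)
    print(check_scope("openid profile", preset))
    url, state, nonce = build_authorization_request(
        preset, "app-id-placeholder", "https://sp.example.test/callback",
        "openid profile", use_nonce=True)
    print(url)
    print(id_token_nonce_ok({"nonce": nonce}, nonce))
```

Scope values are case-sensitive in OAuth2 and OIDC, so the value actually sent in the request is the lowercase `openid` that the discovery document lists under scopes_supported; the check above compares the field exactly as entered.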
Credentials
This protocol is used to configure the login and password of a given EasyVista product as the authentication source, and subsequently, to use these credentials to log in to other EasyVista products.
Endpoint: EasyVista product used as the authentication source for other products.
Hostname: Customer hostname corresponding to the EasyVista product used as the authentication source.
Use SSL: Indicates whether the EasyVista product server uses the https protocol.
Configuration
Used to retrieve the information required for configuring the Identity Provider.
SAML2
Callback URL: Callback URL (redirect URL) required for configuring the network connection between the Identity Provider server and the server of the EasyVista product used as the authentication source.
OAuth2.0 or OpenID Connect (OIDC)
Metadata: Metadata URL.
Assertion Consumer Service: The ACS URL must be authorized in the Identity Provider.
Credentials
Requests from the following URL must be allowed: URL based on which requests must be authorized.
Test
Used to check that the SSO is working correctly.
Fields
Used to map the elements retrieved by the SSO, i.e. information on the logged-in user, with fields in the database.
MFA
Multi-factor authentication (MFA) is used to reinforce authentication security by regularly requiring users to enter a confirmation code generated in real-time by a mobile app.
List of fields when MFA is enabled
Issuer: Name identifying the connection in the mobile app.
Interval between two checks: Period after which the Authentication Service will require a new confirmation code from users.
Mandatory: Indicates whether MFA is mandatory or optional.
Procedures
How to configure a new SSO
1. Select the SSO menu.
2. Click + Add.
3. Enter the information on the new SSO.
Protocol screen
- Select the protocol used by the SSO.
Setup screen
- Specify the fields based on the protocol used by the SSO. See the Setup section above.
Configuration screen
- Retrieve the information required for configuring the Identity Provider depending on the SSO protocol. See the Configuration section above.
- Hover over the relevant field and click Copy to copy the value.
- Paste the copied value in the screen for configuring the Identity Provider.
Test screen
- Click Test Sign in to run the new SSO.
- The SSO will run.
- The results of the test will appear.
Fields screen
- Map the elements retrieved by the SSO, i.e. information on the logged-in user, with fields in the database.
MFA screen
- Specify whether multi-factor authentication (MFA) is enabled.
- If MFA is enabled, specify the fields to configure it. See the MFA section above.
5. Click Finish.
The new SSO will be created.
6. Associate the SSO with a rule.