Single Sign-On (SSO) for Appspace cloud
This article provides instructions to enable the Single Sign-On (SSO) feature for Appspace Cloud.
With SSO, Appspace Cloud accounts can be configured to integrate with Security Assertion Markup Language (SAML) 2.0 compliant identity providers, so users sign in with a single set of credentials and administrators no longer maintain separate Appspace usernames and passwords.
When you log in to Appspace, your credentials are authenticated by the identity provider, which sends a SAML assertion back to Appspace through the web browser; Appspace validates that assertion and grants the login. The instructions in this article use Active Directory Federation Services (AD FS) as the identity provider, with Appspace as the service provider. Follow the instructions below to set up SSO for Appspace Cloud.
- Set up Active Directory Federation Services (AD FS) server
- Enable Single Sign-On (SSO)
- Configure AD FS Relying Party Trust
- Log in with SSO
Prerequisites
- An Identity Provider that is SAML 2.0 compliant.
- The IdP metadata XML, or the SSO URL and X.509 signing certificate.
- You must be an Account Owner.
- Contact Appspace Support to enable SSO on cloud.
There is a limitation with SSO that affects all Appspace environments: validation of the SSO assertion fails for customers whose identity provider uses a non-URI issuer value. Appspace checks the issuer carried in the SAML response, and a value that is not an absolute URI is rejected.
Most SSO providers default to a URI-based issuer (AD FS uses its federation service identifier, http://<ADFSFQDN>/adfs/services/trust by default), but some customers override it with a plain name.
Example: the issuer "MyCompany" will fail, but "https://sso.mycompany.com" will succeed.
Appspace is looking into resolving this limitation; the current workaround for successful validation of the SSO assertion is to adjust the issuer string at the identity provider so that it is a URI.
Set up Active Directory Federation Services (AD FS) server
AD FS can be installed on the Active Directory domain controller or on a separate server.
- Install the Active Directory Federation Services (AD FS) server role. Follow the instructions here: https://msdn.microsoft.com/en-us/library/azure/dn151310.aspx
- Configure AD FS. Follow the instructions here: https://msdn.microsoft.com/en-us/library/azure/dn151319.aspx
Enable Single Sign-On (SSO)
Download the IdP metadata by navigating to the following URL: https://<ADFSFQDN or IP>/FederationMetadata/2007-06/FederationMetadata.xml.
This metadata is uploaded to the service provider (Appspace) so that it can recognize and trust the identity provider (AD FS): it carries the IdP entity ID (the issuer), the SSO endpoint URL, and the X.509 token-signing certificate that Appspace uses to verify assertion signatures.
Login to your Account Management Portal with your Account Owner credentials.
Click the Settings tab.
Click the Account Authentication tab, and select Single Sign-On (SSO) as the authentication method in the AUTHENTICATION METHOD section.
In the SINGLE SIGN-ON (SSO) SETTINGS section, set the desired Login method to either SSO only or SSO or Appspace Credentials, depending on your authentication implementation.
- SSO only - Users must log in with Single Sign-On credentials (AD credentials). Only administrators can log in with an Appspace credential; this remains a password-based entry point, so protect those administrator accounts accordingly.
- SSO or Appspace Credentials - Users can log in with either their Appspace credentials or their Single Sign-On credentials (AD credentials).
In the IDENTITY PROVIDER (IDP) INFORMATION section, drop the IdP metadata XML file downloaded in the first step above into the drop area, or click the browse file link to upload the file.
Alternatively, enter the SSO URL and X.509 certificate data manually in the appropriate fields.
To require the IdP to authenticate the user afresh instead of reusing an existing IdP session (the SAML ForceAuthn flag in the authentication request), check the Force re-authentication on login checkbox.
In the GENERATING SERVICE PROVIDER (SP) METADATA section, select your preferred binding option:
- Redirect – Users are redirected to the Identity Provider with the SAML request carried in the query string of the redirect URL ("?SAMLRequest=...", DEFLATE-compressed and base64-encoded).
- Post – The SAML request is carried in an HTML form that the browser submits to the Identity Provider with the POST method. For this method to work, you must ensure that the Identity Provider can reach the Appspace Server directly.
Click Save to download the Service Provider XML file, which you will use to configure the Identity Provider in the next section.
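The issuer limitation described earlier and the manual SSO URL / X.509 certificate fields both come from the same file, the IdP metadata downloaded in the first step. The following PowerShell script is an added example (not Appspace's or Microsoft's code) that reads that file and reports the values you would otherwise type by hand, warning when the issuer is not an absolute URI, when an SSO endpoint is not HTTPS, or when the token-signing certificate is close to expiry. The input path .\FederationMetadata.xml is an assumption for this example.

```powershell
# Added example (not Appspace or Microsoft code). Reads the IdP metadata downloaded from
# https://<ADFSFQDN>/FederationMetadata/2007-06/FederationMetadata.xml and reports the values
# Appspace needs (issuer, SSO URL per binding, signing certificate) plus the checks this
# article's limitations imply. Assumed input path: .\FederationMetadata.xml
function Test-IdpMetadata {
    param([Parameter(Mandatory)][string]$MetadataPath)

    $md = New-Object System.Xml.XmlDocument
    $md.Load((Resolve-Path $MetadataPath).Path)
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
    $ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

    # entityID is the value AD FS places in <saml:Issuer>; Appspace only accepts a URI here.
    $entityId = $md.DocumentElement.GetAttribute("entityID")
    if (-not [System.Uri]::IsWellFormedUriString($entityId, [System.UriKind]::Absolute)) {
        Write-Warning "Issuer '$entityId' is not an absolute URI; Appspace will reject the assertion. Change the AD FS federation service identifier to a URI."
    }

    $idp = $md.SelectSingleNode("/md:EntityDescriptor/md:IDPSSODescriptor", $ns)

    # One SSO URL per binding: use the one matching the binding selected in Appspace. It must be HTTPS.
    $ssoUrls = foreach ($svc in $idp.SelectNodes("md:SingleSignOnService", $ns)) {
        $loc = $svc.GetAttribute("Location")
        if (-not $loc.StartsWith("https://", [System.StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "SSO endpoint $loc is not HTTPS; SSO to Appspace requires HTTPS."
        }
        [pscustomobject]@{ Binding = $svc.GetAttribute("Binding").Split(":")[-1]; Location = $loc }
    }

    # Token-signing certificate(s): the X.509 data Appspace uses to verify assertion signatures.
    $certs = foreach ($kd in $idp.SelectNodes("md:KeyDescriptor[@use='signing']", $ns)) {
        $b64  = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns).InnerText.Trim()
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
        if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
            Write-Warning "Token-signing certificate $($cert.Thumbprint) expires $($cert.NotAfter); re-upload the metadata to Appspace after AD FS rolls it over."
        }
        [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint; Base64 = $b64 }
    }

    [pscustomobject]@{ Issuer = $entityId; SsoUrls = $ssoUrls; SigningCerts = $certs }
}

# Usage: Issuer and Location go into the manual fields; Base64 is the X.509 certificate value.
$result = Test-IdpMetadata -MetadataPath ".\FederationMetadata.xml"
$result.Issuer
$result.SsoUrls | Format-Table
$result.SigningCerts | Select-Object Subject, NotAfter, Thumbprint | Format-Table
```

Run the script again whenever AD FS rolls its token-signing certificate: the certificate in the metadata changes, and Appspace will reject assertions signed with the new key until the updated metadata (or the new certificate) is uploaded.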
Pass-through Authentication is disabled by default on cloud. To enable it, please contact Appspace Support.
Configure AD FS Relying Party Trust
This section is performed on the Identity Provider (AD FS) server.
On the AD FS server, create a Relying Party Trust by following the instructions here: https://technet.microsoft.com/en-us/library/dd807132(v=ws.11).aspx When the wizard asks for the relying party data, import the Service Provider XML file downloaded in the previous section, so that the entity ID and Assertion Consumer Service URL are taken from Appspace's metadata rather than typed by hand.
Note the specific configurations required for Appspace, listed below.
In the Edit Claim Rules window, add the following claim rules:
Add a Send LDAP Attributes as Claims rule by following the instructions here: https://technet.microsoft.com/en-us/library/dd807115(v=ws.11).aspx This rule sends the user's e-mail address from Active Directory as a claim.
This step mandates that every Appspace user who authenticates via SSO has an e-mail address in Active Directory, because that address is also used as the Appspace username; a user without one receives no claim and cannot log in.
Add a Transform an Incoming Claim rule by following the instructions here: https://technet.microsoft.com/en-us/library/dd807068(v=ws.11).aspx This rule maps the e-mail address claim to the outgoing Name ID.
We currently support the following outgoing Name ID formats:
- Transient Identifier (default)
- Email Identifier
Click Apply, and click OK.
In the AD FS 2.0 folder tree, click the Relying Party Trusts folder, and select your Relying Party Trust display name.
Click Advanced, and select SHA-1 from the Secure hash algorithm drop-down menu. Click Apply to save the change. This setting controls the algorithm AD FS uses to sign the SAML assertion it sends to Appspace; AD FS defaults to SHA-256, and SHA-1 is deprecated for digital signatures, so use SHA-1 only because Appspace requires it here and check with Appspace Support whether SHA-256 has become supported before relying on it long-term.
Log in with SSO
You must use HTTPS for SSO to work.
Start a login to Appspace Cloud as usual, and you will be redirected to the SSO login page provided by your Identity Provider.
Enter your AD credentials.
Upon successful authentication, you will be redirected back to your Appspace Dashboard.
Disable SSO Authentication
Follow the instructions below if you wish to disable SSO: