Configure Single Sign-On (SSO) & Just-in-Time (JIT) for Appspace 8.0 On-Prem

Appspace on-prem deployments can be configured to integrate with Security Assertion Markup Languages (SAML) 2.0 compliant identity providers (IdP), allowing for seamless and secure connections using a single set of credentials, simplifying username and password management with Single Sign-On (SSO). When you log in to Appspace, your credentials are authenticated by the IdP, and a SAML 2.0 assertion is sent to Appspace via the web browser to allow access to Appspace. Additionally, Appspace provides the following seamless SSO configuration options for organizations utilizing an external IdP:

• Just-in-Time (JIT) provisioning: when a user already configured in an access management tool (i.e. Okta/OneLogin) signs in to the Appspace console for the first time using SSO, JIT provisioning uses a SAML assertion to automatically create users on the Appspace account if they do not already exist. This eliminates the need to create user accounts separately for Appspace.

This article provides the instructions to enable and configure Single Sign-On (SSO) on an Appspace 8.0 on-prem deployment, while providing the option to enable Just-in-Time (JIT) provisioning:

Prerequisites

• Windows Server Administrator permissions.
• Required Appspace roles and permissions: Portal Admin.
• An Identity Provider (IdP) that is SAML 2.0 compliant:
  • IdP metadata, or
  • SSO URL and x.509 certificates.

Additional Prerequisites for Just-in-Time Provisioning:

• An Appspace User Group, which acts as the default user group for newly created JIT-provisioned users.
• Configured SAML 2.0 identification attribute flag to identify an IdP user as one that should be created in Appspace. This attribute can be selected by the IdP administrator, and should be configured in both the IdP and Appspace. 
• Configured IdP to pass the correct JIT-related attributes to Appspace, such as attribute mappings for the “First Name” and “Last Name” fields.
• Configured JIT as per the specific access management tool (ie. Okta or OneLogin) and ensure that any Appspace-specific attributes are created and passed with each assertion.
• Make Appspace available in the IdP-specific App Store catalog.

Please be informed that once configuration server settings have been saved, a notification is displayed at the top, informing you that the Appspace server has detected changes in the server settings, and to Click Here to apply these settings. Clicking the link will redirect you to the Apply Configuration tab, in which you would be required to enter your Windows Server Administrator credentials for the server settings to be applied. However, you may continue performing other server configurations before finally applying all the server setting changes that have been made.

Enable and Configure Single Sign-On (SSO)

1. Click the ☰ Appspace menu, and click System > Configuration, and click the Authentication tab.
2. In the AUTHENTICATION PROVIDER section:
   
   • Select Appspace Authentication from the Authentication Provider drop-down menu.
   • Optionally, you may enable Account Lockout by checking the Enable checkbox, and entering the number of attempts before the user’s account is locked..
   • Optionally, you may enable Password Complexity by checking the Enable checkbox. 
     Note

     The password composition shall follow these rules:

     • A minimum of 8 characters.
     • A combination of uppercase (A-Z), lowercase letters (a-z), and numbers (0-9) or special characters (!, @,#,$, etc.).
     • Does not contain the current username.
     • Does not contain more than 3 consecutive repeating characters
3. In the GLOBAL SSO CONFIGURATION section:
   • Slide the SSO Global toggle to ON, allowing for additional SSO configurations to be displayed.
   • Ensure the correct SSL certificate is selected in the SSL Certificate drop-down menu. If a valid SSL certificate is installed on the Appspace on-prem server, it will be listed in the drop-down menu.
   • Select the desired Appspace Tenancy option:
     • Single.
     • Multiple.
4. In the AUTHENTICATION METHOD section:
   • Select Single Sign-On (SSO) from the Select an authentication method drop-down menu.
5. In the SINGLE SIGN-ON (SSO) SETTINGS section:
   • Select the desired Login method options:
     • SSO only – Users can only sign in via their Single Sign-On credentials.
     • SSO or Appspace Credentials – Users and Admins can sign in via their Single Sign-On credentials, or Appspace credentials.
6. In the IDENTITY PROVIDER (IDP) INFORMATION section:
   
   • Upload the IdP metadata XML file, or manually enter the SSO URL and X.509 Certificate details in the respective fields.
     Important

     Ensure the NameID in the SAML assertion is the user’s email address.

     Appspace uses the following NameID format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
7. In the GENERATING SERVICE PROVIDER (SP) METADATA section:
   • Select the desired Data binding (IdP to SP) options:
     • Redirect – Users are redirected to the IdP. SSO details are passed in a query string with “?SAMLRequest=……” as part of the URL.
     • Post – SSO details are passed using the POST method. IdP requires direct access to the Appspace server for this method to work.
8. Once done, click Save, and click OK to confirm the settings.

Disable Single Sign-On (SSO)

1. Click the ☰ Appspace menu, and click System > Configuration, and click the Authentication tab.
2. In the GLOBAL SSO CONFIGURATION section:
   • Slide the SSO Global toggle to OFF.
3. Once done, click Save, and click OK to confirm the settings.

Enable and Configure Just-In-Time Provisioning (JIT)

Important

Ensure first time users log via the Login URL listed in the GENERATING SERVICE PROVIDER (SP) METADATA section, in order for their user accounts to be created automatically by the JIT provisioning feature. Once their user accounts have been created, they may continue to log in via the default Appspace login URL.

1. Click the ☰ Appspace menu, and click System > Configuration, and click the Authentication tab.
2. In the JUST-IN-TIME PROVISIONING (JIT) section:
   
   • Slide the Enable JIT? toggle to ON.
   • Enter the Appspace User Group that would be automatically assigned to JIT provisioned users in the User Group field.
     Note

     By default, the SAML attributes are mapped to First Name and Last Name of the IdP configuration.
3. Optionally, you may click the Show advanced configuration link to display further configuration options, allowing you to manually configure the SAML attributes values that match the IdP.
   • Enter the Attribute name and Attribute value regex of the JIT condition in the respective fields.
     Note

     The SAML identification attribute flag, Attribute=”appspace-role” and Value=”^platform-user$”.

     This value is a regular expression. If the attribute value matches this regular expression then the user is provisioned via JIT. Regular expressions allow very flexible matching for the wide array of IdP configurations.

     This allows you to only provision platform users for some employees, while allowing for pass-through access. By default, this looks for an attribute called “appspace-role” with a value of “^platform-user$”, however this is designed to be flexible and has a regex match. You could also make it match all users by setting it to something like attribute = ‘mail’ value = ‘.*’ (regex wildcard that will match any email value).
   • Enter the SAML attribute mapping for the First name and Last name in the respective fields.
4. Once done, click Save, and click OK to confirm the settings.