The SSO Configuration screen enables Single Sign-On authentication in EAM. The fields on this screen are optional; they configure WS-Trust, OIDC, or both, using the parameters populated on the screen.
The WS-Trust settings populated on this screen are the default tenant-specific settings and override any customer information stored in YAML files. On-premise customers can use this screen to store WS-Trust configuration; in the cloud it provides tenant-specific WS-Trust settings. The screen also supports OIDC configuration in place of install parameters and validates that every field required for OIDC authentication is populated before the record is saved.
- Select Administration > System Configuration > SSO Configuration.
- In the OIDC Configuration section, specify this information:
  - Issuer – Enter the issuer of the OpenID Connect ID token. A valid ID token carries exactly this value in its iss claim.
  - Client ID – Enter the OpenID Connect client ID registered for EAM at the identity provider. A valid ID token names it in its aud claim.
  - JWKS URI – Enter the URI of the JSON Web Key Set (JWKS) published by the identity provider. The public keys served there are used to verify the signature of the ID token.
  - Optionally, select the Password Grant check box to authenticate users by sending their username and password directly to the token end point (the OAuth 2.0 resource owner password credentials grant). This grant hands user passwords to the application instead of keeping them at the identity provider and is deprecated by the OAuth 2.0 Security Best Current Practice; prefer the redirect-based login unless a browser redirect is not possible.
  - Client Password – Enter the OpenID Connect client secret (client password) that EAM presents to the token end point.
  - Scope – Enter the OpenID Connect scope to be passed in the request sent to the token end point. The scope must include openid for an ID token to be returned.
  - Token End Point – Enter the OpenID Connect token end point.
  - Authentication Endpoint – Enter the OpenID Connect authorization endpoint, the identity provider URL to which users are redirected to sign in.
  - End Session Endpoint – Enter the identity provider's end session endpoint. On logout the user is redirected there so that the identity provider session is ended as well, not only the EAM session.
- In the OIDC Claims section, specify the names of the ID token claims that EAM maps to user attributes:
  - Identity Claim – Enter the name of the OpenID Connect ID token claim containing the unique identity of the user (such as sub).
  - UPN Claim – Enter the name of the OpenID Connect ID token claim containing the displayable user information (UPN/Identity 2).
  - Role Claim – Enter the name of the OpenID Connect ID token claim containing the role information.
  - Tenant Claim – Enter the name of the OpenID Connect ID token claim whose value contains the tenant information.
  - Email Claim – Enter the name of the OpenID Connect ID token claim containing the email address.
  - User Description Claim – Enter the name of the OpenID Connect ID token claim containing the user description.
- In the WS-Trust Configuration section, specify this information:
  - Enable WS-Trust – Optionally, select this check box to enable the WS-Trust protocol configuration. WS-Trust is available when using ADFS or Ping Federate as the IdP, but not with Azure AD or Okta.
  - Identity Provider Type – Select PF (Ping Federate) or ADFS (Active Directory Federation Services) to indicate which identity provider issues the security tokens that EAM trusts for SSO.
  - STS Endpoint – Enter the endpoint of the security token service (STS) to which user credentials are sent in exchange for a security token.
  - MEX Address – Enter the WS-MetadataExchange (MEX) address of the STS; for ADFS, take it from the ADFS console.
  - STS Policy ID – Leave blank when connecting to ADFS.
  - Optionally, select the Quality User check box to set the userid to <tenant>~<userid>. This is intended for backwards compatibility.
  - Optionally, select the Transmit Tenant check box to set the userid to <customerid>_<userid>. This is intended for backwards compatibility.
- Click Save Record.
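The OIDC fields above (Issuer, Client ID, JWKS URI and the claim names) only do their job if the application validates every ID token against them. The following Go program is an added example written for this page, not EAM's own code, that shows what that validation looks like: it looks up the signing key by kid in a JWKS document, verifies the RS256 signature, checks iss, aud and exp, and then maps the configured claim names onto a user record. The identity provider side (key generation, JWKS rendering, token minting), the issuer and client ID values, the claim names and the user attributes are all constructed for the example; the JWKS is passed as a document rather than fetched from the configured URI so that the program runs offline.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// SSOConfig mirrors the screen's OIDC Configuration and OIDC Claims fields. JWKS holds the
// key-set document itself rather than a JWKS URI so the example runs offline (an assumption).
type SSOConfig struct {
	Issuer, ClientID                                                        string
	JWKS                                                                    []byte
	IdentityClaim, UPNClaim, RoleClaim, TenantClaim, EmailClaim, DescClaim string
}

// User is what the application derives from a validated ID token.
type User struct {
	Identity, UPN, Tenant, Email, Description string
	Roles                                     []string
}

var b64 = base64.RawURLEncoding

// NewJWKS renders a one-key JSON Web Key Set, i.e. the document a JWKS URI serves.
func NewJWKS(pub *rsa.PublicKey, kid string) []byte {
	e := big.NewInt(int64(pub.E)).Bytes()
	j, _ := json.Marshal(map[string]any{"keys": []map[string]string{{"kty": "RSA", "kid": kid,
		"n": b64.EncodeToString(pub.N.Bytes()), "e": b64.EncodeToString(e)}}})
	return j
}

// MintIDToken signs an RS256 ID token; it stands in for the identity provider.
func MintIDToken(key *rsa.PrivateKey, kid string, claims map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(claims)
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(signing))
	sig, _ := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	return signing + "." + b64.EncodeToString(sig)
}

// ValidateIDToken verifies the signature with the JWKS key named by kid, checks iss, aud and
// exp (now is Unix seconds), then maps the configured claim names onto a User.
func ValidateIDToken(cfg SSOConfig, token string, now int64) (*User, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	h, _ := b64.DecodeString(parts[0]) // undecodable segments fail the JSON parse below
	p, _ := b64.DecodeString(parts[1])
	var hdr struct{ Alg, Kid string }
	var c map[string]any
	if json.Unmarshal(h, &hdr) != nil || json.Unmarshal(p, &c) != nil || hdr.Alg != "RS256" {
		return nil, errors.New("unreadable token or alg is not RS256") // also rejects alg=none
	}
	var set struct{ Keys []struct{ Kty, Kid, N, E string } }
	_ = json.Unmarshal(cfg.JWKS, &set) // an unparsable key set leaves Keys empty and fails below
	bn := func(s string) *big.Int { b, _ := b64.DecodeString(s); return new(big.Int).SetBytes(b) }
	var pub *rsa.PublicKey
	for _, k := range set.Keys {
		if k.Kty == "RSA" && k.Kid == hdr.Kid {
			pub = &rsa.PublicKey{N: bn(k.N), E: int(bn(k.E).Int64())}
		}
	}
	if pub == nil {
		return nil, errors.New("no RSA key in JWKS matches kid " + hdr.Kid)
	}
	sig, _ := b64.DecodeString(parts[2]) // an undecodable signature simply fails verification
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, errors.New("signature verification failed")
	}
	str := func(name string) string { s, _ := c[name].(string); return s }
	exp, _ := c["exp"].(float64)
	switch {
	case c["iss"] != cfg.Issuer:
		return nil, errors.New("iss does not match the configured Issuer")
	case str("aud") != cfg.ClientID: // single-valued aud; OIDC also allows an array
		return nil, errors.New("aud does not match the configured Client ID")
	case exp == 0 || now >= int64(exp):
		return nil, errors.New("token expired or exp missing")
	case str(cfg.IdentityClaim) == "":
		return nil, errors.New("identity claim missing: " + cfg.IdentityClaim)
	}
	u := &User{Identity: str(cfg.IdentityClaim), UPN: str(cfg.UPNClaim), Tenant: str(cfg.TenantClaim),
		Email: str(cfg.EmailClaim), Description: str(cfg.DescClaim)}
	switch r := c[cfg.RoleClaim].(type) { // providers send roles as a string or as an array
	case string:
		u.Roles = []string{r}
	case []any:
		for _, v := range r {
			u.Roles = append(u.Roles, fmt.Sprint(v))
		}
	}
	return u, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed provider key; kid and claims are sample data
	cfg := SSOConfig{Issuer: "https://idp.example.com", ClientID: "eam-client", JWKS: NewJWKS(&key.PublicKey, "k1"),
		IdentityClaim: "sub", UPNClaim: "upn", RoleClaim: "roles", TenantClaim: "tid", EmailClaim: "email", DescClaim: "name"}
	tok := MintIDToken(key, "k1", map[string]any{"iss": cfg.Issuer, "aud": cfg.ClientID, "exp": time.Now().Unix() + 300,
		"sub": "u-1001", "upn": "jdoe@example.com", "roles": []string{"R5"}, "tid": "ACME", "email": "jdoe@example.com"})
	fmt.Println(ValidateIDToken(cfg, tok, time.Now().Unix()))
}
```

The order of the checks is deliberate: the signature is verified before any claim is trusted, the alg header is pinned so an alg=none or HMAC-with-public-key token is refused, and a token that verifies but names a different issuer or audience is still rejected. A real deployment would use a maintained OIDC library, fetch the JWKS from the configured URI with caching, and re-fetch on an unknown kid to follow key rotation.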