SSOLogonDef section - HxGN EAM - 12.1.1 - Feature Briefs - Hexagon

HxGN EAM Single Sign-On


The ssoLogonDef block is used only when connecting to a SAML2-compliant SSO server. It must not be used for custom SSO implementations.

  • name - Each logon definition must have a unique name. The name must be unique across all ssoLogonDef and customLogonDef blocks.

  • logonURL - The URL of the HxGN EAM module that communicates with the SAML server.

    • Since the browser will be redirected to this URL, the URL must be accessible from the browser.

    • The default value will normally not need to be changed.

  • logoutURL - The URL to which the browser will be redirected when the user logs out of HxGN EAM.

    • Note: Do not set the logoutURL to the HxGN EAM login page. If the logoutURL points to the login page, users will be unable to log out at all.

  • ssoLogoutURL - The URL to which the browser will be redirected if the HxGN EAM session times out.

  • STSEndpoint

    • Use a browser to access the ADFS mex address endpoint (see ‘STSMexAddress’ below).

    • In the resulting XML document, search for an address ending in "2005/usernamemixed".

    • Use the entire URL as the STSEndpoint.

  • STSKeyType

    • The default value should not be altered.

  • STSMexAddress

    • To find the Message Exchange Address using the ADFS console:

      • Navigate to Service > Endpoints.

      • Locate the Metadata section.

      • The Metadata section should contain an entry whose type is WS-MEX.

      • Copy the URL Path for this entry.

      • The complete mex address is a URL using this path. The mex address will look something like https://<adfsserver>:<optional port>/adfs/services/trust/mex.

  • STSPolicyID - Should be left blank when connecting to ADFS.

  • userAttribute - The name of the SAML attribute containing the userid (the unique identifier for the user).

    • This value must exactly match, including case, a Claim Type in ADFS.

      • See the Claim Descriptions screen (under the Service tab).

    • Filter

      • If the userid is only a substring of the value returned in the SAML claim, a filter may be specified to extract the userid from the SAML value.

      • Requirements for the filter string:

        • It must be a valid Java regular expression.

        • Group number 1 will be used to extract the userid substring. If other groups exist, they must be non-capturing.

      • If the filter is omitted, the entire SAML value will be used.

  • primaryRoleAttribute - The name of the SAML attribute containing an EAM role name.

    • The value must match a role defined on the EAM roles screen.

    • This value must exactly match, including case, a Claim Type in ADFS.

      • See the Claim Descriptions screen (under the Service tab).

    • If this value is omitted, user records must already exist in the EAM database.

    • Filter (see details under userAttribute above).
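A quick check for a userAttribute or primaryRoleAttribute filter, as an added example that is not HxGN EAM's own code: it applies the filter rules above (Java regex, group 1 is the userid, all other groups non-capturing, whole value when no filter is set) to constructed claim values. The sample filters, claim values and the class name UserIdFilterCheck are assumptions.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.regex.PatternSyntaxException;

// Added example, not HxGN EAM code: applies a logon-definition filter the way the
// page describes it. Group 1 of the Java regex is the userid, every other group
// must be non-capturing, and an omitted filter means the whole SAML value is used.
public class UserIdFilterCheck {

    /** Returns the userid from samlValue, or null when the filter does not match. */
    static String extractUserId(String samlValue, String filter) {
        if (filter == null || filter.isEmpty()) {
            return samlValue;                      // filter omitted: entire SAML value is the userid
        }
        Pattern p = Pattern.compile(filter);       // PatternSyntaxException if not a valid Java regex
        int groups = p.matcher("").groupCount();   // counts capturing groups only; (?:...) is not counted
        if (groups != 1) {
            throw new IllegalArgumentException(
                "filter must have exactly one capturing group, found " + groups);
        }
        Matcher m = p.matcher(samlValue);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed sample claim values and hypothetical filters.
        String upn = "jsmith@corp.example";
        String downLevel = "CORP\\jsmith";
        // userid before '@'; the domain part is a non-capturing group.
        System.out.println(extractUserId(upn, "^([^@]+)@(?:[\\w.-]+)$"));          // jsmith
        // userid after the backslash of a DOMAIN\user value.
        System.out.println(extractUserId(downLevel, "^(?:[^\\\\]+)\\\\(.+)$"));     // jsmith
        // No filter configured: the whole value is used.
        System.out.println(extractUserId(upn, null));                              // jsmith@corp.example
        // Claim value that does not match the filter: no userid can be extracted.
        System.out.println(extractUserId("svc-account", "^([^@]+)@(?:[\\w.-]+)$")); // null
        try {   // second group is capturing, so the filter is rejected
            extractUserId(upn, "^([^@]+)@([\\w.-]+)$");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {   // not a valid Java regular expression (unclosed group)
            extractUserId(upn, "^([^@]+@");
        } catch (PatternSyntaxException e) {
            System.out.println("invalid regex: " + e.getDescription());
        }
    }
}
```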

  • identityProviderID - A unique identifier for the Identity Provider (e.g. ADFS).

    • By default this value will be automatically populated using the idpEntityID from the yaml configuration.

    • The value only needs to be entered manually if more than one Identity Provider is configured. The ID should be copied from the entityID attribute in the appropriate idp*.xml file.

  • identityProviderType - Defaults to ADFS. This setting should be left unchanged when connecting to ADFS.

  • logonRedirectTimeout

    • When control returns to EAM from an SSO server, parameters are passed to EAM in an encrypted string by means of an HTTP POST from the browser.

    • To minimize the possibility of a replay attack, the encrypted string contains a timestamp indicating how long the string remains valid.

    • The timestamp value is given in seconds.

    • The server defaults this value to 300 seconds. The minimum value is 5 seconds; any smaller value will be ignored.

  • faaConfig - This section is only used when EAM is running in the SaaS environment.

    • tenantCookieDomain - The domain name to use when setting the FAACustomerID cookie.

      • The name will normally begin with a dot (‘.’).

      • If this property is present, the tenantID must be of the form "CustomerID_somestring".

    • qualifyUserNames - A Boolean value. If true, the userid sent in a WS-Trust request will be of the form CustomerID_userid.

      • The customerID will be extracted from the tenantID passed in the SOAP request.

      • If this attribute is set to true, the tenantID must be of the form "CustomerID_somestring".

    • transmitTenant - Transmit the entire tenant id, not just the customer id portion, with a WS-Trust request.

      • The transmitTenant and qualifyUserNames elements should not be used together. If both elements are present, the qualifyUserNames element will be ignored.

  • internalUserAttribute - The name of a SAML claim whose value is a displayable user name.

    • If the logon process results in the automatic creation of a record in r5users, the value of this attribute will be used to populate the usr_code column (provided the value is <= 30 characters). This column will be displayed to end users on various screens.

  • emailAttribute - The name of a SAML claim whose value contains the user’s email address.

    • If the logon process results in the automatic creation of a record in r5users, the value of this claim will be used to populate the email address in r5users.

  • userDescriptionAttribute - The name of a SAML claim whose value contains a description of the user. The value will be used to populate the description in r5users.