The ssoLogonDef block is used only when connecting to a SAML2-compliant SSO server. It must not be used for custom SSO implementations.

- name - Each logon definition must have a unique name. The name must be unique across all ssoLogonDef and customLogonDef blocks.

- logonURL - The URL of the HxGN EAM module that communicates with the SAML server.
  - Since the browser will be redirected to this URL, the URL must be accessible from the browser.
  - The default value will normally not need to be changed.

- logoutURL - The URL to which the browser will be redirected when the user logs out of HxGN EAM.
  - Note: Do not set the logoutURL to the HxGN EAM login page. If the logoutURL points to the login page, users will be unable to log out at all.

- ssoLogoutURL - The URL to which the browser will be redirected if the HxGN EAM session times out.

- STSEndpoint
  - Use a browser to access the ADFS mex address endpoint (see 'STSMexAddress' below).
  - In the resulting XML document, search for an address ending in "2005/usernamemixed".
  - Use the entire URL for the STSEndpoint.

- STSKeyType
  - The default value should not be altered.

- STSMexAddress
  - To find the Message Exchange Address using the ADFS console:
    - Navigate to Service > Endpoints.
    - Locate the Metadata section.
    - The Metadata section should contain an entry whose type is WS-MEX.
    - Copy the URL Path for this entry.
  - The complete mex address is a URL using this path. The mex address will look something like https://<adfsserver>:<optional port>/adfs/services/trust/mex.

- STSPolicyID - Should be left blank when connecting to ADFS.

- userAttribute - The name of the SAML attribute containing the userid (the unique identifier for the user).
  - This value must exactly match, including case, a Claim Type in ADFS.
  - See the Claim Descriptions screen (under the Service tab).
  - Filter
    - If the userid is only a substring of the value returned in the SAML claim, a filter may be specified to extract the userid from the SAML value.
    - Requirements for the filter string:
      - It must be a valid Java regular expression.
      - Group number 1 will be used to extract the userid substring. If other groups exist, they must be non-capturing.
    - If the filter is omitted, the entire SAML value will be used.
- primaryRoleAttribute - The name of the SAML attribute containing an EAM role name.
  - The value must match a role defined on the EAM roles screen.
  - This value must exactly match, including case, a Claim Type in ADFS.
  - See the Claim Descriptions screen (under the Service tab).
  - If this value is omitted, user records must already exist in the EAM database.
  - Filter (see details under the userAttribute above).
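As an added illustration of the filter rules for userAttribute and primaryRoleAttribute (example code written for this page, not HxGN EAM's own code), the helpers below validate a filter string and apply it to constructed claim values. They are written in Python; for the constructs used here (capturing group 1, non-capturing `(?:...)` groups) Python's re module behaves the same as Java's java.util.regex. Assumptions: the filter is applied with a find-style match, and the helper names are hypothetical.

```python
import re
from typing import Optional


def filter_problem(pattern: str) -> Optional[str]:
    """Check a filter against the page's rules: it must compile as a regular
    expression and contain exactly one capturing group (group 1); any other
    group must be non-capturing, i.e. (?:...). Returns None when acceptable,
    otherwise a description of the problem."""
    try:
        compiled = re.compile(pattern)
    except re.error as exc:
        return f"not a valid regular expression: {exc}"
    if compiled.groups != 1:
        return (f"expected exactly one capturing group, found {compiled.groups}; "
                "write additional groups as (?:...)")
    return None


def extract_userid(saml_value: str, filter_pattern: Optional[str]) -> Optional[str]:
    """Derive the userid from a SAML claim value. With no filter the entire
    value is used; otherwise group 1 of the first match is the userid.
    Assumption (not stated on the page): a find-style match (re.search) is used.
    Returns None when the filter is invalid or does not match."""
    if not filter_pattern:
        return saml_value
    if filter_problem(filter_pattern) is not None:
        return None
    match = re.search(filter_pattern, saml_value)
    return match.group(1) if match else None


# Constructed sample filters (not from the page).
UPN_FILTER = r"^([^@]+)@(?:corp|lab)\.example\.com$"  # userid before '@'; domain is non-capturing
DOMAIN_FILTER = r"^(?:[A-Za-z]+\\)?(\w+)$"             # optional DOMAIN\ prefix, non-capturing
BAD_FILTER = r"^(\w+)@(\w+)$"                           # two capturing groups: must be rejected

if __name__ == "__main__":
    print(extract_userid("jsmith@corp.example.com", UPN_FILTER))  # jsmith
    print(extract_userid("CORP\\jsmith", DOMAIN_FILTER))          # jsmith
    print(extract_userid("jsmith@corp.example.com", None))        # jsmith@corp.example.com
    print(filter_problem(BAD_FILTER))
```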
- identityProviderID - A unique identifier for the Identity Provider (e.g. ADFS).
  - By default this value will be automatically populated using the idpEntityID from the YAML configuration.
  - The value only needs to be entered manually if more than one Identity Provider is configured. The ID should be copied from the entityID attribute in the appropriate idp*.xml file.

- identityProviderType - Defaults to ADFS. This setting should be left unchanged when connecting to ADFS.

- logonRedirectTimeout
  - When control returns to EAM from an SSO server, parameters are passed to EAM in an encrypted string by means of an HTTP POST from the browser.
  - To minimize the possibility of a replay attack, the encrypted string contains a timestamp indicating how long the string remains valid.
  - The timestamp value is given in seconds.
  - The server defaults this value to 300 seconds. The minimum value is 5 seconds; any smaller value will be ignored.
- faaConfig - This section is only used when EAM is running in the SAAS environment.
  - tenantCookieDomain
    - The domain name to use when setting the FAACustomerID cookie.
    - The name will normally begin with a dot ('.').
    - If this property is present, the tenantID must be of the form "CustomerID_somestring".
  - qualifyUserNames
    - A Boolean value. If true, the userid sent in a WS-Trust request will be of the form "CustomerID_userid".
    - The CustomerID will be extracted from the tenantID passed in the SOAP request.
    - If this attribute is set to true, the tenantID must be of the form "CustomerID_somestring".
  - transmitTenant
    - Transmit the entire tenant id, not just the customer id portion, with a WS-Trust request.
    - The transmitTenant and qualifyUserNames elements should not be used together. If both elements are present, the qualifyUserNames element will be ignored.
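The faaConfig rules above (tenantID form, CustomerID extraction, and transmitTenant taking precedence over qualifyUserNames) as an added worked example, not code from HxGN EAM. Assumptions: the CustomerID is everything before the first underscore of the tenantID, the request is modelled as a (userid, tenant) pair, and the class and function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# tenantID form required when tenantCookieDomain is present or qualifyUserNames is true:
# "CustomerID_somestring". Assumption: CustomerID is the text before the first underscore.
TENANT_ID_FORM = re.compile(r"^([^_]+)_.+$")


@dataclass
class FaaConfig:
    """Hypothetical in-memory view of the faaConfig section (element names from the page)."""
    tenantCookieDomain: Optional[str] = None
    qualifyUserNames: bool = False
    transmitTenant: bool = False


def tenant_id_valid(tenant_id: str) -> bool:
    """True when the tenantID has the required "CustomerID_somestring" form."""
    return TENANT_ID_FORM.match(tenant_id) is not None


def customer_id(tenant_id: str) -> str:
    """Extract the CustomerID portion of a well-formed tenantID."""
    match = TENANT_ID_FORM.match(tenant_id)
    if match is None:
        raise ValueError(f"tenantID {tenant_id!r} must be of the form CustomerID_somestring")
    return match.group(1)


def ws_trust_identity(userid: str, tenant_id: str, cfg: FaaConfig) -> Tuple[str, Optional[str]]:
    """Return (userid to send, tenant id to transmit) for a WS-Trust request.
    transmitTenant sends the whole tenantID and causes qualifyUserNames to be
    ignored; qualifyUserNames alone prefixes the userid with "CustomerID_"."""
    if cfg.tenantCookieDomain is not None or cfg.qualifyUserNames:
        customer_id(tenant_id)  # enforce the tenantID form the page requires
    if cfg.transmitTenant:
        return userid, tenant_id
    if cfg.qualifyUserNames:
        return f"{customer_id(tenant_id)}_{userid}", None
    return userid, None


if __name__ == "__main__":
    # Constructed sample values, not from the page.
    print(ws_trust_identity("jsmith", "ACME_prod", FaaConfig(qualifyUserNames=True)))
    print(ws_trust_identity("jsmith", "ACME_prod", FaaConfig(qualifyUserNames=True, transmitTenant=True)))
```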
- internalUserAttribute - The name of a SAML claim whose value is a displayable user name.
  - If the logon process results in the automatic creation of a record in r5users, the value of this attribute will be used to populate the usr_code column (provided the value is <= 30 characters). This column will be displayed to end users on various screens.

- emailAttribute - The name of a SAML claim whose value contains the user's email address.
  - If the logon process results in the automatic creation of a record in r5users, the value of this attribute will be used to populate the email address in r5users.

- userDescriptionAttribute - The name of a SAML claim whose value contains a description of the user. The value will be used to populate the description in r5users.