The HxGN EAM Single Sign-On module authenticates users by exchanging SAML messages with a SAML-aware Single Sign-On server known as an Identity Provider (IDP).
The module within an application responsible for communicating with the IDP is called a Service Provider (SP).
A typical HxGN EAM installation will be configured with one SP and one IDP. Most of this document will focus on the configuration necessary for this deployment scenario. It is possible to configure multiple SP's and/or multiple IDP's. See Multiple identity providers and Multiple service providers.
The instructions assume both HxGN EAM and the IDP have already been installed, presumably on two different machines.
SAML authentication requires that a trust relationship be established first between the IDP and SP servers. An IDP will only allow an SP to use its authentication service if it has been configured to recognize the SP. The SP, in turn, will trust the SAML claims it receives from the IDP because it has been provided with the digital certificate the IDP uses to sign SAML messages. The trust relationship between IDP and SP is established by exchanging metadata files between the two applications. The IDP and SP each generate a metadata file, an xml file that is passed to the other party with information necessary to create the trust relationship.
Single Sign-On is supported through an external logon feature. When HxGN EAM is configured for external logons, it bypasses its own logon screen and uses an external server to authenticate users. The main reason for employing an external server is to support single sign-on. By default, the external logon mechanism makes use of EAM’s Single Sign-on module. Alternatively, a custom logon module may be substituted to connect to a wide variety of external SSO servers.
See Creating a custom logon module.
This document discusses SSO configuration for both cloud and on-premise installations of EAM. The sections describing how to configure EAM files and directories only apply to on-premise installations.