
If you're an administrator with 'Configuration' permission you can enable single sign-on to Phocas. Using a trusted third-party identity provider (IDP) you can allow users to manually sign in to Phocas using the same credentials they use for other applications.  

This is achieved using a standard web protocol known as SAML (Security Assertion Markup Language), which passes a user's identity from one place to another, i.e., from your IDP to Phocas, in digitally signed (and optionally encrypted) XML assertions.


What the user will see

Once you enable single sign-on users will see an additional option on the Phocas sign-in screen, below the usual sign-in area. It will offer the option of signing in via the IDP you are using. If the user is already authenticated with your IDP, selecting 'Sign-in via ...' takes them straight into Phocas. If they're not yet authenticated, they will be taken to a second sign-in window where they enter their credentials for the provider. 

Note that once they have finished using Phocas they still need to manually sign out of Phocas in the usual way, even if they have signed out of other applications that use the IDP. Without signing out, the duration of a session will depend on your provider and other factors such as how often users clear cookies etc.

Enabling single sign on

Go to Administration > Configuration. Towards the bottom of the screen, you'll see a section titled SAML.

Tick 'Enable SAML'.

How to configure single sign on

Information about the IDP you enter in Phocas

As shown in the image below, there are some details you will need to get from the IDP you are using. It can be useful to have the Configuration screen and the relevant settings page from your IDP open side by side. Note that depending on your provider, this information may be called something different to what we call it in Phocas.

Note about the X.509 certificate. X.509 is the certificate standard commonly used in internet protocols; here it is the certificate your IDP uses to sign the SAML assertions it sends to Phocas. Although it is not compulsory, we strongly recommend you copy these details from your IDP and enter them in the relevant field, so that Phocas can verify the signature on the assertions it receives. If you make an error when pasting and try to save your configuration changes, the certificate text will turn red and show an error message. Check you have copied the entire text and have not accidentally added spaces or deleted anything.
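The paste errors described above (missing text, stray spaces, a truncated block) can be caught before saving. The following is an added example, not Phocas code and not the check the Configuration screen itself performs: it strips the PEM armour, insists on clean base64, and confirms the decoded DER structure has the length its own header declares, which is what a truncated or over-long paste breaks. The sample certificate body is a constructed minimal DER SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# PEM armour as exported by most IDPs (header/footer lines are optional in
# this check because some providers export only the base64 body).
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def check_pasted_certificate(text: str) -> tuple[bool, str]:
    """Return (ok, reason) for an X.509 certificate pasted as PEM/base64.

    Only line breaks are removed: a space inside the body is treated as a
    paste error, as are a truncated body and extra characters.
    """
    m = PEM_RE.search(text)
    body = m.group(1) if m else text
    body = "".join(line.strip() for line in body.splitlines())
    if not body:
        return False, "no certificate data found"
    if not BASE64_RE.fullmatch(body):
        return False, "body contains characters that are not base64 (stray space?)"
    if len(body) % 4 != 0:
        return False, "base64 length is not a multiple of 4 (truncated or extra characters)"
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        return False, f"base64 decode failed: {exc}"

    # A certificate is a DER SEQUENCE (tag 0x30) whose header states the
    # length of everything that follows; compare it with what we received.
    if len(der) < 2 or der[0] != 0x30:
        return False, "decoded data does not start with a DER SEQUENCE"
    if der[1] < 0x80:                       # short-form length
        declared, header_len = der[1], 2
    else:                                   # long-form: 0x8N then N length bytes
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False, "malformed DER length"
        declared = int.from_bytes(der[2:2 + n], "big")
        header_len = 2 + n
    actual = len(der) - header_len
    if actual < declared:
        return False, f"certificate is truncated ({actual} of {declared} bytes)"
    if actual > declared:
        return False, f"certificate has {actual - declared} trailing bytes"
    return True, "certificate structure looks intact"


# Constructed sample: DER SEQUENCE { INTEGER 5 } = 30 03 02 01 05, not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    for label, candidate in [
        ("intact", SAMPLE_PEM),
        ("space inserted", SAMPLE_PEM.replace("MAMCAQU=", "MAMC AQU=")),
        ("base64 truncated", SAMPLE_PEM.replace("MAMCAQU=", "MAMCAQ")),
        ("DER truncated", SAMPLE_PEM.replace("MAMCAQU=", "MAMCAQ==")),
    ]:
        print(label, "->", check_pasted_certificate(candidate))
```

This only confirms the block was pasted whole; it does not validate the certificate chain or confirm the certificate belongs to your IDP, which is what comparing it against the IDP's settings page does.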


Information about Phocas you provide to your IDP

Once you enable SAML, Phocas will automatically populate the fields under the 'Service Provider' heading. The service provider is the system, i.e., Phocas, that is wanting to use SAML to authenticate its users. Use the copy icon to copy this information and paste it into the relevant fields in your IDP application.

Note if you have an on-premise installation of Phocas, you will also be asked for 'Application URL'. This can be found in the top section of the Configuration screen (shown below).

Specific URL to a favorite or other resource

In an IDP-initiated single sign-on flow, the IDP may supply a path to a specific resource (e.g. an embedded favorite) in the RelayState parameter of the request. Once sign-on succeeds, the application automatically redirects the user to the path specified in the RelayState parameter.

  • For example, the RelayState below specifies the path '/favourite/Embed/3140' - which identifies a particular favorite in Phocas.

 

  • When the user signs in successfully via a SAML request, they are automatically taken to the favorite, as shown below.