If you're an administrator with the Configuration permission, you can enable single sign-on to Phocas.

Learn about single sign-on

Single sign-on uses a trusted third-party identity provider (IDP) to allow users to sign in to Phocas with the same credentials they use for other applications. It is built on a standard web protocol known as SAML (Security Assertion Markup Language), which securely passes a user's identity from one place to another, in this case from your IDP to Phocas, in digitally signed and encrypted XML messages.


What the user will see

When you enable single sign-on, users see an additional button (Sign-in via...) on the Phocas sign-in screen, below the usual sign-in area. It offers the option of signing in via the IDP you are using.

(Image)

When the user clicks this button:

  • If the user is already authenticated with your IDP, they are taken straight into Phocas.
  • If they're not yet authenticated, they are taken to a second sign-in window, where they enter their credentials for the provider.

Note that when the user is finished using Phocas, they still need to sign out of Phocas manually in the usual way, even if they have signed out of other applications that use the IDP. Without signing out, the duration of a session depends on your provider and other factors, such as how often users clear cookies.

Enable single sign-on

  1. Click the Phocas menu button > Administration > Configuration, then scroll down to the SAML section.
  2. Select the Enable SAML checkbox. The SAML configuration settings display.
  3. Configure the SAML settings:
     • Enter the Identity Provider (IDP) information. See the note below for more information.
     • Copy the Service Provider (SP) information and paste it into your IDP application. See the note below for more information.
  4. Click Save.

Information about the IDP you enter in Phocas

As shown in the image below, there are some details you will need to get from the IDP you are using. It can be useful to have the Configuration screen and the relevant settings page from your IDP open side by side. Depending on your provider, this information might be called something different to what it is called in Phocas.

Note about the X509 certificate: the X509 certificate is a commonly used standard in internet protocols and, although it is not compulsory, it is strongly recommended that you copy these details from your IDP and enter them into Phocas. In SAML, the IDP's certificate is what the service provider uses to verify the digital signature on the identity information it receives. If you make an error when pasting and try to save your configuration changes, the certificate text turns red and shows an error message. Check that you have copied the entire text and have not accidentally added spaces or deleted anything.

(Image)

Information about Phocas you provide to your IDP

When you enable SAML, Phocas automatically populates the details in the Service Provider (SP) section. The service provider is the system (Phocas) that wants to use SAML to authenticate its users. Click the Copy button to copy this information and paste it into the relevant fields in your IDP application.

(Image)

If you have an on-premise installation of Phocas, you are also asked for an Application URL. You find this in the top section of the Configuration screen (shown below).

(Image)
Specific URL to a favorite or other resource

In an IDP-initiated single sign-on flow, the IDP might supply a path to a specific resource (such as an embedded favorite) in the RelayState parameter of the request. When the sign-on succeeds, the application automatically redirects to the URL specified in the RelayState parameter.

For example, the RelayState below specifies the path '/favourite/Embed/3140', which identifies a particular favorite in Phocas.

(Image)

When the user signs in successfully via a SAML request, they are automatically taken to the favorite, as shown below.

(Image)
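The RelayState path arrives with the request rather than from the application's own configuration, so an application that redirects to it should confirm the value points inside the application before following it. The function below is an added example (not Phocas code) of that check for a path such as '/favourite/Embed/3140': it accepts only a relative path on the current site, keeps any query string, and falls back to a default landing page for anything else, so an unexpected value can at worst send the user to the home page rather than to another site. The default landing path and the sample values are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed landing page used when RelayState is absent or not usable.
DEFAULT_LANDING = "/"


def safe_relay_state_path(relay_state, default=DEFAULT_LANDING):
    """Return the local path to redirect to after sign-on, or `default`.

    A value is accepted only if it is a path within this application:
    it must start with a single '/', carry no scheme and no host, and
    contain no backslashes or control characters.
    """
    if not relay_state:
        return default
    value = relay_state.strip()

    # Backslashes are treated as forward slashes by some browsers, and control
    # characters have no place in a path, so reject both outright.
    if "\\" in value or any(ord(c) < 0x20 for c in value):
        return default

    # A leading '//' is a scheme-relative URL (another host), not a local path.
    if value.startswith("//"):
        return default

    parts = urlsplit(value)
    # Anything with a scheme (https:, javascript:) or a host leaves the site.
    if parts.scheme or parts.netloc:
        return default
    # Only absolute paths within the application are meaningful here.
    if not parts.path.startswith("/") or parts.path.startswith("//"):
        return default

    # Rebuild from the parsed parts so only path, query and fragment survive.
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample values: one valid favorite path and a few rejected ones.
    for candidate in ["/favourite/Embed/3140", "https://other.example/", "//other.example/", ""]:
        print(repr(candidate), "->", safe_relay_state_path(candidate))
```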