
Administration permission required: Configuration

The ‘single sign-on’ feature uses a trusted third-party identity provider (IDP) to allow users to sign in to Phocas with the same credentials they use for other applications. Single sign-on uses a standard web protocol known as SAML (Security Assertion Markup Language), which works by passing a user’s identity from one place to another, in other words from your IDP to Phocas, as digitally signed (and optionally encrypted) XML assertions.

Learn about how single sign-on impacts users

When you enable single sign-on, users will see an additional button (Sign-in via...) on the Phocas sign-in screen, giving them the option to sign in via the IDP.

When the user clicks this button:

  • If the user is already authenticated with your IDP, they are taken straight into Phocas.

  • If they're not yet authenticated, they are taken to a second sign-in window, where they enter their credentials for the provider.

  • When the user is finished using Phocas, they still need to manually sign out of Phocas in the usual way, even if they have signed out of other applications that use the IDP. Without signing out, the duration of a session will depend on your provider and other factors, such as how often users clear cookies.

Enable single sign-on

  1. Click the Phocas menu button > Administration > Configuration, then scroll down to the SAML section.

  2. Select the Enable SAML checkbox. The SAML configuration settings display.

  3. Configure the SAML:

      • Enter the Identity Provider (IDP) information. See the note below for more information.

      • Copy the Service Provider (SP) information and paste it into your IDP application. See the note below for more information.

  4. Click Save.

Information about the IDP you enter in Phocas

As shown in the image below, there are some details you will need to get from the IDP you are using. It can be useful to have the Configuration screen and the relevant settings page from your IDP open side by side. Depending on your provider, this information might be called something different from what it is called in Phocas.

The X.509 certificate is a commonly used standard in internet protocols and, although it is not compulsory, it is strongly recommended that you copy these details from your IDP and enter them into Phocas. If you make an error when pasting and try to save your configuration changes, the certificate text will turn red and show an error message. Check that you have copied the entire text and have not accidentally added spaces or deleted anything.
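The kinds of paste errors described above (a lost tail, a stray character, a missing marker) can be caught before the text is saved. The following is an added example, not Phocas code and not part of the original page: it checks a pasted PEM certificate for its BEGIN/END markers, decodes the base64 body, and verifies that the DER length field agrees with the number of bytes actually present, which is what exposes a certificate whose last lines were dropped. The sample certificate it builds is a constructed ASN.1 placeholder, not a real X.509 certificate.

```python
import base64
import binascii
import re

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def check_pasted_certificate(pem_text: str) -> dict:
    """Report whether pasted PEM text is structurally intact.

    Returns {"ok": bool, "reason": str, "der_length": int}. Checks:
      1. both PEM markers are present, in order;
      2. the body is valid base64 once line breaks are removed
         (a stray character pasted into the middle fails here);
      3. the decoded bytes start with an ASN.1 SEQUENCE (0x30) and the
         DER length field matches the bytes present, so a paste that
         lost its tail fails even though the base64 still decodes.
    """
    text = pem_text.strip()
    start = text.find(PEM_HEADER)
    end = text.find(PEM_FOOTER)
    if start == -1 or end == -1 or end < start:
        return {"ok": False, "reason": "BEGIN/END CERTIFICATE markers missing or out of order", "der_length": 0}

    # Drop the 64-column line breaks and any whitespace an editor wrapped in.
    body = re.sub(r"\s+", "", text[start + len(PEM_HEADER):end])
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        return {"ok": False, "reason": f"body is not valid base64: {exc}", "der_length": 0}

    if len(der) < 2 or der[0] != 0x30:
        return {"ok": False, "reason": "decoded data does not start with an ASN.1 SEQUENCE", "der_length": len(der)}

    # DER length: short form (< 0x80) or long form (0x80 | number of length bytes).
    first = der[1]
    if first < 0x80:
        header_len, declared = 2, first
    else:
        n = first & 0x7F
        if len(der) < 2 + n:
            return {"ok": False, "reason": "DER length field is itself truncated", "der_length": len(der)}
        header_len = 2 + n
        declared = int.from_bytes(der[2:2 + n], "big")

    if header_len + declared != len(der):
        return {
            "ok": False,
            "reason": f"DER length field says {declared} bytes but {len(der) - header_len} are present (incomplete paste?)",
            "der_length": len(der),
        }
    return {"ok": True, "reason": "certificate structure is intact", "der_length": len(der)}


def make_sample_pem() -> str:
    """Constructed placeholder: a DER SEQUENCE holding 256 filler bytes, NOT a real certificate."""
    payload = bytes(range(256))
    der = b"\x30\x82\x01\x00" + payload  # SEQUENCE, long-form length 0x0100
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([PEM_HEADER, *lines, PEM_FOOTER])


def truncated_sample_pem() -> str:
    """The same placeholder with its last body line deleted, as in a bad paste."""
    lines = make_sample_pem().splitlines()
    return "\n".join(lines[:-2] + lines[-1:])


if __name__ == "__main__":
    for label, pem in (("complete", make_sample_pem()), ("truncated", truncated_sample_pem())):
        print(label, check_pasted_certificate(pem))
```

The length check is the useful part: base64 happily decodes a body that is missing whole lines as long as what remains is a multiple of four characters, so only comparing the DER header against the decoded size tells you the paste is incomplete.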

Information about Phocas you provide to your IDP

When you enable SAML, Phocas will automatically populate the details in the Service Provider (SP) section. The service provider is the system (Phocas) that wants to use SAML to authenticate its users. Click the Copy button to copy this information and paste it into the relevant fields in your IDP application.

If you have an on-premise installation of Phocas, you are also asked for an Application URL. You find this in the top section of the Configuration screen.

Specific URL to a favorite or other resource

In an IDP-initiated single sign-on flow, the IDP might supply a path to a specific resource (such as an embedded favorite) in the RelayState parameter of the request. When sign-on succeeds, the application automatically redirects to the URL specified in the RelayState parameter.

For example, the RelayState below specifies the path '/favourite/Embed/3140', which identifies a particular favorite in Phocas.


When the user signs in successfully via a SAML request, they are automatically taken to the favorite, as shown below.
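Because the application redirects to whatever RelayState names, a service provider should only honour values that stay on its own origin. The following is an added example of that check, written for a generic SAML service provider; it is not Phocas code and the page does not describe how Phocas itself treats RelayState. It accepts the page's '/favourite/Embed/3140' path and falls back to a default landing page for absolute URLs, protocol-relative URLs, non-path schemes, control characters, and values over the 80-byte limit the SAML 2.0 Bindings specification places on RelayState. The sample values other than the page's own path are constructed.

```python
import posixpath
from urllib.parse import urlsplit

# SAML 2.0 Bindings limit RelayState to 80 bytes; longer values are not ours.
MAX_RELAY_STATE_BYTES = 80


def safe_relay_state_target(relay_state, default="/"):
    """Return the in-app path to redirect to after an IDP-initiated sign-on.

    Only a rooted, same-origin path (optionally with a query string) is
    honoured. Anything that could leave the application, such as an absolute
    URL, '//host', '/\\host', a 'javascript:' value or a header-injecting
    control character, falls back to `default`, so RelayState cannot be
    turned into an open redirect.
    """
    if not relay_state:
        return default
    if len(relay_state.encode("utf-8")) > MAX_RELAY_STATE_BYTES:
        return default
    value = relay_state.strip()
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in value):
        return default

    parts = urlsplit(value)
    if parts.scheme or parts.netloc:  # absolute or protocol-relative URL
        return default
    path = parts.path
    if not path.startswith("/") or path.startswith(("//", "/\\")):
        return default

    # Collapse '.' and '..' segments; the result must still be rooted.
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        return default
    return path + ("?" + parts.query if parts.query else "")


def handle_idp_initiated_post(form):
    """Given the HTTP-POST binding form fields, return the post-sign-on redirect.

    Validation of the SAMLResponse itself (signature, audience, conditions)
    is assumed to be done by the SAML library before this point.
    """
    return safe_relay_state_target(form.get("RelayState"))


if __name__ == "__main__":
    # Constructed form as an IDP would POST it; the SAMLResponse is a placeholder.
    form = {"SAMLResponse": "<base64 placeholder>", "RelayState": "/favourite/Embed/3140"}
    print(handle_idp_initiated_post(form))
    for bad in ("https://evil.example/phish", "//evil.example/phish", "javascript:alert(1)", "x" * 81):
        print(repr(bad), "->", safe_relay_state_target(bad))
```

Normalising '..' segments rather than rejecting them keeps legitimate but untidy paths working while still guaranteeing the user ends up inside the application.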
