New release coming soon. Head over to our YouTube channel for updates:
SoftwareOne Marketplace Platform
Sign InJoin

How do I set up SSO?

Our platform has an SSO Authentication framework that integrates with existing Identity provider tools (such as Azure AD and ADFS) and SAML-based tools (such as Okta and Ping).

Setting up SSO with SAML

Process

  1. The customer provides SoftwareOne with basic metadata about their IdP. If your SSO tool requires the Assertion Consumer Service URL and Entity ID, contact SoftwareOne.

  2. SoftwareOne proceeds with a basic setup on the Client Portal IdP and provides the customer with {connection_name} that'll be used for further configuration.

  3. The customer proceeds and finalizes the setup from their side.

  4. All logins to the Client Portal for any of the specified IdP domains will be federated out to the customer's SAML-based IdP.

Set up information required by the Client Portal

  1. IdP Domains - List of email domains, for example @user.org, for which authentication should be federated out to the customer's IdP.

  2. Sign-in URL - HTTP-POST or HTTP-Redirect binding.

  3. Sign Out URL

  4. X509 Signing Certificate - In the .pem or .cer format.

Technical specification

Capabilities

We support the items listed in the following table:

Item
Details

Supported Protocol Bindings

HTTP-POST & HTTP-Redirect

SAML Authentication Requests signed

Yes (by default)

Sign Request Algorithm

RSA-SHA256 (default) or RSA-SHA1

Sign Request Algorithm Digest

SHA256 (default) or SHA1

Signing Certificate Strength

2048 Bit RSA

IdP-Initiated SSO

Supported, but strongly discouraged

Settings

{connection_name} is a verbatim string that SoftwareOne will provide after receiving the initial configuration settings from you.

Setting
Value

Entity ID

urn:auth0:pyc:{connection_name}.

Example: If your connection_name is demo_company, the Entity ID on Production will be

urn:auth0:pyc:demo_company

Assertion Consumer Service URL

https://{idp_base_url}/login/callback?connection={connection_name}

Example: If your connection_name is demo_company, the Assertion Consumer Service URL on Production will be: https://login.pyracloud.com/login/callback?connection=demo_company

Metadata URL

https://login.pyracloud.com/samlp/metadata?connection={connection_name}

Single Logout URL

https://login.pyracloud.com/logout

Single Login URL

Attribute Mappings

The Client Portal requires the following attributes via the specified mappings:

Attribute
Mapping

user_id

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Fallback URL 1: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Fallback URL 2: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

email

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

given_name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Fallback URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

family_name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

The attributes must satisfy at least one mapping for all properties above. If your IdP provides values for the required attributes in different claims/namespaces, provide a list of claims to be used for all attributes above.

Make sure to provide the attribute values as they are without any modifications. URLs are sometimes changed by security software; for example, Proofpoint’s Targeted Attack Protection adds urldefense.com at the beginning of links.

Setting up SSO with Azure AD

To set up SSO with the Client Portal via Azure AD, complete the following steps. SoftwareOne will then enable SSO with your Azure AD.

Process

1

Register the Client Portal with Azure AD

  2. Search for and select Azure Active Directory.

  3. Under Manage, select App registrations.

  4. Select New Registration.

  5. In Register an application, enter a meaningful application name to display to the users, for example, Client Portal.

  6. In Supported account types, select Accounts in any organizational directory (Any Microsoft Entra directory - Multitenant).

  7. In Redirect URI, select the Redirect URI type as Web, and enter your callback URL: https://login.pyracloud.com/login/callback.

  8. Click Register.

2

Create a client secret

SoftwareOne will use the client secret to interact with your Azure subscription on behalf of the created application. Follow these steps to create a secret:

  1. From the Overview page of the app, select Certificates & secrets > Client secrets > New client secret.

  2. Add a description for your client secret.

  3. Set the expiration date for the secret.

  4. Select Add.

  5. Make a note of the client's secret value. The value won't be accessible again after you leave this page.

We recommend that you create a reminder to renew your client secret at least two weeks before it expires. Once you've created a new secret, provide the value to SoftwareOne so that it can be updated in the system. If your client secret has expired or is no longer valid, you won't be able to sign in to the Client Portal using SSO.

3

Add API permissions

Follow these steps to add permissions that allow read access to users and the user directory:

  1. From the app Overview page, select API permissions.

  2. Under Configured permissions, select Add a permission.

  3. Configure permissions for the Microsoft Graph API.

  4. After selecting the API, the Request API Permissions page is displayed.

  5. Enable the following permissions:

    • Users > User.Read

    • Directory > Directory.Read.All

  6. Select Add permissions to complete the process.

Enabling the Directory > Directory.Read.All permission is optional. If you want to benefit from future user auto-provisioning, turn it on. However, for SSO to work, this permission is not required.

4

Send the details to Marketplace Platform support

Inputs required
Notes

Application Client ID

Application Client Secret

Microsoft Azure AD Domain

Your Azure AD domain name. You can find this on your Azure AD directory's overview page in the Microsoft Azure portal.

IdP Domains

A list of all email domains that must be authenticated through the federated Azure AD, for example, @customer.com.

Usually 1 domain but can also be multiple.

After we receive the information, we will finalize the setup. The Client Portal will then automatically start redirecting all users from the specified IdP domains to your Azure AD for federated authentication.

Technical specification

Capabilities

We support the items listed in the following table:

Item
Detail

Identity API

Azure Active Directory (v1) (default) & Microsoft Identity Platform (v2).

Protocol used for federated Sign-In

OpenID Connect (default) or WS Federation.

Settings

Setting
Value

Application type

Multitenant / Web

Redirect URI

https://{idp_base_url}/login/callback*

The redirect URI on Production will be:

https://login.pyracloud.com/login/callback

Attribute Mappings

The Client Portal queries the following basic profile attributes from Azure AD:

  • upn

  • azure_id

  • given_name

  • family_name

  • nickname

  • tenantid

  • oid

  • email

  • name

Setting up SSO with ADFS

Process

  1. The customer configures their ADFS server according to technical requirements.

  2. The customer provides ADFS Metadata/IdP domains to SoftwareOne.

  3. SoftwareOne will complete the ADFS setup.

Set up information required by the Client Portal

Input
Notes

ADFS Metadata Source

Either the URL or the Federation Metadata file. The URL usually ends in /FederationMetadata/2007-06/FederationMetadata.xml.

IdP Domains

List of all email domains that should be authenticated through the federated ADFS server, for example, @customer.com.

Usually 1 domain, but can also be multiple.

Technical specification

Capabilities

We support the items listed in the following table:

Item
Detail

Federation Metadata Discovery (Automated Certificate Rollover)

Yes – if ADFS Metadata Source is provided as URL.

Settings

Setting
Value

Realm Identifier

urn:auth0:{environment_name}

For example, urn:auth0:pyc on Production.

Endpoint

https://{idp_base_url}/login/callback*

The endpoint URL on Production will be: https://login.pyracloud.com/login/callback

Attribute Mappings

By default, the Client Portal expects the following attributes from ADFS via the specified mappings:

LDAP attribute
Outgoing claim type
Namespace

E-Mail-Addresses

E-Mail Address

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Display-Name

Name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

User-Principal-Name

Name ID

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Given-Name

Given Name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Surname

Surname

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

Setting up SSO with PingFederate

Process

  1. The customer provides Signing Certificates/IdP domains to SoftwareOne.

  2. SoftwareOne will complete the SSO setup.

Set up information required by the Client Portal

  1. PingFederate Server URL.

  2. X509 Signing Certificate in the .pem or .cer format.

  3. IdP Domains: List of all email domains that should be authenticated through the federated ADFS server (for example, @customer.com). Usually just one, but can also be multiple.

Technical specification

Attribute Mappings

By default, the Client Portal requires the following attributes via the specified mappings:

Attribute
Mappings

user_id

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier

Fallback URL 1: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn

Fallback URL 2: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

email

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

given_name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Fallback URL:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

family_name

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

The provided attributes must satisfy at least one mapping for all properties above. If your IdP provides values for the required attributes in different claims/namespaces, please provide a list of claims to be used for all attributes above.

Handling unknown or new users (Ad Hoc Provisioning)

If an email domain is federated out to the user's identity provider, the Client Portal may receive sign-in attempts from users who are not set up as Client Portal users.

In such cases, if authenticated users from a federated connection are not Client Portal users, their login to Client Portal will fail with an error message stating that their account is not set up and they don't have access.

PreviousI'm unable to view the Reserved Instance dataNextHow do I configure conditional access policies?

Last updated

Was this helpful?