Enabling Single Sign-On (SSO)

Single sign-on (SSO) lets you and/or your clients log into your system without providing you with their credentials (username and password).  This gives organizations more control over authentication when their users log into third party systems.

trackops-saml2.png

Trackops offers the ability to act as a SAML 2.0 Service Provider (SP), allowing you and/or your clients to authenticate via an Identity Provider (IdP) and access your Trackops system using single sign-on. 

The process of setting up SSO for your clients is simple once you have the required information.  In the examples below, if you are setting up SSO for your own organization, treat yourself as the client when following the instructions. Let's get started!

Step 1: Requesting Identity Provider Information from the Client

In order to enable SSO, you must first establish a trust relationship between the service provider (Trackops) and your client's identity provider (IdP).  To do this, we need to obtain several important pieces of information from the client that will allow us to establish this trust relationship.

You will need:

  • Entity ID / Issuer URL - A URL that identifies the identity provider's SSO configuration.
  • SSO URL / Login URL - The URL of the identity provider's (client's) login page.
  • x509 Certificate - The public certificate used to sign assertions made by the identity provider.

Tip: If your client offers you a metadata URL, Trackops can automatically retrieve the necessary attributes using that URL.

Step 2: Configuring a new Identity Provider

To configure a new Identity Provider (IdP) inside Trackops, head over to Settings, and then click Identity Providers.  From here, click New Identity Provider.

If you have previously obtained a metadata URL from the IdP, simply copy and paste it into the Metadata URL box and click Continue.  This will allow Trackops to automatically configure the identity provider for you. 

new-idp-metadata-url.png

If you do not have a metadata URL, simply click Continue to manually configure the provider.

  • Name - A unique name that will help you identify this identity provider in the list (e.g. ABC Insurance - IdP).
  • Organization - The client that will be associated with this identity provider.  Only contacts associated with this client will be able to use this provider.
  • Issuer URL - Depending on the Identity Provider software your client uses, this may go by one of several names; it is also commonly referred to as the Entity ID, Identifier, or Metadata URL.
  • SSO URL - The login page to which your clients will be redirected to log in, sometimes known as the Login URL.
  • Certificate - A PEM formatted X509 certificate used to validate assertions made by the identity provider.
  • Login Hint - Optionally include the IdP account that should be used to authenticate.  For users who have multiple accounts at the IdP, this setting can make it easier to identify which account should be used.  It is important to note that not all identity providers recognize Strict login hints, and may return an error.  If you aren't sure, try using the Relaxed method.
    • None - Do not include a login hint when authenticating. 
    • Strict - When selected, the assertion includes a "Subject" property, which will typically fail if the user attempts to authenticate via a different account than the one provided.
    • Relaxed - When selected, the system will send a "login_hint" parameter to the IdP indicating which account should be used.

Once you have completed the form, click Save Identity Provider to finish the setup.

Step 3: Providing Service Provider Information to the Client

Now that you've created a new identity provider using the provided information, it's your turn to relay some information back to the client.  After saving the new identity provider, you will see a section called Service Provider Information.  Depending on the client's identity provider the terms may differ, but the three pieces of information they need are located in this section:

  • Entity ID - Also known as the audience or metadata URL, this provides information about the service provider relationship.
  • Consumer URL - Tells the identity provider where to send responses from the SSO attempt.
  • SSO Login URL - The login page where clients will sign in to your system.

Other Considerations For Your Client's IdP Configuration

  • Trackops expects a SAML signed Assertion.  Make sure only the Assertion is signed.
  • Due to the short nature of Trackops sessions, we do not offer Single Logout (SLO) at this time.
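A placement check for the signing rule above, added here as an example and not taken from Trackops. The two SAML responses are constructed, with signature contents elided; the function only reports where Signature elements sit and does not verify them, which the service provider still does against the certificate from Step 2.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: the expected shape, a signed Assertion inside an unsigned Response.
ASSERTION_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp1">
  <saml:Assertion ID="_asn1">
    <ds:Signature><ds:SignedInfo/></ds:Signature>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample: the common misconfiguration, Response signed and Assertion not.
RESPONSE_SIGNED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_resp2">
  <ds:Signature><ds:SignedInfo/></ds:Signature>
  <saml:Assertion ID="_asn2">
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""

def check_signature_placement(xml_text):
    """Return (ok, problems) for the 'only the Assertion is signed' requirement."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return False, ["document is not a samlp:Response"]
    problems = []
    # A Signature that is a direct child of Response signs the whole Response.
    if root.find("ds:Signature", NS) is not None:
        problems.append("Response is signed; only the Assertion should carry a signature")
    assertions = root.findall("saml:Assertion", NS)
    if not assertions:
        # EncryptedAssertion is not handled here; a response with no assertion also fails.
        problems.append("no plaintext saml:Assertion found")
    for assertion in assertions:
        if assertion.find("ds:Signature", NS) is None:
            problems.append("Assertion %s is not signed" % assertion.get("ID"))
    return (not problems, problems)
```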

Once you have provided this information and they have confirmed the setup is complete, you're ready to go!

Step 4 (Optional): Just-In-Time (JIT) User Provisioning

If you'd like to allow users to onboard themselves, enable automatic user provisioning for the domain associated with this identity provider.  When JIT user provisioning is enabled, users whose email address belongs to the specified domain (e.g. example.com) can log in via SSO and, if they don't already have an account, one will be generated for them based on the specifications in your Trackops Identity Provider configuration:

  • Domain - The domain name required for valid SSO authentication. This is a unique value and cannot be used in more than one identity provider configuration.
  • User Role - The user role you wish to grant new users who are automatically provisioned.  It is best practice to assign newly created users a limited user role (least privilege), and manually escalate the privilege if necessary based on the user's access requirements.
  • Location Assignment - By default, automatically provisioned users are assigned to the Primary Location associated with their organization. You can use extra attributes provided by the IdP to look up an alternative location.  You can use template variables in your location assignment search template which can be automatically inserted using the Attributes dropdown.

Note: Please see the Available Just-In-Time Attributes list below for a list of all attributes recognized by Trackops for JIT user provisioning and location assignment identification.

Step 5: Logging In via Single Sign-On

After configuring an identity provider, log out of your Trackops system and you will find that your login page now contains a link to Log in with single sign-on.

link-single-sign-on.png

Clients using SSO will need to click this link, then enter the email address associated with their Trackops account to initiate the process.

Available Just-In-Time Attributes

The list below contains all of the attributes Trackops recognizes, based on commonly used IdP attribute names from various providers.  Your identity provider can most likely include any number of attributes with the authentication response, so if you'd like to populate any or all of this information, have the IdP include the attributes you need using the IdP Attribute Names listed below.

Trackops Attribute   IdP Attribute Names                                   Required?
First Name           first_name, givenname, given_name, firstname          Yes
Last Name            last_name, surname, family_name                       Yes
Email Address        email_address, email, emailaddress, primary_email     Yes
Title                title, jobtitle                                       No
Phone (Mobile)       mobilephone                                           No
Phone (Office)       phone, telephonenumber, phone_number                  No
City                 city                                                  No
State                state                                                 No
Location             location, officelocation                              No
Department           department                                            No

If you need an attribute that is not listed for profile enhancement or location assignment identification, please contact us for assistance.
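The following is an added example (not Trackops code) that ties the attribute table above to the JIT provisioning decision from Step 4: it maps an IdP attribute statement onto the Trackops fields, reports missing required ones, and only allows provisioning when the email domain matches the configured Domain. The case-insensitive and URI-style name matching is an assumption about how such matching is usually done, not something the page documents, and the sample attribute statement is constructed.

```python
# Trackops field -> (accepted IdP attribute names, required?), taken from the table above.
JIT_ATTRIBUTES = {
    "first_name": (("first_name", "givenname", "given_name", "firstname"), True),
    "last_name": (("last_name", "surname", "family_name"), True),
    "email_address": (("email_address", "email", "emailaddress", "primary_email"), True),
    "title": (("title", "jobtitle"), False),
    "phone_mobile": (("mobilephone",), False),
    "phone_office": (("phone", "telephonenumber", "phone_number"), False),
    "city": (("city",), False),
    "state": (("state",), False),
    "location": (("location", "officelocation"), False),
    "department": (("department",), False),
}

def normalize_name(idp_name):
    # Assumption: names match case-insensitively, and URI-style claim names
    # (e.g. .../ws/2005/05/identity/claims/givenname) match on their last path segment.
    return idp_name.rstrip("/").rsplit("/", 1)[-1].lower()

def map_jit_attributes(idp_attrs):
    """Map an IdP attribute statement to Trackops fields -> (profile, missing_required)."""
    normalized = {}
    for name, value in idp_attrs.items():
        values = value if isinstance(value, (list, tuple)) else [value]
        first = next((v for v in values if v), None)  # SAML attributes may be multi-valued
        if first is not None:
            normalized.setdefault(normalize_name(name), first)
    profile, missing = {}, []
    for field, (names, required) in JIT_ATTRIBUTES.items():
        value = next((normalized[n] for n in names if n in normalized), None)
        if value is not None:
            profile[field] = value
        elif required:
            missing.append(field)
    return profile, missing

def evaluate_jit(idp_attrs, configured_domain):
    """Decide whether a first-time SSO user may be provisioned under the IdP's Domain setting."""
    profile, missing = map_jit_attributes(idp_attrs)
    if missing:
        return {"action": "deny", "reason": "missing required attributes: " + ", ".join(missing)}
    local, _, domain = profile["email_address"].rpartition("@")
    if not local or domain.lower() != configured_domain.lower():
        return {"action": "deny", "reason": "email domain %r does not match JIT domain" % domain}
    return {"action": "create", "profile": profile}

# Constructed sample attribute statement from a fictional IdP (mixed naming styles).
SAMPLE_ATTRS = {"givenName": ["Jane"],
                "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname": "Doe",
                "emailaddress": "jane@example.com", "jobTitle": "Claims Analyst"}
```

A created profile would still receive the limited User Role from Step 4; this code decides only whether creation is allowed and with which fields.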

Troubleshooting

If clients are unable to log in to your system using SSO, here are some common issues that may prevent them from completing a successful login:

  • Users must have a unique email address inside the system in order to log in using SSO.  If you have configured multiple accounts with the same email address under the same client, the system will not permit a login.
  • Users must have an active login inside your system.  Users with a "Disabled" access level will not be able to log in, regardless of SSO status.
  • Make sure the email address associated with the user's Trackops account is correct.  If the client does not enter a matching email address, the system will not be able to locate the correct account.
  • SAML logins must be completed within the same request cycle and within a short period of time.  If the request is delayed, or a new browser session is created between IdP authentication and login, the request will be denied.  In this situation, the best thing to do is to close the browser window completely, re-open Trackops in the browser, and attempt a new SSO login from the system.

Additional IdP Specific Help Documentation

If you have questions or need assistance while configuring SSO for your client, please contact us at support@trackops.com for personal assistance.
