Single sign-on (SSO) lets you and/or your clients log into your system without ever giving it their credentials (username and password): they authenticate at their own identity provider, which then vouches for them to your system. This gives organizations more control over how their users authenticate to third-party systems.
Trackops offers the ability to act as a SAML 2.0 Service Provider (SP), allowing you and/or your clients to authenticate via an Identity Provider (IdP) and access your Trackops system using single sign-on.
Setting up SSO for a client is straightforward once you have the required information. In the examples below, if you are setting up SSO for your own organization, treat yourself as the client when following the instructions. Let's get started!
Step 1: Requesting Identity Provider Information from the Client
In order to enable SSO, you must first establish a trust relationship between the service provider (Trackops) and your client's identity provider (IdP). To do this, we need to obtain several important pieces of information from the client that will allow us to establish this trust relationship.
You will need:
- Entity ID / Issuer URL - The identity provider's unique identifier, normally a URL (often the same as its metadata URL). It must match, character for character, the Issuer value the IdP places in the assertions it sends.
- SSO URL / Login URL - The URL of the identity provider's login endpoint; this is where users are redirected to authenticate.
- X.509 Certificate - The public certificate matching the key the identity provider uses to sign assertions. Trackops uses it to verify those signatures, so it is the trust anchor for every SSO login from this client: install only a certificate obtained from the IdP itself or from its metadata.
Tip: If your client offers you a metadata URL, Trackops can retrieve all three of these values from it automatically. Prefer an HTTPS metadata URL, since whatever that document contains becomes the trust anchor for the client's logins.
Step 2: Configuring a new Identity Provider
To configure a new Identity Provider (IdP) inside Trackops, head over to Settings, and then click Identity Providers. From here, click New Identity Provider.
If you have previously obtained a metadata URL from the IdP, simply copy and paste it into the Metadata URL box and click Continue. This will allow Trackops to automatically configure the identity provider for you.
If you do not have a metadata URL, simply click Continue to manually configure the provider.
- Name - A unique name that will help you identify this identity provider in the list (e.g. ABC Insurance - IdP).
- Organization - The client that will be associated with this identity provider. Only contacts associated with this client will be able to use this provider.
- Issuer URL - Depending on the identity provider software your client uses, this field may go by another name; it is also commonly referred to as the Entity ID or Metadata URL. Enter it exactly as the IdP reports it.
- SSO URL - The identity provider's login page, to which your clients will be redirected to log in.
- Certificate - A PEM-formatted X.509 certificate used to validate assertions signed by the identity provider.
Once you have completed the form, click Save Identity Provider to finish the setup.
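The three values entered above are exactly what an IdP's SAML 2.0 metadata document carries, which is why a metadata URL can fill the form in automatically. The following is an added example, not Trackops code, showing how a service provider extracts the Entity ID, the login URL and the signing certificate from such a document. The metadata is constructed for illustration: the entity ID and endpoints are placeholders and the certificate body is placeholder base64, not a real certificate. Note that the encryption key is deliberately skipped, since only the signing key may be used to verify assertions.

```python
"""Pull the Entity ID, SSO URL and signing certificate out of SAML 2.0 IdP metadata."""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata: the entity ID, endpoints and certificate bytes are
# placeholders, not a real identity provider.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBfakeCERTbytesForIllustrationOnly00000000
        MIIBfakeCERTbytesForIllustrationOnly00000000
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIBotherENCRYPTIONcertNotForSigning0000
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def to_pem(b64_text):
    """Turn the whitespace-laden base64 from metadata into a PEM certificate block."""
    raw = "".join(b64_text.split())
    base64.b64decode(raw, validate=True)  # reject anything that is not base64
    body = "\n".join(textwrap.wrap(raw, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Return the three values the SP needs, or raise ValueError if any is missing."""
    # In production parse with defusedxml so hostile metadata cannot abuse the parser.
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if entity_id is None or idp is None:
        raise ValueError("document is not an IdP EntityDescriptor")

    # Prefer the HTTP-Redirect endpoint for the login URL, fall back to HTTP-POST.
    endpoints = {e.get("Binding"): e.get("Location")
                 for e in idp.findall("md:SingleSignOnService", NS)}
    sso_url = endpoints.get(HTTP_REDIRECT) or endpoints.get(HTTP_POST)
    if sso_url is None:
        raise ValueError("no usable SingleSignOnService endpoint")

    # Only signing keys may verify assertions. A KeyDescriptor without a "use"
    # attribute is valid for both purposes, so it counts as a signing key too.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing_certs.append(to_pem(cert.text or ""))
    if not signing_certs:
        raise ValueError("no signing certificate in metadata")

    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": signing_certs}


if __name__ == "__main__":
    for key, value in parse_idp_metadata(SAMPLE_METADATA).items():
        print(key, "=", value)
```

Real metadata often lists more than one signing certificate during a key rollover, which is why the function returns a list; install every signing certificate the IdP publishes, and nothing else.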
Step 3: Providing Service Provider Information to the Client
Now that you've created a new identity provider using the provided information, it's your turn to relay some information back to the client. After saving the new identity provider, you will see a section called Service Provider Information. Depending on the client's identity provider, the terms may be different, however the three pieces of information they need are located in this section:
- Entity ID - Also known as the audience (some providers call it the metadata URL). It identifies your Trackops service provider and is the value the IdP must place in the Audience of the assertions it issues.
- Consumer URL - The assertion consumer service (ACS) URL, which tells the identity provider where to send SAML responses after an SSO attempt.
- SSO Login URL - The login page where clients will sign in to your system.
Other Considerations For Your Client's IdP Configuration
- Trackops expects a signed SAML Assertion. Configure the IdP to sign the Assertion only, not the enclosing Response.
- Due to the short nature of Trackops sessions, we do not offer Single Logout (SLO) at this time.
Once you have provided this information and they have confirmed the setup is complete, you're ready to go!
Step 4: Logging In via Single Sign-On
After configuring an identity provider, log out of your Trackops system; the login page will now contain a link to Log in with single sign-on.
Clients using SSO will need to click this link, then enter the email address associated with their Trackops account to initiate the process.
If clients are unable to log into your system using SSO, these are the common causes of a failed login:
- Users must have a unique email address inside the system in order to log in using SSO. If you have configured multiple accounts with the same email address under the same client, the system will not permit a login.
- Users must have an active login inside your system. Users with a "Disabled" access level will not be able to log in, regardless of SSO status.
- Make sure the email address associated with the user's Trackops account is correct. If the client enters an email address that does not match, the system cannot find the correct account.
- A SAML login must complete within the same request cycle and within a short period of time: the response the IdP sends back must reach Trackops in the same browser session that started the request, and must arrive before the assertion expires. If the request is delayed, or a new browser session is created between IdP authentication and the return to Trackops, the request is denied. In that situation, close the browser window completely, re-open Trackops, and start a new SSO login from the login page.
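The "sign the Assertion" requirement above and the last troubleshooting point (the login must answer the request this browser session started, before the assertion expires) are both checks a service provider makes on the Response before it trusts the login. The following is an added example, not Trackops code, of those structural checks: where the signature sits, that the Issuer and Audience match the configured Entity IDs, that the validity window has not closed, and that InResponseTo matches the request ID remembered in the session. The entity IDs, endpoints, timestamps and the Response itself are constructed for illustration, and the Signature elements are placeholders for position only; cryptographic verification of the signature is left to an XML-DSig library.

```python
"""Structural checks a SAML SP makes on an IdP response before trusting the login."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed values for one SP/IdP pairing; none of these are real endpoints.
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"
SP_ENTITY_ID = "https://app.example.net/saml/metadata"
ACS_URL = "https://app.example.net/saml/acs"
SIGNATURE = "<ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)   # inside the window
SAMPLE_LATER = SAMPLE_NOW + timedelta(minutes=10)                   # after NotOnOrAfter


def build_response(sign_assertion=True, sign_response=False):
    """Build a constructed Response; the Signature elements only mark position."""
    assertion_sig = SIGNATURE if sign_assertion else ""
    response_sig = SIGNATURE if sign_response else ""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  {response_sig}
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    {assertion_sig}
    <saml:Subject>
      <saml:NameID>jane@client.example</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req42" Recipient="{ACS_URL}"
            NotOnOrAfter="2024-05-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, *, outstanding_request_id, now,
                    idp_entity_id=IDP_ENTITY_ID, sp_entity_id=SP_ENTITY_ID,
                    acs_url=ACS_URL, skew=timedelta(seconds=60)):
    """Return the reasons to reject this login; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion in the Response"]

    # The SP validates a signed Assertion; a signature on the enclosing Response
    # alone is not what it expects.
    if assertion.find("ds:Signature", NS) is None:
        where = " (only the Response is signed)" if root.find("ds:Signature", NS) is not None else ""
        problems.append("Assertion is not signed" + where)

    # Issuer must equal the configured Entity ID exactly.
    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} does not match the configured Entity ID")

    # The assertion must be addressed to this SP (our Entity ID as Audience).
    audiences = [a.text.strip() for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include our Entity ID")

    # Validity window, with a small allowance for clock skew between IdP and SP.
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")

    # Bearer confirmation: the response must answer the request this browser
    # session issued (the ID stored server-side) and arrive at our consumer URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("InResponseTo") != outstanding_request_id:
            problems.append("InResponseTo does not match the request started in this session")
        if scd.get("Recipient") != acs_url:
            problems.append("Recipient is not our consumer URL")
    return problems


if __name__ == "__main__":
    print("good:", check_assertion(build_response(), outstanding_request_id="_req42", now=SAMPLE_NOW))
    print("late:", check_assertion(build_response(), outstanding_request_id="_req42", now=SAMPLE_LATER))
    print("new session:", check_assertion(build_response(), outstanding_request_id=None, now=SAMPLE_NOW))
```

The "new session" case is the troubleshooting scenario: when the browser session that stored the request ID is gone, there is no outstanding request to match InResponseTo against, and the only remedy is to start a fresh login so a new request ID is issued.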
Additional IdP Specific Help Documentation
If you have questions or need assistance while configuring SSO for your client, please contact us at firstname.lastname@example.org for personal assistance.