Single Sign On (SSO) FAQs

1. Can SSO be used for authentication but not user creation?

Not currently. Any employee with access to the customer One Model site URL who successfully authenticates will have a user account created. Role assignment, however, is not automatic and is determined by other configuration settings. Refer to this article.


2. What is the ACS URL and Entity ID?

The ACS URL and Entity ID follow a standard format:

  • ACS URL: https://company.onemodel.domain/Saml/Acs
  • Entity ID: http://company.onemodel.domain/Saml/Init


These are case sensitive and must match exactly what is entered into the IdP or the user will receive an error upon login.  

So if your One Model URL is: https://abcinvestments.onemodel.us, then you would use:

  • ACS URL: https://abcinvestments.onemodel.us/Saml/Acs
  • Entity ID: http://abcinvestments.onemodel.us/Saml/Init


You can also confirm your ACS URL and Entity ID by adding the string ‘Saml/Metadata’ to the end of your One Model URL. The metadata returns this information in the “EntityDescriptor entityID” and “AssertionConsumerService” entries.


3. Why is the Entity ID http not https?

While HTTPS is strongly recommended for the actual communication endpoints in SAML, an entity ID using HTTP reflects its role as a unique identifier rather than a resolvable location; it may also be a legacy configuration, or simply how the metadata was initially generated.


4. What do I do if a user gets an error message upon logging in via SSO? 

There are a number of reasons why a user may receive an error message; it could be an error on the customer side or within the One Model configuration. Please refer to this article for configuration steps on your One Model Company page. Some other potential reasons are:

  • If your NameID Type is set to PersonID and you have test users with a PersonID assigned which matches an actual user’s PersonID, then the actual user will be blocked from access. Note that most customers set NameID Type to email, so this won’t be an issue, but if you do need to use PersonID then simply remove the ID from the test user after testing.
  • If you have selected the option to “Assign One Model roles based on SAML attribute roleId” but a roleId isn’t being sent in the SAML request for every user, then an error message will appear. Work with your IT team to update the SAML request, and temporarily select "Don't automatically assign One Model roles based on SAML roles" until that is available.


If your troubleshooting hasn’t resolved the issue, please raise a Help Center ticket with a screenshot of the error and the timestamps of the login attempts, with as much detail as possible, and we will be happy to assist.


5. Can I get a copy of what is being passed to One Model via SSO?

You can copy and paste the Metadata URL into a web browser to download a detailed XML file showing the generic information being passed through SSO. The Metadata URL is found in the SAML 2 Integration section of your Admin > Company page.

If you want to see what is being passed when YOU log in, follow these steps:

  1. In your browser, log out of One Model.
  2. Navigate to Developer tools in your browser.
    For Google Chrome, you'll need to click the 3 dots in the top right hand corner, and go down to hover over More Tools, then click on Developer Tools. A side panel should come up on the right side of the window.
  3. Towards the top, you will see tabs such as Elements, Console, etc.; click on the one named Network.
  4. Proceed to login to One Model in this tab.
  5. In the side panel, on the left side, find OneModelAcs.
  6. Click on Payload, and you'll see a section called SAMLResponse - this is what is sent to One Model.

To decode what you see here, you'll need to use a program, such as Notepad++, that can decode Base64.
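As an added example (not One Model's own code), the following Python script decodes a Base64 SAMLResponse like the one captured above and flags the mismatches this FAQ attributes to login errors: an ACS URL or Entity ID that does not match exactly, missing claims, and a missing roleId when role assignment is enabled. The sample response is constructed, and the attribute names firstName, lastName, email and roleId are assumptions about how the IdP has been configured.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample response (not a real capture); URLs mirror the FAQ's demo-1 metadata.
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://demo-1.onemodel.us/Saml/Acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>http://demo-1.onemodel.us/Saml/Init</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>Jane.Doe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()  # what the Payload tab shows

def decode_saml_response(b64):
    """Decode the Base64 SAMLResponse and pull out the fields an admin checks first."""
    root = ET.fromstring(base64.b64decode(b64))
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"destination": root.get("Destination"),
            "audience": assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS),
            "name_id": name_id.text, "name_id_format": name_id.get("Format"),
            "attributes": attrs}

def check_response(b64, acs_url, entity_id, role_attr="roleId", roles_required=False):
    """Flag the mismatches the FAQ lists as causes of SSO login errors."""
    info = decode_saml_response(b64)
    problems = []
    if info["destination"] != acs_url:   # exact, case-sensitive comparison (question 2)
        problems.append("Destination does not match ACS URL exactly")
    if info["audience"] != entity_id:
        problems.append("Audience does not match Entity ID exactly")
    for required in ("firstName", "lastName", "email"):  # assumed attribute names (question 13)
        if required not in info["attributes"]:
            problems.append(f"missing attribute {required}")
    if roles_required and not info["attributes"].get(role_attr):   # question 4, second bullet
        problems.append(f"role assignment enabled but no {role_attr} attribute sent")
    return info, problems
```

Call check_response with the Base64 string copied from the Payload tab and your own ACS URL and Entity ID; an empty problems list means the response matches what One Model expects on these points.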

 

6. What happens if a user changes their email address? 

The SSO behaviour depends on the SAML 2 Integration settings. 


Where NameID Type = Email

  • Authentication passes based on First Name, Last Name and Person ID, and a new user account will be created with the new email address. Role assignment will depend on other settings. Having two accounts in One Model for the same user may not be an issue if the user only has one valid email in the customer IdP: their SSO will succeed for the new user account on all subsequent logins, and you can manually deactivate the One Model account with the ‘old’ email. But if a user has two active work email addresses, it is best to discuss this with your Delivery Lead or Support Team.


Where NameID Type = Person ID

  • Authentication fails. 

If you know in advance that your organization is going through a company-wide email address change, please raise a Help Center ticket to discuss any questions you may have about existing users.


7. Our SSO isn’t working and I need to log into One Model urgently. What can I do?

Your core Admin users may have been set up with username and password access, which means their access is retained via that method. They can log in using the site URL plus this string appended to it: Account/Login?noSso=true

The customer must determine and manage whether additional users are to be provided with temporary username and password access while your SSO issues are being resolved. 

Please raise a Help Center ticket if you need assistance.


8. Does One Model support the SAML 2.0, OAuth, or WS-Fed/WS-Trust standards?

SAML 2.0.


We are looking to support signed AuthnRequests for SAML authentication in the future. Please contact One Model Support via a Help Center ticket if you wish to participate in beta testing. 


9. What kind of SSO is supported by the application? IdP (Identity Provider) initiated or SP (Service Provider) initiated?

Both methods are supported by the application.


10. What is the mode of Single Sign-On required to access One Model?

Both of these modes are supported:

  • IdP-initiated: the user first authenticates in a portal or internal application (the IdP) and is then passed through to the SaaS application.
  • SP-initiated: the user goes directly to the SaaS application, and authentication with the IdP happens after that.


11. Does One Model require case-sensitive user id? 

Yes.


12. Does One Model provide metadata to configure SSO? 

Adding the string ‘Saml/Metadata’ to the end of your One Model URL will return details like those below. For additional support, please raise a Help Center ticket.


<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="http://demo-1.onemodel.us/Saml/Init" ID="_ab00859bc16445b2a28207c44a9321a7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo-1.onemodel.us/Saml/Acs" index="0" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo-1.onemodel.us/Saml/Acs" index="1" />
  </SPSSODescriptor>
</EntityDescriptor>
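As an added example that is not part of the original article or One Model's code, this Python script parses the metadata above and checks the ACS URL and Entity ID entered into an IdP against it, applying the standard format from question 2 and the exact, case-sensitive match the FAQ requires. The metadata is the demo-1 sample from this page; the IdP values passed in are constructed.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Metadata as shown in question 12 (demo-1 site), embedded here so the example runs offline.
DEMO_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor entityID="http://demo-1.onemodel.us/Saml/Init" ID="_ab00859bc16445b2a28207c44a9321a7" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo-1.onemodel.us/Saml/Acs" index="0" />
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://demo-1.onemodel.us/Saml/Acs" index="1" />
  </SPSSODescriptor>
</EntityDescriptor>"""

def expected_sp_values(site_url):
    """Derive the ACS URL (https) and Entity ID (http) from a One Model site URL, per question 2."""
    host = urlsplit(site_url).netloc
    return {"acs_url": f"https://{host}/Saml/Acs", "entity_id": f"http://{host}/Saml/Init"}

def parse_sp_metadata(xml_text):
    """Extract the values an IdP administrator needs from the SP metadata."""
    root = ET.fromstring(xml_text.encode())  # bytes, so the encoding declaration is honoured
    sso = root.find("md:SPSSODescriptor", MD_NS)
    return {
        "entity_id": root.get("entityID"),
        # (binding short name, location) for each ACS endpoint, e.g. ("HTTP-POST", ".../Saml/Acs")
        "acs_endpoints": [(acs.get("Binding").rsplit(":", 1)[1], acs.get("Location"))
                          for acs in sso.findall("md:AssertionConsumerService", MD_NS)],
        "authn_requests_signed": sso.get("AuthnRequestsSigned") == "true",
        "want_assertions_signed": sso.get("WantAssertionsSigned") == "true",
    }

def verify_idp_config(site_url, metadata_xml, idp_acs_url, idp_entity_id):
    """Compare what was typed into the IdP with what the SP metadata publishes (exact, case-sensitive)."""
    md = parse_sp_metadata(metadata_xml)
    expected = expected_sp_values(site_url)
    issues = []
    if md["entity_id"] != expected["entity_id"]:
        issues.append("metadata entityID differs from the standard format")
    if idp_entity_id != md["entity_id"]:
        issues.append(f"IdP Entity ID {idp_entity_id!r} != metadata {md['entity_id']!r}")
    if idp_acs_url not in {loc for _, loc in md["acs_endpoints"]}:
        issues.append(f"IdP ACS URL {idp_acs_url!r} not published in metadata")
    return issues
```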



13. What are the claims that One Model expects from IdP? 

We require first name, last name and email address as a minimum.

For contextual security, a person ID (which may be an employee number, email address or other identifier).

And for automated role assignment, the roleId (or a custom attribute). For more details, refer to this article.


14. Does One Model support auto provisioning/scim provisioning?

We support automated user creation and have options for automated role assignment. Work on SCIM provisioning is in progress, so please check the latest Release Notes, or raise a 'How To' ticket for more information.

