Set up user login from Centrify into One Model (Use Centrify as an Identity Provider for One Model).
In the “Add Web Apps” dialog open the “Custom” tab and scroll down the list to find the SAML option. Click the "Add" button beside it.
Click yes on the popup that appears and then close the “Add Web Apps” dialog.
Find the new app (it will be given a default name of SAML) and click on it to edit it.
Fill out the “Assertion Consumer Service URL” with the URL provided to you; it will look something like https://your_subdomain.onemodel.us/Saml/Acs. Click “Save”.
Open One Model and go to Company Settings. Find the SAML2 Integration section and click “Edit”. Select “Automatically configure SAML2 from metadata URL” and then copy the “Identity Provider SAML Meta data URL” from Centrify into the “Metadata URL” field in One Model.
Copy the “Issuer” from Centrify into the “Issuer” field in One Model.
Leave “Preferred Binding” set to “Auto”.
One Model looks for attributes in the SAML response that Centrify sends in order to populate user names. It can also be configured to look for an attribute that provides an employee ID, which One Model uses for user-contextual, role-based security. These attributes are configured in the “Advanced” section of the Centrify app settings. The exact values required will depend on your company’s configuration in Centrify. The script required to populate the attributes will look something like the following.
// Each setAttribute call adds one attribute to the SAML response: the first
// argument is the attribute name One Model reads, the second is the Centrify
// user field it is populated from.
setAttribute('firstname', LoginUser.Get('first_name'));
setAttribute('lastname', LoginUser.Get('last_name'));
setAttribute('employeeID', LoginUser.Get('employee_id'));
The first_name, last_name and employee_id parameters in the LoginUser.Get() function will need to match the attribute names your company has set up in Centrify. Centrify provides a way to test the script by clicking the “Test” button above the script. The SAML response that gets generated should include a section like the following.
<AttributeStatement>
    <Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>Test</AttributeValue>
    </Attribute>
    <Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>User</AttributeValue>
    </Attribute>
    <Attribute Name="employeeID" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <AttributeValue>123456</AttributeValue>
    </Attribute>
</AttributeStatement>
Back in the One Model application, after configuring the script in Centrify, select the “Populate Employee ID with SAML Attribute” option for “Employee IDs” and make sure the value of “Employee ID Attribute” matches the attribute name used in the Centrify script (employeeID in the example above).
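The two settings that most often go wrong here are the attribute names in the Centrify script and the matching “Employee ID Attribute” value in One Model. The following Python script is an added example, not code from One Model or Centrify: it parses the AttributeStatement that the Centrify “Test” button produces and reports whether the firstname, lastname and employee ID attributes One Model expects are present, single-valued and non-empty. The sample response is constructed from the snippet above; the employee_id_attribute parameter stands in for whatever you typed into One Model’s “Employee ID Attribute” field.

```python
"""Pre-flight check of a Centrify SAML test response before enabling it in One Model.

Added example, not One Model or Centrify code. The attribute names firstname,
lastname and employeeID are the ones the article's Centrify script emits; the
sample response below is constructed from the article's AttributeStatement.
"""
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
BASIC_NAME_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"

# Constructed sample: the AttributeStatement from the article, wrapped in a
# minimal Assertion element so it parses as namespaced SAML 2.0.
SAMPLE_RESPONSE = f"""<Assertion xmlns="{SAML_ASSERTION_NS}">
  <AttributeStatement>
    <Attribute Name="firstname" NameFormat="{BASIC_NAME_FORMAT}">
      <AttributeValue>Test</AttributeValue>
    </Attribute>
    <Attribute Name="lastname" NameFormat="{BASIC_NAME_FORMAT}">
      <AttributeValue>User</AttributeValue>
    </Attribute>
    <Attribute Name="employeeID" NameFormat="{BASIC_NAME_FORMAT}">
      <AttributeValue>123456</AttributeValue>
    </Attribute>
  </AttributeStatement>
</Assertion>"""


def extract_attributes(saml_xml: str) -> dict:
    """Return {attribute name: [values]} for every Attribute in every AttributeStatement."""
    root = ET.fromstring(saml_xml)
    ns = {"saml": SAML_ASSERTION_NS}
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", ns):
        name = attr.get("Name")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", ns)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def check_one_model_attributes(saml_xml: str, employee_id_attribute: str = "employeeID") -> list:
    """Return a list of problems; an empty list means the response carries what One Model needs.

    employee_id_attribute is the value entered in One Model's "Employee ID Attribute"
    field (assumed to be employeeID, as in the article); it must match the name the
    Centrify script passes to setAttribute().
    """
    attrs = extract_attributes(saml_xml)
    problems = []
    for required in ("firstname", "lastname", employee_id_attribute):
        values = attrs.get(required, [])
        if not values:
            problems.append(f"missing attribute {required!r}")
        elif len(values) != 1:
            problems.append(f"attribute {required!r} has {len(values)} values, expected exactly 1")
        elif values[0] == "":
            problems.append(
                f"attribute {required!r} is empty; check the LoginUser.Get() field name in the Centrify script"
            )
    return problems


if __name__ == "__main__":
    # Paste the AttributeStatement from the Centrify "Test" output into SAMPLE_RESPONSE
    # (or read it from a file) and run the script to see the check results.
    for line in check_one_model_attributes(SAMPLE_RESPONSE) or ["all One Model attributes present"]:
        print(line)
```

A “missing attribute” result almost always means the name in One Model’s “Employee ID Attribute” field and the first argument of setAttribute() in Centrify disagree, while an “is empty” result points at the LoginUser.Get() field name not matching a populated user field in Centrify. The check looks only at attribute shape; the signature and issuer of the real SAML response are validated by One Model itself using the metadata URL and Issuer configured earlier.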
The remaining options in One Model (“Default Application Roles”, “Default Data Access Roles”, and “Log In Automatically”) can be configured however you desire.