Introduction to Single Sign On (SSO)

Single Sign On (SSO) is a secure and convenient way to combine your different application login screens into a single sign-on screen. For optimal data security, we recommend that the majority of your One Model users use SSO to log in to your One Model instance, while a few Administrators should maintain both SSO and username and password access.

As an Administrator of your One Model instance, one of your first tasks after kick-off will be to work with your IT team to activate SSO using the SAML2 integration in your Company settings, and configure this with your Identity Provider (IdP).

One Model is compatible with many IdPs, and we have several setup guides to assist your IdP configuration, but first you will need to add your SAML2 Integration.  

If you’re unfamiliar with setting up SSO, SAML2 or your IdP, please don’t hesitate to share our articles with your IT team or to reach out to your Customer Success Lead. 

Part 1 - How to add a SAML2 Integration for SSO

Setting up your SSO begins with adding a SAML2 Integration. The integration section has many settings and options: some are information you will need for your initial setup, and others are customization options that are better dealt with after your initial SAML2 Integration has been established. We will walk you through each option in order, but keep in mind that this article focuses on your initial setup.

Follow these steps to get started. 

  1. Go to the Admin tab, select Company, then SAML 2 Integration.

  2. Click on + Add SAML 2 Integration and you will see the list of information required. There are many options to choose from; only some may be applicable to your organization, and additional options may appear depending on your selections.

We will work through the options in order from top to bottom.

  3. ACS URL and Entity ID will populate once you have entered other relevant information. Come back to this option at the end.
  4. Configuration source has two options:
    1. Manually configure SAML2, or
    2. Automatically configure SAML2 from metadata URL.

Most users will select option 2, Automatically configure SAML2 from metadata URL.

Once selected, you will need to add the Metadata URL and Issuer (URL). These will be specific to your IdP and you can obtain this information from your provider.

If you seek to manually configure SAML2, then you will also need to enter:

  • IdP Url - the URL to which we should redirect users when they attempt to sign on. You can obtain this information from your IdP.
  • Public Key - PEM formatted certificate that we can use to verify messages from your IdP. If your IdP has provided you with a .CER or .CERT file, then you need to copy and paste the entire contents of the file into the Public Key window.
  • Issuer - the Issuer information for your IdP.
  5. Select your Preferred Binding option. Most users select HTTP Post.

  6. Select the relevant NameID Type. This may be Email or Person ID, but most users will choose Email.

  • If you select Email for NameID Type, you get additional options that govern how to populate the Person IDs.

  • If you select Person IDs for NameID Type, these options are removed, as we use the value in the SAML NameID field to populate the Person ID within the One Model user account.

Below is a grid of the 3 options available across the NameID Type and PersonIDs selections:

  Option | ONE MODEL CONFIG                                     | CUSTOMER CONFIG                                                    | ONE MODEL USER
         | NameID Type | Person IDs                             | SAML NameID (primary identifier) | SAML Attributes (minimum)       | Person ID
  1      | Email       | Populate Person ID with SAML NameID    | Email                            | first name, last name           | Email
  2      | Email       | Populate Person ID with SAML Attribute | <as defined>                     | first name, last name, ID       | “ID”
  3      | Person ID   | n/a                                    | Person ID                        | first name, last name, email*   | Person ID

* Email is a required field (along with first name and last name at minimum). SAML Attribute may be called “email” or “emailaddress” or “primaryemail”.  If you choose Person ID as NameID Type, there will be some considerations with user testing that you may want to discuss with your Customer Success Lead. 

There are some additional considerations around Person ID related to contextual role based security that are discussed in this article about Role Based Security.

If you leave the Person IDs selection as “Don’t Populate Person IDs”, this will restrict your ability to fully test the SAML Integration so we do recommend selecting one of the other two options. However, you can proceed to other selections, save, and come back to Person IDs if required. 

  7. Select the relevant NameID Policy Type. This may be Email, Unspecified or None, but most users will choose Email in their initial setup.

  8. Configure the Date Format for the IssueInstant timestamp sent in SAML requests for SSO logins initiated from One Model. The required value will depend on the configuration of your IdP.
    The Default format looks like “1972-11-09T02:14:23”.
    The Utc format looks like “1972-11-09T02:14:23Z”.
    The Utc with milliseconds format looks like “1972-11-09T02:14:23.120Z”.

  9. Choose your Authorization Comparison Type. Most users select Exact.
  • Exact means that when the One Model application sends an authentication request to the customer IdP, we expect the IdP to use exactly the ‘PasswordProtectedTransport’ authorization mechanism.
  • If Minimum is selected, we expect the IdP to use this mechanism at a minimum (or better).

  10. Next we have Roles and the corresponding Default Application Roles and Default Data Access Roles.

During your initial SAML2 setup we recommend leaving the selection as is. Role assignment setup is detailed and not relevant to your initial small number of Admin users, so we recommend skipping over this step during your initial SAML2 Integration setup. SSO and role assignment are covered in this article.

11. Log In Options

Next you will see the options for showing or bypassing the Login screen. 

During your initial setup we recommend selecting Let users choose between SSO or Username/Password login to ensure you can still access One Model while checking and testing your SSO configuration.

With this option selected, the user will be taken to a login screen showing the One Model logo, as shown below.

You can come back to this setting once your SSO is up and running and switch to Automatically try to log in users with SSO. This will allow users to bypass the login screen for a better user experience. 

When you select this option, you will see an added note for Administrators to bookmark the login screen URL. 

It is essential that at least one of the Administrators for your One Model instance has the following options selected in their user account:

  1. Allow log in via Single Sign On, and
  2. Allow log in with username and password.

If SSO fails, the Admin user with these settings will be able to click on their bookmark link and gain access via username and password.

12. Authentication

The final selection is the option to add an authentication context to the SAML request. Not every organization requires this additional identification method. If it is selected, One Model sends an authentication request to the customer IdP that, as well as asking which user is logging in, also expects that the user has identified themselves to the customer site using a Password over a Protected Transport mechanism.

14. Save or Cancel

With your settings in place, click Save at the end of the SAML2 Integration section. 

  1. If you click Cancel, then you exit the SAML 2 Integration section with no changes saved. Note that there is no “are you sure?” prompt for unsaved changes. 

Part 2 - Checking your SSO Configuration

After adding and saving the SAML 2 Integration, you will be able to test if your setup was successful by going to your company’s One Model URL and clicking on the Single Sign On button. Setting up your SSO for the first time can be tricky so don’t fret if it doesn’t work the first time.

A common problem users have encountered is when their SSO is not working despite having selected the Automatically try SSO option in their SAML 2 Integration settings. 

In addition to the settings in One Model, you may need to work with your IT team to enable a one-click passthrough or ‘handshake’ from your IdP. Behavior may also differ depending on how you are accessing One Model i.e. via a link in your HR Portal or your own saved bookmark. 

You can continue testing and validating between your SAML2 and IdP until you have a successful SSO login, and we suggest checking with at least one other user. 

To check your SSO configuration and settings:

  1. Go to Admin  
  2. Company  
  3. SAML 2 Integration. 

This will bring you back into the SAML2 Integration section, where you can:

  • Review your SSO configuration,
  • See what information is being passed when another user logs in, and
  • See what information is being passed when you log in.

  1. To see what is being passed when another user logs in to One Model, copy and paste the Metadata URL into a web browser to download a detailed XML file.
  2. To see what is being passed when YOU log in:
    1. In your browser, log out of One Model.
    2. Navigate to Developer tools in your browser. For Google Chrome, click the 3 dots in the top right hand corner, hover over More Tools, then click on Developer Tools. A side panel should open on the right side of the window.
    3. Towards the top, you will see tabs such as Elements, Console etc. Click on the one named Network.
    4. Proceed to log in to One Model in this tab.
    5. In the side panel, on the left side, find OneModelAcs.
    6. Click on Payload, and you'll see a section called SAMLResponse. This is what is sent to One Model.

To decode what you see here, you'll need to use a program, such as Notepad++, that can Decode Base64. 
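As an added example (not One Model's code, nor any IdP's), the Python below does the decoding step in code instead of in Notepad++: it base64-decodes a SAMLResponse, pulls out the NameID, its Format, the AuthnContextClassRef and the attributes, and reports which of the minimum attributes from the Part 1 table (first name, last name, email) are absent. The SAMLResponse is a constructed, unsigned sample, and the attribute-name matching (case-insensitive, spaces removed, the three email names the article lists) is an assumption about IdP naming; a real response is also signed, and this check does not verify that signature.

```python
# Decode a SAMLResponse copied from the OneModelAcs request payload and summarise
# what the IdP sent. Added example, not One Model's own code.
import base64
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
EMAIL_NAMES = {"email", "emailaddress", "primaryemail"}  # names the article lists

# Constructed, unsigned sample assertion (table option 2: NameID is the email,
# Person ID comes from the "ID" attribute). Illustration only, not a real IdP.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" '
    'IssueInstant="1972-11-09T02:14:23.120Z"><saml:Assertion ID="_a1" Version="2.0" '
    'IssueInstant="1972-11-09T02:14:23.120Z"><saml:Subject><saml:NameID '
    'Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com'
    '</saml:NameID></saml:Subject><saml:AuthnStatement AuthnInstant="1972-11-09T02:14:23Z">'
    '<saml:AuthnContext><saml:AuthnContextClassRef>' + PPT + '</saml:AuthnContextClassRef>'
    '</saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement>'
    '<saml:Attribute Name="emailaddress"><saml:AttributeValue>jane@example.com'
    '</saml:AttributeValue></saml:Attribute><saml:Attribute Name="first name">'
    '<saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="last name"><saml:AttributeValue>Doe</saml:AttributeValue>'
    '</saml:Attribute><saml:Attribute Name="ID"><saml:AttributeValue>E1001'
    '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>'
    '</saml:Assertion></samlp:Response>')
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def summarise(saml_response_b64):
    # Return the fields an Administrator compares against the Part 1 table.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    name_id = root.find(".//saml:Subject/saml:NameID", NS)  # None if no NameID sent
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in root.findall(".//saml:Attribute", NS)}
    # Compare attribute names case-insensitively with spaces removed (an assumed
    # tolerance: IdPs name these differently, e.g. "first name" vs "firstName").
    norm = {n.lower().replace(" ", "") for n in attrs}
    missing = [n for n in ("firstname", "lastname") if n not in norm]
    if not norm & EMAIL_NAMES:
        missing.append("email")
    contexts = [e.text for e in root.iter("{%s}AuthnContextClassRef" % NS["saml"])]
    return {
        "name_id": getattr(name_id, "text", None),
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attrs,
        "password_protected_transport": PPT in contexts,
        "missing_minimum_attributes": missing,
    }
```

Paste the SAMLResponse value from the Payload tab in place of SAMPLE_B64 to see what your own IdP sent; an empty missing_minimum_attributes list means the minimum attributes for the table option are present.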

Aside from the basic settings discussed in this article, there are more advanced options related to role assignment and contextual security that are covered in the next article, SSO, Role Assignment and Contextual Security.
