Differences
This shows you the differences between two versions of the page.
| Both sides previous revision Previous revision Next revision | Previous revision | ||
|
en:sso_implementation [2018/01/31 15:42] admin [How to enable SSS with zebrix] |
en:sso_implementation [2024/08/13 12:10] (current) admin |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| ====== SSO implementation for zebrix ====== | ====== SSO implementation for zebrix ====== | ||
| + | |||
| ====== What is Single Sign-On ====== | ====== What is Single Sign-On ====== | ||
| - | Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. ([[https://www.wikiwand.com/en/Single_sign-on|source: wikipedia]]) | + | |
| + | Single sign-on (SSO) is a property of access control of multiple related, yet independent, software systems. With this feature, a user logs in with a single ID and password to gain access to a connected system or systems without using different usernames or passwords, or in some configurations seamlessly sign on at each system. ([[https://www.wikiwand.com/en/Single_sign-on|source: wikipedia]]) | ||
| ====== Benefits ====== | ====== Benefits ====== | ||
| + | |||
| Benefits of using single sign-on include: | Benefits of using single sign-on include: | ||
| + | |||
| * Mitigate risk for access to 3rd-party sites (user passwords not stored or managed externally) | * Mitigate risk for access to 3rd-party sites (user passwords not stored or managed externally) | ||
| - | * Reduce password fatigue from different user name and password combinations | + | * Reduce password fatigue from different username and password combinations |
| * Reduce time spent re-entering passwords for the same identity | * Reduce time spent re-entering passwords for the same identity | ||
| * Reduce IT costs due to lower number of IT help desk calls about passwords | * Reduce IT costs due to lower number of IT help desk calls about passwords | ||
| Line 14: | Line 19: | ||
| ====== SSO implementation with zebrix ====== | ====== SSO implementation with zebrix ====== | ||
| + | |||
| ===== Compatibility ===== | ===== Compatibility ===== | ||
| + | |||
| zebrix has been tested with following authentication/SSO protocols/technologies: | zebrix has been tested with following authentication/SSO protocols/technologies: | ||
| + | |||
| * CAS | * CAS | ||
| * OAuth | * OAuth | ||
| * SAMLv2 | * SAMLv2 | ||
| * ADFS | * ADFS | ||
| + | * Microsoft 365 / Azure AD STS ([[en:sso_implementation_azuread|Please read this tutorial to know how to configure Azure AD for SSO with zebrix]]) | ||
| ===== How to enable SSO with zebrix ===== | ===== How to enable SSO with zebrix ===== | ||
| - | ==== 1. You need to contact zebrix support ==== | + | |
| - | ==== 2. You have to integrate zebrix metadata in your authentication server ==== | + | To enable the SSO authentication on your zebrix account, please follow these steps: |
| + | |||
| + | ==== 1. Add the zebrix app in your authentication portal ==== | ||
| + | |||
| + | Please create the "zebrix" application in your authentication portal. | ||
| + | If you're using Microsoft 365, [[en:sso_implementation_azuread|you can follow this technical guide.]] | ||
| + | |||
| + | Here is the zebrix's metadata you'll need to use : | ||
| <code xml> | <code xml> | ||
| <EntityDescriptor entityID="https://auth.zebrix.net" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | <EntityDescriptor entityID="https://auth.zebrix.net" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | ||
| Line 53: | Line 70: | ||
| </EntityDescriptor> | </EntityDescriptor> | ||
| </code> | </code> | ||
| + | |||
| + | **Required claims are :** | ||
| + | |||
| + | * UPN (mandatory) | ||
| + | * Name (Concatenation of first and last name) (recommended) | ||
| + | * e-mail address (recommended) | ||
| + | |||
| + | ==== 2. Contact our support team to request SSO activation at support@zebrix.net ==== | ||
| + | |||
| + | * Please mention your zebrix account name (client name) | ||
| + | * Please attach your metadata XML or give the public URL to access it | ||
| + | |||
| + | ==== 3. Our technical team confirms SSO activation ==== | ||
| + | |||
| + | When the configuration has been implemented on our side, you'll receive a confirmation from our technical team, and you can log in to zebrix using SSO. | ||
| + | |||
| + | ===== How will user login to zebrix thanks to sso? ===== | ||
| + | |||
| + | Users have to connect to https://cmsv2.zebrix.net/cn/**yourCompanyName**. zebrix server will check if the user is already authenticated with your company authentification portal. | ||
| + | At this step, there are three possibilities: | ||
| + | |||
| + | * If a user is already authenticated on your potal and authorized to use zebrix, he will directly be logged into zebrix and can use it. | ||
| + | * If a user is not authenticated, he will be redirected to the login page of your company and as soon as he got authenticated he will be automatically redirected to zebrix. | ||
| + | * In both previous cases, if the user is still unknown by zebrix, he will get a "User Awaiting for activation" message. In this case, another zebrix user (with admin right) must uncheck the "lock" checkbox in the user properties. | ||
| + | |||
| + | Please note that users can also be pre-activated by using the "Add SSO user" button. | ||
| + | Existing zebrix regular user can also be converted into SSO user. | ||
| + | |||
| + | ===== How to enable SSO on an existing zebrix user ===== | ||
| + | |||
| + | Only user known as SSO user will be able to log in via SSO. Here is how you can enable SSO on existing zebrix user. | ||
| + | |||
| + | Click on the convert button | ||
| + | |||
| + | {{ :en:sso_convertexistinguser.jpg |}} | ||
| + | |||
| + | Specify the UPN of the user as it will be received in claims | ||
| + | |||
| + | {{ :en:sso_convertexistinguser_upn.jpg |}} | ||
| + | |||
| + | ===== How to create new SSO users ===== | ||
| + | |||
| + | Only user known as SSO user will be able to log in via SSO. | ||
| + | Here is how you can declare SSO users in zebrix. | ||
| + | |||
| + | {{ :en:sso_createnewssousers.jpg |}} | ||
| + | |||
| + | Thanks to this pop-in window, you can create/declare one or many SSO users in one operation | ||
| + | |||
| + | ===== How to enable SSO on auto-added users ===== | ||
| + | |||
| + | If a SSO user (unknown by zebrix) tries to access zebrix, it will automaticaly declared in zebrix as know SSO user but will be locked. | ||
| + | It is required that an admin level user enable the account | ||
| + | |||
| + | {{ :en:sso_enableautoaddeduser.jpg |}} | ||
| + | |||
| + | |||
| + | |||
