First-Time Configuration of Single Sign-On for Platform

Details

Single Sign-On (SSO) allows customers to leverage their existing Identity Provider (such as Microsoft Azure Active Directory) to provide a single login experience for all their software products. This means that ARCOS end users will be able to log into Platform with the same username and password that they use on other company software without configuring a specific ARCOS username and password. ARCOS’s SSO is entirely configurable by the customer, and this guide is designed to assist customers with the initial configuration and some troubleshooting of common issues.

Solution

The configuration page for ARCOS’s SSO can be found under the Sys Admin>SSO Config tab. This page is divided into two main portions.

The Identity Provider (IdP) section is where the customer will input their SSO information from their IdP.

• Enable SSO / SAML
  • This button turns on and off SSO for ARCOS universally
• IdP SAML Metadata (OPTIONAL)
  • Some customer’s IdP may offer an exportable SAML Metadata file with all the required information needed to configure ARCOS’s SSO.
  • Selecting “Use Metadata File” will allow a customer to import these configurations and skip manually entering any fields.
• IdP SAML Entity ID (REQUIRED)
  • This is the primary endpoint for the IdP.
  • May also be listed as the “Issuer” element in the Authentication Response.
• IdP SSO Endpoint URL (REQUIRED)
  • This is the IdP’s specific endpoint where SSO AuthenRequests will be sent to.
• IdP SSO Binding (REQUIRED)
  • This designates the type or mechanism to be used by requestors and responders when exchanging login messages and will be dependent upon the customer’s IdP configuration.
  • ARCOS supports both of the below protocols:
    • HTTP-Post
    • HTTP-Redirect
• AuthnRequestsSigned (REQUIRED)
  • This designates whether or not ARCOS should apply a digital signature to authentication requests.
• Username element (REQUIRED)
  • This designates the location of the Web ID field in the SAML Response.
  • The most commonly utilized is the NameID field, however some customers may utilize the Attribute function if their IdP stores the usernames in another location.
  • This field is CaSe SEnSItIVe
• Enable Single-Logout (SLO) (OPTIONAL)
  • If the customer wants to utilize a SLO, they will need to select if this is to occur on Mobile and/or on the Web portal.
• IdP SLO Endpoint URL (OPTIONAL)
  • The specific URL from the IdP that SLO LogoutRequests will be directed to.
  • Only required if Web and/or Mobile was selected in the “Enable Single-Logout (SLO)” field.
• IdP SLO Binding (OPTIONAL)
  • This designates the type or mechanism to be used by requestors and responders when exchanging logout messages and will be dependent upon the customer’s IdP configuration.
  • Only required if Web and/or Mobile was selected in the “Enable Single-Logout (SLO)” field. (if not required, leave as HTTP-POST)
• IdP Public Cert (REQUIRED)
  • This is the field the customer will enter the certificate provided by their IdP that will be used to verify signatures in the Authentication Response.
• IdP Cert Info
  • This filed will auto-populate with the IdP’s basic certificate information once pasted in the “IdP Public Cert” field.
  • This field is informational only.
• Post-Logout URL (OPTIONAL)
  • The specific URL the customer will be directed to after logging out
  • This field may be left blank if no specific URL is needed

The Service Provider (SP) section contains all of the required information from ARCOS that the customer will need to provide to their IdP.

Note: If this section is blank, please click the “Submit” button at the bottom of the page to refresh.

• SP SAML Entity ID
  • This is the unique identifier that is used to identify the AROCS entity in the SAML authentication and authorization protocol.
    • NOTE: The Entity ID can be customized if needed to include the company’s schema. This must be configured by ARCOS’s and an OSCAR ticket is required.
• SP SSO Endpoint URL
  • This is the specific endpoint that all SSO Authentication Responses from the customer’s IdP should be posted to.
• SP SLO Endpoint URL
  • This is the specific endpoint that all Single-Logout (SLO) requests and responses should be posted to if the customer’s IdP utilizes this feature.
• SP SAML Protocol Binding
  • This designates the type or mechanism to be used by requestors and responders when exchanging messages.
  • This applies to both SSO and SLO endpoints.
• SP Cert Info
  • This contains specific information on ARCOS’s certificate.
    • NOTE: AROCS’s default SSO encryption is SHA1. This is an older encryption method and may not meet cybersecurity standards for some customers. ARCOS does offer SHA256 encryption if requested. Since this must be configured by ARCOS’s, an OSCAR ticket is required to enable this option.
• AuthenRequestsSigned
  • This is a Yes or No value that is determined by the customer’s selection in the above IdP section.
  • This determines whether ARCOS should or should not apply a digital signature to authentication requests.
• SP SAML Metadata
  • This is an XML which contains all of ARCOS SP information above.
  • Some IdP’s allow the customer to import an XML file instead of inputting the above fields manually.
  • The customer may also need to export a copy of ARCOS’s Certificate for their IdP to validate.
    • To export this XML file, click the “Metadata” button
    • To export the Cert file, click the “Certificate” button

Once SSO has been configured and enabled, customers will need to designate which security groups have access to SSO. This is configured under Sys Admin>Security.