Client setup for Single Sign-On (Generic) endpoint in their IdP using the SAML 2.0 protocol for a Frontline application. Steps and roles to establish for the Asset Management application.
- Navigation:
- Admin View
- District Settings
- API and SSO Information
Table of Contents
Configuration Checklist
Frontline Configuration
The following items have been setup/created by Frontline in order to kick off the SSO setup:
Num | Item | Value | |
---|---|---|---|
1 | Relying Party Identifier (Assertion Consumer) URL for Desktop | https://HayesURL/TIPIDCore/ | |
2 | Relying Party Identifier (Assertion Consumer) URL for Mobile | https://HayesURL/TIPWebITMobile-Login/ | |
3 | Asset Management Endpoint for Desktop | https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx | |
4 | TIPWeb-IT Endpoint for Mobile | https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer |
District Configuration
Overview to Setup SAML 2.0 SSO
Customers who are asked to setup a Single Sign-On endpoint in their IdP using the SAML 2.0 protocol for a Frontline application are sent an application Identifier (Entity ID), the Reply URL (Assertion Consumer Service), the Metadata XML, the roles to be created in their IdP and the list of attributes, and claims needed by the Frontline Asset Management application.
After setting up the SSO endpoint, customers are asked to the IdP SAML Login URL, the IdP SAML Metadata URL or XML, the SAML Certificate and the certificate thumbprint to Frontline support services. This process is repeated for each Frontline application.
Once the above process is complete, customers will create, setup and send Frontline the test/support account (username/domain and password) in their IdP.
Setup Roles or Groups
Asset Management products must have the following roles (group names) setup in the IdP, and those group names must be sent over as plain text in the "role" attribute/claim the SAML response to the Asset Management application.
Required Group Name | Description |
---|---|
TIPWEBIT_ADMINVIEW_ADMIN | An administrative level user with admin level permissions. |
TIPWEBIT_ ADMINVIEW_USER | An administrative user. They have similar rights as the admin user, except a few application maintenance features. |
TIPWEBIT_SITEVIEW_ADMIN | A site level administrator who only has access to their site data. |
TIPWEBIT_SITEVIEW_USER | A site user who can only work with their site data. |
TIPWEBIT_LOOKUPVIEW_USER | A view-only used to lookup tags existing in TIPWeb IT. |
Create an Account for Frontline Asset Management
Create an SSO account for Frontline support users in your IdP. Create the following user in your IdP for Frontline Support Staff with a password that does not expire.
- Username: tipweb_it
- Password: <password that does not expire>
- Add to group: TIPWEBIT_ADMINVIEW_ADMIN
- Add an email address such as tipweb_it@DistrictDomainName
Set Up Endpoints
Setup a new, separate endpoint in your SSO IdP to allow Asset Management to authenticate the user.
Application Identifier (Entity ID)
https://HayesURL/TIPIDCore/
Reply URL (Assertion Consumer Service URL)
https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx
Metadata XML
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID=" https://HayesURL/TIPIDCore/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" index="1" ></md:AssertionConsumerService>
</md:SPSSODescriptor>
</md:EntityDescriptor>
List of Attributes and Claims
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/> => UserName
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>
Metadata Overrides
- NameId Format = emailAddress
- NameId Value = Email
Setup a new, separate endpoint in your SSO IdP to allow TIPWeb-IT Mobile to authenticate the user.
Application Identifier (Entity ID)
https://HayesURL/TIPWebItMobile-Logon/
Reply URL (Assertion Consumer Service URL)
https://HayesURL/TIPWebItMobile-Logon/SAML/SAMLConsumer
Metadata XML
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://HayesURL/TIPWebITMobile-Logon/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location=" https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer"
index="1" ></md:AssertionConsumerService>
</md:SPSSODescriptor></md:EntityDescriptor>
List of Attributes and Claims
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/> => UserName
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>
Metadata Overrides
- NameId Format = emailAddress
- NameId Value = Email
When you have setup the SSO endpoint for Asset Management in your IdP, fill out the required fields in Configuration Document, and send it to ihdmsupport@frontlineed.com.
Sample SAML Request and Response
Request
<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_591df756-862f-40ff-8b87-2624fbf38c86">
Version="2.0"
IssueInstant="2021-09-10T15:37:21Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
Destination="https://__your_SSO_Login_URL__"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://HayesURL/TIPIDCore/</saml:Issuer>
</samlp:AuthnRequest>
Response
The SSO IdP must send back a SAML response to Asset Management that is similar to the following:
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_93883a0f-fa68-42d7-8444-c61473ea706c" Version="2.0" IssueInstant="2021-09-08T17:49:02.278Z" Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cf241dc-38c0-4881-9b8b-cd751eda6701" IssueInstant="2021-09-08T17:49:02.278Z" Version="2.0"><Issuer>https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6cf241dc-38c0-4881-9b8b-cd751eda6701"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>...</DigestValue></Reference></SignedInfo><SignatureValue>...</SignatureValue><KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tipweb_it@DistrictDomainName</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131" NotOnOrAfter="2021-09-08T18:49:01.997Z" Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/></SubjectConfirmation></Subject><Conditions NotBefore="2021-09-08T17:44:01.997Z" NotOnOrAfter="2021-09-08T18:49:01.997Z"><AudienceRestriction><Audience>https://HayesURL/TIPIDCore/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Hayes Support</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Hayes</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Support</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>tipweb_it@DistrictDomainName</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>tipweb_it@DistrictDomainName</AttributeValue></Attribute><Attribute Name="role"><AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2021-09-08T17:39:00.607Z" SessionIndex="_6cf241dc-38c0-4881-9b8b-cd751eda6701"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>
Setting Up Microsoft Azure AD
To integrate Microsoft Azure AD SSO with Frontline Asset Management, you must have a valid Azure Active Directory Single Sign-On (SSO) solution created by Microsoft. If you don’t have a Azure AD setup, you can read about it at Azure Active Directory.
Additional Resources
You can obtain further support for setting up Microsoft Azure AD here:
These are the steps that you will need to follow in order to allow Frontline to configure Asset Management to SSO into your Azure instance.
- Create Azure User Groups for Asset Management and Mobile SSO
- Create an Azure account for Frontline support users
- Add an Relying Party Trust (Identifier Entity ID) for each product Asset Management and Mobile
- Generate the IdP Metadata File or URL using SAML
- Send the Azure account and credentials, and the IdP details to the Frontline team
Steps
Complete the following in Microsoft Azure:
Navigate to: Enterprise Applications > New application
Choose Non-gallery application
Enter a name for the application and choose Add
From the Getting Startedpage of the new application, choose Single sign-on from left menu or Configure Single sign-on from the getting started page.
Choose SAML as the single sign-on mode.
In the Single Sign-On Configuration, you will need to modify both the Basic SAML configuration and User Attributes & Claims sections.
Collect values from the SAML Signing Certificate section and the Set-up section to return to Frontline.
In the Basic SAML Configuration, enter the following values for Identifier and Reply URL and choose Save.
- Identifier: https://HayesURL/TIPIDCore/
- Reply URL: https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx
In User Attributes & Claims, leave default claims in place and choose Add a group claim.
In the Group Claims window, fill out the following:
- Leave the default claims in place
- Click Add group claim
- Select All groups or Security groups depending on how your Asset Management Active Directory groups are configured
- In the Advanced options:
- Check "Customize the name of the group claim"
- In the Name field, type "role"
- Click Save
Information to Submit to Frontline
The following information will be needed by Frontline Software to configure your application to work with Azure AD Single Sign-On:
- SAML Signing Certificate Thumbprint
- Federation Metadata XML file
- Login URL
- Logout URL
FAQs
Should I name the URLs, file names, projects, and Google settings exactly as documented here?
Yes. Please do not change them as Asset Management depends on the specific names that are requested here.