Frontline Inventory & Help Desk Management

Google SAML 2.0 SSO Setup

Client setup for Single Sign-On (Generic) endpoint in their IdP using the SAML 2.0 protocol for a Frontline application. Steps and roles to establish for the Asset Management application.

  1.  Navigation:
  2. Admin View
  3. District Settings
  4. API and SSO Information

Configuration Checklist

Frontline Configuration

The following items have been setup/created by Frontline in order to kick off the SSO setup:

  Num Item Value
  1 Relying Party Identifier (Assertion Consumer) URL for Desktop https://HayesURL/TIPIDCore/
  2 Relying Party Identifier (Assertion Consumer) URL for Mobile https://HayesURL/TIPWebITMobile-Login/
  3 SAML 2.0 Endpoint for Desktop https://HayesURL/TIPIDCore/SSO/ADFSLogOn.aspx
  4 SAML 2.0 Endpoint for Mobile https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer
  5 Your school's primary email domain DistrictDomainName

District Configuration

Configuration Document

Download an interactive configuration document which will need to be completed and sent to Frontline in order to finalize your ADFS SAML installation.

Download Configuration Document

Overview to Setup SAML 2.0 SSO

Customers who are asked to setup a Single Sign-On endpoint in their IdP using the SAML 2.0 protocol for a Frontline application are sent an application Identifier (Entity ID), the Reply URL (Assertion Consumer Service), the Metadata XML, the roles to be created in their IdP and the list of attributes, and claims needed by the Frontline Asset Management application.

After setting up the SSO endpoint, customers are asked to the IdP SAML Login URL, the IdP SAML Metadata URL or XML, the SAML Certificate and the certificate thumbprint to Frontline support services. This process is repeated for each Frontline application.

Once the above process is complete, customers will create, setup and send Frontline the test/support account (username/domain and password) in their IdP.

Setup Roles or Groups

Asset Management products must have the following roles (group names) setup in the IdP, and those group names must be sent over as plain text in the "role" attribute/claim the SAML response to the Asset Management application.

Required Group Name Description
TIPWEBIT_ADMINVIEW_ADMIN An administrative level user with admin level permissions.
TIPWEBIT_ ADMINVIEW_USER An administrative user. They have similar rights as the admin user, except a few application maintenance features.
TIPWEBIT_SITEVIEW_ADMIN A site level administrator who only has access to their site data.
TIPWEBIT_SITEVIEW_USER A site user who can only work with their site data.
TIPWEBIT_LOOKUPVIEW_USER A view-only used to lookup tags existing in TIPWeb IT.

Create an Account for Frontline Asset Management

Create an SSO account for Frontline support users in your IdP. Create the following user in your IdP for Frontline Support Staff with a password that does not expire.

  • Username: tipweb_it
  • Password: <password that does not expire>
  • Add to group: TIPWEBIT_ADMINVIEW_ADMIN
  • Add an email address such as tipweb_it@DistrictDomainName

Set Up Endpoints

Setup a new, separate endpoint in your SSO IdP to allow Asset Management to authenticate the user.

Application Identifier (Entity ID)

https://HayesURL/TIPIDCore/

Reply URL (Assertion Consumer Service URL)

https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx

Metadata XML

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID=" https://HayesURL/TIPIDCore/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location=" https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" index="1" ></md:AssertionConsumerService>
</md:SPSSODescriptor>
</md:EntityDescriptor>

List of Attributes and Claims

<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/> => UserName
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>

NOTE: The "Role" attribute MUST carry/send the user's Role or Group name that you setup earlier. Your IdP cannot send or insert any other value in this attribute or field, such as Group ID or GUID or UID.

Metadata Overrides

  • NameId Format = emailAddress
  • NameId Value = Email

Setup a new, separate endpoint in your SSO IdP to allow TIPWeb-IT Mobile to authenticate the user.

Application Identifier (Entity ID)

https://HayesURL/TIPWebItMobile-Logon/

Reply URL (Assertion Consumer Service URL)

https://HayesURL/TIPWebItMobile-Logon/SAML/SAMLConsumer

Metadata XML

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
entityID="https://HayesURL/TIPWebITMobile-Logon/">
<md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
Location=" https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer"
index="1" ></md:AssertionConsumerService>
</md:SPSSODescriptor></md:EntityDescriptor>

List of Attributes and Claims

<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Given Name"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Surname"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="name"/> => UserName
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="email"/>
<md:RequestedAttribute isRequired="false" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Phone"/>
<md:RequestedAttribute isRequired="true" Name="urn:oasis:names:tc:SAML:2.0:attrname-format:basic" FriendlyName="Role"/>

NOTE: The "Role" attribute MUST carry/send the user's Role or Group name that you setup earlier. Your IdP cannot send or insert any other value in this attribute or field, such as Group ID or GUID or UID.

Metadata Overrides

  • NameId Format = emailAddress
  • NameId Value = Email

When you have setup the SSO endpoint for Asset Management in your IdP, fill out the required fields in Configuration Document, and send it to ihdmsupport@frontlineed.com.

Sample SAML Request and Response

Request

<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
ID="_591df756-862f-40ff-8b87-2624fbf38c86">
Version="2.0"
IssueInstant="2021-09-10T15:37:21Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
AssertionConsumerServiceURL="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"
Destination="https://__your_SSO_Login_URL__">
<saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://HayesURL/TIPIDCore/</saml:Issuer>
</samlp:AuthnRequest>

Response

The SSO IdP must send back a SAML response to Asset Management that is similar to the following:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_93883a0f-fa68-42d7-8444-c61473ea706c" Version="2.0" IssueInstant="2021-09-08T17:49:02.278Z" Destination="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx" InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131"><Issuer xmlns="urn:oasis:names:tc:SAML:2.0:assertion">https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer><samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" /></samlp:Status><Assertion xmlns="urn:oasis:names:tc:SAML:2.0:assertion" ID="_6cf241dc-38c0-4881-9b8b-cd751eda6701" IssueInstant="2021-09-08T17:49:02.278Z" Version="2.0"><Issuer>https://sts.windows.net/90e0c2f4-c0eb-4f28-b0f5-8d2c578af4c8/</Issuer><Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><SignedInfo><CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /><SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" /><Reference URI="#_6cf241dc-38c0-4881-9b8b-cd751eda6701"><Transforms><Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" /><Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" /></Transforms><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" /><DigestValue>...</DigestValue></Reference></SignedInfo><SignatureValue>...</SignatureValue><KeyInfo><X509Data><X509Certificate>...</X509Certificate></X509Data></KeyInfo></Signature><Subject><NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">tipweb_it@DistrictDomainName</NameID><SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><SubjectConfirmationData InResponseTo="_f9948222-3e11-4592-a0f6-7f15c2812131" NotOnOrAfter="2021-09-08T18:49:01.997Z" Recipient="https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx"/></SubjectConfirmation></Subject><Conditions NotBefore="2021-09-08T17:44:01.997Z" NotOnOrAfter="2021-09-08T18:49:01.997Z"><AudienceRestriction><Audience>https://HayesURL/TIPIDCore/</Audience></AudienceRestriction></Conditions><AttributeStatement><Attribute Name="http://schemas.microsoft.com/identity/claims/displayname"><AttributeValue>Hayes Support</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"><AttributeValue>Hayes</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"><AttributeValue>Support</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><AttributeValue>tipweb_it@DistrictDomainName</AttributeValue></Attribute><Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"><AttributeValue>tipweb_it@DistrictDomainName</AttributeValue></Attribute><Attribute Name="role"><AttributeValue>TIPWEBIT_ADMINVIEW_ADMIN</AttributeValue></Attribute></AttributeStatement><AuthnStatement AuthnInstant="2021-09-08T17:39:00.607Z" SessionIndex="_6cf241dc-38c0-4881-9b8b-cd751eda6701"><AuthnContext><AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</AuthnContextClassRef></AuthnContext></AuthnStatement></Assertion></samlp:Response>

Setting Up Google SAML

To integrate Google SAML SSO with Frontline Asset Management, you must have a valid Google for Education or Google Workspace license.  If you don’t have a Google Workspace/Admin account, you can read about it at Google Workspace Services.

Additional Resources

You can obtain further support for setting up Google SAML here:

These are the steps that you will need to follow in order to allow Frontline to configure Asset Management to SSO into your Google instance.

  1. Create Google Custom User Attributes (roles) for Asset Management and Mobile SSO
  2. Create a Google account for Frontline support users
  3. Add an Identifier Entity ID and ACES URL for each product Asset Management and Mobile
  4. Map the SAML attributes including custom user attributes
  5. Populate all the users’ custom attributes (the roles)
  6. Send the account and credentials, the security certificates and login details to the Frontline team
  7. Repeat steps 1-6 these for Mobile

Steps

Login to your Google Admin console. You must be an administrator of your Google Workspace. Click Users, then select More -> Manage Custom Attributes.

Image_1.png

Image_2.png

Click Add Custom Attributes

Image_3.png

Add a new custom attribute for Asset Management groups. It must be of the "Text" type, visible to the organization and a Single Value.

Image_4.png

Click Save

Ensure that the value of this attribute is filled in for every user in the organization, using values from the "Setup Roles or Groups" section.

Click Apps

Image_5.png

Click Web and mobile apps

Image_6.png

Click and select Add App -> Add custom SAML app

Image_7.png

Give your new app a name (required) and an icon (optional but recommended).

Image_8.png

Download and copy the metadata, SSO URL, entity ID, certificate and fingerprint and record them in Configuration Document. Repeat the process for Mobile. Send both documents to Frontline support.

Image_9.png

Type in or copy the ACS URL and the Entity ID from this document. The Entity ID is the "Application Identifier". The ACS URL is the Endpoint Reply URL or Assertion Consumer Service URL. The response must not be signed. The Name ID format is the EMAIL and the Name ID is the Primary email (Basic Information -> Primary email).

  TIPWeb-IT Mobile
Entity ID https://HayesURL/TIPIDCore/ https://HayesURL/TIPWebITMobile-Logon/
Endpoint Reply URL https://HayesURL/TIPIDCore/SSO/SAMLConsumer.aspx https://HayesURL/TIPWebITMobile-Logon/SAML/SAMLConsumer

NOTE: The case and slashes in the ACS URL and Entity ID must be exactly as specified in this document, including trailing slashes. Any difference at all between this document and your Google Admin SAML app will cause the SSO to fail.

Image_10.png

Add the SAML attribute mapping. You must include the custom role attribute that carries the name of the users' roles.

Image_11.png

FAQs

Should I name the URLs, file names, projects, and Google settings exactly as documented here?

Yes. Please do not change them as Asset Management depends on the specific names that are requested here.

Where should this information be sent once it is setup?

Please send the information to Frontline support at ihdmsupport@frontlineed.com.

Are there any special permissions that I need to give Frontline Asset Management or its user account?

No. All permissions are default ones, and the user account that’s needed to be created need to be just a regular user, and not a technician or an administrator.

Can I use any other protocol or version instead of SAML 2.0?

No; at this stage, we do not support any other protocol except SAML 2.0.