Configure Single Sign-on
Single Sign-on (SSO) is an authentication scheme that lets a user log in with a single identity to several related, yet independent software systems, including the Wyn Enterprise application. With SSO, users log in to the Wyn application once and access its services without re-entering their authentication factors. This article describes the common SSO configuration settings and explains how to configure SSO in the Wyn Enterprise identity service for the following external identity providers supported by Wyn Enterprise:
SSO Configuration Settings
To configure SSO, open the Wyn.conf file, which is generally located at C:\ProgramFiles\WynEnterprise\Monitor\conf on your local machine. The following configuration settings show the general layout of an SSO node:
```xml
<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>{Protocol}</AuthenticationProtocol>
      <Scheme>{IdP}</Scheme>
      <Disabled>true|false</Disabled>
      <AllowIncognizantUser>true|false</AllowIncognizantUser>
      <Authority>{}</Authority>
      <ClientId>{your_client_id}</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>{your_code}</ResponseCode>
      <Callback>{your_IdP_callbackURL}</Callback>
      <Scopes>
        <sys:string>{authentication_provider_scopes}</sys:string>
        ...
      </Scopes>
    </SSO>
  </Authentication>
</Server>
```
The following table describes each configuration setting:
Setting | Type | Description |
---|---|---|
AuthenticationProtocol | Mandatory | Specifies the protocol used to authenticate users for SSO. |
Scheme | Optional | An identifier of the authentication provider; it can hold any value, for example "MicrosoftAzureAD", "AWSCognito" or "MyTestingIdentityProvider". |
Disabled | Optional | Disables the SSO function. The default value is False. |
AllowIncognizantUser | Optional | Allows users who do not exist in the Wyn Enterprise application to log in to the application. Set the value to True or False. |
Authority | Mandatory | The service endpoint URL used to request tokens from the authentication service provider. The Authority value is generally the domain URL of your authentication service provider. |
ClientId | Mandatory | The public client identifier required for OAuth flows. |
ClientSecret | Mandatory | The secret used to exchange an authorization code for a token. The ClientSecret must be kept confidential. |
ResponseCode | | Defines an authorization request parameter sent to the authorization endpoint. |
Callback | Optional | The base URL to which the IdP response is sent after user authentication. |
Scopes | Optional | Customizes the data requested from the third-party application. |
Additional SSO Configuration Settings
The following additional configuration settings are common to all the authentication service providers:
Cookie Management: Cookie options are used to identify user preferences and to track user behavior. Cookies are needed to maintain the login state of users so that they can access secured pages without entering their credentials again. Wyn Enterprise uses HTTP cookie attributes such as Secure, SameSite, Domain and Path to manage and handle SSO configuration settings. To enable the cookies across user domains, set Cookie: SameSite to None and Cookie: Secure to True.
```xml
<Server>
  ...
  <Cookie>
    <ShareCookie>false</ShareCookie>
    <SameSite>None</SameSite>
    <Secure>true</Secure>
  </Cookie>
  ...
</Server>
```
Incognizant Mode: Incognizant mode enables or disables access by external users to the Wyn Enterprise application. To allow users who do not exist in the Wyn Enterprise application to log in, set AllowIncognizantUser to True. To prevent login by users who do not exist in the Wyn Enterprise application, import the list of allowed users into the Wyn Enterprise application and ensure that the value of the Scheme node is the same as the Provider value of the imported users.
```xml
<Server>
  ...
  <Authentication>
    <SSO>
      ...
      <AllowIncognizantUser>true</AllowIncognizantUser>
      ...
    </SSO>
  </Authentication>
  ...
</Server>
```
Claim Mapping: Claims carry information about the authenticated user, such as name, phone number, email and roles. A claim mapping item in the <ClaimMappings> setting under the <SSO> node of the Wyn.conf file consists of a Key and a Value, where the Key represents the user context in Wyn Enterprise and the Value represents the user context from the authentication provider. To add claims, set the Key and Value fields to the claim names as shown in the sample configuration settings below.
```xml
<Server>
  ...
  <ClaimMappings>
    <sys:Item>
      <Key>given_name</Key>
      <Value>id</Value>
    </sys:Item>
    <sys:Item>
      <Key>phone_number</Key>
      <Value>profile</Value>
    </sys:Item>
    <sys:Item>
      <Key>sub</Key>
      <Value>id</Value>
    </sys:Item>
  </ClaimMappings>
  ...
</Server>
```
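As an added example (not part of Wyn Enterprise or of this page), the following Python linter reads the SSO and Cookie settings described above and flags the combinations an administrator should check before enabling SSO: empty mandatory settings, a non-HTTPS Authority, AllowIncognizantUser set to true, an OIDC protocol without the openid scope, and SameSite=None without Secure. The sample configuration and the namespace URI given to the sys: prefix are constructed for the example.

```python
"""Lint the <SSO> and <Cookie> sections of a Wyn.conf-style file."""
import xml.etree.ElementTree as ET

# Constructed sample. The real Wyn.conf declares the sys: prefix on its root;
# the URI used here is a placeholder so that ElementTree accepts the prefix.
SAMPLE_CONF = """<Server xmlns:sys="urn:placeholder-sys">
  <Authentication>
    <SSO>
      <AuthenticationProtocol>OIDC</AuthenticationProtocol>
      <Scheme>Microsoft</Scheme>
      <Disabled>false</Disabled>
      <AllowIncognizantUser>true</AllowIncognizantUser>
      <Authority>http://sts.windows.net/example-tenant-id</Authority>
      <ClientId>example-client-id</ClientId>
      <ClientSecret></ClientSecret>
      <Scopes><sys:string>openid</sys:string><sys:string>profile</sys:string></Scopes>
    </SSO>
  </Authentication>
  <Cookie><ShareCookie>false</ShareCookie><SameSite>None</SameSite><Secure>false</Secure></Cookie>
</Server>"""

MANDATORY = ("AuthenticationProtocol", "Authority", "ClientId", "ClientSecret")


def _text(node, tag):
    """Trimmed text of a child element, or '' when the node or child is absent."""
    child = node.find(tag) if node is not None else None
    return (child.text or "").strip() if child is not None else ""


def lint_sso(conf_xml):
    """Return a list of findings (strings) for the SSO and Cookie settings."""
    root = ET.fromstring(conf_xml)
    sso = root.find("./Authentication/SSO")
    if sso is None:
        return ["no <SSO> node under <Authentication>"]
    findings = []
    for tag in MANDATORY:
        if not _text(sso, tag):
            findings.append(f"mandatory setting {tag} is missing or empty")
    authority = _text(sso, "Authority")
    if authority and not authority.lower().startswith("https://"):
        findings.append("Authority is not an https URL; token requests would travel in clear")
    if _text(sso, "AllowIncognizantUser").lower() == "true":
        findings.append("AllowIncognizantUser=true: any user the IdP authenticates can log in, not only imported users")
    scopes = [(s.text or "").strip() for s in sso.findall("./Scopes/*")]  # sys:string children
    if _text(sso, "AuthenticationProtocol").upper() == "OIDC" and "openid" not in scopes:
        findings.append("OIDC selected but the openid scope is not requested")
    cookie = root.find("./Cookie")
    if _text(cookie, "SameSite").lower() == "none" and _text(cookie, "Secure").lower() != "true":
        findings.append("Cookie SameSite=None requires Secure=true, otherwise browsers reject the cookie")
    return findings
```

Running `lint_sso(SAMPLE_CONF)` on the constructed sample reports four findings: the empty ClientSecret, the plain-HTTP Authority, the incognizant-user setting and the SameSite/Secure mismatch.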
Authentication Providers supported by Wyn Enterprise
The following table lists the configuration settings for each authentication service provider supported by Wyn Enterprise with default values of the configuration settings:
Config. Setting | CAS | Azure AD | Google | AWS Cognito | Okta |
---|---|---|---|---|---|
AuthenticationProtocol | CAS | OIDC | OAuth | OIDC | OIDC |
Scheme | CAS | Microsoft | | AWS | OKTA |
Disabled | False | False | False | N/A | N/A |
Authority | http://auth.groupoa.net:localhost_id} | https://sts.windows.net/{your_directory(tenant)_id} | https://accounts.google.com/o/oauth2/v2/auth | https://cognito-idp.{region}.amazonaws.com/{user_pool_id} | Domain URL of your Okta organization. For example, |
ClientId | Client identifier for the CAS authentication server. | Unique Application ID assigned in the Azure AD account. | Your Client ID from the Google Cloud service account. See the help topic on Creating Client IDs for more information. | Pool ID | Your Client ID from the Okta organization. |
ClientSecret | Decoded URL before comparing to the secret in the CAS service definition. | Your Client Secret from the Azure AD account. | Your Client Secret from the Google Cloud service account. | Your Client Secret from the AWS user pool. | Your Client Secret from the Okta organization. |
Scopes | openid, profile, email, address, phone, custom | openid, email, profile, offline_access, .default | email, openid, profile | openid, profile, email, phone | openid, profile, email |
ResponseCode | N/A | N/A | N/A | N/A | code |
Callback | N/A | N/A | N/A | Callback URI specified in the application client setting. Otherwise, the value is /signin-oidc. | Default value is /signin-oidc. Otherwise, the value must match the Redirect URI specified in the Okta application. |
Claim Mapping | given_name, sub, name, email, address, phone_number, custom | See the complete list of claim mapping items here. | aud, exp, sub, at_hash, email, family_name, given_name, name, profile, etc. | address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preferred_username, profile, sub, updated_at, website, zoneinfo | id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name |
Incognizant User | Supported | Supported | Supported | Supported | Supported |
SLO (Single Logout) | Supported | Supported | Not Supported | Not Supported | Not Supported |
See the blog post on Single Sign-on for general information related to the feature in Wyn Enterprise.