Configure Single Sign-on

Single Sign-on (SSO) is an authentication scheme that allows a user to log in with a single identity to several related, yet independent software systems, including the Wyn Enterprise application. With SSO, users log in to the Wyn application once and access its services without re-entering their authentication factors. This article describes the common SSO configuration settings and explains how to configure SSO in the Wyn Enterprise identity service for the external identity authentication providers supported in Wyn Enterprise (listed at the end of this article).

SSO Configuration Settings

To configure SSO, open the Wyn.conf file, which is generally located at C:\ProgramFiles\WynEnterprise\Monitor\conf on your local machine. The following configuration settings show the general layout of an SSO node:

<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>{Protocol}</AuthenticationProtocol>
      <Scheme>{IdP}</Scheme>
      <Disabled>true|false</Disabled>
      <AllowIncognizantUser>true|false</AllowIncognizantUser>
      <Authority>{}</Authority>
      <ClientId>{your_client_id}</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>{your_code}</ResponseCode>
      <Callback>{your_IdP_callbackURL}</Callback>
      <Scopes>
        <sys:string>{authentication_provider_scopes}</sys:string>
        ...
      </Scopes>
    </SSO>
  </Authentication>
</Server>

The following table describes each configuration setting:

Setting | Type | Description
AuthenticationProtocol | Mandatory | Specifies the protocol used to authenticate users for SSO.
Scheme | Optional | Identifier of the authentication provider. It can hold any value, for example "MicrosoftAzureAD", "AWSCognito" or "MyTestingIdentityProvider".
Disabled | Optional | Disables the SSO function. The default value is False.
AllowIncognizantUser | Optional | Allows users that do not exist in the Wyn Enterprise application to log in to the application. Set the value to True or False.
Authority | Mandatory | Service endpoint URL used to request tokens from the authentication service provider. The Authority value is generally the domain URL of your authentication service provider.
ClientId | Mandatory | Public identifier required for OAuth flows.
ClientSecret | Mandatory | Secret used to exchange an authorization code for a token. The ClientSecret must be kept confidential.
ResponseCode | | Defines an authorization request parameter from the authorization endpoint.
Callback | Optional | Base URL to which the IdP response is sent after the user authenticates.
Scopes | Optional | Customizes the data requested from the third-party application.

Additional SSO Configuration Settings

The following additional configuration settings are common to all authentication service providers:

  • Cookie Management: Cookie options are used to identify user preferences and to track user behavior. Cookies are needed to maintain the login state of users so that they can access secured pages without entering their credentials again. Wyn Enterprise uses HTTP cookie attributes such as Secure, SameSite, Domain and Path to manage the SSO session. To allow the cookies across user domains, set Cookie: SameSite to None and Cookie: Secure to True.

    <Server>
    ...
       <Cookie>
           <ShareCookie>false</ShareCookie>
           <SameSite>None</SameSite>
           <Secure>true</Secure>
       </Cookie>
    ...
    </Server>
    
  • Incognizant Mode: Incognizant mode enables or disables access of external users to the Wyn Enterprise application. To allow users who do not exist in the Wyn Enterprise application to log in, set AllowIncognizantUser to True. To prevent users who do not exist in the Wyn Enterprise application from logging in, import the list of allowed users into the Wyn Enterprise application and ensure that the value of the Scheme node is the same as the Provider value of the imported users.

    <Server>
    ...
       <Authentication>
         <SSO>
          ...
          <AllowIncognizantUser>True</AllowIncognizantUser>
          ...
         </SSO>
       </Authentication>
    ...
    </Server>

  • Claim Mapping: Claims carry information about the authenticated user such as name, phone number, email and roles. A claim mapping item in the <ClaimMappings> setting under the <SSO> node of the Wyn.conf file consists of a Key and a Value, where the Key represents the user context in Wyn Enterprise and the Value represents the user context from the authentication provider. To add claims, set the Key and Value fields to the claim names as shown in the following sample configuration:

    <Server>
    ...
        <ClaimMappings>
            <sys:Item>
              <Key>given_name</Key>
              <Value>id</Value>
            </sys:Item>
            <sys:Item>
              <Key>phone_number</Key>
              <Value>profile</Value>
            </sys:Item>
            <sys:Item>
              <Key>sub</Key>
              <Value>id</Value>
            </sys:Item>
        </ClaimMappings>
    ...
    </Server>
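As an added example (editor's code, not part of Wyn Enterprise), the following Python script parses a Wyn.conf and flags the SSO and Cookie settings discussed above that weaken a deployment: a placeholder ClientSecret, a plain-http Authority, AllowIncognizantUser set to true, and SameSite=None without Secure. The embedded sample configuration is constructed, and the checks are assumptions of this example rather than product behaviour.

```python
# Added example (not part of Wyn Enterprise): lint the SSO and Cookie sections of a
# Wyn.conf for settings that weaken the deployment. SAMPLE_WYN_CONF is constructed.
import xml.etree.ElementTree as ET
SAMPLE_WYN_CONF = """<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>OIDC</AuthenticationProtocol>
      <Scheme>OKTA</Scheme>
      <Disabled>false</Disabled>
      <AllowIncognizantUser>true</AllowIncognizantUser>
      <Authority>http://dev-example.okta.com</Authority>
      <ClientId>example-client-id</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
    </SSO>
  </Authentication>
  <Cookie>
    <SameSite>None</SameSite>
    <Secure>false</Secure>
  </Cookie>
</Server>"""

def text(node, tag, default=""):
    # Trimmed text of a child element, or the default when the child is absent.
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else default

def lint_sso(conf_xml):
    """Return a list of findings; an empty list means nothing was flagged."""
    root = ET.fromstring(conf_xml)  # misnested closing tags raise ParseError here
    sso = root.find("Authentication/SSO")
    if sso is None:
        return ["no Authentication/SSO node found"]
    findings = []
    if text(sso, "Disabled", "false").lower() == "true":
        return findings  # SSO is switched off; the remaining settings are inert
    for tag in ("AuthenticationProtocol", "Authority", "ClientId", "ClientSecret"):
        if not text(sso, tag) or text(sso, tag).startswith("{"):
            findings.append(f"{tag} is missing or still a placeholder")
    if text(sso, "Authority").lower().startswith("http://"):
        findings.append("Authority uses plain http; tokens would travel unencrypted")
    if text(sso, "AllowIncognizantUser").lower() == "true":
        findings.append("AllowIncognizantUser=true: any IdP account may log in, not only imported users")
    cookie = root.find("Cookie")
    if cookie is not None and text(cookie, "SameSite").lower() == "none" \
            and text(cookie, "Secure").lower() != "true":
        findings.append("Cookie SameSite=None without Secure=true; browsers reject such cookies")
    return findings

if __name__ == "__main__":
    for finding in lint_sso(SAMPLE_WYN_CONF):
        print("WARN:", finding)
```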

Authentication Providers supported by Wyn Enterprise

The following sections list the configuration settings for each authentication service provider supported by Wyn Enterprise, with the default values of the settings.

CAS Server
  AuthenticationProtocol: CAS
  Scheme: CAS
  Disabled: False
  Authority: http://auth.groupoa.net:{localhost_id}
  ClientId: Client identifier for the CAS authentication server.
  ClientSecret: Decoded URL before comparing to the secret in the CAS service definition.
  Scopes: openid, profile, email, address, phone, custom
  ResponseCode: N/A
  Callback: N/A
  Claim Mapping: given_name, sub, name, email, address, phone_number, custom
  Incognizant User: Supported
  SLO: Supported

Microsoft Azure AD
  AuthenticationProtocol: OIDC
  Scheme: Microsoft
  Disabled: False
  Authority: https://sts.windows.net/{your_directory(tenant)_id}
  ClientId: Unique Application ID assigned in the Azure AD account.
  ClientSecret: Your Client Secret from the Azure AD account.
  Scopes: openid, email, profile, offline_access, .default
  ResponseCode: N/A
  Callback: N/A
  Claim Mapping: Refer to the complete list of claim mapping items for Azure AD.
  Incognizant User: Supported
  SLO: Supported

Google Cloud Service
  AuthenticationProtocol: OAuth
  Scheme: Google
  Disabled: False
  Authority: https://accounts.google.com/o/oauth2/v2/auth
  ClientId: Your Client ID from the Google Cloud Service account. See the help topic on Creating Client IDs for more information.
  ClientSecret: Your Client Secret from the Google Cloud Service account.
  Scopes: email, openid, profile
  ResponseCode: N/A
  Callback: N/A
  Claim Mapping: aud, exp, sub, at_hash, email, family_name, given_name, name, profile, etc.
  Incognizant User: Supported
  SLO: Not Supported

Amazon Cognito Service
  AuthenticationProtocol: OIDC
  Scheme: AWS
  Disabled: N/A
  Authority: https://cognito-idp.{region}.amazonaws.com/{user_pool_id}
  ClientId: Pool ID
  ClientSecret: Your Client Secret from the AWS user pool.
  Scopes: openid, profile, email, phone
  ResponseCode: N/A
  Callback: Callback URI specified in the application client setting; otherwise the value is /signin-oidc.
  Claim Mapping: address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preferred_username, profile, sub, updated_at, website, zoneinfo
  Incognizant User: Supported
  SLO: Not Supported

OKTA
  AuthenticationProtocol: OIDC
  Scheme: OKTA
  Disabled: N/A
  Authority: Domain URL of your OKTA organization, for example https://dev-03535523-admin.okta.com
  ClientId: Your Client Id from the Okta organization.
  ClientSecret: Your Client Secret from the Okta organization.
  Scopes: openid, profile, email
  ResponseCode: Code
  Callback: Default value is /signin-oidc; otherwise the value should match the Redirect URI specified in the OKTA application.
  Claim Mapping: id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name
  Incognizant User: Supported
  SLO: Not Supported

See the blog post on Single Sign-on for general information related to the feature in Wyn Enterprise.