
Configure Single Sign-on

Single Sign-on (SSO) is an authentication scheme that lets a user log in with a single identity to several related, yet independent software systems, the Wyn Enterprise application among them. SSO allows users to log in to the Wyn application once and access its services without re-entering their authentication factors. This article describes the common SSO configuration settings and explains how to configure SSO in the Wyn Enterprise identity service for the external identity providers supported by Wyn Enterprise (listed in the provider table below):

SSO Configuration Settings

To configure SSO, open the Wyn.conf file, which is generally located at C:\ProgramFiles\WynEnterprise\Monitor\conf on your local machine. The following configuration settings show the general layout of an SSO node:

<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>{Protocol}</AuthenticationProtocol>
      <Scheme>{IdP}</Scheme>
      <Disabled>true|false</Disabled>
      <AllowIncognizantUser>true|false</AllowIncognizantUser>
      <Authority>{}</Authority>
      <ClientId>{your_client_id}</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>{your_code}</ResponseCode>
      <Callback>{your_IdP_callbackURL}</Callback>
      <Scopes>
        <sys:string>{authentication_provider_scopes}</sys:string>
        ...
      </Scopes>
    </SSO>
  </Authentication>
</Server>

The following table describes each configuration setting:

| Setting | Description | Values |
|---|---|---|
| Authentication Protocol | Specifies the protocol used to authenticate users for SSO. | CAS, OIDC, OAUTH, etc. |
| Scheme | Identifier of the authentication provider. | CAS, MicrosoftAzureAD, AWSCognitor, MyTestingIdentityProvider, etc. |
| Disabled | Disables the SSO function. | True or False. The default value is False. |
| AllowIncognizantUser | Allows users that do not exist in the Wyn Enterprise application to log in to the application. | True or False |
| Authority | The service endpoint URL used to request tokens from the authentication service provider. | Domain URL of your authentication service provider. |
| ClientId | The public identifier for the user required for OAuth flows. | For Amazon Cognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
| ClientSecret | A secret code used by the user to exchange an authorization code for a token. ClientSecret should be kept confidential. | For Amazon Cognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
| ResponseCode | Defines an authorization request parameter from the authorization endpoint. For example, the CAS Authentication Server uses Code as the ResponseCode value. | For CAS Authentication Server, the value is CAS. |
| Callback | A base URL where the IdP response is sent upon user authentication. Used in the SSO configuration settings with Amazon Cognito Service. | Redirect URI specified in the AWS app settings; the default value is /signin-oidc. |
| Scopes | Customizes data requests to a third-party application. | For OKTA: openid, profile, and email. For AWS: openid, profile, email, and phone. |
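The settings above are easy to get subtly wrong (a secret left as the template placeholder, an http:// Authority, an OIDC scope list without openid, incognizant mode enabled without anyone noticing). The following Python script, added here as an example and not part of Wyn Enterprise or its documentation, loads the <SSO> node from a Wyn.conf-style document and reports such problems. It assumes a constructed sample configuration; the xmlns:sys declaration and the urn:example:sys namespace are placeholders so that the sys:string elements parse in a strict XML parser, and the checks themselves are the author's, not Wyn's.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Wyn.conf <SSO> node (not a real configuration).
# The xmlns:sys value is an assumed placeholder namespace.
SAMPLE_WYN_CONF = """<Server xmlns:sys="urn:example:sys">
  <Authentication>
    <SSO>
      <AuthenticationProtocol>OIDC</AuthenticationProtocol>
      <Scheme>OKTA</Scheme>
      <Disabled>false</Disabled>
      <AllowIncognizantUser>true</AllowIncognizantUser>
      <Authority>http://idp.example.com</Authority>
      <ClientId>example-client-id</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>Code</ResponseCode>
      <Callback>/signin-oidc</Callback>
      <Scopes>
        <sys:string>profile</sys:string>
        <sys:string>email</sys:string>
      </Scopes>
    </SSO>
  </Authentication>
</Server>
"""


def load_sso(xml_text):
    """Return the <SSO> settings as a dict; Scopes becomes a list of strings."""
    root = ET.fromstring(xml_text)
    sso = root.find("./Authentication/SSO")
    if sso is None:
        raise ValueError("no <Server><Authentication><SSO> node found")
    cfg = {}
    for child in sso:
        if child.tag == "Scopes":
            # Children are namespaced sys:string elements; only their text matters.
            cfg["Scopes"] = [s.text.strip() for s in child if s.text]
        else:
            cfg[child.tag] = (child.text or "").strip()
    return cfg


def lint_sso(cfg):
    """Return a list of (severity, message) findings for one SSO node."""
    findings = []
    if cfg.get("Disabled", "false").lower() == "true":
        findings.append(("info", "SSO is disabled; the remaining settings are inert"))
        return findings

    for required in ("AuthenticationProtocol", "Scheme", "Authority", "ClientId"):
        if not cfg.get(required):
            findings.append(("error", f"{required} is empty"))

    # A value still wrapped in {braces} is the template placeholder, not a secret.
    secret = cfg.get("ClientSecret", "")
    if not secret or (secret.startswith("{") and secret.endswith("}")):
        findings.append(("error", "ClientSecret is empty or still the template placeholder"))

    authority = cfg.get("Authority", "")
    if authority and not authority.lower().startswith("https://"):
        findings.append(("error", "Authority must be an https:// URL so tokens never travel in clear text"))

    callback = cfg.get("Callback", "")
    if callback and not (callback.startswith("/") or callback.lower().startswith("https://")):
        findings.append(("error", "Callback must be a relative path or an https:// URL"))

    if cfg.get("AuthenticationProtocol", "").upper() == "OIDC" and "openid" not in cfg.get("Scopes", []):
        findings.append(("error", "OIDC requires the openid scope"))

    if cfg.get("AllowIncognizantUser", "").lower() == "true":
        findings.append(("warning", "AllowIncognizantUser=true: any identity the IdP authenticates "
                                    "can log in without first being imported into Wyn"))
    return findings


def check_wyn_conf(xml_text):
    """Convenience wrapper: parse and lint in one call."""
    return lint_sso(load_sso(xml_text))


if __name__ == "__main__":
    for severity, message in check_wyn_conf(SAMPLE_WYN_CONF):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the script reports three errors (placeholder secret, http:// Authority, missing openid scope) and one warning for incognizant mode; once those values are corrected it reports nothing. Point it at a copy of your real Wyn.conf rather than the file in place, since the ClientSecret it reads is confidential.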

Additional SSO Configuration Settings

The following configuration settings are common to all the supported Authentication Service Providers:

  • Cookie Management: Cookie options identify user preferences and track user behavior. Cookies are needed to maintain the login state of users so that they can access secured pages without entering their credentials again. Wyn Enterprise uses HTTP cookie attributes such as Secure, SameSite, Domain and Path to manage the SSO login state. To enable the cookies across user domains, set <SameSite> to None and <Secure> to true; browsers only accept a cookie with SameSite=None when it is also marked Secure, so the Wyn site must be served over HTTPS for this setting to work.

    <Server>
    ...
       <Cookie>
           <ShareCookie>false</ShareCookie>
           <SameSite>None</SameSite>
           <Secure>true</Secure>
       </Cookie>
    ...
    </Server>
    
  • Incognizant Mode: To allow users that do not exist in the Wyn Enterprise application to log in to the application, set AllowIncognizantUser to true. To prevent users that do not exist in the Wyn Enterprise application from logging in, import the allowed users into the Wyn application and ensure that the Provider value of the imported users matches the Scheme value.

    <Server>
    ...
       <Authentication>
         <SSO>
          ...
          <AllowIncognizantUser>true</AllowIncognizantUser>
          ...
         </SSO>
       </Authentication>
    ...
    </Server>

  • Claim Mapping: Claims carry information about the authenticated user, such as name, phone number, email and roles. A claim mapping item in the <ClaimMappings> setting under the <SSO> node of the Wyn.conf file consists of a Key and a Value, where the Key is the user attribute in Wyn Enterprise and the Value is the name of the claim from the authentication provider that fills it. To add claims, set the Key and Value fields to the claim names as shown in the sample configuration settings below.

    <Server>
    ...
        <ClaimMappings>
            <sys:Item>
              <Key>given_name</Key>
              <Value>id</Value>
            </sys:Item>
            <sys:Item>
              <Key>phone_number</Key>
              <Value>profile</Value>
            </sys:Item>
            <sys:Item>
              <Key>sub</Key>
              <Value>id</Value>
            </sys:Item>
        </ClaimMappings>
    ...
    </Server>
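The three settings above interact at login time: the cookie attributes decide whether the browser keeps the session at all, the claim mapping decides which IdP claim becomes which Wyn user attribute, and AllowIncognizantUser together with the imported users' Provider value decides whether an authenticated identity is admitted. The following Python script, added here as an example and not Wyn Enterprise's own code, models that decision over a constructed configuration and a constructed set of IdP claims. It assumes the placeholder namespace urn:example:sys for the sys: prefix, that the mapped "sub" attribute is the username under which users were imported, and that a login is allowed when the imported user's Provider equals the Scheme; the exact internal logic of Wyn is not documented here and may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the <Cookie> and <ClaimMappings> settings described
# above (not a real Wyn.conf); the xmlns:sys value is an assumed placeholder.
SAMPLE_CONF = """<Server xmlns:sys="urn:example:sys">
  <Cookie>
    <ShareCookie>false</ShareCookie>
    <SameSite>None</SameSite>
    <Secure>false</Secure>
  </Cookie>
  <Authentication>
    <SSO>
      <Scheme>OKTA</Scheme>
      <AllowIncognizantUser>false</AllowIncognizantUser>
      <ClaimMappings>
        <sys:Item><Key>given_name</Key><Value>id</Value></sys:Item>
        <sys:Item><Key>phone_number</Key><Value>profile</Value></sys:Item>
        <sys:Item><Key>sub</Key><Value>id</Value></sys:Item>
      </ClaimMappings>
    </SSO>
  </Authentication>
</Server>
"""

# Constructed claims as an IdP might return them (values are invented).
SAMPLE_IDP_CLAIMS = {"id": "user-1234", "profile": "+1 555 0100", "status": "ACTIVE"}


def lint_cookie(xml_text):
    """Flag SameSite=None without Secure: browsers reject such a cookie."""
    cookie = ET.fromstring(xml_text).find("./Cookie")
    if cookie is None:
        return []
    same_site = (cookie.findtext("SameSite") or "").strip().lower()
    secure = (cookie.findtext("Secure") or "").strip().lower() == "true"
    findings = []
    if same_site == "none" and not secure:
        findings.append("SameSite=None requires Secure=true; browsers drop the cookie "
                        "otherwise, and the login state must never travel over plain HTTP")
    return findings


def load_claim_mappings(xml_text):
    """Return [(wyn_key, idp_claim_name), ...] from <ClaimMappings> under <SSO>."""
    node = ET.fromstring(xml_text).find("./Authentication/SSO/ClaimMappings")
    pairs = []
    for item in (node if node is not None else []):
        key, value = item.findtext("Key"), item.findtext("Value")
        if key and value:
            pairs.append((key.strip(), value.strip()))
    return pairs


def map_claims(mappings, idp_claims):
    """Build the Wyn user context: each Key takes the IdP claim named by its Value."""
    context = {}
    for wyn_key, idp_claim in mappings:
        if idp_claim in idp_claims:
            context[wyn_key] = idp_claims[idp_claim]
    return context


def resolve_login(xml_text, idp_claims, imported_users):
    """Decide whether an IdP-authenticated identity may log in.

    imported_users maps username -> Provider, as imported into Wyn.
    Assumption: the mapped "sub" attribute is the imported username.
    """
    sso = ET.fromstring(xml_text).find("./Authentication/SSO")
    scheme = (sso.findtext("Scheme") or "").strip()
    allow_incognizant = (sso.findtext("AllowIncognizantUser") or "").strip().lower() == "true"
    context = map_claims(load_claim_mappings(xml_text), idp_claims)
    subject = context.get("sub")
    if subject is None:
        return ("deny", "no subject attribute after claim mapping")
    if imported_users.get(subject) == scheme:
        return ("allow", "imported user whose Provider matches the Scheme")
    if allow_incognizant:
        return ("allow", "unknown user admitted because AllowIncognizantUser is true")
    return ("deny", "user not imported for this Scheme and incognizant mode is off")


if __name__ == "__main__":
    for finding in lint_cookie(SAMPLE_CONF):
        print("cookie:", finding)
    print("mapped context:", map_claims(load_claim_mappings(SAMPLE_CONF), SAMPLE_IDP_CLAIMS))
    print(resolve_login(SAMPLE_CONF, SAMPLE_IDP_CLAIMS, {"user-1234": "OKTA"}))
    print(resolve_login(SAMPLE_CONF, SAMPLE_IDP_CLAIMS, {"user-1234": "Google"}))
```

With the sample, the cookie check fires because Secure is false while SameSite is None; the user imported with Provider OKTA is admitted, while the same username imported under a different Provider is refused because incognizant mode is off. Flipping AllowIncognizantUser to true admits any identity the IdP vouches for, which is exactly why the lint above treats that setting as a warning.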

Authentication Providers supported by Wyn Enterprise

The following table lists the configuration settings for each authentication service provider supported by Wyn Enterprise with default values of the configuration settings:

| Config. Setting | CAS Server | Microsoft Azure AD | Google Cloud Service | Amazon Cognito Service | OKTA |
|---|---|---|---|---|---|
| Authentication | CAS | OIDC | OAuth | OIDC | OIDC |
| Scheme | CAS | Microsoft | Google | AWS | OKTA |
| Disabled | False | False | False | N/A | N/A |
| Authority | - | See Common Authority URLs for more details. | | Pool ARN | Domain URL of your OKTA organization. For example, https://dev-03535523-admin.okta.com |
| ClientID | - | Unique Application ID assigned in the Azure AD account | Your Client ID from the Google Cloud Service account. See the help topic on Creating Client IDs for more information. | Pool ID | Your Client Id from the Okta organization. |
| ClientSecret | - | Your Client Secret from the Azure AD account. | Your Client Secret from the Google Cloud Service account. | Your Client Secret from the AWS user pool. | Your Client Secret from the Okta organization. |
| Scope | - | openid, email, profile, offline_access, .default | - | openid, profile, email, phone | openid, profile, email |
| ResponseCode | N/A | N/A | N/A | N/A | Code |
| Callback | N/A | N/A | N/A | Callback URI specified in the application client setting. Otherwise, the value is /signin-oidc. | Default value is /signin-oidc. Otherwise, the value should match the Redirect URI specified in the OKTA application. |
| Claim Mapping | profile, email, address, phone, custom | Check out the complete list of claim mapping items here | - | address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preferred_username, profile, sub, updated_at, website, zoneinfo | id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name |
| Incognizant User | Supported | Supported | Supported | Supported | Not Supported |
| SLO | Supported | Supported | Not Supported | Not Supported | Not Supported |

See the blog post on Single Sign-on for general information related to the feature in Wyn Enterprise.