Configure Single Sign-on
Single Sign-on (SSO) is an authentication scheme that lets a user log in with a single identity to several related but independent software systems, the Wyn Enterprise application among them. With SSO, users log in to the Wyn application once and access its services without re-entering their authentication factors. This article describes the common SSO configuration settings and the steps to configure SSO in the Wyn Enterprise identity service for the following external identity providers supported by Wyn Enterprise:
SSO Configuration Settings
To configure SSO, open the Wyn.conf file, which is generally located at C:\ProgramFiles\WynEnterprise\Monitor\conf on your machine. The following configuration settings show the general layout of an SSO node (the `<SSO>` element is nested inside `<Authentication>`, so it must be closed before `</Authentication>`):

```xml
<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>{Protocol}</AuthenticationProtocol>
      <Scheme>{IdP}</Scheme>
      <Disabled>true|false</Disabled>
      <AllowIncognizantUser>true|false</AllowIncognizantUser>
      <Authority>{}</Authority>
      <ClientId>{your_client_id}</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>{your_code}</ResponseCode>
      <Callback>{your_IdP_callbackURL}</Callback>
      <Scopes>
        <sys:string>{authentication_provider_scopes}</sys:string>
        ...
      </Scopes>
    </SSO>
  </Authentication>
</Server>
```
The following table describes each configuration setting:
Setting | Description | Values |
---|---|---|
Authentication Protocol | Authentication Protocol parameter is used to specify the protocol used to authenticate users for SSO. | CAS, OIDC, OAUTH, etc. |
Scheme | Scheme parameter is an identifier of the authentication provider. | CAS, MicrosoftAzureAD, AWSCognitor, MyTestingIdentityProvider, etc. |
Disabled | Disabled parameter is used to disable the SSO function. | True or False. The Default value is False. |
AllowIncognizantUser | AllowIncognizantUser parameter is used to allow users not existing in the Wyn Enterprise application to log in to the application. | True or False |
Authority | Authority parameter is the service endpoint URL used to request tokens from the authentication service provider. | Domain URL of your authentication service provider. |
ClientId | ClientId parameter specifies the public identifier for the user required for OAuth flows. | For Amazon Cognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
ClientSecret | ClientSecret parameter specifies a secret code used by the user to exchange an authorization code for a token. ClientSecret must be kept confidential. | For Amazon Cognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings. |
ResponseCode | ResponseCode parameter defines an authorization request parameter from the authorization endpoint. For example, the CAS Authentication Server uses Code as the ResponseCode value. | For CAS Authentication Server, the value is CAS. |
Callback | Callback parameter specifies a base URL where the IDP response is sent upon user authentication. Callback parameter is used in the SSO configuration settings with Amazon Cognito Service. | Redirect URI specified in the AWS app settings or the default value is /signin-oidc. |
Scopes | Scope parameter is used to customize data requests to a third-party application. | For OKTA: openid, profile, and email. For AWS: openid, profile, email, and phone. |
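The settings above are easy to get subtly wrong: a misordered closing tag makes the file unparseable, a placeholder secret left in place breaks the token exchange, and AllowIncognizantUser=true admits any identity the provider asserts. The following script, an added example that is not part of Wyn Enterprise or its documentation, parses the SSO node of a Wyn.conf-style file and reports such findings. The `xmlns:sys` declaration, the element names beyond those shown above, and every credential value in the sample are constructed placeholders.

```python
"""Lint the <SSO> node of a Wyn.conf-style file for common misconfigurations.

Added example, not Wyn Enterprise code. It assumes the element layout shown
in the SSO node above; the xmlns:sys namespace URI and all credential values
below are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the page's layout with placeholder values.
SAMPLE_CONF = """<Server xmlns:sys="urn:example:sys">
  <Authentication>
    <SSO>
      <AuthenticationProtocol>OIDC</AuthenticationProtocol>
      <Scheme>OKTA</Scheme>
      <Disabled>false</Disabled>
      <AllowIncognizantUser>true</AllowIncognizantUser>
      <Authority>https://example.okta.com</Authority>
      <ClientId>placeholder-client-id</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>Code</ResponseCode>
      <Callback>/signin-oidc</Callback>
      <Scopes>
        <sys:string>openid</sys:string>
        <sys:string>profile</sys:string>
        <sys:string>email</sys:string>
      </Scopes>
    </SSO>
  </Authentication>
</Server>"""

# The same file with </Authentication> and </SSO> swapped (the classic mistake).
MISORDERED_CONF = SAMPLE_CONF.replace(
    "</SSO>\n  </Authentication>", "</Authentication>\n  </SSO>")


def _local(tag):
    """Strip the namespace part ElementTree prepends to prefixed tags."""
    return tag.rsplit("}", 1)[-1]


def parse_sso(xml_text):
    """Return the SSO settings as a dict; Scopes becomes a list of strings."""
    root = ET.fromstring(xml_text)          # raises ParseError if tags mismatch
    sso = root.find("./Authentication/SSO")
    if sso is None:
        raise ValueError("no Server/Authentication/SSO node")
    settings = {}
    for child in sso:
        name = _local(child.tag)
        if name == "Scopes":
            settings[name] = [(s.text or "").strip()
                              for s in child if _local(s.tag) == "string"]
        else:
            settings[name] = (child.text or "").strip()
    return settings


def lint_sso(settings):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("Disabled", "false").lower() == "true":
        findings.append("SSO is disabled (Disabled=true)")
    if settings.get("AllowIncognizantUser", "").lower() == "true":
        findings.append("AllowIncognizantUser=true: every identity the provider asserts "
                        "can log in; import the allowed users and set it to false")
    secret = settings.get("ClientSecret", "")
    if not secret or secret.startswith("{"):
        findings.append("ClientSecret is empty or still a placeholder")
    authority = settings.get("Authority", "")
    if authority and not authority.startswith("https://"):
        findings.append("Authority is not an https:// URL")
    if settings.get("Callback", "").startswith("http://"):
        findings.append("Callback is an absolute http:// URL; the IdP response would travel in clear")
    if settings.get("AuthenticationProtocol") == "OIDC" and "openid" not in settings.get("Scopes", []):
        findings.append("openid scope missing for an OIDC provider")
    return findings


def lint_conf(xml_text):
    """Parse and lint in one step, turning XML errors into findings."""
    try:
        settings = parse_sso(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    except ValueError as exc:
        return [str(exc)]
    return lint_sso(settings)


if __name__ == "__main__":
    for name, conf in (("sample", SAMPLE_CONF), ("misordered", MISORDERED_CONF)):
        print(name)
        for finding in lint_conf(conf):
            print("  -", finding)
```

Run it against a copy of the real Wyn.conf by reading the file into `lint_conf`; the sample above yields two findings (AllowIncognizantUser and the placeholder secret), while the misordered copy fails parsing before any setting is examined.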
Additional SSO Configuration Settings
The following configuration settings are common to all the Authentication Service Providers listed above,
Cookie Management: Cookie options are used to identify user preferences and to track user behavior. Cookies are needed to maintain the login state of the users so that they can access secured pages without entering their credentials again. Wyn Enterprise uses HTTP cookie attributes such as Secure, SameSite, Domain and Path to manage the SSO session. To allow the cookie to be sent across user domains, set Cookie/SameSite to None and Cookie/Secure to true (browsers reject a SameSite=None cookie that is not also marked Secure).

```xml
<Server>
  ...
  <Cookie>
    <ShareCookie>false</ShareCookie>
    <SameSite>None</SameSite>
    <Secure>true</Secure>
  </Cookie>
  ...
</Server>
```
Incognizant Mode: To allow users that do not exist in the Wyn Enterprise application to log in, set AllowIncognizantUser to True. To prevent users that do not exist in the Wyn Enterprise application from logging in, import the allowed users into the Wyn application and ensure that the Provider value of the imported users is the same as the value of Scheme.

```xml
<Server>
  ...
  <Authentication>
    <SSO>
      ...
      <AllowIncognizantUser>True</AllowIncognizantUser>
      ...
    </SSO>
  </Authentication>
  ...
</Server>
```
Claim Mapping: Claims carry information such as name, phone number, email and roles about the authenticated user. A claim mapping item in the `<ClaimMappings>` setting under the `<SSO>` node of the Wyn.conf file consists of a Key and a Value, where the Key is the user context field in Wyn Enterprise and the Value is the corresponding claim from the authentication provider. To add claims, set the Key and Value fields to the claim names as shown in the sample configuration settings below.

```xml
<Server>
  ...
  <ClaimMappings>
    <sys:Item>
      <Key>given_name</Key>
      <Value>id</Value>
    </sys:Item>
    <sys:Item>
      <Key>phone_number</Key>
      <Value>profile</Value>
    </sys:Item>
    <sys:Item>
      <Key>sub</Key>
      <Value>id</Value>
    </sys:Item>
  </ClaimMappings>
  ...
</Server>
```
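The two settings that most often misbehave in practice are the cookie attributes (a SameSite=None cookie without Secure is silently dropped by browsers, so the login loops) and the claim mappings (a Value that names a claim the provider never sends leaves the Wyn user context field empty). The script below, an added example and not Wyn Enterprise code, checks the `<Cookie>` node and then applies the `<ClaimMappings>` entries to a set of provider claims the way the description above defines them: each Key is filled from the provider claim named by Value. The `xmlns:sys` URI, the mapping entries and the claim values are constructed placeholders.

```python
"""Check cookie options and apply claim mappings from a Wyn.conf-style file.

Added example, not Wyn Enterprise code. It assumes the <Cookie> and
<ClaimMappings> layouts shown above; the xmlns:sys namespace URI, the mapping
entries and the provider claims are constructed placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: SameSite=None without Secure=true is the weak setting.
SAMPLE_CONF = """<Server xmlns:sys="urn:example:sys">
  <Cookie>
    <ShareCookie>false</ShareCookie>
    <SameSite>None</SameSite>
    <Secure>false</Secure>
  </Cookie>
  <ClaimMappings>
    <sys:Item><Key>sub</Key><Value>id</Value></sys:Item>
    <sys:Item><Key>given_name</Key><Value>firstName</Value></sys:Item>
    <sys:Item><Key>email</Key><Value>email</Value></sys:Item>
    <sys:Item><Key>phone_number</Key><Value>mobilePhone</Value></sys:Item>
  </ClaimMappings>
</Server>"""

# The corrected cookie block from the page (Secure=true).
FIXED_CONF = SAMPLE_CONF.replace("<Secure>false</Secure>", "<Secure>true</Secure>")

# Constructed claims as a provider might return them; mobilePhone is absent on purpose.
IDP_CLAIMS = {"id": "00u-placeholder", "firstName": "Ada", "email": "ada@example.com"}


def _local(tag):
    """Strip the namespace part ElementTree prepends to prefixed tags."""
    return tag.rsplit("}", 1)[-1]


def cookie_findings(xml_text):
    """Return findings for the <Cookie> node; empty list means the options are consistent."""
    root = ET.fromstring(xml_text)
    cookie = root.find("Cookie")
    findings = []
    if cookie is None:
        return findings
    same_site = (cookie.findtext("SameSite") or "").strip().lower()
    secure = (cookie.findtext("Secure") or "").strip().lower()
    if same_site == "none" and secure != "true":
        findings.append("SameSite=None requires Secure=true; browsers drop the cookie otherwise")
    if secure != "true":
        findings.append("Secure is not true: the session cookie may be sent over plain HTTP")
    return findings


def load_claim_mappings(xml_text):
    """Return {wyn_key: provider_claim_name} from every <sys:Item> in <ClaimMappings>."""
    root = ET.fromstring(xml_text)
    mappings = {}
    for item in root.iter():
        if _local(item.tag) != "Item":
            continue
        key = (item.findtext("Key") or "").strip()
        value = (item.findtext("Value") or "").strip()
        if key and value:
            mappings[key] = value
    return mappings


def map_claims(mappings, idp_claims):
    """Build the Wyn user context from provider claims.

    Returns (mapped, missing): mapped holds Key -> claim value for every
    mapping whose Value the provider supplied; missing lists the Keys whose
    source claim was absent, so the operator can fix the mapping or the IdP.
    """
    mapped, missing = {}, []
    for wyn_key, idp_name in mappings.items():
        if idp_name in idp_claims:
            mapped[wyn_key] = idp_claims[idp_name]
        else:
            missing.append(wyn_key)
    return mapped, missing


if __name__ == "__main__":
    print("cookie findings:", cookie_findings(SAMPLE_CONF))
    print("after fix:", cookie_findings(FIXED_CONF))
    mapped, missing = map_claims(load_claim_mappings(SAMPLE_CONF), IDP_CLAIMS)
    print("mapped:", mapped)
    print("missing source claims for:", missing)
```

Feed `map_claims` the decoded claims from a real ID token or userinfo response to see, before going live, which Wyn fields would be left empty by the configured mappings.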
Authentication Providers supported by Wyn Enterprise
The following table lists the configuration settings for each authentication service provider supported by Wyn Enterprise, with the default values of the configuration settings:

Config. Setting | CAS | Microsoft Azure AD | Google | AWS Cognito | Okta |
---|---|---|---|---|---|
Authentication | CAS | OIDC | OAuth | OIDC | OIDC |
Scheme | CAS | Microsoft | - | AWS | OKTA |
Disabled | False | False | False | N/A | N/A |
Authority | - | See the Common Authority URLs for more details. | - | Pool ARN | Domain URL of your OKTA organization. For example, |
ClientID | - | Unique Application ID assigned in the Azure AD account | Your Client ID from the Google Cloud Service account. See the help topic on Creating Client IDs for more information. | Pool ID | Your Client Id from the Okta organization. |
ClientSecret | - | Your Client Secret from the Azure AD account. | Your Client Secret from the Google Cloud Service account. | Your Client Secret from the AWS user pool. | Your Client Secret from the Okta organization. |
Scope | - | openid, email, profile, offline_access, .default | - | openid, profile, email, phone | openid, profile, email |
ResponseCode | N/A | N/A | N/A | N/A | Code |
CallBack | N/A | N/A | N/A | Callback URI specified in the application client setting. Otherwise, the value is: /signin-oidc | Default value is: /signin-oidc. Otherwise, the value should match the Redirect URI specified in the OKTA application. |
Claim Mapping | profile, email, address, phone, custom | See the complete list of claim mapping items here | - | address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preferred_username, profile, sub, updated_at, website, zoneinfo | id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name |
Incognizant User | Supported | Supported | Supported | Supported | Not Supported |
SLO | Supported | Supported | Not Supported | Not Supported | Not Supported |
See the blog post on Single Sign-on for general information related to the feature in Wyn Enterprise.