Single Sign-On (SSO) allows organizations to connect an existing identity service to manage access to the SeeClickFix CRM. With SSO, access is managed in one directory, and by following these steps SeeClickFix members can be managed through that system.
What is required for configuring SAML Single Sign-on?
- Your organization must have purchased this add-on
- Microsoft Windows Server 2012 or 2008 with Active Directory Federation Services (ADFS) installed
- An SSL certificate to sign your ADFS login page and the fingerprint for that certificate
- All Active Directory users have an email address attribute
Interested in SAML Single Sign-On for your organization?
The SAML Single Sign-On feature is a purchasable add-on for any organization. Interested in learning more? Please reach out to our sales team here: email@example.com
1. Add Users in SeeClickFix
- Select Manage Organization from the settings dropdown (your avatar) in the upper right of the CRM
- Select Members and add all organization members
2. Add SAML Provider in SeeClickFix
- From Manage Organization
- Select SAML Providers (note: this section will not appear if you have not yet purchased SSO)
- Click New SAML Provider
- Give the SAML Provider a title, e.g. “Active Directory FS”
- Enter Target URL:
- Enter Certificate Fingerprint:
- Click Create SAML Provider
- Note: This will expose your Identifier and Reply URLs to be used in future steps
3. Add a Relying Party Trust
- From ADFS Management, open the Relying Party Trusts folder and add a new Standard Relying Party Trust. This will open the following setup wizard. Click start.
- Select Data Source: select Enter Data About the Party Manually
- Specify Display Name: enter a display name, e.g. “SeeClickFix Login”
- Choose Profile: select AD FS profile
- Configure Certificate: leave as default, click next
- Configure URL:
- Check the box: Enable support for the SAML 2.0 WebSSO Protocol
- Enter the Reply URL from your SeeClickFix SAML settings page (described in section 2). It will be in the format https://int.seeclickfix.com/federated_logins/saml/examplestring/consume where “examplestring” is a unique code for your SAML provider.
- Configure Identifiers: enter the Identifier URL from your SeeClickFix SAML settings page (described in section 2). It will be in the format https://seeclickfix.com/federated_logins/saml/examplestring where “examplestring” is a unique code for your SAML provider.
- Configure Multi-factor Authentication: not covered in this guide
- Choose Issuance Authorization Rules: check Permit all users to access this relying party
- Ready to Add Trust: Click Next
- Finish: Click Close
4. Create Claim Rules
- When you finish adding a relying party trust, a dialog will open to Edit Claim Rules
- Click Add Rule
- Choose Rule Type: Select Send LDAP Attributes as Claims
- Edit Rule - LDAP Email
  - LDAP attribute: Email Address
  - Outgoing Claim Type: Email Address
- Click Add Rule to create another rule
- Choose Rule Type: Select Transform an Incoming Claim
- Edit Rule - Email Transform
  - Select E-mail Address for Incoming Claim Type
  - Select Name ID for Outgoing Claim Type
  - Select Email for Outgoing Name ID Format
  - Select Pass through all claim values
5. Adjust the Trust Settings
- From the Actions sidebar select Properties
- From the Advanced tab, select SHA-256 from the Secure hash algorithm dropdown
- From the Endpoints tab, click add SAML
- Endpoint type: SAML Logout
- Binding: POST
- Trusted URL: build the URL from the following parts
  - The web address of your ADFS server
  - The ADFS SAML endpoint you noted earlier
  - The string '?wa=wsignout1.0'
  - The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0
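Steps 3 to 5 can also be applied from PowerShell on the ADFS server, which makes the claim rules, endpoints and hash algorithm easy to review and reproduce. This is an added example, not SeeClickFix's or Microsoft's own documentation code; it reuses the page's placeholders (“examplestring”, sso.yourdomain.tld) and assumes the fingerprint requested in step 2 is the thumbprint of the ADFS token-signing certificate.

```powershell
# Added example: the relying party trust from steps 3-5 built with the ADFS module.
# "examplestring" and sso.yourdomain.tld are the page's own placeholders; replace them.
Import-Module ADFS

$replyUrl   = "https://int.seeclickfix.com/federated_logins/saml/examplestring/consume"
$identifier = "https://seeclickfix.com/federated_logins/saml/examplestring"
$logoutUrl  = "https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0"

# Step 4, rule 1 ("Send LDAP Attributes as Claims"): AD mail attribute -> E-mail Address claim.
# Step 4, rule 2 ("Transform an Incoming Claim"): E-mail Address -> Name ID in email format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 3, issuance authorization: "Permit all users to access this relying party".
$authorizationRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 3 (Reply URL, SAML 2.0 WebSSO) and step 5 (SAML Logout endpoint, POST binding).
$endpoints = @(
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $replyUrl -Index 0 -IsDefault $true),
    (New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl)
)

# Step 3 (identifier) plus step 5 (SHA-256 as the secure hash algorithm for signatures).
Add-AdfsRelyingPartyTrust -Name "SeeClickFix Login" `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authorizationRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Assumption: the fingerprint entered in step 2 is the token-signing certificate's thumbprint,
# which is what the service provider checks assertion signatures against. Note the expiry.
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object Subject, Thumbprint, NotAfter

# Review what was created before enabling SSO for members (step 6).
Get-AdfsRelyingPartyTrust -Name "SeeClickFix Login" | Select-Object Identifier, SignatureAlgorithm, SamlEndpoints
```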
6. Turn on SSO for Organization Members
- From Manage Organization
- Select SAML Providers
- Select the SAML Provider you have just set up
- Select each user whose password you would like to replace with the associated SAML provider
- That’s it! Now when a user logs into SeeClickFix, the password field will be ignored and your SAML provider will be used for authentication.
- SSO is currently supported in the CRM, the Portal, and Mobile Applications. If a user attempts to sign in as a citizen from seeclickfix.com, an error message will be shown and the user will be directed to sign in via the CRM.