Note: SeeClickFix (now Citizen Relationship Management) is migrating to CivicPlus Single Sign-On with identity providers (IdPs). The Security Assertion Markup Language (SAML) integration discussed below has been deprecated for SeeClickFix (Citizen Relationship Management). For information on CivicPlus Single Sign-On, check out the Custom Identity Providers (IdP) article.
Single Sign-On (SSO) allows organizations to connect with existing services to manage access to the SeeClickFix (Citizen Relationship Management) Citizen Request Manager (CRM). Following these steps lets access be managed in one directory, and SeeClickFix (Citizen Relationship Management) members can be managed through that system.
Requirements for Configuring SAML Single Sign-On
- Your organization must have purchased this add-on
- Microsoft Server 2012 or 2008 with Active Directory Federated Services (ADFS) installed
- A Secure Socket Layer (SSL) certificate to sign your ADFS login page and the fingerprint for that certificate
- All Active Directory users have an email address attribute
The Security Assertion Markup Language (SAML) Single Sign-On feature is a purchasable add-on for any organization. If you are interested in learning more, please reach out to your Customer Success Manager.
- Add Users in SeeClickFix (Citizen Relationship Management).
- Add SAML Provider in SeeClickFix (Citizen Relationship Management).
  - Note: This will expose your Identifier and Reply URLs to be used in future steps.
- Add a Relying Party Trust.
  - From ADFS Management, open the Relying Party Trusts folder and add a new Standard Relying Party Trust. This will open the following setup wizard.
  - Click Start.
  - Select Data Source: Select Enter Data About the Party Manually.
  - Specify Display Name: Enter a display name, e.g. “SeeClickFix Login”.
  - Choose Profile: Select AD FS profile.
  - Configure Certificate: Leave as default, click Next.
  - Configure URL:
    - Check the box: Enable support for the SAML 2.0 WebSSO Protocol.
    - Enter the Reply URL from your SeeClickFix (Citizen Relationship Management) SAML settings page.
      - Note: It will be in the format https://int.seeclickfix.com/federated_logins/saml/examplestring/consume where “examplestring” is a unique code for your SAML provider.
  - Configure Identifiers: Enter the Identifier URL from your SeeClickFix (Citizen Relationship Management) SAML settings page.
    - Note: It will be in the format https://seeclickfix.com/federated_logins/saml/examplestring where “examplestring” is a unique code for your SAML provider.
  - Configure Multi-factor Authentication: Not covered in this guide.
  - Choose Issuance Authorization Rules: Check Permit all users to access this relying party.
  - Click Next to add trust.
  - Click Close to finish.
- Create Claim Rules
  - When you finish adding a relying party trust, a dialog will open to Edit Claim Rules.
  - Click Add Rule.
  - Choose Rule Type: Select Send Lightweight Directory Access Protocol (LDAP) Attributes as Claims.
  - Edit Rule - LDAP Email.
    - LDAP attribute: Email Address
    - Outgoing Claim Type: Email Address
  - Click Add Rule to create another rule.
  - Choose Rule Type: Select Transform an Incoming Claim.
  - Edit Rule - Email Transform.
    - Select E-mail Address for Incoming Claim Type.
    - Select Name ID for Outgoing Claim Type.
    - Select Email for Outgoing Name ID Format.
    - Select Pass through all claim values.
- Adjust the Trust Settings.
  - From the Actions sidebar, select Properties.
  - From the Advanced tab, select SHA-256 from the Secure hash algorithm dropdown.
  - From the Endpoints tab, click add SAML.
    - Endpoint type: SAML Logout
    - Binding: POST
    - Trusted URL: Create the following URL
      - The web address of your ADFS server
      - The ADFS SAML endpoint you noted earlier
      - The string '?wa=wsignout1.0'
      - The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0.
- Turn on SSO for Organization Members.
  - Navigate to username > Manage Organization.
  - Select SAML Providers.
  - Select the SAML Provider you have just set up.
  - Select each user whose password you would like to replace with the associated SAML provider.
- That’s it! Now when a user logs into SeeClickFix (Citizen Relationship Management), the password field will be ignored and your SAML provider will be used for authentication.
Note: SSO is currently supported in the CRM, the Portal, and Mobile Applications. If a user attempts to sign in as a citizen from seeclickfix.com, an error message will be shown and the user will be directed to sign in via the CRM.
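The Relying Party Trust, claim rule and trust-setting steps above can also be scripted and then read back for review. This is an added example, not part of the original article or SeeClickFix/CivicPlus tooling; it assumes the AD FS PowerShell module on Windows Server 2012, that "Email Address" maps to the LDAP `mail` attribute, and it uses the article's sample values (`examplestring`, `sso.yourdomain.tld`) as placeholders.

```powershell
# Added example: scripted equivalent of the wizard steps (run on the AD FS server).
# 'examplestring' and sso.yourdomain.tld are the article's sample values; replace them.
Import-Module ADFS

$identifier = 'https://seeclickfix.com/federated_logins/saml/examplestring'
$replyUrl   = 'https://int.seeclickfix.com/federated_logins/saml/examplestring/consume'
$logoutUrl  = 'https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0'

# Rule 1: LDAP mail attribute (assumed) -> E-Mail Address claim.
# Rule 2: E-Mail Address -> Name ID in email format, passing the value through.
$transformRules = @'
@RuleName = "LDAP Email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
          query = ";mail;{0}", param = c.Value);

@RuleName = "Email Transform"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
          Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType,
          Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Equivalent of "Permit all users to access this relying party".
$authRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

# Reply URL (assertion consumer) and the SAML Logout endpoint, both over POST.
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $replyUrl
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

Add-AdfsRelyingPartyTrust -Name 'SeeClickFix Login' `
    -Identifier $identifier `
    -SamlEndpoint $endpoints `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authRules `
    -SignatureAlgorithm 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

# Read the trust back and confirm identifier, SHA-256 and endpoints before enabling SSO for members.
Get-AdfsRelyingPartyTrust -Name 'SeeClickFix Login' |
    Select-Object Name, Identifier, SignatureAlgorithm, Enabled,
        @{ n = 'Endpoints'; e = { $_.SamlEndpoints | ForEach-Object { "$($_.Protocol) $($_.Binding) $($_.Location)" } } }
```

The read-back should show the rsa-sha256 signature algorithm and exactly two HTTPS endpoints; any other Reply URL on the trust is a location AD FS will post assertions to.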