Note: SeeClickFix is migrating over to utilizing CivicPlus Single Sign-On with identity providers (IdPs). The Security Assertion Markup Language (SAML) integration discussed below has been deprecated for SeeClickFix. For information on CivicPlus single sign-on, check out this article on Custom IdP.
Single Sign-On (SSO) lets organizations connect an existing identity service to manage access to the SeeClickFix Citizen Request Manager (CRM). With SSO, access is managed in one directory, and by following the steps below SeeClickFix members can be managed through that directory.
Requirements for Configuring SAML Single Sign-On
- Your organization must have purchased this add-on
- Microsoft Windows Server 2012 or 2008 with Active Directory Federation Services (ADFS) installed
- An SSL certificate used to sign your ADFS login page, and the fingerprint of that certificate
- All Active Directory users must have an email address attribute
The SAML Single Sign-On feature is a purchasable add-on for any organization. Interested in learning more? Please reach out to your Client Success Manager.
- Add Users in SeeClickFix
- Add SAML Provider in SeeClickFix
  - Note: This will expose your Identifier and Reply URLs, which are used in later steps.
- Add a Relying Party Trust
  - From ADFS Management, open the Relying Party Trusts folder and add a new Standard Relying Party Trust. This opens the setup wizard.
  - Click Start
  - Select Data Source: select Enter Data About the Party Manually
  - Specify Display Name: enter a display name, e.g. “SeeClickFix Login”
  - Choose Profile: select AD FS profile
  - Configure Certificate: leave as default and click Next
  - Configure URL:
    - Check the box Enable support for the SAML 2.0 WebSSO Protocol
    - Enter the Reply URL from your SeeClickFix SAML settings page
    - Note: It will be in the format https://int.seeclickfix.com/federated_logins/saml/examplestring/consume, where “examplestring” is the unique code for your SAML provider.
  - Configure Identifiers: enter the Identifier URL from your SeeClickFix SAML settings page
    - Note: It will be in the format https://seeclickfix.com/federated_logins/saml/examplestring, where “examplestring” is the unique code for your SAML provider.
  - Configure Multi-factor Authentication: not covered in this guide
  - Choose Issuance Authorization Rules: check Permit all users to access this relying party
  - Click Next to add the trust
  - Click Close to finish
- Create Claim Rules
  - When you finish adding the relying party trust, the Edit Claim Rules dialog opens
  - Click Add Rule
    - Choose Rule Type: select Send LDAP (Lightweight Directory Access Protocol) Attributes as Claims
    - Edit Rule - LDAP Email
      - LDAP attribute: Email Address
      - Outgoing Claim Type: Email Address
  - Click Add Rule to create a second rule
    - Choose Rule Type: select Transform an Incoming Claim
    - Edit Rule - Email Transform
      - Incoming Claim Type: select E-mail Address
      - Outgoing Claim Type: select Name ID
      - Outgoing Name ID Format: select Email
      - Select Pass through all claim values
- Adjust the Trust Settings
  - From the Actions sidebar, select Properties
  - On the Advanced tab, select SHA-256 from the Secure hash algorithm dropdown
  - On the Endpoints tab, click Add SAML
    - Endpoint type: SAML Logout
    - Binding: POST
    - Trusted URL: build the URL from the following parts
      - The web address of your ADFS server
      - The ADFS SAML endpoint you noted earlier
      - The string '?wa=wsignout1.0'
    - The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0
- Turn on SSO for Organization Members
  - Navigate to username > Manage Organization
  - Select SAML Providers
  - Select the SAML Provider you have just set up
  - Select each user whose password you would like to replace with the associated SAML provider
  - That’s it! Now when a user logs into SeeClickFix, the password field is ignored and your SAML provider is used for authentication.
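To confirm that the trust, claim rules and SHA-256 setting above actually took effect, you can inspect a SAML Response captured from a test login (for example with browser developer tools, after Base64-decoding the SAMLResponse form field). The check below is an added example, not SeeClickFix or ADFS code; it uses placeholder Identifier and Reply URLs in the format the guide describes, and the embedded response is constructed, with a stub signature element.

```python
# Added example (not SeeClickFix or ADFS code): parse a SAML Response and confirm it reflects the
# trust settings from this guide. The sample response below is constructed and its <ds:Signature>
# is a structural stub; this check inspects the algorithm only and does NOT verify the signature.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Placeholder URLs in the format the guide describes ("examplestring" is your provider's code).
IDENTIFIER_URL = "https://seeclickfix.com/federated_logins/saml/examplestring"
REPLY_URL = "https://int.seeclickfix.com/federated_logins/saml/examplestring/consume"

def check_response(xml_text, identifier_url=IDENTIFIER_URL, reply_url=REPLY_URL):
    """Return a list of findings; an empty list means the response matches the guide's settings."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != reply_url:                     # must be the Reply URL
        findings.append("Destination does not match the Reply URL")
    aud = root.find(".//saml:AudienceRestriction/saml:Audience", NS)
    if aud is None or aud.text != identifier_url:               # must be the Identifier URL
        findings.append("Audience does not match the Identifier URL")
    sig = root.find(".//ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None or sig.get("Algorithm") != RSA_SHA256:       # Advanced tab: SHA-256
        findings.append("assertion is not signed with RSA-SHA256")
    nid = root.find(".//saml:Subject/saml:NameID", NS)
    if nid is None or nid.get("Format") != NAMEID_EMAIL or "@" not in (nid.text or ""):
        findings.append("NameID is missing or not in email format")  # transform rule
    val = root.find(f".//saml:Attribute[@Name='{EMAIL_CLAIM}']/saml:AttributeValue", NS)
    if val is None or not val.text:                              # LDAP email claim rule
        findings.append("email address claim is missing")
    return findings

SAMPLE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" Destination="{REPLY_URL}">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{RSA_SHA256}"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{NAMEID_EMAIL}">jane@example.org</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{IDENTIFIER_URL}</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement><saml:Attribute Name="{EMAIL_CLAIM}">
   <saml:AttributeValue>jane@example.org</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
 </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(check_response(SAMPLE) or "response matches the configured trust settings")
```

Signature validation itself belongs to the service provider and a proper SAML library; this check only tells you whether the ADFS trust is emitting the audience, destination, algorithm and email Name ID the guide configures.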
Note: SSO is currently supported in the CRM, the Portal, and Mobile Applications. If a user attempts to sign in as a citizen from seeclickfix.com, an error message will be shown and the user will be directed to sign in via the CRM.