Managing Your Members Using Single Sign-On (SSO)

Overview  

SSO allows organizations to connect with existing services to manage access to the SeeClickFix internal system. SSO provides the capability for access to be managed in one directory by using these steps. SeeClickFix members can be managed through that system.

Requirements for Configuring SAML Single Sign-On

• Your organization must have purchased this add-on
• Microsoft Server 2012 or 2008 with Active Directory Federated Services (ADFS) installed details
• A Secure Socket Layer (SSL) certificate to sign your ADFS login page and the fingerprint for that certificate
• All Active Directory users have an email address attribute

The Security Assertion Markup Language (SAML) Single Sign-On feature is a purchasable add-on for any organization. If you are interested in learning more, please reach out to your Customer Success Manager. 

Instructions

1. Add Users in SeeClickFix.
2. Add SAML Provider in SeeClickFix.
   • Note: This will expose your Identifier and Reply URLs to be used in future steps.
3. Add a Relying Party Trust.
   1. From ADFS Management, open the Relying Party Trusts folder and add a new Standard Relying Party Trust. This will open the following setup wizard.
   2. Click Start.
   3. Select Data Source: Select Enter Data About the Party Manually
   4. Specify Display Name: Enter a display name, eg: “SeeClickFix Login”
   5. Choose Profile: Select ADFS FS profile.
   6. Configure Certificate: Leave as default, and click next.
   7. Configure URL:
      1. Check the box: Enable support for the SAML 2.0 WebSSO Protocol.
      2. Enter the Reply URL from your SeeClickFix SAML settings page.
         • Note: It will be in the format https://int.seeclickfix.com/federated_logins/saml/examplestring/consume where “examplestring” is a unique code for your SAML provider.
   8. Configure Identifiers: Enter the Identifier URL from your SeeClickFix SAML settings page.
      • Note: It will be in the format https://seeclickfix.com/federated_logins/saml/examplestring where “examplestring” is a unique code for your SAML provider.
   9. Configure Multi-factor Authentication: Not covered in this guide
   10. Choose Issuance Authorization Rules: Check Permit all users to access this relying party
   11. Click Next to add trust.
   12. Click Close to finish.
4. Create Claim Rules
   1. When you finish adding a relying party trust, a dialog will open to Edit Claim Rules.
   2. Click Add Rule.
   3. Choose Rule Type: Select Send Lightweight Directory Access Protocols (LDAP) Attributes as Claims
   4. Edit Rule - LDAP Email.
      • LDAP attribute: Email Address
      • Outgoing Claim Type: Email Address
   5. Click Add Rule to create another rule.
   6. Choose Rule Type: Select Transform an Incoming Claim
   7. Edit Rule - Email Transform
      1. Select E-mail Address for Incoming Claim Type
      2. Select Name ID for Outgoing Claim Type
      3. Select Email for Outgoing Name ID Format
      4. Select Pass through all claim values
5. Adjust the Trust Settings.
   1. From the Actions sidebar, select Properties.
   2. From the Advanced tab, select SHA-256 from the Secure hash algorithm dropdown.
   3. From the Endpoints tab, click add SAML.
      • Endpoint type: SAML Logout
      • Binding: POST
      • Trusted URL: Create the following URL
        • The web address of your ADFS server
        • The ADFS SAML endpoint you noted earlier
        • The string '?wa=wsignout1.0'
        • The URL should look something like this: https://sso.yourdomain.tld/adfs/ls/?wa=wsignout1.0.
6. Turn on SSO for Organization Members.
   1. Navigate to username > Manage Organization.
   2. Select SAML Providers.
   3. Select the SAML Provider you have just set up.
   4. Select each user whose password you would like to replace with the associated SAML provider.
   5. That’s it! Now when a user logs into SeeClickFix, the password field will be ignored and your SAML provider will be used for authentication.