Configuring Self Service to use Federated Single Sign-On
Self Service supports Federated Single Sign-On through the WS-Federation Passive Protocol. It is implemented with Microsoft Windows Identity Foundation (WIF), and uses Security Assertion Markup Language (SAML) tokens for claims transfer. It does not, however, support the SAML2 Protocol, SAML-P.
When Self Service is installed, it is configured with Forms Authentication that requires the first logon to use the admin account.
To authenticate through the identity provider:
- Create users in the Self Service database, who correspond to users in the identity provider.
- Edit the Self Service
appsettings.jsonfile to enable federated single sign-on.
The User ID is used to identify users in Self Service. Claims are used to identify users in the identity provider. For authentication to succeed, users in Self Service must have a User ID that matches the value in one of the claims from the identity provider.
Self Service looks at the following claims when it attempts to find the Self Service user: Name, Email, Windows Account Name, and UPN. Typically Name and Windows Account Name have the format domain\username, and typically Email and UPN have the format username@domain.
You can enter Users through the portal or import in bulk, either directly from Active Directory or by a .CSV file.
To change the appsettings.json file to enable federated single sign-on:
- Navigate to
install_path\WebSite. - Open
appsettings.jsonwith Notepad as Administrator. - Find the <FederationAuthentication> section and set Enabled to true, and set Wtrealm and MetadataAddress to the desired values.
- Save the
appsettings.jsonfile.
If you have to switch back to Forms Authentication, edit the appsettings.json, and set the Enabled option to false in the FederationAuthentication section. One instance where you would switch back to Forms Authentication is to recover from a problem.
To confirm that the system is fully configured for Federated logon:
- Close and re-open Internet Explorer
- Restart IIS
- Enter the URL of Self Service
- If your environment uses test certificates, accept the two certificate errors
- Enter the credentials for the previously created user. The user should successfully log on.