These docs are for v12.0.

Configuring SmartIQ SAML Settings

At a minimum, the SmartIQ installation should have Forms Authentication to verify user identities as well as applying authorization based on their groups, roles and permissions.

Prerequisites

  • An existing SmartIQ environment installed with default Forms Authentication.

  • A SAML 2.0 provider with an Identity Provider (Idp) configured to:

    • Return group memberships as an assertion attribute (e.g. IsMemberOf) within the SAML assertion. This is mandatory, so that at least one user can be added to a SmartIQ Administrator Role after the switch to SAML.
    • Return profile information such as first and last name (Optional)

📘 Refer to Okta and Azure Active Directory for configuration settings.

  • Service Providers for both SmartIQ Manage and SmartIQ Produce whereby:
    • The response is configured to be sent via HTTP-POST to: http://yourserver/Manage/account/samlauthenticate or http://yourserver/Produce/account/samlauthenticate respectively
    • The HTTP-POST response is signed.
    • A meaningful name is given to the Service Providers (usually Produce and Manage)
    • A certificate either installed on the SmartIQ web server or uploaded as a file that can be used to check the SAML response signature (i.e. the certificate used by the IdP to sign the response).
    • A user configured in the SAML 2.0 provider for testing that is a member of at least one known group.
    • For single logout service, the Service Provider should have the Single Logout Service response configured to be sent via HTTP-POST to: http://yourserver/Manage/Account/SamlLogout or http://yourserver/Produce/Account/SamlLogout respectively

SAML Authentication in Multi-Tenant Environments

To allow navigation to a specific tenancy and to authenticate using SAML instead of forms authentication:

  • When navigating to a specific form, SmartIQ is able to determine the tenancy of that form and will, therefore, use the authentication method defined by that tenancy.

  • A TenantId may be used to specify which tenancy to log in to if navigation to the Produce home page is required. The Produce home page in this situation is the normal home page with /b/<tenantid> appended to the URL.

For example, if Produce is normally http://IQtransform.com, then a specific tenancy can be navigated to at http://IQtransform.com/b/12345, where the tenant id is 12345.

📘 Once a SAML Produce instance has been navigated to, a cookie is stored on that computer that remembers that SAML login is preferred when accessing that instance of SmartIQ. In the unlikely situation where forms authentication is desired, the SAML tenancy must be logged out and cookies cleared.

SmartIQ Configuration

Step 1 - Identify a SAML Administrator Group

When the first user (usually a server administrator) attempts to access SmartIQ via SAML Authentication, SmartIQ needs to assign permissions to an External Group so that they can access the appropriate functions. If this step is not completed, the user will not be able to administer anything after authenticating.

Step 2 - Enable and Configure SAML

  1. Open the SmartIQ Manage application and log in as an Administrator with Change settings permission.

  2. Click Settings > SAML 2.0.

  3. Provide the necessary information. Refer to Okta and Azure Active Directory for configuration and settings.

Setting

Description

SAML 2.0

Provides the option to use SAML 2.0

Create Users

Provides the option to create a user in the SmartIQ platform. If unchecked, the user must already exist in SmartIQ to be able to login.

Manage Entity Id

The Entity Id of the Manage Service Provider. For example, Manage, ManageTest, ManageProd, etc.

  • For Azure Active Directory, the Application (client) ID will be the Manage Entity Id and Produce Entity Id.
  • For OKTA, this is the Audience URI (SP Entity Id).

Note: This must be done twice, as the Manage Entity Id needs to be different from the Produce Entity Id.

Produce Entity Id

The Entity Id of the Produce Service Provider. For example, Produce, ProduceTest, ProduceProd, etc.

  • For Azure Active Directory, the Application (client) ID will be the Manage Entity Id and Produce Entity Id.
  • For OKTA, this is the Audience URI (SP Entity Id).

Metadata URL

Enables reading information about the requirements of the service from this URL.

  • For Azure Active Directory, paste the Federation Metadata Document.

Identity Provider Issuer

The Issuer ID of the Identity Provider. For example, http://openam.example.com:8080/openam

  • If using Okta, this information is labelled as “Identity Provider Issuer” when you click the “View Setup Instructions” button within the Settings page in Okta.

Identity Provider Login URL

The URL of the Single Sign on Service URL that SmartIQ will make the HTTP-Post Request to. For example, http://openam.example.com:8080/openam/SSOPOST/metaAlias/idp

  • If using Okta, this information is labelled as “Identity Provider Single Sign-On URL” when you click the “View Setup Instructions” button within the Settings page in Okta.

Identity Provider Logout URL

The URL of the Single Sign on Service that SmartIQ will make a logout request to. This value is optional. To use a logout service, you must also supply the SmartIQ Signing Certificate. For example, http://openam.example.com:8080/openam/metaAlias/#logout

Identity Provider Certificate

The certificate SmartIQ will use to check the signature received in the HTTP-POST Response.

A certificate can be installed in the server and referenced by a thumbprint or uploaded directly to the application.

  • If using Okta, the certificate can be downloaded by clicking Download Certificate from the “View Setup Instructions” button within the Settings page in Okta.

SmartIQ Signing Certificate

The certificate SmartIQ will use to create the signature for the logout request.

A certificate can be installed on the server and referenced by a thumbprint (preferred) or uploaded directly to the application (not recommended as this requires the private key to be included without the password).

SmartIQ Signing Algorithm

Provides a selection of hashing methods for the SAML logout request.

Log Mode

Enables capturing a more verbose description of all events during a SAML authentication (i.e. success and fail).

Last Failed SAML Login

Displays the last failed message, if logging has been turned on.

Step 3 - User Profile Mapping

As attributes specified in a SAML response are arbitrary, it is necessary to map particular user profile fields to the values provided in the SAML response.

  1. Open the SmartIQ Manage application and log in as an Administrator with Change settings permission.

  2. Click Settings > User Profile Mapping.

  3. Provide at least the name of the attribute where the user’s Group Memberships are specified. Optionally specify any other user fields.


Available User Profile Mapping Fields:

Setting

Description

User Name

A field to use for the SmartIQ Username if the default SAML ‘NameID’ element does not contain a meaningful value. This is a required field.

For example, use the email address.

Groups

The element to look for the user’s group Memberships.

Prefix, Job Title, Organization, Last Name, Phone Number, Full Name, Fax Number, Email, Address Line 1, Address Line 2, Suburb/Town/City, State/Province/Region, Postal/Zip Code, Country

Regular fields

Culture

A culture code to use, for example en-AU, zh-CN, es, etc.

Language

The language to use; it must be supported by SmartIQ. Possible values:

  • ar
  • zh-cn
  • zh-tw
  • nl
  • en
  • en-us
  • fr
  • fr-ca
  • de
  • ko
  • pt
  • es
  • th

Time Zone

An appropriate user time zone. Possible Values:

  • Dateline Standard Time
  • UTC-11
  • Samoa Standard Time
  • Hawaiian Standard Time
  • Alaskan Standard Time
  • Pacific Standard Time (Mexico)
  • Pacific Standard Time
  • US Mountain Standard Time
  • Mountain Standard Time (Mexico)
  • Mountain Standard Time
  • Central America Standard Time
  • Central Standard Time
  • Central Standard Time (Mexico)
  • Canada Central Standard Time
  • SA Pacific Standard Time
  • Eastern Standard Time
  • US Eastern Standard Time
  • Venezuela Standard Time
  • Paraguay Standard Time
  • Atlantic Standard Time
  • Central Brazilian Standard Time
  • SA Western Standard Time
  • Pacific SA Standard Time
  • Newfoundland Standard Time
  • E. South America Standard Time
  • Argentina Standard Time
  • SA Eastern Standard Time
  • Greenland Standard Time
  • Montevideo Standard Time
  • UTC-02
  • Mid-Atlantic Standard Time
  • Azores Standard Time
  • Cape Verde Standard Time
  • Morocco Standard Time
  • UTC
  • GMT Standard Time
  • Greenwich Standard Time
  • W. Europe Standard Time
  • Central Europe Standard Time
  • Romance Standard Time
  • Central European Standard Time
  • W. Central Africa Standard Time
  • Namibia Standard Time
  • Jordan Standard Time
  • GTB Standard Time
  • Middle East Standard Time
  • Egypt Standard Time
  • Syria Standard Time
  • South Africa Standard Time
  • FLE Standard Time
  • Israel Standard Time
  • E. Europe Standard Time
  • Arabic Standard Time
  • Arab Standard Time
  • Russian Standard Time
  • E. Africa Standard Time
  • Iran Standard Time
  • Arabian Standard Time
  • Azerbaijan Standard Time
  • Mauritius Standard Time
  • Georgian Standard Time
  • Caucasus Standard Time
  • Afghanistan Standard Time
  • Ekaterinburg Standard Time
  • Pakistan Standard Time
  • West Asia Standard Time
  • India Standard Time
  • Sri Lanka Standard Time
  • Nepal Standard Time
  • Central Asia Standard Time
  • Bangladesh Standard Time
  • N. Central Asia Standard Time
  • Myanmar Standard Time
  • SE Asia Standard Time
  • North Asia Standard Time
  • China Standard Time
  • North Asia East Standard Time
  • Singapore Standard Time
  • W. Australia Standard Time
  • Taipei Standard Time
  • Ulaanbaatar Standard Time
  • Tokyo Standard Time
  • Korea Standard Time
  • Yakutsk Standard Time
  • Cen. Australia Standard Time
  • AUS Central Standard Time
  • E. Australia Standard Time
  • AUS Eastern Standard Time
  • West Pacific Standard Time
  • Tasmania Standard Time
  • Vladivostok Standard Time
  • Central Pacific Standard Time
  • New Zealand Standard Time
  • UTC+12
  • Fiji Standard Time
  • Kamchatka Standard Time
  • Tonga Standard Time

  4. Click Save.
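The checks that the Step 2 settings (Identity Provider Issuer, Entity Id) and the Step 3 User Profile Mapping imply, worked through on a constructed assertion. This is an added example, not SmartIQ's code; the XML signature is omitted, so only the post-signature checks are shown, and the attribute names email and IsMemberOf, the issuer URL and the mapping dictionary are assumed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion (not a real IdP response). The XML signature is
# omitted: these checks are the ones that run after the signature has been
# verified with the Identity Provider Certificate.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>http://openam.example.com:8080/openam</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z">
    <saml:AudienceRestriction><saml:Audience>Produce</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="IsMemberOf">
      <saml:AttributeValue>SmartIQ Administrators</saml:AttributeValue>
      <saml:AttributeValue>Finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Values as entered in Manage: the Produce Entity Id, the Identity Provider Issuer
# and the User Profile Mapping (the attribute names here are assumptions).
SETTINGS = {"entity_id": "Produce", "idp_issuer": "http://openam.example.com:8080/openam"}
MAPPING = {"User Name": "email", "Groups": "IsMemberOf"}

def map_profile(xml_text, settings, mapping, now=None):
    """Return the mapped profile, or raise ValueError with the reason login is refused."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    issuer = a.findtext("saml:Issuer", namespaces=NS)
    if issuer != settings["idp_issuer"]:          # must match Identity Provider Issuer
        raise ValueError(f"unexpected issuer {issuer!r}")
    cond = a.find("saml:Conditions", NS)
    audiences = [x.text for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["entity_id"] not in audiences:    # must name this Service Provider
        raise ValueError(f"audience {audiences} is not {settings['entity_id']!r}")
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter").replace("Z", "+00:00"))
    if now >= expiry:
        raise ValueError("assertion expired")
    attrs = {}
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    groups = attrs.get(mapping["Groups"], [])
    if not groups:                                # no groups means no roles after login
        raise ValueError(f"attribute {mapping['Groups']!r} missing from assertion")
    profile = {"NameID": a.findtext("saml:Subject/saml:NameID", namespaces=NS), "Groups": groups}
    for field, name in mapping.items():           # User Name etc. take the first value
        if field != "Groups" and name in attrs:
            profile[field] = attrs[name][0]
    return profile
```

A mismatched audience is what you see when the Manage and Produce Entity Ids are swapped, and an empty group list is the "user can log in but administer nothing" case from Step 1.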

Step 4 - Test

  1. Close all browsers to ensure any existing SmartIQ sessions are removed.

  2. Open a new browser and navigate to SmartIQ Manage or Produce.

SmartIQ will create a SAML session as per the configured settings. If logging in for the first time, the Identity Provider's login screen should appear; if you already have an existing session, you should be redirected to the Produce or Manage home page.