Configuring SmartIQ SAML Settings

At a minimum, the SmartIQ installation should have Forms Authentication to verify user identities as well as applying authorization based on their groups, roles and permissions.

Prerequisites

An existing SmartIQ environment installed with default Forms Authentication.
A SAML 2.0 provider with an Identity Provider (Idp) configured to:
- Return a group memberships as an assertion attribute (e.g. IsMemberOf) (mandatory to ensure at least one user can be added to a SmartIQ Administrator Role after the switch to SAML) within the SAML assertion
- Return profile information such as first and last name (Optional)

📘
Refer to Okta and Azure Active Directory for configuration settings.

Identity Providers for both SmartIQ Manage and SmartIQ Produce whereby:
- The response is configured to be sent via HTTP-POST to: http://yourserver/Manage/account/samlauthenticate or http://yourserver/Produce/account/samlauthenticate respectively
- The HTTP-POST response is signed.
- A meaningful name is given to the Service Providers (usually Produce and Manage)
- A certificate either installed on the SmartIQ web server or uploaded as file that can be used to check the SAML response signature (i.e. the certificate used by the IdP to sign the response).
- A user configured in the SAML 2.0 provider for testing that is a member of at least one known group.
- For single logout service, the Identity Provider should have the Single Logout Service response configured to be sent via HTTP-POST to: http://yourserver/Manage/Account/SamlLogout or http://yourserver/Produce/Account/SamlLogout respectively

SAML Authentication in Multi-Tenant Environments

To allow navigation to a specific tenancy and to authenticate using SAML instead of forms authentication:

When navigating to a specific form, SmartIQ is able to determine the tenancy of that form and will, therefore, use the authentication method defined by that tenancy.
A TenantId may be used to specify what tenancy to log in to if navigation to the Produce home page is required. The produce homepage in this situation will be the normal home page with "/b/" appended to the URL.

For example, if Produce is normally http://IQtransform.com, then a specific tenancy can be navigated to at http://IQtransform/b/12345, where the tenant id is 12345.

📘
Once a SAML Produce instance is navigated to, a cookie will be stored on that computer and will remember that SAML login is preferred when accessing that instance of SmartIQ. In this situation, in the unlikely situation where forms authentication is desired, the SAML tenancy must be logged out and cookies cleared.

SmartIQ Configuration

Step 1 - Identify a SAML Administrator Group

When the first user (usually a server administrator) attempts to access SmartIQ via SAML Authentication, SmartIQ needs to assign permissions to an External Group so they can access appropriate functions. If this step is not completed, user will not be able to administer anything post authentication.

Step 2 - Enable and Configure SAML

Open the SmartIQ Manage application and log in as an Administrator with Change settings permission.
Click Settings > SAML 2.0.

Provide the necessary information. Refer to Okta and Azure Active Directory for configuration and settings.

Setting	Description
SAML 2.0	Provides the option to use SAML 2.0
Create Users	Provides the option to create a user in the SmartIQ platform. If unchecked, the user must already exist in SmartIQ to be able to login.
Manage Entity Id	The Entity Id of the Manage Service Provider. For example, `Manage`, `ManageTest`, `ManageProd` Etc. For Azure Active Directory, the Application (client) ID will be the Manage Entity Id and Produce Identity Id. For OKTA, this is the Audience URI (SP Entity Id). Note: Do this twice as the Manage Entity Id needs to be different from the Produce Entity Id.
Produce Entity Id	The Entity Id of the Produce Service Provider. For example, `Produce`, `ProduceTest`, `ProduceProd` Etc. For Azure Active Directory, the Application (client) ID will be the Manage Entity Id and Produce Identity Id. For OKTA, this is the Audience URI (SP Entity Id).
Metadata URL	Enables reading information about the requirements of the service from this URL. * For Azure Active Directory, paste the Federation Metadata Document.
Identity Provider Issuer	The Issuer ID of the Identity Provider. For example, `http://openam.example.com:8080/openam` * If using Okta, this information is labelled as “Identity Provider Issuer” when you click the “View Setup Instructions” button within the Settings page in Okta.
Identity Provider Login URL	The URL of the Single Sign on Service URL that SmartIQ will make the HTTP-Post Request to. For example, `http://openam.example.com:8080/openam/SSOPOST/metaAlias/idp` * If using Okta, this information is labelled as “ Identity Provider Single Sign-On URL” when you click the “View Setup Instructions” button within the Settings page in Okta.
Identity Provider Logout URL	The URL of the Single Sign on Service that SmartIQ will make a logout request to. This value is optional. To use a logout service, you must also supply the SmartIQ Signing Certificate. For example, `http://openam.example.com:8080/openam/metaAlias/#logout`
Identity Provider Certificate	The certificate SmartIQ will use to check the signature received in the HTTP-POST Response. A certificate can be installed in the server and referenced by a thumbprint or uploaded directly to the application. * If using Okta, the certificate can be downloaded by clicking Download Certificate from the “View Setup Instructions” button within the Settings page in Okta.
SmartIQ Signing Certificate	The certificate SmartIQ will use to create the signature for the logout request. A certificate can be installed on the server and referenced by a thumbprint (preferred) or uploaded directly to the application (not recommended as this requires the private key to be included without the password).
SmartIQ Signing Algorithm	Provides a selection of hashing methods for the SAML logout request.
Log Mode	Enables capturing a more verbose description of all events during a SAML authentication (i.e. success and fail).
Last Failed SAML Login	Displays the last failed message, if logging has been turned on.

Step 3 - User Profile Mapping

As attributes specified in a SAML response are arbitrary, it is necessary to map particular user profile fields to the values provided in the SAML response.

Open the SmartIQ Manage application and log in as an Administrator with Change settings permission.
Click Settings > User Profile Mapping.
Provide at least the name of the attribute where the user’s Group Memberships are specified. Optionally specify any other user fields.

Available User Profile Mapping Fields:

Setting	Description
User Name	A field to use for the SmartIQ Username if the default SAML ‘NameID’ element does not contain a meaningful value. This is a required field. For example, use the email address.
Groups	The element to look for the user’s group Memberships.
Prefix, Job Title, Organization, Last Name, Phone Number, Full Name, Fax Number, Email, Address Line 1, Address Line 2, Suburb/Town/City, State/Province/Region, Postal/Zip Code, Country	Regular fields
Culture	A culture code to use for example en-AU, zh-CN, es, etc
Language	A language to use must be supported by SmartIQ. Possible values: ar zh-cn zh-tw nl en en-us fr fr-ca de ko pt es * th
Time Zone	An appropriate user time zone. Possible Values: Dateline Standard Time UTC-11 Samoa Standard Time Hawaiian Standard Time Alaskan Standard Time Pacific Standard Time (Mexico) Pacific Standard Time US Mountain Standard Time Mountain Standard Time (Mexico) Mountain Standard Time Central America Standard Time Central Standard Time Central Standard Time (Mexico) Canada Central Standard Time SA Pacific Standard Time Eastern Standard Time US Eastern Standard Time Venezuela Standard Time Paraguay Standard Time Atlantic Standard Time Central Brazilian Standard Time SA Western Standard Time Pacific SA Standard Time Newfoundland Standard Time E. South America Standard Time Argentina Standard Time SA Eastern Standard Time Greenland Standard Time Montevideo Standard Time UTC-02 Mid-Atlantic Standard Time Azores Standard Time Cape Verde Standard Time Morocco Standard Time UTC GMT Standard Time Greenwich Standard Time W. Europe Standard Time Central Europe Standard Time Romance Standard Time Central European Standard Time W. Central Africa Standard Time Namibia Standard Time Jordan Standard Time GTB Standard Time Middle East Standard Time Egypt Standard Time Syria Standard Time South Africa Standard Time FLE Standard Time Israel Standard Time E. Europe Standard Time Arabic Standard Time Arab Standard Time Russian Standard Time E. Africa Standard Time Iran Standard Time Arabian Standard Time Azerbaijan Standard Time Mauritius Standard Time Georgian Standard Time Caucasus Standard Time Afghanistan Standard Time Ekaterinburg Standard Time Pakistan Standard Time West Asia Standard Time India Standard Time Sri Lanka Standard Time Nepal Standard Time Central Asia Standard Time Bangladesh Standard Time N. Central Asia Standard Time Myanmar Standard Time SE Asia Standard Time North Asia Standard Time China Standard Time North Asia East Standard Time Singapore Standard Time W. Australia Standard Time Taipei Standard Time Ulaanbaatar Standard Time Tokyo Standard Time Korea Standard Time Yakutsk Standard Time Cen. Australia Standard Time AUS Central Standard Time E. Australia Standard Time AUS Eastern Standard Time West Pacific Standard Time Tasmania Standard Time Vladivostok Standard Time Central Pacific Standard Time New Zealand Standard Time UTC+12 Fiji Standard Time Kamchatka Standard Time * Tonga Standard Time

Click Save.

Step 4 - Test

Close all browsers to ensure any existing SmartIQ sessions are removed.
Open a new browser and navigate to SmartIQ Manage or Produce.

SmartIQ will create a SAML session as per the configured settings. If logging in for the first time, the Identity Provider's Login screen should appear or, if you already have an existing session, you should be redirected to the Produce or Manage Home page.