Single Sign-On With SAML
  • 27 Jun 2022
  • 4 Minutes to read
  • Dark
    Light

Single Sign-On With SAML

  • Dark
    Light

Module Details

Last Modified
Installation Location
Administration -> Features -> SAML
Restart Required?No
Step Location N/A
Settings Location Settings > SAML Settings
Prerequisites
  • SAML Module Installed.
  • Logout URL
  • Login URL
  • NameId Policy (Email or TransientID)
  • User ID Attribute Name
    (only needed if NameId Policy is Transient)

Configuring Single Sign-On (SSO) involves details that vary based on provider and customer environment, these settings are strict and must be at the knowledge of the administrator configuring the connection.

If SSO is a new concept, it may take time and multiple attempts to accurately configure all of the identifying data and settings, allowing for secure and reliable authentication. An administrator with experience in SSO or the IT infrastructure of the organization can help streamline the process.

The Decisions Support team is available to help, but may not be able to answer questions or solve problems that are unique to a customer organization. 

Accounts that are created before the required module is installed will need an update before using SSO. Please contact the Support team on how to update an account.

The SSO Basics article can provide an overview of SSO and how to update the accounts once configured.

In addition to the module prerequisites, an X.509 Certificate in PEM format is needed. Below is an example of a PEM formatted certificate:
-----BEGIN CERTIFICATE-----
MIIB9TCCAWACAQAwgbgxGTAXBgNVBAoMEFF1b1ZhZGlzIExpbWl0ZWQxHDAaBgNV
BAsME0RvY3VtZW50IERlcGFydG1lbnQxOTA3BgNVBAMMMFdoeSBhcmUgeW91IGRl
Y29kaW5nIG1lPyAgVGhpcyBpcyBvbmx5IGEgdGVzdCEhITERMA8GA1UEBwwISGFt
aWx0b24xETAPBgNVBAgMCFBlbWJyb2tlMQswCQYDVQQGEwJCTTEPMA0GCSqGSIb3
DQEJARYAMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCJ9WRanG/fUvcfKiGl
EL4aRLjGt537mZ28UU9/3eiJeJznNSOuNLnF+hmabAu7H0LT4K7EdqfF+XUZW/2j
RKRYcvOUDGF9A7OjW7UfKk1In3+6QDCi7X34RE161jqoaJjrm/T18TOKcgkkhRzE
apQnIDm0Ea/HVzX/PiSOGuertwIDAQABMAsGCSqGSIb3DQEBBQOBgQBzMJdAV4QP
Awel8LzGx5uMOshezF/KfP67wJ93UW+N7zXY6AwPgoLj4Kjw+WtU684JL8Dtr9FX
ozakE+8p06BpxegR4BR3FMHf6p+0jQxUEAkAyb/mVgm66TyghDGC6/YkiKoZptXQ
98TwDIK/39WEB/V607As+KoYazQG8drorw==
-----END CERTIFICATE-----

Version 8 Endpoints

Below is a list of endpoints used for version 8, along with an example for the endpoints.

SAML Assertion Consumer Endpoints
For some SAML ACS endpoints, identity providers may require Primary to be included as part of the endpoint ie, [baseportalurl]:[port]/Primary/SAML/AssertionConsumer
EndpointExample endpoint
LoginURL[baseportalurl]:[port]/Account/Login
LogoutURL[baseportalurl]:[port]/Account/Logout
SAML[baseportalurl]:[port]/SAML/AssertionConsumer
or
[baseportalurl]:[port]/Primary/SAML/AssertionConsumer
TokenHandler[baseportalurl]:[port]/HandleTokenResponse


AD Sync and SSO

Users cannot set up an Active Directory Sync simultaneously with Single Sign-On (via SAML and OpenID Modules). Doing so will result in an error that requires users to reset their sign-on setup.

Example

This example will demonstrate how to configure Single Sign-On using the SAML module.

  1. Navigate to the System> Settings. Right-click SAML Settings and select Edit.
  2. In the Edit SAML Setting window, check the Enabled option. Then, under Identity Providers sectionselect ADD.
    When users close out of their browser or close out of Decisions their session will end. This can be resolved through enabling Session Persistence in SAML Settings. To enable this feature, Enable Session Persistence will need to be checked. This will allow users to remain signed into Decisions until they log out.
  3. Configure the appropriate fields in the Add Identity Providers window. This information is based on the SSO provider information used for the organization. When complete, click OK.
    Setting NameDescription
    Display NameName for Identity Provider
    Login URLThe SSO login of the Identity Provider
    Logout URLThe SSO logout URL of the Identity Provider
    Sign Logout Requests/ResponsesWhen set to true, logouts will be signed with a private certificate.
    Logout Signature AlgorithmRSA-SHA1 and RSA-SHA256 are the available signature algorithms.
    Filename of PFX FilePath to the private cert file on the server's filesystem.
    Password for PFXPassword for the private cert 
    IdP Issuer/Entity IDThe ID of the identity provider. This value is only required to allow Identity Provider initiated logins.
    SP Issuer/Entity IDUsually, the Base URL to the Decisions Portal. The Portal Base URL can be found by clicking the Profile icon in the Designer Studio, then selecting About from the menu.
    Name ID PolicyEither email or transient ID based on Identity Provider
    X.509 CertificateThe PEM formatted string of the X.509 cert
    Process If User Not FoundWhen enabled, the selected Flow will be run if a user with an unknown ID tries to log in. This Flow is typically used to create the unknown user in the Decisions Portal so that they can log in. Users can choose to pick a Flow or create the Flow Behavior SAML User Not Found Flow.
    Processing TypeSet to Run Flow In Background.
    Pick FlowThis is the Flow that will be run when an unknown user tries logging in. The default Flow can be used for creating unknown users. It is named SAMLDefaultCreateAccount.
    Retry Login AfterWhen set to true, the System will try to log in the user after running the selected Flow. If the Flow creates the user, it should be set to be true so that the user seamlessly gets logged in, or else they would have to try logging in a second time to get in.

  4. In the Edit SAML Settings window, click the dropdown list under Primary Identity Provider and select the created Identity Provider. Click SAVE to save SAML Settings.


    When using a SAML Login Flow from the option Run Flow on Each Login, Relay State is available as input in the Flow Designer on the Data Explorer panel. Auto Timeout should only be used with the built-in SignOn. In the HTML Portal, log out the user so that they go back to their SSO Sign-in Page. To get Attributes passed in from the SAML Response, navigate to the Data Explorer panel then SAML Response > Assertion > AttributeStatement.
  5. Navigate to System> Security > Accounts and right-click an account that should be able to use SAML SSO. Select Edit Account.
  6. In the Edit Entity window, locate the PERSONAL INFORMATION section and define the User Identifier value. This value should be used as the value for the Identity Provider to send as the User IdClick SAVE.
  7. Once at least one admin user is enabled to work with SSO, open the Settings.xml file located at C:\Program Files\Decisions\Decisions Services Manager.
  8. Find the line <EnableSingleSignOn>false</EnableSingleSignOn> and set the value to true. Save changes to the file. 
    If the line is not present, add the line to the Settings.xml file.
    <EnableSingleSignOn>true</EnableSingleSignOn>

  9. Restart the Decisions Server service to enable SAML SSO mode. 

Metadata

Replace the "http://myDecisionsServer.Decisions.com/decisions" with the URL to the Decisions installation.

Using Email Address nameId Policy

When Identity Provider is using Email Address nameId Policy, use the following code:

$metadata['http://myDecisionsServer.Decisions.com/decisions'] = array(
'AssertionConsumerService' => 'AssertionConsumerService' => 'http://myDecisionsServer.Decisions.com/decisions/Primary/SAML/AssertionConsumer', 'SingleLogoutService' => 'http://myDecisionsServer.Decisions.com/decisions/Primary/Logout',
'NameIDFormat' => ***'urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'***	  
);

Using Transient namedId Policy

When Identity Provider is using Transient nameId Policy, use the following code:

$metadata['http://myDecisionsServer.Decisions.com/decisions'] = array(
'AssertionConsumerService' => 'http://myDecisionsServer.Decisions.com/decisions/Primary/SAML/AssertionConsumer', 'SingleLogoutService' => 'http://myDecisionsServer.Decisions.com/decisions/Primary/Logout',
'NameIDFormat' => ***'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'***	  
);

For further information on Modules, visit the Decisions Forum.



Was this article helpful?