Professional Documents
Culture Documents
This file describes a standard configuration of SSO in Dotmatics Browser. It is intended to be used
with Browser 5.5 or higher.
For assistance, please contact support@dotmatics.com or contact your local Dotmatics office, see
http://www.dotmatics.com/contact-dotmatics/ for details.
If you are using Studies, follow the steps in Studies Authenticate Experiments, below, once you have
configured SSO.
• Mitigate risk for access to 3rd-party sites (user passwords not stored or managed externally)
• Reducing password fatigue from different username and password combinations
• Reducing time spent re-entering passwords for the same identity
• Reducing IT costs due to lower number of IT help desk calls about passwords
• Centralised password management and application access control
Browser supports SSO via the SAML 2.0 standard. In this model, Browser acts as the service provider
(SP) and a third party (e.g. Okta, Centrify® , Google Apps etc.) acts as the identity provider (IdP):
Browser supports a generic SAML 2.0 IdP and also has specific support for Okta
(https://www.okta.com) and Centrify® (https://www.Centrify® .com/). Most customers should be
able to use the generic provider support with an IdP of their choice.
There are additional notes for PingFederate, ADFS and OneLogin™ at the end of the document.
To configure SAML 2.0 SSO you will need to configure Browser SSO login as a web application in your
IdP.
The most common settings are described below but some IdP’s may require additional settings that
are not documented here – in that event please contact your IdP and support@dotmatics.com for
assistance.
http(s)://server:port/browser/api/sso/<key>/login
You may have multiple IdP configurations, but each must use its own unique key.
Please note that if you use one of the keys provided by the default Browser installation (demo or
test) that they may be overwritten by future Browser upgrades. It is therefore recommended that
you choose your own unique key.
If required by your IdP, the Recipient URL and Destination URL should be set to the same value as
the SP SSO URL.
Browser does not require an Audience Restriction so this can be set to any value e.g. dummy.
Browser expects usernames (Name ID Format) in default format, often this is as an email address.
Browser will, by default, automatically strip any email domain “@corp.com” suffixes.
Once configured, your IdP should provide you with the following information:
IdP SSO URL – this is a link to your IdP which deals with user authentication and then redirects back
to the SP SSO URL. For example, in Google Apps, this takes the form:
https://accounts.google.com/o/saml2/initsso?idpid=short_guid_here&sp
id=number_here
IP Issuer (IPI) – this generally takes the form of a URL at your IdP. For example, in Google Apps, this
takes the form:
https://accounts.google.com/o/saml2?idpid=short_guid_here
IdP Metadata – this is an XML file containing configuration and certificate information. For example,
in Google Apps, this takes the form:
Default is True.
Default is
RelayState
generic.demo. Specifies • 1 No
fqurl whether the • 0
RelayState • True
should be sent as • False
a fully qualified
Browser URL
rather than a
relative path.
Default is False
generic.demo. Specifies • 1 No
doubleenc
whether the • 0
RelayState • True
should be sent as • False
doubly URL-
encoded value.
Default is False
generic.demo. Specifies • 1 No
samlrequest
whether the IdP • 0
authentication • True
request should • False
be sent as a
deflated, base64
encoded and URL
encoded
SAMLRequest
parameter.
Default is False
There is no
default value.
adfs.demo.nam Specifies the For example: No
eidpolicyform
Name ID urn:oasis:names:tc:SAML:1.1:nam
at
Policy eid-format:emailAddress
Format and is
only used when
SAMLRequest
s are enabled.
There is no
default value.
Additionally, the IdP Metadata gathered during the IdP configuration should be stored in an
appropriately named XML file:
…tomcat/browser/WEB-INF/sso.<provider>.<key>.metadata.xml file.
In Browser, navigate to Admin > Configure > System > Authentication and enable SSO
Authentication. Save your changes and you should see any enabled <provider>.<key> SSO
configurations listed:
If your configuration is not shown, double-check your settings and then select SSO reload
configurations. Save your settings to reload the SSO configuration.
If your configuration is still not shown, consult the browser log file
(…tomcat/logs/browser.log on Windows or …tomcat/logs/catalina.out on Linux)
or available in the Browser GUI (Admin > Configure > System > Logging) for error messages. If you
require further assistance, please contact Dotmatics Support, support@dotmatics.com, and attach
any relevant configuration and log files to your message.
Any users that use SSO must first be added to the Browser system as users with access to at least
one project. Usernames must match those returned by the IdP. If you intend on only providing SSO
access to your users, then use random complex passwords when creating their accounts.
Logout of Browser and you should see your configured SSO available as a login option:
Clicking on the green SSO button will take you to your IdP SSO URL and, assuming you are
authenticated there, bring you straight back in to Browser as a logged-in user.
If you are using Studies, then you will need to set the Studies Authenticate Experiments setting to
yes to ensure you can complete/countersign experiments correctly.
The setting can be found in Browser. Navigate to Configure > System > Application and enable the
setting, click the save icon at the bottom of the page.
Give the application a name, for example Test, and click Next
In the Single sign on URL field enter the SSO URL of your Browser instance which takes the form,
http(s)://server:port/browser/api/sso/<key>/login. For example,
https://dotmatics-server/browser/api/sso/test/login. In the Audience URI
(SP Entity ID) enter dummy, and click Next
Copy the:
• Identity Provider Single Sign-On URL – this will be used to populate your
okta.<key>.url setting
• Identity Provider Issuer – this will be used to populate your okta.<key>.ipi setting
Return to the Sign On page and then assign the application to your users in the normal way using the
People and Groups tabs
Follow the Browser Generic SSO Configuration section above but instead of using the generic
provider, specify okta. Below is a sample sso.properties file where we have used the value
test as the <key>
Continue to follow the steps in the Browser Generic SSO Configuration section above, from “Enable
SSO” onwards, to turn on SSO. Ultimately, you should see your Okta SSO available as a login option
Login to your Centrify® manager site. Click on Apps > Add Web Apps > Custom
Click on Add next to the SAML app and then Yes on the confirmation dialog
In the Assertion Consumer Service URL field enter the SSO URL of your Browser instance which
takes the form, http(s)://server:port/browser/api/sso/<key>/login. For
example, https://dotmatics-server/browser/api/sso/testcentrify/login
Copy the:
Scroll down and click to Download Identity Provider SAML Meta data. This will be stored as your
…tomcat/browser/WEB-INF/sso.centrify.<key>.metadata.xml file
Click Save then change the application desciption to something meaningful and assign the
application to your users in the normal way using the User Access tab.
Follow the Browser Generic SSO Configuration section above but instead of using the generic
provider, specify centrify. Below is a sample sso.properties file where we have used the
value test as the <key>
Continue to follow the steps the Browser Generic SSO Configuration section above, from “Enable
SSO” onwards, to turn on SSO. Ultimately, you should see your Centrify® SSO available as a login
option
In the PingFederate configuration, the option Always sign the SAML Assertion should be left
unchecked
• generic.demo.relay=TargetResource
• generic.demo.fqurl=1
adfs.demo.doubleenc=1
Additionally, Browser requires that the response/message body needs to be signed as well as the
assertion. This can be enabled on the ADFS server via a PowerShell command:
Browser should be configured as a new Enterprise application in the Azure portal. The metadata
XML file is referred to as the federation metadata document.
In most configurations, we have found that double URL encoding is not required:
adfs.demo.doubleenc=0
• adfs.demo.samlrequest=1
• adfs.demo.issuer=GUID
The issuer ID is referred to as the Application (client) ID and the IdP SSO URL is referred to as the
SAML-P sign-on endpoint.
In some configurations, you may have to set the NameIDPolicy Format to ensure the correct
identifier is returned by Azure AD. The default behaviour is to leave it unspecified. To specify that
the email address is returned you can use:
adfs.demo.sso.nameidpolicyformat=urn:oasis:names:tc:SAML:1.1:nameid-
format:emailAddress
Finally, Browser requires that the response/message body needs to be signed as well as the
assertion, see https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/certificate-
signing-options#certificate-signing-options. At the time of writing, this feature was only available in
certain (paid for) editions of Azure AD.
These steps show how to configure OneLogin™ as an IdP for Browser. We will use a slightly modified
Centrify® configuration.
Login to your OneLogin™ manager site. Navigate to the OneLogin™ applications page, click Add App
and then add SAML Test Connector (Advanced)
Give the application a Display Name e.g. Dotmatics Browser SSO and click Save
Click on the Configuration tab and set the following parameters (note that in the following examples
we are using ‘testOneLogin as our key):
• Recipient - https://dotmatics-
server/browser/api/sso/testOneLogin/login
• ACS (Consumer) URL Validator - ^https:\/\/dotmatics-
server\/browser\/api\/sso\/testOneLogin\/login$
• Login URL: -https://dotmatics-
server/browser/api/sso/testOneLogin/login
Note that the Validator takes the form of a regex prefixed with “^”, forward slashes escaped with
backslashes and suffixed with “$”.
The other options on the page should be cross-checked against the following screenshots in case any
of your defaults have been changed. In a vanilla OneLogin™ setup, they can be left as-is:
…continued…
Click Save.
Under More Actions on the top right-hand menu, click SAML Metadata to download your XML
configuration.
Edit the file as follows in order to render it compatible with a typical OneLogin™ configuration:
Continue to assign the application to your users in the normal way using the Users tab.
Follow the Browser Generic SSO Configuration section above but instead of using the generic
provider, specify onelogin. Below is a sample sso.properties file where we have used the
value testOneLogin as the <key>
Continue to follow the steps the Browser Generic SSO Configuration section above, from “Enable
SSO” onwards, to turn on SSO. Ultimately, you should see your OneLogin™ SSO available as a login
option
09AUG2018 --- AH Double URL encoding and ADFS specific XML added