- Created by Universal Importer for Confluence , last modified by Kim Landis (Unlicensed) on May 03, 2018
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 4 Next »
Home / Configuring SSO Connections / saml/ / Current: Registering SAML Apps
EmpowerID supports SAML-based identity transactions, allowing you to federate EmpowerID with third-party applications that use SAML to exchange identity data. In this way, if your organization has a corporate account with a service provider application that uses SAML, you can register that application in EmpowerID, giving your users the ability to access any accounts they may have in that application from EmpowerID.
This topic describes the general steps for registering a third-party SAML application in EmpowerID.
To register a SAML application in EmpowerID
- In the Navigation Sidebar, expand Applications and click Manage Applications.
From the Actions pane of the Application Management page, click the Create Application action.
This opens the Application Details form for the new application. This form contains various tabs and fields for registering the SAML application.In the following image, the Navigation Sidebar has been collapsed to conserve screen real estate.
- From the General tab of the Application Details form, do the following:
- Enter a name, display name and description for the application in the Name, Display Name and Description fields.
- Allow Access Requests - Specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
- Allow Request Account - Specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
- Allow Claim Account - Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
- Login Is Email Address - Specify whether the login for the application is an email address. This setting is necessary for passing the appropriate identity assertion to the application when logging in from EmpowerID.
- Make me the Application Owner - Specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
- Configure Advanced Claim and Request Account Options - Select this option and then provide the appropriate advanced configuration information if you have custom pages and workflows configured in EmpowerID for processing access requests as well as for managing any accounts linked to the application's (internal to EmpowerID) account directory.
- Click the Single Sign-On tab and from the Single Sign-On Connection Type drop-down, select SAML.
- Select the Create a New SAML Connection checkbox.
- In the SAML Connection Information section that appears, do the following:
Select the template for your application from the SAML Application Template drop-down.
For example, if your SAML application configures your corporate Salesforce account for SSO with EmpowerID, select Salesforce SSO Connection Settings. This populates the SAML Connection Information section with the base information necessary for federating Salesforce.If you are configuring an application for SSO with EmpowerID and the application does not appear in the SAML Application Template drop-down, select Default SSO Connection Settings.
- Type a display name for the SAML Connection in the Display Name field.
- Select the appropriate certificate to sign the SAML assertions sent to the application from the Certificate drop-down.
- Edit the Assertion Consumer URL field as needed. This value is supplied by the service provider.
On the Users tab, either create a new account directory for the application, or select an existing account directory from which to add accounts for the application.
If you create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store.
A tracking-only account store is a container within EmpowerID that stores user and group records for SSO or attestation without making a connection to the external directory of the application. This is helpful because it creates a one-to-one correlation between the account store and the application, and the SSO connection for the application. This example creates a new account directory.
- Optionally, add a group to the application by doing the following:
- Click the Groups tab and then click the Add Button (+) in the Groups grid.
- In the Group Information dialog that appears, search for the group you want to add to the application and then click the tile for that group.
- Click Add and repeat step b for any other groups.
Optionally, define IP addresses that are allowed to access the application. This lets you secure access to the application based on the location of the user.
For example, you can choose to deny access to users logging in from home, but allow them access from the internal network. Expand the drop-down box to see how.- Click the Add to Cart button.
- Click the My Cart link located at the top of the page and in the Cart dialogue that appears type a reason for creating the application and then click Submit.
To claim an SSO application account
- Log in to the EmpowerID Web application as a person with an account in the SSO application you just created.
- In the Navigation Sidebar, expand Applications and click Request Access.
- From the Request Access page, search for the SSO application and then click the Request Access link for that application.
- Click Claim Existing Account.
- In the Register SSO Application Account form that appears, type the username for the application account in the SSO Application Login field and click Submit.
- Retrieve the one-time password (OTP) sent by EmpowerID to your email address, paste it in the Password field of the One-Time Password Validation form and click Submit. EmpowerID uses the OTP to verify that the access request originated from the user.
- In the Navigation Sidebar, expand Applications and click Login.
A button for the application appears. In this image, we requested access to the Salesforce application so we see a Salesforce button. - Click the button for the application.
EmpowerID logs you in to the application, which in this case is Salesforce.
- No labels