Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. Using SAML, you can enable Single Sign-On (SSO) for the following identity providers:
Okta
If Okta SSO is configured for end users, they can access the Apex application in either of the following ways:
From the Okta URL: Log in to the Okta URL, click the Apex icon, and access the application using your Okta credentials.
From the Apex URL: Enter the Apex URL in the address bar. On the Apex login page, click the Okta icon. You are redirected to the Okta URL. Provide your Okta credentials to log in to the Apex application.
Note
If only Okta is configured, accessing the Apex URL redirects you automatically to the Okta URL; once you provide your Okta credentials, you are logged in to the Apex application.
You can also access the Apex application with Apex credentials. This option is available if the Administrator has configured Form login.
Enabling SSO for Apex Using SAML (Okta Configuration)
Adding Apex as SAML App
You can add Apex as a SAML app from the Okta Admin Console.
Log in to the Okta Admin Console. Click Admin. Click Add Applications under the Shortcuts menu.
Figure: Okta page: Adding Apex app
Click Create a new app. The Create a New Application Integration pop-up is displayed. Select the SAML 2.0 option and click Create.
Figure: Okta page: Apex app integration
Provide the required details under General Settings and click Next.
Provide the SAML details under SAML Settings and click Next.
Provide the feedback details under Feedback and click Finish.
Figure: Okta page: Feedback
Click View Setup Instructions. Provide the required details.
Updating Apex Details as SAML App
If Apex is already added as a SAML app, you can modify its details as required.
Log in to the Okta Admin Console. Click Admin. Click Add Applications under the Shortcuts menu.
Figure: Okta page: Editing Apex app details
Click Apps you created. Select the Apex app that you want to update and click Edit.
Figure: Okta page: Editing Apex app details
Update the required details under General Settings and click Next.
Figure: Okta page: Editing Apex app details
Update the SAML details under SAML Settings and click Next.
Figure: Okta page: Editing Feedback details
Update the feedback details under Feedback and click Finish.
Figure: Okta page: Editing Feedback details
Click View Setup Instructions. Update the required details.
Adding Users and Activating Them
You can add the users for whom SSO to the Apex SAML app will be available.
Log in to the Okta Admin Console. Click Admin. Select People from the Directory menu.
Figure: Adding People
Click Add Person. The Add Person pop-up is displayed. Provide the details of the user you are adding and click Add Person. To add more users, click Save and Add Another.
Figure: Adding People details
The added user must be activated before they can use SSO from Okta for Apex. Click Activate. A confirmation pop-up is displayed. Click Activate User.
Figure: Activating the added person
SSO Configuration in Apex (For Okta)
To configure SSO in the Apex application for Okta, perform the following steps:
Navigate to Admin > Infrastructure > SSO Configuration.
The SSO Configuration page is displayed.
Select SAML and click Add New under the Actions panel.
Type in the SSO configuration details.
For more information about the fields on the SSO Configuration page, see Field Description.
Figure: SAML
Click Validate. The certificate information is displayed if the uploaded certificate is valid. For an invalid certificate, an error message is displayed.
Click Submit. The SSO is configured successfully.
Field Description
The following table describes the fields on the SSO Configuration page:
Field | Description |
Domain | Select the domain name from the list. SAML-based authentication will be configured for the selected domain. |
URL | Provide the URL. |
Redirect URL | Copy the SSO URL from the Okta configuration page and paste it in this text box. |
SSO Type | Select the SSO type from the drop-down list. |
Response Attribute | Select the response attribute from the drop-down list. |
Upload Certificate | Upload the certificate that you downloaded during the SSO configuration of the Okta SAML app. |
Request Authentication Context | This field lists the conditions for matching the authentication context. To create a user, the authentication context must match the authentication method. The available matching criteria are Better, Exact, Maximum, and Minimum. |
User Creation | If this checkbox is enabled, a user who is not in the Apex database but logs in to the application using the Okta authentication method is created. |
Time Zone | Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user. |
Template Name | Select the role template from the list. The selected role template will be assigned to the newly created user. |
Logo | Upload an image to be displayed as the Google icon. |
Google
Enabling SSO for Apex Using SAML (Google Configuration)
Adding Apex as SAML App
You can add Apex as a SAML app from the Google Admin Console.
Log in to the Google Admin Console. Click Apps and select SAML Apps.
Figure: Google App Settings page
Click the Plus icon to enable SSO for a SAML application. Click SETUP MY OWN CUSTOM APP.
Figure: Setting up Apex as custom app
Provide the SSO URL and Entity ID, and download the certificate. Click NEXT.
Figure: Downloading the certificates
Provide basic information about the Apex application and click NEXT.
Figure: Basic details
Provide the Service Provider details and click NEXT.
Figure: Service Provider details
Map the service provider attributes to the available user profile fields. You can also come back later to complete the attribute mapping. Click FINISH.
Figure: Attribute mapping
Updating Apex Details as SAML App
If Apex is already added as a SAML app, you can modify its details as required.
Log in to the Google Admin Console. Click Apps and select SAML Apps.
Figure: Google App Settings page
Select the Apex SAML app that you want to update.
Figure: Updating Apex details
Click the Service Provider Details and Attribute Mapping sections to modify the details in the respective sections.
Figure: Updating Service Provider details
Figure: Updating Attribute Mapping
Enabling/Disabling the Apex SAML App
You can enable or disable the Apex SAML app configuration for all users or for selected organizations.
Log in to the Google Admin Console. Click Apps and select SAML Apps.
Figure: Google App Settings page
All the configured SAML apps are displayed. Click the three dots next to the Apex SAML app that you want to enable or disable for users, and select the appropriate option. The available options are ON for everyone, ON for some organizations, and OFF.
Figure: Enabling Apex app
Field Descriptions
Option | Description |
ON for everyone | If selected, the SAML app is available to all the users. |
ON for some organizations | If selected, the SAML app is available to users of the selected organizations. |
OFF | If selected, the SAML app is not available to anybody. |
Adding Users
You can add the users for whom SSO will be available for the Apex SAML app.
Log into Google Admin Console and select Users from the left menu.
Figure: Adding Users
Hover over the Add icon. The available options are: Invite users, Add multiple users, and Add user.
Figure: Adding User
Figure: Multiple options to add users
Invite users: Select this option to invite users to use the Apex SAML app as SSO from Google. Specify the e-mail IDs of the users to whom you want to send the invitation.
Figure: Inviting users
Add multiple users: Select this option to add multiple users. You can upload a Microsoft Excel sheet with the names of the users and other details (download the template as a .CSV file).
Figure: Adding multiple users
Add user: Select this option to add a single user. Provide the first name, last name, and e-mail ID of the user.
Figure: Adding single user
SSO Configuration in Apex (For Google)
To configure SSO in the Apex application for Google, perform the following steps:
Navigate to Admin > Infrastructure > SSO Configuration.
The SSO Configuration page is displayed.
Select SAML and click Add New under the Actions panel.
Type in the SSO configuration details.
For more information about the fields on the SSO Configuration page, see Field Description.
Click Validate. The certificate information is displayed if the uploaded certificate is valid. For an invalid certificate, an error message is displayed.
Click Submit. The SSO is configured successfully.
Field Description
The following table describes the fields on the SSO Configuration page:
Field | Description |
Domain | Select the domain name from the list. SAML-based authentication will be configured for the selected domain. |
URL | Provide the URL. |
Redirect URL | Copy the SSO URL from the Google configuration page and paste it in this text box. |
SSO Type | Select the SSO type from the drop-down list. |
Response Attribute | Select the response attribute from the drop-down list. |
Upload Certificate | Upload the certificate that you downloaded during the SSO configuration of the Google SAML app. |
Request Authentication Context | This field lists the conditions for matching the authentication context. To create a user, the authentication context must match the authentication method. The available matching criteria are Better, Exact, Maximum, and Minimum. |
User Creation | If this checkbox is enabled, a user who is not in the Apex database but logs in to the application using the Google SAML authentication method is created. |
Time Zone | Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user. |
Template Name | Select the role template from the list. The selected role template will be assigned to the newly created user. |
Logo | Upload an image to be displayed as the Google icon. |
Ping Federate
Prerequisites to be performed in Ping Federate Server
Log in to the Ping Federate server.
Figure: Ping Federate Login Screen
On the Identity Provider tab, under the SP Connections section, click Create New.
Figure: Identity Provider tab
In the SP Connection section, configure the tabs as follows:
Connection Type
Figure: SP Connection _ Connection Type
Connection Options
Figure: SP Connection _ Connection Options
Import Metadata
If you have a metadata URL or file, select the respective option and provide the information. If you do not have a URL or a file, select NONE.
Figure: SP Connection _ Import Metadata
General Info
On the General Info tab, specify the PARTNER'S ENTITY ID, CONNECTION NAME, and the BASE URL. Select the LOGGING MODE as STANDARD.
Figure: SP Connection _ General Info
Browser SSO
On the Browser SSO tab, click Configure Browser SSO.

Figure: SP Connection _ Browser SSO
SAML Profiles
In the SAML Profiles section, select IDP-INITIATED SSO.
Figure: SAML PROFILES
Assertion Lifetime

Figure: Assertion Lifetime tab
Assertion Creation
On the Assertion Creation tab, click Configure Assertion Creation.

Figure: Configure Assertion

Protocol Settings
On the Protocol Settings tab, click Configure Protocol Settings.

Figure: Protocol Settings tab
Assertion Consumer Service URL
Select Binding as POST and specify the Endpoint URL as /Apex_SAMLResponse.aspx.

Figure: Assertion Consumer Service URL
Signature Policy
Select ALWAYS SIGN THE SAML ASSERTION and click Next.

Figure: Signature Policy
Encryption Policy
Figure: Encryption Policy
Summary
Figure: Summary
Browser SSO Summary
On the Summary tab, click Done. You will be redirected to the SP Connection page.
Figure: Browser SSO _ Summary
Credential
Click Configure Credentials.

Figure: Credentials
Digital Signature Settings
Click Manage Certificates and configure Signing Certificate.

Figure: Digital Signature Settings
Credential Summary
On the Summary tab, click Done. You will be redirected to SP Connection page.
Figure: Credentials Summary
Activation and Summary
Select the Connection Status as Active and click Save.

Figure: SP Connection _ Summary
Click Server Configuration and then click Metadata Export under ADMINISTRATIVE FUNCTIONS.
Metadata Role
Figure: Metadata Role
Metadata Mode
Figure: Metadata Mode
Connection Metadata
Select the configured SP Connection from the drop-down list.
Figure: Connection Metadata
Metadata Signing
Select the Signing Certificate from the drop-down list.
Figure: Metadata Signing
Export and Summary
On the Export & Summary tab, click Export and then click Done. An XML file is downloaded.
Figure: Export & Summary
Note
Redirect URL: Select Identity Provider > SP CONNECTIONS. Click the SP Connection that you configured. The SSO Application Endpoint displayed here is the Redirect URL to be entered in the Apex application.
Figure: Redirect URL - Sample
Upload Certificate: The certificate is available in the metadata file, under the <ds:X509Certificate> tag. Copy this data and enter it in the Upload Certificate section.
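The certificate copy-out and the Validate step described above, as an added Python example that is not part of the Apex product or of PingFederate: it pulls the signing certificate out of the exported metadata, strips the line wrapping, and rejects a pasted value that is not base64 or whose DER length does not account for every byte (the usual result of a missing or extra line when copying from the file). The metadata document is constructed, and its certificate body is a stand-in DER value, not a real certificate.

```python
import base64
import binascii
import ssl
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 metadata and XML Signature.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def der_length_ok(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose length
    field accounts for every byte present; a mis-pasted value fails."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short-form length
        return len(der) == 2 + first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")


def extract_signing_cert(metadata_xml: str) -> str:
    """Return the IdP signing certificate from the exported metadata as PEM,
    or raise ValueError explaining why it cannot be used."""
    root = ET.fromstring(metadata_xml)
    # A KeyDescriptor without a `use` attribute is valid for signing too.
    keys = [k for k in root.findall(".//md:KeyDescriptor", NS)
            if k.get("use", "signing") == "signing"]
    if not keys:
        raise ValueError("metadata has no signing KeyDescriptor")
    node = keys[0].find(".//ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("KeyDescriptor has no ds:X509Certificate")
    b64 = "".join(node.text.split())       # drop line wrapping and indentation
    try:
        der = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"certificate is not valid base64: {exc}") from exc
    if not der_length_ok(der):
        raise ValueError("certificate DER is truncated or not a SEQUENCE")
    return ssl.DER_cert_to_PEM_cert(der)


def validate_metadata_cert(metadata_xml: str) -> tuple[bool, str]:
    """Mirror the Validate button: (True, PEM) or (False, error message)."""
    try:
        return True, extract_signing_cert(metadata_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)


# Constructed sample metadata. The certificate body is a stand-in DER
# SEQUENCE { INTEGER 5 }, not a real X.509 certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>
        {SAMPLE_B64}
      </ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Calling `validate_metadata_cert(SAMPLE_METADATA)` returns the PEM text ready for the Upload Certificate field; feeding it the same document with one base64 line dropped returns the truncation error instead.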
SSO Configuration in Apex (For Ping Federate)
To configure SSO in the Apex application, perform the following steps:
Navigate to Admin > Infrastructure > SSO Configuration.
The SSO Configuration page is displayed.
Select SAML and click Add New under the Actions panel.
Type in the SSO configuration details.
For more information about the fields on the SSO Configuration page, see Field Description.
Click Validate. The certificate information is displayed if the uploaded certificate is valid. For an invalid certificate, an error message is displayed.
Click Submit. The SSO is configured successfully.
Field Description
The following table describes the fields on the SSO Configuration page:
Field | Description |
Domain | Select the domain name from the list. The SAML based authentication will be configured for the selected domain. |
URL | Provide the URL. |
Redirect URL | Copy the SSO URL details from Ping Federate configuration page and paste the URL details in this text box. |
SSO Type | Select the SSO Type from the drop-down list. |
Response Attribute | Select the response attribute from the drop-down list. |
Upload Certificate | Upload the certificate that you downloaded during the SSO configuration using Ping Federate SAML apps. |
Request Authentication Context | This field lists the conditions for matching the authentication context. To create a user, the authentication context must match the authentication method. The available matching criteria are Better, Exact, Maximum, and Minimum. |
User Creation | If this checkbox is enabled, a user who is not in the Apex database but logs in to the application using the SAML PingFederate authentication method is created. |
Time Zone | Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user. Note: This field is displayed only when the User Creation checkbox is enabled. |
Template Name | Select the role template from the list. The selected role template will be assigned to the newly created user. Note: This field is displayed only when the User Creation checkbox is enabled. |
Logo | Upload an image to be displayed as Ping Federate icon. |
ADFS
Prerequisites to be performed in ADFS:
Log in to your ADFS account. On the Start screen, type ADFS Management in the Search bar. Click ADFS Management.
Figure: ADFS Start screen
Under Trust Relationships, click Relying Party Trusts and then click Add Relying Party Trust.
Figure: Add Relying Party Trust
On the Welcome tab of the Add Relying Party Trust Wizard, click Start.
Figure: Welcome tab
On the Select Data Source tab, select Enter data about the relying party manually.
Figure: Select Data Source tab
On the Specify Display Name tab, specify a Display name and click Next.
Figure: Specify Display Name tab
On the Choose Profile tab, select ADFS Profile and click Next.
Figure: Choose Profile tab
On the Configure Certificate tab, click Next.
On the Configure URL tab, select Enable Support for the SAML 2.0 Web SSO Protocol.
Figure: Configure URL tab
Note
For the Mobile App Relying Party, the SAML 2.0 SSO service URL should be:
https://customer.domain.com/SSO/MobileSAMLResponse.aspx
On the Configure Identifiers tab, specify a Relying Party trust identifier and click Next.
Figure: Configure Identifiers tab
Configure Multi-factor Authentication Now
Figure: Configure Multi-factor Authentication Now
Choose Issuance Authorization Rules
Figure: Choose Issuance Authorization Rules tab
Ready to Add Trust
Figure: Ready to Add Trust tab
Finish
Figure: Finish tab
Click Add Rule and choose the Claim Rule Send LDAP Attributes as Claims in the Edit Claim Rules for ADFSSAML window.
Figure: Add Rule
In the Choose Rule Type section, select the Claim Rule Template Send LDAP Attributes as Claims.
Figure: Choose Rule Type
Specify the details on the Configure Claim Rule tab as shown in the image below and click Finish.
Figure: Configure Claim Rule
Note
The Apex application uses the user's Email as the login ID. For this to work, you must set up Email as the NameID in the SAML login request. This is achieved by setting up a Transform Rule.
Click Add Rule again, choose Transform an Incoming Claim, and click Next.
Figure: Choose Rule Type tab
Set up the Email ID to be sent as the NameID as shown below and click Finish.
Figure: Configure Claim Rule
In the ADFS Management window, right-click the Relying Party for Apex and choose Properties. Under the Advanced tab, choose SHA-256 as the Secure Hash Algorithm.
Figure: Secure hash Algorithm
In the ADFS Management window, choose Services > Certificates and double-click the Token Signing Certificate, which gives you the option Copy to File. This lets you export the X509 certificate from the raw file.
Figure: Certificates Section
Select the format as shown below.
Figure: Export File Format
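The two requirements the ADFS steps above establish (Email sent as the NameID via the Transform rule, and SHA-256 as the Secure Hash Algorithm on the trust), as an added Python example that is not part of the Apex product or of ADFS: a pre-check over a received SAML Response that returns the e-mail NameID Apex would use as the login ID, or says which ADFS setting is missing. The sample Response is constructed; the code inspects only the declared SignatureMethod and does not verify the XML signature itself.

```python
import re
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def login_id_from_response(response_xml: str) -> str:
    """Return the e-mail NameID that Apex uses as the login ID, or raise
    ValueError naming the ADFS setting that is missing. Only the declared
    SignatureMethod is inspected; XML-DSig verification is not done here."""
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response carries no Assertion")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:
        raise ValueError("Assertion is not signed")
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else None
    if alg != RSA_SHA256:
        raise ValueError(f"SignatureMethod is {alg!r}; set SHA-256 on the trust")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("Subject has no NameID; add the Transform rule")
    if name_id.get("Format") != EMAIL_FORMAT:
        raise ValueError(f"NameID Format {name_id.get('Format')!r} is not emailAddress")
    value = (name_id.text or "").strip()
    if not EMAIL_RE.match(value):
        raise ValueError(f"NameID {value!r} is not an e-mail address")
    return value


def check_response(response_xml: str) -> tuple[bool, str]:
    """(True, login ID) when the Response is acceptable, else (False, reason)."""
    try:
        return True, login_id_from_response(response_xml)
    except (ET.ParseError, ValueError) as exc:
        return False, str(exc)


# Constructed sample Response; the SignatureValue is a placeholder.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}"
    xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="{RSA_SHA256}"/>
    </ds:SignedInfo><ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_FORMAT}">jane.doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""
```

Swapping the Format attribute for the `unspecified` format, or the algorithm for the SHA-1 URI, makes `check_response` return the matching error instead of the login ID.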
SSO Configuration in Apex (For ADFS)
To configure SSO in the Apex application, perform the following steps:
Navigate to Admin > Infrastructure > SSO Configuration.
The SSO Configuration page is displayed.
Select SAML and click Add New under the Actions panel.
Type in the SSO configuration details.
For more information about the fields on the SSO Configuration page, see Field Description.
Click Validate. The certificate information is displayed if the uploaded certificate is valid. For an invalid certificate, an error message is displayed.
Click Submit. The SSO is configured successfully.
Field Description
The following table describes the fields on the SSO Configuration page:
Field | Description |
Domain | Select the domain name from the list. The SAML based authentication will be configured for the selected domain. |
URL | Provide the URL. |
Redirect URL | Copy the SSO URL details from ADFS configuration page and paste the URL details in this text box. |
SSO Type | Select the SSO Type from the drop-down list. |
Response Attribute | Select the response attribute from the drop-down list. |
Upload Certificate | Upload the certificate that you downloaded during the SSO configuration using ADFS SAML apps. |
Request Authentication Context | This field lists the conditions for matching the authentication context. To create a user, the authentication context must match the authentication method. The available matching criteria are Better, Exact, Maximum, and Minimum. |
User Creation | If this checkbox is enabled, a user who is not in the Apex database but logs in to the application using the ADFS SAML authentication method is created. |
Time Zone | Select the time zone from the drop-down list. The selected time zone will be assigned to the newly created user. Note: This field is displayed only when the User Creation checkbox is enabled. |
Template Name | Select the role template from the list. The selected role template will be assigned to the newly created user. Note: This field is displayed only when the User Creation checkbox is enabled. |
Logo | Upload an image to be displayed as ADFS icon. |
Actions
This section explains all the icons displayed on the Actions panel of the SSO Configuration page.
Show List
Click Show List to display the List table showing the SSO configured in the Apex application for SAML.
Filters
On the Filters pop-up page, select a domain name from the list and then click Submit. A list of SAML based authentications configured for the selected domain is displayed.
Add New
Click Add New to configure a new SAML based authentication for a domain.