Requirements:
SSO must be configured by the Company Admin of the Rainbow company.
There must be at least one Enterprise licence assigned to the company; otherwise the Security tab is not displayed.
Procedure:
Log in with a Company Admin account
Open My Company > Settings > Security tab:
Add a new authentication method: OIDC or SAML.
For SAML, enter the following information from your IDP:
- Login URL
- Logout URL (optional)
- User ID Attribute: the attribute ID does not depend on the company; it is always the same for a given IDP type:
For ADFS: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
For Azure AD: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
For Shibboleth: urn:oid:0.9.2342.19200300.100.1.3
- Certificates: the token signing certificate of your IDP, downloaded in PEM format.
As an example, it can be found here on Azure AD:
Advanced Options:
Default values should work for most cases; change them with caution.
- Force authentication: always triggers authentication even if a session already exists; not checked by default.
- Always sign the request: requests from Rainbow are signed; not checked by default.
- Allow unencrypted assertions: assertions from the IDP are accepted unencrypted; checked by default.
Once finished, you can download the Rainbow metadata file and import it into the IDP server.
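The Login URL, optional Logout URL and token signing certificate requested above can all be read from the IDP's own SAML metadata. The following Python script is an added example, not code from Rainbow: it parses an IDP metadata document, keeps only the signing certificate (skipping any use="encryption" KeyDescriptor) and re-wraps it as the PEM the Certificates field expects. The metadata and the base64 certificate bodies are constructed placeholders.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}


def idp_settings_from_metadata(metadata_xml: str) -> dict:
    """Extract the values the Rainbow SAML form asks for from IDP metadata."""
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    def location(service):  # Location of the first endpoint of the given type
        el = idp.find(f"md:{service}", NS)
        return el.get("Location") if el is not None else None

    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption,
        # so only an explicit use="encryption" is skipped.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            b64 = "".join((cert.text or "").split())  # drop IDP-inserted whitespace
            base64.b64decode(b64, validate=True)       # raises on a corrupted blob
            body = "\n".join(textwrap.wrap(b64, 64))
            certs.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return {"login_url": location("SingleSignOnService"),
            "logout_url": location("SingleLogoutService"),
            "signing_certs": certs}


# Constructed sample metadata; both certificate bodies are placeholder base64, not real X.509 data.
SIGNING_B64 = base64.b64encode(b"constructed-signing-cert-placeholder-" * 3).decode()
ENC_B64 = base64.b64encode(b"constructed-encryption-cert-placeholder").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SIGNING_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{ENC_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `idp_settings_from_metadata(SAMPLE_METADATA)` (or the same call on your real IDP metadata file) and paste the returned PEM into the Certificates field; an empty `signing_certs` list means the metadata carries no signing KeyDescriptor and the certificate has to be exported from the IDP directly.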
For OIDC:
Enter the following information from your IDP:
- Client ID
- Secret
- Discovery URL
Advanced options - User authentication information:
Default values should work for most cases; change them with caution.
- User ID Attribute: the name of the attribute used in the authentication request to identify the user
- Scope parameter: the scope parameter to include in the authentication request
- ACR value: a space-separated string of Authentication Context Class values to be used in the user's authentication request, listed in order of preference
Or use the manual method:
External Authentication Identifier
On a per-user basis, it is also possible to configure an External Authentication Identifier.
This identifier is then used to authenticate the user.
For example, it is useful when the Rainbow LoginEmail differs from the user's email address stored in Azure AD.
At the end of the SSO configuration, you can activate SSO for all members of the company by editing the SAML or OIDC menu:
Note: Company administrators will still have the choice to log in using SSO or login/password.
For more information on OIDC, SAML, the list of supported servers and their configuration, see the following articles:
https://support.openrainbow.com/hc/en-us/sections/360003695979-Authentification
Comments
1 comment
Hi,
in the description at https://support.openrainbow.com/hc/de/articles/360019304499-How-to-configure-SSO-in-Rainbow-admin-view-
you describe how to configure SSO. At this point, it is necessary to select the certificate. But the drop-down is empty. Where is the PEM certificate to import?
Thanks