...
Important note: The roles in the GYTPOL UI and the groups in your IDP must be identical, including the same name and case. During authentication, the IDP group token and the role token are exchanged and matched.
...
In this step, you add an Amazon Cognito user pool as an application in Azure AD, to establish a trust relationship between them.
Log in to the Azure Portal.
In the Azure Services section, choose Azure Active Directory.
In the left sidebar, choose Enterprise applications.
Choose New application.
On the Browse Azure AD Gallery page, choose Create your own application.
Under What’s the name of your app?, enter a name for your application and select Integrate any other application you don’t find in the gallery (Non-gallery), as shown in Figure 1.
Choose Create.
After creating the application in Azure AD, it may take a few moments for the process to complete. Once finished, you will be automatically redirected to the Overview page for the newly added application.
...
On the Getting started page, in the Set up single sign on tile, choose Get started, as shown in Figure 2.
Proceed to the next screen and select SAML.
In the middle pane, navigate to the Basic SAML Configuration section, and click on the edit icon.
In the right pane, within the Basic SAML Configuration, replace the default Identifier ID (Entity ID) with the Identifier (Entity ID) provided by your account manager. Then, in the Reply URL (Assertion Consumer Service URL) field, input the Reply URL provided by your account manager, as depicted in Figure 3. Click on Save to confirm the changes.
In the middle pane under Set up Single Sign-On with SAML, in the User Attributes & Claims section, choose Edit.
Choose Add a group claim.
On the User Attributes & Claims page, in the right pane under Group Claims, select Groups assigned to the application, leave Source attribute as sAMAccountName, as shown in Figure 4.
Expand Advanced options and select the “Customize the name of the group claim” checkbox. Enter “groups” in the Name field, as shown in Figure 4, and choose Save. This allows GYTPOL roles to be mapped automatically to Azure AD groups.
Scroll down to the SAML Signing Certificate section and copy the App Federation Metadata URL by choosing the copy into clipboard icon (highlighted with red arrow in Figure 5).
Please send the URL to your account manager.
Assign the application to the relevant groups.
Please note that the roles in the GYTPOL UI and the groups in your IDP must be identical, including the same name and case. During authentication, the IDP group token and the role token are exchanged and matched.
...
Create a new App Integration and select SAML 2.0.
...
Under General Settings, enter a name for your app.
(Optional) Upload a logo and choose the visibility settings for your app.
Choose Next.
Under General, for Single sign on URL, enter the Single sign-on URL (the Reply URL) provided by your account manager, and for Audience URI (SP Entity ID), enter the Entity ID that your account manager also provided, as shown in Figure 2.
...
Under Attribute Statements (optional), add a statement with the following information, as shown in Figure 3:
Name | Value |
---|---|
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | user.email |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | user.lastName |
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | user.firstName |
...
For all other settings on the page, leave them as their default values or set them according to your preferences.
Choose Next.
Choose a feedback response for Okta Support.
Choose Finish.
Open the application and, on the Sign On page, copy the Metadata URL and send it to your account manager, as shown in Figure 4.
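To confirm that the IdP actually emits the attributes configured above (the three attribute statements in the table for Okta, and the group claim named “groups” configured for Azure AD in the previous section), the following added example parses a SAML 2.0 assertion and reports any required attribute that is absent or empty. It is not part of this documentation or of GYTPOL's tooling. The assertion it parses is a constructed sample with the signature element omitted; the attribute names are the ones from the table, and the user values and group names are invented.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names from the Okta attribute-statement table, plus the
# "groups" claim configured for role mapping.
REQUIRED_ATTRIBUTES = {
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "groups",
}

# Constructed sample assertion (not captured from a real IdP); the
# Signature element is omitted because this example only inspects attributes.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml2:Issuer>https://idp.example.test</saml2:Issuer>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml2:AttributeValue>jane.doe@example.test</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml2:AttributeValue>Doe</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml2:AttributeValue>Jane</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="groups">
      <saml2:AttributeValue>GYTPOL-Admins</saml2:AttributeValue>
      <saml2:AttributeValue>GYTPOL-Viewers</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""


def extract_attributes(assertion_xml):
    """Return {attribute name: [values]} for every Attribute in the assertion.
    Multi-valued attributes (such as group membership) keep all their values."""
    root = ET.fromstring(assertion_xml)
    attributes = {}
    for attr in root.iterfind(".//saml2:Attribute", SAML_NS):
        name = attr.get("Name")
        values = [v.text or "" for v in attr.findall("saml2:AttributeValue", SAML_NS)]
        attributes[name] = values
    return attributes


def missing_attributes(attributes):
    """Names from REQUIRED_ATTRIBUTES that are absent or have no non-empty value."""
    return sorted(
        name for name in REQUIRED_ATTRIBUTES
        if not any(v.strip() for v in attributes.get(name, []))
    )


if __name__ == "__main__":
    found = extract_attributes(SAMPLE_ASSERTION)
    for name, values in found.items():
        print(f"{name}: {values}")
    gaps = missing_attributes(found)
    print("missing:", gaps or "none")
```

This inspects attribute content only; the service provider, not this script, is responsible for validating the assertion signature, audience and validity window. In practice the assertion is obtained from a browser SAML trace of a test login.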
On the Assignments tab for your Okta app, for Assign, choose Assign to People.
Choose Assign next to the user that you want to assign.
Note: If this is a new account, the only option available is to choose yourself (the admin) as the user.
Choose Save and Go Back. Your user is assigned.
Choose Done.
Please note that the roles in the GYTPOL UI and the groups in your IDP must be identical, including the same name and case. During authentication, the IDP group token and the role token are exchanged and matched.
...
After selecting the desired group or users and activating the GYTPOL app by marking the ON checkbox, click on the SAVE button to confirm your changes.
...
Please note that the roles in the GYTPOL UI and the groups in your IDP must be identical, including the same name and case. During authentication, the IDP group token and the role token are exchanged and matched.
PingFederate
Ensure that you have valid Active Directory IdP connections, adapters, and policies configured before creating the GYTPOL integration.
Integrating PingFederate with GYTPOL involves several steps. These steps assume that you have already received the Reply URL (Assertion Consumer Service URL) and Entity ID from GYTPOL.
Here's a general outline of the process:
Set Up PingFederate as an Identity Provider (IdP):
Log in to the PingFederate administrative console.
Create an IdP Connection:
Navigate to the "Identity Provider" tab.
Select "Create New" under "SP Connections".
Choose "Browser SSO Profiles" and proceed with the "Next" button.
Basic Information:
Enter a connection name and an optional description.
Click "Next".
Connection Type:
Select the connection type. Choose "Browser SSO Profiles".
Click "Next".
Import Metadata:
Select "Manual Configuration" and click "Next".
Configure the Connection:
Connection Options:
Choose SAML 2.0 and proceed.
Connection Configuration:
Enter the Entity ID (e.g., urn:amazon:cognito:sp:eu-central-1_q1W2e3R4). Enter the Assertion Consumer Service (ACS) URL (Reply URL) (e.g., https://gytpol-saas-tenant-name.auth.eu-central-1.amazoncognito.com/saml2/idpresponse).
SAML Profiles:
Enable the SAML profiles required (e.g., SP-initiated SSO).
Assertion Lifetime:
Set the assertion validity period (default is usually sufficient).
Signature Policy:
Configure signing options based on SP requirements.
Attribute Mapping:
Map the attributes from your IdP to the attributes expected by the SP. Common attributes include names, email, and others. Please refer to the below screenshots for reference.
Click "Next".
...
Summary:
Review the configuration and click "Done" to complete the setup.
Configure Authentication Policies:
Define the authentication policies for the IdP connection, such as allowed authentication methods, multi-factor authentication, etc.
Publish the Connection:
Ensure the connection is activated and published.
Test the Connection:
Test the SSO flow by initiating a login from the GYTPOL login page.
Adjust as Necessary:
If there are issues, check logs and adjust the configuration as needed.
Please see the troubleshooting steps below if necessary.
These steps provide a general framework for integrating PingFederate with GYTPOL using SAML 2.0. The exact steps and configuration details may vary based on the specific requirements of your organization.
...
Proceed with the login process. Then, click on the row labeled "token".
Navigate to the Preview tab. Copy the value of the id_token.
Visit https://jwt.io/ in your browser and paste the copied value into the provided field.
...
In the decoded part, check if there is a "custom:groups" field in the payload.
If the "custom:groups" field is missing, ensure that the IdP groups claim or statement is configured correctly.
In Okta, this may involve double-checking the group filter (see the explanation on Regex filtering). In Azure AD, verify that the group claim source attribute is set to sAMAccountName and that the claim name is correct.
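The check performed by hand on jwt.io above can be scripted for repeat troubleshooting. The following added example, which is not part of this documentation or of GYTPOL's tooling, decodes the payload segment of an id_token the way jwt.io displays it (without verifying the signature, so it is for inspection only), reports whether custom:groups is present, and compares each group against the GYTPOL role names by exact, case-sensitive match, which is what the note about identical names and case requires. The token and role names are constructed; the assumption that Cognito renders a multi-valued SAML attribute as a bracketed, comma-separated string is labelled in the code and handled alongside the plain-list and single-value forms.

```python
import base64
import json

# Role names exactly as they appear in the GYTPOL UI (constructed sample values).
GYTPOL_ROLES = ["GYTPOL-Admins", "GYTPOL-Viewers"]


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_sample_token(payload):
    """Build a constructed, UNSIGNED token so the example runs offline.
    Real Cognito id_tokens carry an RS256 signature; this stand-in does not."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}."


def decode_payload(token):
    """Return the decoded payload claims, as jwt.io shows them.
    No signature verification is performed: use this to inspect claims while
    troubleshooting, never to make an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated JWT segments")
    return json.loads(_b64url_decode(parts[1]))


def parse_groups(claim):
    """Normalize the custom:groups claim to a list of group names.
    Assumption: Cognito passes a multi-valued SAML attribute through as a
    bracketed, comma-separated string such as "[Admins, Viewers]"; a JSON
    list or a single plain string are handled as well."""
    if claim is None:
        return []
    if isinstance(claim, list):
        return [str(g).strip() for g in claim if str(g).strip()]
    text = str(claim).strip()
    if text.startswith("[") and text.endswith("]"):
        text = text[1:-1]
    return [g.strip() for g in text.split(",") if g.strip()]


def check_role_mapping(payload, roles=GYTPOL_ROLES):
    """Report which IdP groups map to a GYTPOL role by exact, case-sensitive name.
    A missing custom:groups claim points at the IdP group claim configuration."""
    if "custom:groups" not in payload:
        return {"groups_present": False, "matched": [], "unmatched": []}
    groups = parse_groups(payload["custom:groups"])
    role_set = set(roles)
    return {
        "groups_present": True,
        "matched": [g for g in groups if g in role_set],
        "unmatched": [g for g in groups if g not in role_set],
    }


if __name__ == "__main__":
    token = build_sample_token({
        "sub": "constructed-subject-id",
        "email": "jane.doe@example.test",
        # "gytpol-viewers" differs only in case from the UI role, so it will not match.
        "custom:groups": "[GYTPOL-Admins, gytpol-viewers]",
    })
    print(check_role_mapping(decode_payload(token)))
```

Paste a real id_token copied from the Preview tab into decode_payload in place of the constructed one; any group listed under "unmatched" is either not a GYTPOL role or differs from it in spelling or case.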
...
...