Single Sign On

Authenticate users with SSO

Overview

Single sign-on is a property of access control across multiple related, yet independent, software systems. With this property, a user logs in with a single ID and password to gain access to any of the connected systems. It is often implemented with the Lightweight Directory Access Protocol (LDAP) and user records stored in LDAP directories on servers.

SAML 2.0 (Security Assertion Markup Language) is an XML-based protocol that uses security tokens containing assertions to pass information about a user between a SAML identity provider (IdP) and a SAML service provider (SP).

Labii ELN & LIMS supports SSO using SAML 2.0 protocol.

Enable SSO

Please contact help@labii.com to enable SSO.

Each member can individually opt out of SSO. To do that, set is_use_single_sign_on=false in the member settings.

Overall, to use SSO in Labii, these two settings need to be true:

  Level               Setting
  Organization Level  enable_single_sign_so=true
  Member Level        is_use_single_sign_on=true

What will change

Once SSO is enabled, the login page changes from https://v3.labii.com/accounts/login/ to the login page of your IdP.

Configure SSO

Once enabled, the SSO configuration is available under Settings -> Organization Detail -> Single Sign On.

Labii as SP (Service Provider):

Use this information in your IdP.

  • acs url - Assertion Consumer Service URL. This is the endpoint on the service provider side (Labii) that "listens" for SAML responses sent back by the identity provider after a user authenticates.

  • entity id - SP Entity ID is usually a URL or other identifier given by the Service Provider (SP) that uniquely identifies it.

Information needed from IdP:

  • IdP login url - The login URL that the IdP provides for the organization.

  • IdP logout url - The logout URL that the IdP provides for the organization.

  • Metadata auto conf url - Auto SAML2 metadata configuration URL

  • Name id format - Set to the string 'None', to exclude sending the 'Format' property of the 'NameIDPolicy' element in authn requests. Default value if not specified is 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.

  • Attributes map - Mapping of Django user attributes to SAML2 user attributes.

The attributes map defaults to:

    {
        "email": "email",
        "username": "username",
        "last_name": "last_name",
        "first_name": "first_name"
    }

Google G Suite

Using Security Assertion Markup Language (SAML), a user can use their managed Google account credentials to sign in to enterprise cloud applications via single sign-on (SSO). An identity and access management (IAM) service provides administrators with a single place to manage all users and cloud applications. You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IAM service provides your users with a unified sign-on across all their enterprise cloud applications.

Full documentation is available at https://support.google.com/a/answer/6087519?hl=en

To use Google G Suite as your SAML IdP to connect with Labii:

  1. Log in to Google Admin.

  2. Create an app: App -> SAML App -> Click "+" button -> SETUP MY OWN CUSTOM APP

  3. Download the "IDP metadata" and copy the content to Metadata XML in your Labii SSO Settings.

  4. In the "Basic information for your Custom App" page, type in "Labii" or "Labii ELN & LIMS" for your app name. Use this link to download Labii logo.

  5. In the "Service Provider Details" page, copy and paste ACS URL, Entity ID. Set Name ID Format=Email

  6. On the Attribute Mapping page, add

  7. Create the app.

  8. To use the app, the service has to be enabled: App -> Edit Services -> On for everyone. After refreshing your Google pages, you should see Labii in the app list.

  9. In the Labii SSO Settings page, paste the Labii login link from the Google app list into IdP Login URL.

Labii in Google App list

Okta

Okta is an integrated identity and mobility management service. Built from the ground up in the cloud, Okta securely and simply connects people to their applications from any device, anywhere, at any time. Okta integrates with existing directories and identity systems, as well as thousands of on-premises, cloud and mobile applications, and runs on a secure, reliable and extensively audited cloud-based platform.

To use Okta as your SAML IdP to connect with Labii:

  1. Register an account with Okta.

  2. Create an app: Admin -> Applications -> Create New App.

  3. In the pop-up, choose Platform=Web, Sign on method=SAML 2.0, and click Create.

  4. In the General Settings page, set Application Name=Labii ELN & LIMS.

  5. In the SAML Settings page, use acs url for Single Sign On URL. Use Entity Id for your SP Entity Id.

  6. For the Attribute Statements, add the following mappings: username -> user.email; first_name -> user.firstName; last_name -> user.lastName; email -> user.email.

  7. Click Finish to create the app.

  8. On the Sign On tab, copy the Identity Provider metadata link and paste it into Metadata auto conf url.

  9. On the General tab, find the EMBED LINK in the App Embed Link section. Paste the link into IdP login url, as described above.

  10. Add one or more users at Directory -> People of the Okta admin page.

  11. Assign the application to the new user in the Applications -> Labii ELN & LIMS -> Assignments.

Okta SSO login page to Labii

OneLogin

OneLogin provides a cloud-based identity and access management (IAM) solution that offers simple single sign-on (SSO), making it easier for companies to secure and manage access to web applications.

Use OneLogin as IdP

To use OneLogin as your SAML IdP to connect with Labii:

  1. Register an account with OneLogin.

  2. Create a connector at Apps -> Custom Connectors.

  3. On the Info page, set the Display Name as Labii ELN & LIMS.

  4. On the Configuration page, copy the acs url from the Labii SSO settings into Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL.

  5. On the Parameters page, add the parameters email, first_name, last_name and username.

  6. On the SSO page, copy and paste the following: Issuer URL -> Metadata auto conf url; SAML 2.0 Endpoint (HTTP) -> IdP login url; SLO Endpoint (HTTP) -> IdP logout url.

  7. Add the users and assign the app.

Parameters of OneLogin