Single Sign On

YW
Last updated 14 days ago

Authenticate users with SSO

Overview

Single sign-on (SSO) is a property of access control across multiple related but independent software systems: a user authenticates once, with a single ID and password, and is then granted access to every connected system without being prompted to log in again at each one. SSO is typically implemented with a federation protocol such as SAML, or on top of a directory service queried over the Lightweight Directory Access Protocol (LDAP).

SAML 2.0 (Security Assertion Markup Language) is an XML-based protocol in which security tokens containing assertions carry information about a user from a SAML identity provider (IdP) to a SAML service provider (SP).

Labii ELN & LIMS supports SSO using the SAML 2.0 protocol.

Enable SSO

Please contact help@labii.com to enable SSO.

Each member can opt out of SSO individually by setting is_use_single_sign_on=false in the member settings.

Overall, to use SSO in Labii, these two settings need to be true:

Level                 Setting
Organization Level    enable_single_sign_so=true
Member Level          is_use_single_sign_on=true

What will change

Once SSO is enabled, the login page changes from https://v3.labii.com/accounts/login/ to the login page of your IdP.

Configure SSO

Once enabled, the SSO configuration is available at Settings -> Organization Detail -> Single Sign On.

Labii as SP (Service Provider):

Enter this information in your IdP.

  • acs url - Assertion Consumer Service URL. This is the Labii endpoint that receives the SAML responses (assertions) the IdP sends back after a user authenticates. Enter it in the IdP exactly as shown: the IdP writes it into each response, and a service provider rejects responses addressed to a different URL.

  • entity id - SP Entity ID, a URL or other identifier chosen by the Service Provider (SP) that uniquely identifies it. The IdP places it in the Audience of each assertion, so it too must match exactly.

Information needed from IdP:

  • IdP login url - The URL at your IdP to which users of the organization are sent to log in (the IdP's single sign-on endpoint).

  • IdP logout url - The URL at your IdP to which users are sent to log out (the IdP's single logout endpoint).

  • Metadata auto conf url - URL of the IdP's SAML 2.0 metadata document, from which the remaining IdP configuration (entity ID, endpoints, signing certificate) is read automatically.

  • Name id format - Set to the string 'None' to omit the 'Format' attribute of the 'NameIDPolicy' element in authentication requests. If not specified, the default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.

  • Attributes map - Mapping of Django user attributes to the SAML2 attribute names sent by the IdP.

The attributes map defaults to:

{
  "email": "email",
  "username": "username",
  "last_name": "last_name",
  "first_name": "first_name"
}
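The checks behind these fields, as an added example that is not Labii's code and does not describe Labii's internal implementation: the Python script below parses a constructed IdP metadata document to pull out the entity ID, login URL and logout URL that the list above has you copy by hand, then validates a constructed SAML Response against the SP's acs url and entity id and applies the attributes map above. All URLs, entity IDs and both XML documents are made up for the example, and XML signature verification is deliberately omitted, because a real SAML library must do that before any field in the response can be trusted.

```python
"""Added example, not Labii's own code: parse IdP metadata, then check a SAML Response
against the SP's acs url / entity id and apply the attributes map. All inputs are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The page's default attributes map: Django user field -> SAML attribute name.
ATTRIBUTES_MAP = {"email": "email", "username": "username", "last_name": "last_name", "first_name": "first_name"}
# Constructed stand-ins for the acs url / entity id shown in Labii's SSO settings.
SP_ENTITY_ID = "https://sp.example.com/saml2/metadata/"
ACS_URL = "https://sp.example.com/saml2/acs/"
IDP_ENTITY_ID = "https://idp.example.com/saml/metadata"

IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" entityID="{IDP_ENTITY_ID}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/slo"/>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

SAML_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3a</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
          Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T00:05:00Z"/></saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="username"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_idp_metadata(xml_text):
    """Extract what the page has you copy by hand: entity ID, login URL, logout URL."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    def redirect_location(tag):  # HTTP-Redirect endpoint of that service, or None
        return next((s.get("Location") for s in idp.findall(tag, NS)
                     if s.get("Binding") == HTTP_REDIRECT), None)
    return {"entity_id": root.get("entityID"),
            "login_url": redirect_location("md:SingleSignOnService"),
            "logout_url": redirect_location("md:SingleLogoutService")}

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, sp_entity_id, acs_url, idp_entity_id, now):
    # Rejects a Response not addressed to this SP; returns the mapped user. `now` is SAML-format UTC.
    now = _ts(now)
    resp = ET.fromstring(xml_text)
    status = resp.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    if resp.get("Destination") != acs_url:  # a response meant for another SP stops here
        raise ValueError("Destination is not our ACS URL")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise ValueError("expected exactly one Assertion")
    a = assertions[0]
    for issuer in (resp.find("saml:Issuer", NS), a.find("saml:Issuer", NS)):
        if issuer is None or issuer.text != idp_entity_id:
            raise ValueError("Issuer is not the configured IdP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion has no Conditions or is outside its validity window")
    if sp_entity_id not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("Audience does not include our SP entity ID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _ts(scd.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation not addressed to our ACS URL, or expired")
    attrs = {attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
             for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    user = {}
    for django_field, saml_name in ATTRIBUTES_MAP.items():  # apply the page's attributes map
        if not attrs.get(saml_name):
            raise ValueError(f"IdP did not send required attribute {saml_name!r}")
        user[django_field] = attrs[saml_name][0]
    # A transient NameID changes per session, so identity comes from the mapped attributes.
    user["name_id"] = a.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return user

if __name__ == "__main__":
    print(parse_idp_metadata(IDP_METADATA))
    print(check_response(SAML_RESPONSE, SP_ENTITY_ID, ACS_URL, IDP_ENTITY_ID, "2024-01-01T00:01:00Z"))
```

With the constructed inputs, check_response returns the mapped user; passing another SP entity ID, changing the Destination, or passing a time at or after NotOnOrAfter raises ValueError. The Destination, Recipient and Audience checks are what stop an assertion issued for one service provider from being replayed to another, which is why the acs url and entity id entered in your IdP must match the values Labii shows character for character.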

Google G Suite

Okta

Okta is an integrated identity and mobility management service. Built from the ground up in the cloud, Okta securely and simply connects people to their applications from any device, anywhere, at any time. Okta integrates with existing directories and identity systems, as well as thousands of on-premises, cloud and mobile applications, and runs on a secure, reliable and extensively audited cloud-based platform.

To use Okta as your SAML IdP to connect with Labii:

  1. Register an account with Okta.

  2. Create an app: Admin -> Applications -> Create New App.

  3. On the pop-out, choose Platform=Web and Sign on method=SAML 2.0, then click Create.

  4. In General Settings page, Set Application Name=Labii ELN & LIMS

  5. In the SAML Settings page, enter the acs url as the Single Sign On URL and the entity id as the Audience URI (SP Entity ID).

  6. Under Attribute Statements, add the following mappings:
     username -> user.email
     first_name -> user.firstName
     last_name -> user.lastName
     email -> user.email

  7. Click Finish to create the app.

  8. On the Sign On tab, copy the Identity Provider metadata link and paste it into Metadata auto conf url.

  9. On the General tab, find the EMBED LINK in the App Embed Link section and paste it into IdP login url, as described above.

  10. Add one or more users at Directory -> People of the Okta admin page.

  11. Assign the application to the new user at Applications -> Labii ELN & LIMS -> Assignments.

Okta SSO login page to Labii

OneLogin

OneLogin provides a cloud-based identity and access management (IAM) solution that offers simple single sign-on (SSO), making it easier for companies to secure and manage access to web applications.

Use OneLogin as IdP

To use OneLogin as your SAML IdP to connect with Labii:

  1. Register an account with OneLogin.

  2. Create a connector at Apps -> Custom Connectors.

  3. On the Info page, set the Display Name as Labii ELN & LIMS.

  4. On the Configuration page, paste the acs url into Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL. The validator field is matched as a regular expression, so escape the dots (\.) if you want an exact match.

  5. On the Parameters page, add the parameters email, first_name, last_name and username, mapped as shown in the Parameters of OneLogin figure below.

  6. On the SSO page, copy the following OneLogin values into the Labii settings:
     Issuer URL -> Metadata auto conf url
     SAML 2.0 Endpoint (HTTP) -> IdP login url
     SLO Endpoint (HTTP) -> IdP logout url

  7. Add the users and assign the app.

Parameters of OneLogin