Single Sign On
Authenticate users with SSO

Overview

Single sign-on (SSO) is a property of access control across multiple related but independent software systems: a user authenticates once, with one set of credentials, and is granted access to all of the connected systems without logging in to each one separately. The accounts are typically held centrally, in a directory reached over the Lightweight Directory Access Protocol (LDAP) or in a dedicated identity provider (IdP).
SAML 2.0 (Security Assertion Markup Language) is an XML-based protocol that uses signed security tokens containing assertions to pass information about a user from a SAML identity provider (IdP) to a SAML service provider (SP).
Labii ELN & LIMS supports SSO using the SAML 2.0 protocol.

Enable SSO

To enable SSO, please contact [email protected]. Additional fees might apply.
When enabled, users can log in either with their Labii username and password or via SSO. To force a user to log in through SSO only, set is_use_single_sign_on=false in that user's personnel settings. Until that is done for a user, the Labii password remains a valid credential for that user, so whatever policy the IdP enforces (for example MFA) does not yet apply to them.

What will change

Once SSO is enabled, the login page changes from https://www.labii.app/accounts/login/ to the login page of your IdP.

Configure SSO

Once enabled, the SSO configuration is available under Settings -> Organization Detail -> Single Sign-On.
Labii as SP (Service Provider):
Use this information in your IdP.
  • acs url - Assertion Consumer Service URL. This is the Labii endpoint that receives the SAML response (the signed assertion) the IdP posts after the user has authenticated; configure the IdP to send responses only to this URL.
  • entity id - SP Entity ID, usually a URL or other identifier chosen by the Service Provider (SP) that uniquely identifies it. The IdP uses it as the audience of the assertions it issues.
Information needed from the IdP:
  • IdP login url - The URL at the IdP that starts a login for the organization. Labii redirects the browser to this URL as-is, so it must be a link that starts a sign-in on its own (an IdP-initiated login link; see the notes for each IdP below).
  • IdP logout url - The URL at the IdP that ends the session for the organization.
  • Metadata auto conf url - URL from which Labii fetches the IdP's SAML 2.0 metadata (entity ID, SSO and SLO endpoints, signing certificate) automatically. Use an https URL: the metadata carries the certificate used to verify assertions.
  • Name id format - Set to the string 'None' to omit the 'Format' attribute of the 'NameIDPolicy' element in authn requests. Default value if not specified is 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.
  • Attributes map - Mapping of Django user attributes (the keys) to the SAML 2.0 attribute names (the values) as they appear in the IdP's assertion.
The attributes map defaults to:
    {
      "email": "email",
      "username": "username",
      "last_name": "last_name",
      "first_name": "first_name"
    }
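The attributes map is applied to the AttributeStatement of the assertion the IdP posts to the acs url. As an added example that is not Labii's own code, the Python below builds constructed, unsigned SAML responses in the two shapes this page shows (Okta-style short attribute names and Azure-style claim URIs), applies a map to each, and refuses to produce a user when a required field is absent, which is what happens when the map does not match the IdP's attribute names. The names make_response, saml_attributes and map_user belong to this example; signature and audience checks, which precede this step in any real SP, are deliberately left out.

```python
"""Apply a Labii-style attributes map to the AttributeStatement of a SAML
Response. Added example (not Labii's code); the Response is constructed and
unsigned. Signature and audience checks must pass before any attribute is
trusted, so this is only the mapping step that follows them."""
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted XML
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The two attributes maps shown on this page: keys are Django user fields,
# values are the attribute Names the IdP puts in the assertion.
DEFAULT_MAP = {"email": "email", "username": "username",
               "last_name": "last_name", "first_name": "first_name"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
AZURE_MAP = {"email": CLAIMS + "emailaddress", "username": CLAIMS + "emailaddress",
             "last_name": CLAIMS + "surname", "first_name": CLAIMS + "givenname"}


def make_response(attributes):
    """Build a constructed, unsigned Response carrying the given attributes."""
    parts = []
    for name, value in attributes.items():
        parts.append('<saml:Attribute Name="%s"><saml:AttributeValue>%s'
                     '</saml:AttributeValue></saml:Attribute>'
                     % (escape(name, {'"': "&quot;"}), escape(value)))
    return ('<samlp:Response xmlns:samlp="%s" xmlns:saml="%s" ID="_r1" Version="2.0">'
            '<saml:Assertion ID="_a1" Version="2.0">'
            '<saml:AttributeStatement>%s</saml:AttributeStatement>'
            '</saml:Assertion></samlp:Response>'
            % (NS["samlp"], NS["saml"], "".join(parts)))


def saml_attributes(response_xml):
    """Return {attribute Name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs.setdefault(attr.get("Name"), []).extend(
            (v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS))
    return attrs


def map_user(attrs, attributes_map, required=("email", "username")):
    """Translate IdP attributes into Django user fields via attributes_map.

    A user record is produced only when every required field is present and
    non-empty: an assertion whose attribute names do not match the map (for
    example Azure claim URIs against the default map) is rejected instead of
    creating an account with a blank email or username."""
    user = {}
    for field, saml_name in attributes_map.items():
        values = [v for v in attrs.get(saml_name, []) if v]
        if values:
            user[field] = values[0]
    missing = [f for f in required if f not in user]
    if missing:
        raise ValueError("assertion lacks required attribute(s): %s" % missing)
    return user


if __name__ == "__main__":
    okta_style = saml_attributes(make_response({
        "username": "ada@example.com", "email": "ada@example.com",
        "first_name": "Ada", "last_name": "Lovelace"}))
    print(map_user(okta_style, DEFAULT_MAP))
    azure_style = saml_attributes(make_response({
        AZURE_MAP["email"]: "ada@example.com",
        AZURE_MAP["first_name"]: "Ada", AZURE_MAP["last_name"]: "Lovelace"}))
    print(map_user(azure_style, AZURE_MAP))
```

Note that both maps point "username" at the email attribute, so the account name is whatever the IdP asserts as the email; the IdP configuration (not Labii) decides whether users can edit that value.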

Google G Suite

Using Security Assertion Markup Language (SAML), a user can use their managed Google account credentials to sign in to enterprise cloud applications via single sign-on (SSO). An identity and access management (IAM) service provides administrators with a single place to manage all users and cloud applications. You don't have to manage individual user IDs and passwords tied to individual cloud applications for each of your users. An IAM service provides your users with a unified sign-on across all their enterprise cloud applications.
Full documentation is available at https://support.google.com/a/answer/6087519?hl=en
To use Google G Suite as your SAML IdP to connect with Labii:
  1. Log in to the Google Admin console.
  2. Create an app: Apps -> SAML Apps -> click the "+" button -> SETUP MY OWN CUSTOM APP.
  3. Download the "IDP metadata" and paste its content into Metadata XML in your Labii SSO settings.
  4. On the "Basic information for your Custom App" page, enter "Labii" or "Labii ELN & LIMS" as the app name. Use this link to download the Labii logo.
  5. On the "Service Provider Details" page, paste the ACS URL and Entity ID from Labii. Set Name ID Format=Email.
  6. On the Attribute Mapping page, add the attribute mappings (the attribute names Labii expects are those in the attributes map under Configure SSO).
  7. Create the app.
  8. To use the app, the service has to be enabled: Apps -> Edit Service -> On for everyone. Refresh your Google pages; Labii should now appear in the app list.
  9. In the Labii SSO settings page, paste the link of the Labii app from the Google app list into IdP Login URL.
Labii in Google App list

Okta

Okta is an integrated identity and mobility management service. Built from the ground up in the cloud, Okta securely and simply connects people to their applications from any device, anywhere, at any time. Okta integrates with existing directories and identity systems, as well as thousands of on-premises, cloud, and mobile applications, and runs on a secure, reliable, and extensively audited cloud-based platform.
To use Okta as your SAML IdP to connect with Labii:
  1. Register an account with Okta.
  2. Create an app: Admin -> Applications -> Create New App.
  3. In the pop-up, choose Platform=Web and Sign on method=SAML 2.0, then click Create.
  4. On the General Settings page, set Application Name=Labii ELN & LIMS.
  5. On the SAML Settings page, use Labii's acs url as the Single sign on URL and Labii's entity id as the Audience URI (SP Entity ID).
  6. Under Attribute Statements, add:
     username -> user.email
     first_name -> user.firstName
     last_name -> user.lastName
     email -> user.email
  7. Click Finish to create the app.
  8. On the Sign On tab, copy the Identity Provider metadata link and paste it into Metadata auto conf url in Labii.
  9. On the General tab, find the Embed Link in the App Embed Link section. Paste it into IdP login url in Labii.
  10. Do not forget to set the attributes map in Labii; the attribute names above match the default map.
  11. Add one or more users under Directory -> People in the Okta admin console.
  12. Assign the application to the new users under Applications -> Labii ELN & LIMS -> Assignments.
Okta SSO login page to Labii

OneLogin

OneLogin provides a cloud-based identity and access management (IAM) solution that offers simple single sign-on (SSO), making it easier for companies to secure and manage access to web applications.
Use OneLogin as IdP
To use OneLogin as your SAML IdP to connect with Labii:
  1. Register an account with OneLogin.
  2. Create a connector under Apps -> Custom Connectors.
  3. On the Info page, set the Display Name to Labii ELN & LIMS.
  4. On the Configuration page, paste Labii's acs url into Recipient, ACS (Consumer) URL Validator and ACS (Consumer) URL. The Validator field is matched as a regular expression, so anchor the pattern and escape the dots of the URL rather than pasting it unchanged.
  5. On the Parameters page, add the parameters email, first_name, last_name and username, mapped as follows:
     email -> Email
     first_name -> First Name
     last_name -> Last Name
     username -> Email
  6. On the SSO page, copy the following OneLogin values into the Labii fields:
     Issuer URL -> Metadata auto conf url
     SAML 2.0 Endpoint (HTTP) -> IdP login url
     SLO Endpoint (HTTP) -> IdP logout url
  7. Add the users and assign the app.
Parameters of OneLogin

Microsoft Azure

Applications created with Microsoft Azure support single sign-on and can be used to sign in to Labii.

To use Microsoft Azure as your IdP to connect with Labii:

  1. Create an enterprise application. Make sure to select Non-gallery.
  2. Once created, open the application and select Single sign-on in the left panel. Choose SAML as the SSO method.
  3. Basic SAML Configuration:
     1. Identifier (Entity ID) -> paste the Entity Id from Labii
     2. Reply URL (Assertion Consumer Service URL) -> paste the Acs Url from Labii
  4. Update the attributes map in Labii. Azure sends its claims under the URIs below, not under the default short names, so with the default map the assertion would carry no email or username:
     {
       "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
       "username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
       "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
       "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
     }
  5. Update Metadata Auto Conf Url in Labii with the App Federation Metadata Url from Azure, or update Metadata Xml in Labii with the content of the Federation Metadata XML downloaded from Azure.
  6. Update Idp Logout Url in Labii with the Logout URL from Azure.
  7. For the Idp Login Url in Labii, the Login URL from Azure DOES NOT work: it is the SP-initiated endpoint and expects a SAMLRequest, which Labii does not send when it redirects the browser to the IdP login url. Instead go to Properties, copy the User access URL (which starts an IdP-initiated sign-in), and put that in Idp Login Url in Labii.