Single Sign On
Authenticate users with SSO
Single sign-on (SSO) is a property of access control across multiple related, yet independent, software systems. With this property, a user logs in once with a single ID and password to gain access to any of the connected systems. It is often accomplished using the Lightweight Directory Access Protocol (LDAP) and LDAP databases stored on directory servers.
SAML 2.0 (Security Assertion Markup Language) is an XML-based protocol that uses security tokens containing assertions to pass information about a user between a SAML identity provider (IdP) and a SAML service provider (SP).
The SCIM (System for Cross-domain Identity Management) protocol is an application-level REST protocol for provisioning and managing identity data on the web. The protocol supports creation, discovery, retrieval, and modification of core identity resources.
An identity provider (IdP) is a system that creates, stores, and manages digital identities.
A SAML Service Provider (SP) is a system entity that receives and accepts authentication assertions in conjunction with a Single Sign-On (SSO) profile of the Security Assertion Markup Language (SAML).
Labii ELN & LIMS supports SSO using the SAML 2.0 protocol and user provisioning with SCIM 2.0.
The list of identity providers can be managed by clicking Settings on the side menu and then clicking SSO. It displays the list of providers you have added to the platform.
You can search for a provider by typing a keyword into the search bar in the provider list view and then clicking Search. The search results can be cleared at any time by clicking the Clear button.
With the Filter function, you can limit the number of providers displayed. To do that, click Active providers and then select a filter from the dropdown. The available filters are:
- All providers. Displays all SSO providers.
- Active providers. Displays only the SSO providers that are active.
- Archived providers. Displays only the SSO providers that are archived.
The details of a provider can be viewed by clicking its name.
A provider typically has these columns:
- Sid - the ID of the provider
- Name - the name of the provider
- Description - the description of the provider
- Service provider (values to enter in your IdP)
  - Acs Url - Assertion Consumer Service URL. This is the Labii endpoint that receives SAML responses from the identity provider.
  - Entity Id - SP Entity ID is usually a URL or other identifier chosen by the Service Provider (SP) that uniquely identifies it.
- Information needed from IdP
  - Idp Login Url - The URL provided by the IdP for logging in to the organization.
  - Idp Logout Url - The URL provided by the IdP for logging out of the organization.
  - Metadata Auto Conf Url - URL from which the SAML2 metadata is fetched automatically.
  - Metadata Xml - Paste the SAML2 metadata XML here if your IdP does not provide a link.
  - Name Id Format - Set to the string 'None' to exclude the 'Format' attribute of the 'NameIDPolicy' element from authn requests. If not specified, the default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.
  - Attributes Map - Mapping of Django user attributes to SAML2 user attributes.
- SCIM Base URL
- SCIM Bearer Token - If the administrator who configured SCIM leaves the company, make sure the bearer token is rotated and updated in your IdP.
- Purchase Order
- Is Paid
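To make the SCIM Base URL and SCIM Bearer Token fields concrete, here is an added example (not Labii's code) of a minimal SCIM 2.0 /Users endpoint: it checks the bearer token on every request, creates users from RFC 7643-shaped JSON, and shows what happens to the IdP's stale token after the token is rotated. The endpoint class, the token values and the user payload are constructed for the example.

```python
"""Minimal SCIM 2.0 /Users endpoint guarded by a bearer token.

Added illustration, not Labii's own code. It assumes the IdP (acting as SCIM
client) sends RFC 7643-shaped JSON and authenticates with the token configured
in the provider's "SCIM Bearer Token" field.
"""
import hmac
import json
import secrets
import uuid

USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
ERROR_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:Error"


class ScimUsersEndpoint:
    """In-memory stand-in for the /Users resource under the SCIM base URL."""

    def __init__(self, bearer_token: str):
        self._token = bearer_token
        self._users = {}  # SCIM id -> user resource

    def rotate_token(self) -> str:
        """Issue a fresh token; the old one is rejected immediately. Do this
        (and update the IdP) when the administrator who set up SCIM leaves."""
        self._token = secrets.token_urlsafe(32)
        return self._token

    def _authorized(self, headers: dict) -> bool:
        scheme, _, token = headers.get("Authorization", "").partition(" ")
        # constant-time comparison so timing does not leak the token
        return scheme == "Bearer" and hmac.compare_digest(
            token.encode(), self._token.encode())

    @staticmethod
    def _error(status: int, detail: str) -> tuple:
        return status, {"schemas": [ERROR_SCHEMA], "status": str(status), "detail": detail}

    def handle(self, method: str, path: str, headers: dict, body: str = "") -> tuple:
        """Dispatch one HTTP request; returns (status_code, json_body)."""
        if not self._authorized(headers):
            return self._error(401, "invalid or missing bearer token")
        if method == "POST" and path == "/Users":
            return self._create(json.loads(body))
        if method == "GET" and path == "/Users":
            return 200, {"schemas": [LIST_SCHEMA], "totalResults": len(self._users),
                         "Resources": list(self._users.values())}
        if method == "GET" and path.startswith("/Users/"):
            user = self._users.get(path[len("/Users/"):])
            return (200, user) if user else self._error(404, "User not found")
        return self._error(404, "unsupported resource")

    def _create(self, payload: dict) -> tuple:
        if USER_SCHEMA not in payload.get("schemas", []):
            return self._error(400, "missing core User schema")
        user_name = payload.get("userName")
        if not user_name:
            return self._error(400, "userName is required")
        if any(u["userName"].lower() == user_name.lower() for u in self._users.values()):
            return self._error(409, "userName already exists")
        user = {
            "schemas": [USER_SCHEMA],
            "id": str(uuid.uuid4()),
            "userName": user_name,
            "emails": payload.get("emails", []),
            "active": bool(payload.get("active", True)),
            "meta": {"resourceType": "User"},
        }
        self._users[user["id"]] = user
        return 201, user


def demo() -> dict:
    """Constructed exchange: the IdP provisions a user, retries the same
    create, then the token is rotated and the IdP's stale token is rejected."""
    endpoint = ScimUsersEndpoint(bearer_token="constructed-initial-token")
    headers = {"Authorization": "Bearer constructed-initial-token"}
    body = json.dumps({"schemas": [USER_SCHEMA], "userName": "alice@example.com",
                       "emails": [{"value": "alice@example.com", "primary": True}],
                       "active": True})
    created_status, created = endpoint.handle("POST", "/Users", headers, body)
    duplicate_status, _ = endpoint.handle("POST", "/Users", headers, body)
    endpoint.rotate_token()
    stale_status, _ = endpoint.handle("GET", "/Users/" + created["id"], headers)
    return {"created": created_status, "duplicate": duplicate_status,
            "after_rotation": stale_status}


if __name__ == "__main__":
    print(demo())  # {'created': 201, 'duplicate': 409, 'after_rotation': 401}
```

The 401 after rotation is the behaviour you want to see: until the IdP's SCIM connector is updated with the new token, provisioning stops rather than continuing under a credential that a departed administrator may still know.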
A provider can be added by an administrator. To do that:
1. Click Settings on the side menu, and then select SSO.
2. Click the "+ Add provider" button.
3. A form will be displayed.
4. Provide the Name of the provider.
5. Provide the Purchase Order number. Leave it empty if there is no purchase order.
6. Click the Submit button.
Clicking Submit takes you to the payment page. You will be guided back to Labii once the payment information has been provided.
Once enabled, the SSO configuration is available under Settings -> Organization Detail -> Single Sign-On.
Labii as SP (Service Provider):
Use this information in your IdP.
- acs url - Assertion Consumer Service URL. This is the Labii endpoint that receives SAML responses from the identity provider.
- entity id - SP Entity ID is usually a URL or other identifier chosen by the Service Provider (SP) that uniquely identifies it.
Information needed from IdP:
- IdP login url - The URL provided by the IdP for logging in to the organization.
- IdP logout url - The URL provided by the IdP for logging out of the organization.
- Metadata auto conf url - URL from which the SAML2 metadata is fetched automatically.
- Name id format - Set to the string 'None' to exclude the 'Format' attribute of the 'NameIDPolicy' element from authn requests. If not specified, the default is 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient'.
- Attributes map - Mapping of Django user attributes to SAML2 user attributes.
- SCIM Base URL
- SCIM Bearer Token
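The IdP login URL, logout URL and signing certificate that the form asks for are all contained in the IdP's SAML metadata, and the "Name id format" setting governs one attribute of the AuthnRequest that the SP sends. The following added example (not Labii's own code) parses constructed sample metadata into those fields, builds an AuthnRequest with or without the NameIDPolicy Format attribute, and wraps it for the HTTP-Redirect binding. The SP entity ID, ACS URL and all URLs in the metadata are constructed sample values.

```python
"""Read IdP SAML 2.0 metadata and build an AuthnRequest that follows the
"Name id format" setting. Added illustration, not Labii's code; the IdP
metadata, SP entity ID and ACS URL are constructed sample values. Metadata is
trusted input from your own IdP; for XML from untrusted sources use a
hardened parser such as defusedxml instead of the stdlib one used here."""
import base64
import datetime
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"md": MD, "ds": DS}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
DEFAULT_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

# Constructed sample of the XML you would paste into "Metadata xml".
SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...constructed-certificate...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/logout"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/login-post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/login"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def parse_idp_metadata(xml_text: str) -> dict:
    """Pull the IdP login URL, logout URL and signing certificates out of the
    metadata: the same values the SSO form otherwise asks you to type in."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    def endpoint(tag: str):
        # Prefer the HTTP-Redirect binding, else take the first endpoint listed.
        eps = idp.findall(f"md:{tag}", NS)
        chosen = [e for e in eps if e.get("Binding") == REDIRECT_BINDING] or eps
        return chosen[0].get("Location") if chosen else None

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
            if cert is not None and cert.text:
                certs.append("".join(cert.text.split()))  # drop PEM line breaks
    return {"entity_id": root.get("entityID"),
            "idp_login_url": endpoint("SingleSignOnService"),
            "idp_logout_url": endpoint("SingleLogoutService"),
            "signing_certs": certs}


def build_authn_request(sp_entity_id: str, acs_url: str, idp_login_url: str,
                        name_id_format: str = DEFAULT_NAMEID_FORMAT) -> str:
    """Return an AuthnRequest. Passing the string 'None' omits the Format
    attribute of NameIDPolicy, which is what the setting describes."""
    now = datetime.datetime.now(datetime.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": now,
        "Destination": idp_login_url, "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": POST_BINDING})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    policy = ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy", {"AllowCreate": "true"})
    if name_id_format != "None":
        policy.set("Format", name_id_format)
    return ET.tostring(req, encoding="unicode")


def redirect_binding_url(idp_login_url: str, authn_request_xml: str) -> str:
    """Wrap the request for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode()})
    return idp_login_url + ("&" if "?" in idp_login_url else "?") + query


def decode_saml_request(url: str) -> str:
    """Inverse of redirect_binding_url, i.e. what the IdP does on receipt."""
    params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return zlib.decompress(base64.b64decode(params["SAMLRequest"][0]), -15).decode()
```

The signing certificates are returned because they are what the SP uses to verify the signature on the IdP's response; whichever field you populate, the metadata is the authoritative source, and fetching it from the "Metadata auto conf url" over HTTPS keeps those certificates current when the IdP rotates them.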
The attributes map defaults to:
- userType - Set the user type to define the role in Labii:
The following error messages may be shown when signing in with SSO:
- Invalid SAML Response - The SAML response received from your IdP was invalid.
- Invalid Auth Response - The Auth response received from your IdP was invalid.
- Invalid User Identity - Check with your IT department to ensure you have been added to the SSO list and that you are allowed to use Labii.
- Your account has not been activated - You have not activated your account. Click the link in your Labii access email to complete the activation. If you cannot find such an email, please check the spam folder or ask your administrator to send it again.
- Your account does not exist - If you do not have an account, ask your administrators to create one for you. Emails must be identical in your identity provider (IdP) and Labii.
- Incorrect SSO redirect URL - There is a problem with the return URL.
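The attributes map (above) decides which SAML attribute becomes the user's email and userType, and the last three error messages in the list correspond to checks made on that mapped email. The following added example (not Labii's code) applies a constructed attributes map to a constructed AttributeStatement and runs those checks in the order that yields each message; the map, the SSO list and the local user directory are all assumptions made for the example.

```python
"""Apply a SAML "attributes map" to an assertion and run the checks behind the
SSO error messages. Added illustration, not Labii's code; the map, the
attribute statement, the SSO list and the user directory are constructed."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed map: local (Django-style) user attribute -> SAML attribute name.
ATTRIBUTES_MAP = {"email": "email", "first_name": "firstName",
                  "last_name": "lastName", "user_type": "userType"}

# Constructed AttributeStatement as it would appear inside a SAML assertion.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="userType"><saml:AttributeValue>member</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement>"""

# Constructed "SSO list" (emails IT has allowed to use SSO) and local user
# directory keyed by the exact email string.
SSO_LIST = {"alice@example.com", "bob@example.com", "carol@example.com"}
LOCAL_USERS = {"alice@example.com": {"is_active": True},
               "bob@example.com": {"is_active": False}}


def extract_attributes(statement_xml: str) -> dict:
    """Return {SAML attribute name: [values]} from an AttributeStatement."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs


def map_attributes(saml_attrs: dict, attributes_map: dict = ATTRIBUTES_MAP) -> dict:
    """Translate SAML attributes into local user fields via the attributes map.
    The first value of a multi-valued attribute is used; unmapped ones are ignored."""
    fields = {}
    for local_name, saml_name in attributes_map.items():
        values = saml_attrs.get(saml_name)
        if values:
            fields[local_name] = values[0]
    return fields


def resolve_sso_login(saml_attrs: dict, users: dict = LOCAL_USERS,
                      sso_list: set = SSO_LIST) -> tuple:
    """Decide whether the asserted user may sign in.
    Returns ("ok", fields) or ("error", message) using the messages listed above."""
    fields = map_attributes(saml_attrs)
    # Emails must be identical in the IdP and locally: only surrounding
    # whitespace is trimmed, no case folding.
    email = fields.get("email", "").strip()
    if not email or email not in sso_list:
        return "error", "Invalid User Identity"
    record = users.get(email)
    if record is None:
        return "error", "Your account does not exist"
    if not record["is_active"]:
        return "error", "Your account has not been activated"
    return "ok", fields


if __name__ == "__main__":
    print(resolve_sso_login(extract_attributes(SAMPLE_ATTRIBUTE_STATEMENT)))
```

Checking membership in the SSO list before looking up the local account means an identity the IdP asserts but IT never allowed is rejected with "Invalid User Identity" rather than leaking whether a Labii account exists for that email.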