
Integrate Single Sign-On

May 10, 2023

Prolaborate enables access to Enterprise Architect models through SAML Single Sign-On capability.

Note:
  • Prolaborate supports only Service Provider (SP) initiated authentication.

While this integration should work with any identity provider, the tested ones are:

  1. Azure Active Directory (Learn how to configure here)
  2. Okta (Learn how to configure here)
  3. Ping Identity (Learn how to configure here)
  4. Microsoft Active Directory Federation Services (Learn how to configure here)
  5. Jump Cloud (Learn how to configure here)
  6. Mini Orange (Learn how to configure here)
  7. Oracle Identity Cloud Service (Learn how to configure here)
  8. IBM Security Access Manager (Learn how to configure here)

In this guide, we will see how to configure SAML Single Sign-On in general.

Prerequisites

Access Control Profile

Create an Access Control Profile that has access to the required repositories and user group membership in them, so that SSO users can access Prolaborate directly. To learn how to create an Access Control Profile, click here.

Configure SSO App

On top of the usual setup you do in your SSO app, do the following:

Prolaborate

Click on Hamburger Menu > SAML Single Sign On to go to the settings page.

Your Prolaborate site should have a valid SSL certificate and at least one repository should be added.

Service Provider Configuration

Please configure as below:

| Field | Description |
| --- | --- |
| Name and ACU | These fields will be pre-filled |
| Certificate File | Choose the .pfx file of your SSL certificate |
| Certificate Password | Enter the password of the .pfx file |

Note:
  • If the SSL certificate expires, upload the renewed certificate in the SAML configuration as well as in Prolaborate Service Management.

Identity Provider Configuration

Please configure as below:

| Field | Description |
| --- | --- |
| Identity Provider | This allows you to convert existing system users or AD users to IDP users if they have the same email address. Others – System users to IDP users (Learn more). Active Directory Federation Services – AD users to IDP users (Learn more). |
| Name | Get this information from your Identity Provider and paste it here. |
| Sign in URL | Get this information from your Identity Provider and paste it here. |
| Sign Out URL | Get this information from your Identity Provider and paste it here. |
| Certificate | Get this information from your Identity Provider. You need to select a .cer or .cert file. |

Attributes Mapping

Attribute Mapping is pre-filled with default values on the SAML Single Sign-On page, and the default values cannot be edited.

If required, users can change the values by switching the toggle button from Default to Custom, then copying the Attributes & Claims values from the SAML application and pasting them into the Prolaborate Attributes Mapping.

The following attributes must be created:

  1. firstname
  2. lastname
  3. email
  4. User Group

Claims

The following claims, as applicable, must be configured:

  1. Emailaddress
  2. Givenname
  3. Name
  4. Name identifier
  5. User Group
  6. surname
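
A pre-flight check for the attribute mapping above, as an added example that is not part of the original guide or Prolaborate's own code: it decodes a base64 SAMLResponse captured from a test login and reports which required attributes the identity provider did not send. The names in EXPECTED_MAPPING and the sample response are assumptions constructed for illustration; replace them with the values shown in your own Attributes Mapping section.

```python
import base64
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed mapping: Prolaborate attribute -> attribute name the IdP should send.
# Replace the values with what your Attributes Mapping section shows.
EXPECTED_MAPPING = {
    "firstname": "firstname",
    "lastname": "lastname",
    "email": "email",
    "User Group": "User Group",
}

def read_attributes(saml_response_b64):
    """Return {attribute name: [values]} from a base64 SAMLResponse."""
    # Diagnostic only: no signature check, so use responses from your own IdP.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        found.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return found

def check_mapping(saml_response_b64, mapping=EXPECTED_MAPPING):
    """Return Prolaborate attributes that are absent or empty in the assertion."""
    found = read_attributes(saml_response_b64)
    return sorted(name for name, idp_name in mapping.items() if not found.get(idp_name))

# Constructed sample: the IdP sends "mail" instead of the expected "email".
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>
 <saml:AttributeStatement>
  <saml:Attribute Name="firstname"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="mail"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="User Group">
   <saml:AttributeValue>Architects</saml:AttributeValue>
   <saml:AttributeValue>Reviewers</saml:AttributeValue>
  </saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

if __name__ == "__main__":
    print("Missing or empty:", check_mapping(SAMPLE_B64) or "none")
    print("Groups sent:", read_attributes(SAMPLE_B64).get("User Group", []))
```

The group values it lists are the ones to compare against the SAML user group(s) entered for group-based restriction; an encrypted assertion has to be decrypted before this check can read it.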

Access Control Profile

Choose the profile from the drop-down and save the configuration.

Link Role-based access directly with SAML User Groups

Most modern-day teams prefer to separate user management from individual tools and move it to a central User Management System (IAM). Prolaborate 4.4 makes this easier with the ability to link SAML user group(s) directly to role-based access in Prolaborate.

For SAML-based authentication, switch the SAML Group based Restriction toggle to enabled. Choose the required profile and add SAML user group(s).

Once the configuration is done, click "Save".

Log in with SSO

Once the configuration is done, ensure SSO is enabled.

Your users will start to see a new button on the login page called Login with SSO, and they can click on it to log in with their SSO credentials.