Please enable JS

Integrate Single Sign-On

May 10, 2023

Prolaborate allows access to Enterprise Architect models through SAML Single Sign-On authentication by integrating with an identity provider.

Note:
  • Prolaborate supports only Service Provider (SP) Initiated Authentication.

While this integration works with any identity provider, the following are the ones that are tested by integrating with Prolaborate,

  1. Azure Active Directory (Learn how to configure here)
  2. Microsoft Active Directory Federation Services (Learn how to configure here)
  3. Okta (Learn how to configure here)
  4. Mini Orange (Learn how to configure here)
  5. Oracle Identity Cloud Service (Learn how to configure here)
  6. IBM Security Access Manager (Learn how to configure here)
  7. Ping Identity (Learn how to configure here)
  8. Jump Cloud (Learn how to configure here)

In this guide, we will see how configure SAML Single Sign-on in general.

Note:
  • Only Admin users can access SAML Single Sign On page and configure it.
  • SAML Single Sign On is free for Large Teams and Enterprise edition of Prolaborate. For the Growing Teams edition, the feature must be purchased as an add-on.

Create Access Control Profile

The first step is to create an Access Control Profile(s) with access to the required repository and user group membership. This allows the SSO users to directly login to the Prolaborate and access information. To know how to create an Access Control Profile, Click here.

Configure SSO in Prolaborate

On top of the usual setup and configurations that are done in the SAML provider, do the following in Prolaborate:

Click on Menu > SAML Single Sign On under Portal Settings to go to the configuration page.

Menu

Click Enable to enable the SAML Single Sign On.

Your Prolaborate site should have a valid SSL certificate and at least one repository should be added.

Service Provider Configuration

Under Service Provider Configuration, the Domain Name, Assertion Consumer URL (ACU) and Sign Out URL fields are all pre-filled. Upload the .pfx file of your SSL Certificate and its password in the Certificate File and Certificate Password field.

service provider Configuration
Note:
  • If the SSL certificate expires, upload the renewed certificate in SAML configuration as well as in the Prolaborate Management application.

Identity Provider Configuration

Under Identity Provider (IDP) Configuration, do the following:

Field Description
Identity Provider This allows you convert existing system users or AD users to IDP users if they have the same email address
Others – System users to IDP users (Learn more)
Active Directory Federation Services – AD users to IDP users (Learn more)
Name Get this information from your Identity provider and paste it here.
Sign in URL Get this information from your Identity Provider and paste it here.
Sign Out URL Get this information from your Identity Provider and paste it here.
Certificate Get this information from your Identity Provider. You need to select a .cer or .cert file.
IDP Configure

Attributes Mapping

Attribute Mapping will be pre-filled with default values in SAML Single Sign-On page and they cannot be edited.

If required, users can change the values by clicking the toggle button from Default to Custom. Then copy the Attributes & Claims values from the SAML Application and paste them in Prolaborate Attributes Mapping.

Configure Prolaborate

The following attributes must be created:

  1. firstname
  2. lastname
  3. email
  4. group

Claims

The following claims, as applicable, must be configured:

  1. emailaddress
  2. Givenname
  3. surname
  4. name
  5. Name identifier
  6. usergroup

Choose Access Control Profile

Choose the required Access Control profile from the drop down and save the configuration.

access control profile choose

Link Role-based access directly with SAML User Groups

Most modern-day teams prefer to separate user management from individual tools to a central User Management System (IAM). Prolaborate 4.4 makes this easier with the ability to link SAML user group(s) to be directly linked to Role based access in Prolaborate

For SAML based authentication, toggle the SAML Group based Restriction to enable. Choose the required profile and add SAML user group(s).

To Use SAML user groups in Prolaborate, we need to add the user group claim in SAML configuration. Please enter the User group attribute and its claims in the respective field.

saml acl cofig

Once the configuration is completed, click Save.

Log in with SSO

Once the configuration is done and SSO is enabled, users will start to see a new button on the login page called Login with SSO and they can click on it to login with their SSO credentials.

Log in with SSO

Customize Login Screen for SSO users

Login screen can be customized to show only LOG IN WITH SSO button whenever SAML Single Sign On is configured.

A new option is introduced in SAML Single Sign On configuration page from Prolaborate V4.5.0 where if the option Toggle SSO Login is enabled, the login page shows only LOG IN WITH SSO option and only SSO users can login into Prolaborate.

Toggle Login
SSO Login

An option Switch to Admin Login Page is provided at the bottom, when clicked on it redirects to a new login page where admin users can login using their email and password

admin login

Users can navigate back to SSO login page by clicking the Switch to SSO Login Page at the bottom.

Note:
  • Non-Admin system users cannot login using their email and password.
  • AD users and AD group users cannot login even though the user is an admin.
  Get Started with EA Cloud      Get Started with Prolaborate
Any questions? Contact us
Book a Demo