If your organization would like to set up Single Sign-on, note the following requirements and guidelines:
- Your organization must choose and set up an identity provider. This is the provider that is responsible for authenticating users for the sign-on process. Examples are Auth0, Okta, and Keycloak.
- The identity provider configuration includes setting up users and assigning them to groups. The groups (which may also be called roles, depending on the identity provider) are used for role mapping and ensure that users are assigned the proper permissions at login.
- A configuration file defines the SSO options that are available on the login page. meshIQ support provides assistance in setting up the configuration file for our customers.
- If applicable, more than one identity provider may be named within a configuration file. meshIQ support will work with you to determine the order in which providers will appear on the login page.
- When the configuration file is complete, it will be placed in the expected location in your system, and the required pointer to it will be updated in Apache Tomcat. Each time a configuration file is updated, Apache Tomcat must be restarted.
The Global Settings SSO tab is for systems that have single sign-on (SSO) configured. Use the SSO tab to preview the connection settings for service providers. If no SSO connections are detected, then this tab will not be filled in.
If SSO is configured, the following configuration settings are displayed on this tab:
- Name
- Description
- Status (Active or Passive)
- Position
- Client Issuer (Client Entity ID)
- Assertion Consumer Service URL
- SSO Issuer (Provider Entity ID)
- IdP (Identity Provider) SSO Service URL
- IdP (Identity Provider) Artifact Resolve URL
- Authentication Request Signed (Active or Passive)
- Artifact Resolve Request Signed (Active or Passive)
- Client Certificate, in JKS or PKCS12 format (Type, Key Store File, and Key Alias)
- IdP (Identity Provider) Signing Certificate (X.509 Certificate from IdP metadata)