Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide


Upland Qvidian Proposal Automation Single Sign-on Administrator's Guide

Version 12.0 - 4/17/2018

Copyright

Copyright 2018 Upland Qvidian. All rights reserved. Information in this document is subject to change without notice. The software described in this document is furnished under a license agreement or nondisclosure agreement. The software may be used or copied only in accordance with the terms of those agreements. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or any means electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use without the written permission of Upland Qvidian.

Upland Qvidian
401 Congress Ave #1850
Austin, TX 78701
833.875.2631

Single Sign-on Configuration

Single Sign-on (SSO) provides users access to Qvidian using their organization's identity provider (IdP) or Service Provider (SP). The Qvidian SSO model includes the customer external IdP acting as the authentication authority, using either a SAML 2.0 compliant IdP from within the customer's network or a Salesforce.com IdP from the cloud or internet, and Qvidian SP.

This document has two parts:

- Customer Side Configuration: SSO/IT administrator is required.
- Qvidian Subscriber SSO Configuration: Qvidian administrator is required.

Customer Side Configuration

As part of the deployment, configuration details must be shared between Qvidian personnel and the customer's IT staff. These configuration details include settings such as endpoint URL information, partner entity ID, etc. Additionally, optional configuration settings to achieve the full capabilities of Qvidian SSO, such as creating and updating user and group attributes, should also be communicated.

Following the notes below, please generate the metadata file from your SSO authority in xml or txt format and submit the file as well as the security signing certificate to Qvidian Support via email, support@qvidian.com.

The following provides key configuration settings necessary for the full capabilities of Qvidian SSO to be operational:

- Qvidian URL/SERVER processing SAML requests: https://sso1.qvidian.com/sp/acs.saml2
- Qvidian's SAML2 implementation uses HTTP-POST Bindings for maximum reliability with large attribute fields. HTTP-Redirect bindings are available but not preferred.
- SingleSignOnService Location in the metadata must be filled in with a URL accessible to the customer's users. The product may redirect customers to this URL to begin IDP-initiated sign in.
- The customer's Public-key SSL Certificate for SSO-related authentication is also required.
- Any of the fixed Qvidian attributes (user properties and customer groups membership list) that are to be supplied by the customer's SSO authority (LDAP, Active Directory, Siteminder, etc.) as part of the user connection must be specified. None, some, or all of the fixed Qvidian attributes may be defined depending on availability of those property values from the customer's SSO authority. Required attributes have to be defined as shown below.

Qvidian requires the following attributes be passed as part of the login security assertion:

- SAML_SUBJECT
- Email
- FirstName
- LastName

Note: SAML_SUBJECT is a fixed, core attribute and must contain the user's login name. It should be in an email format. The customer can either pass the value as email address or Organization ID and Qvidian will append the domain to match what exists in Qvidian.

Qvidian supports the following optional attributes be passed as part of the login security assertion:

- Groups*
- Address1
- Country
- Phone
- Title
- State
- MiddleName
- Address2
- City
- Fax
- Salutation
- Zip

* Named groups can be used in Qvidian to assign roles.

Qvidian Subscriber SSO Configuration

The final SSO configuration step for a Qvidian subscriber is performed by the customer's Qvidian Administrator within the Qvidian application's Administration interface. To configure Qvidian for SSO, follow the steps below.

1. Log on to Qvidian with an administrative credential, including the Manage Single Sign-On Settings application permission.

2. On the Administration tab, click Application Settings, and then click Single Sign-On Settings.

[Figure: Example of Single Sign-on screen in Qvidian.]

Note: The Authentication Mode setting is set by the service provider. If you need to modify this setting, please contact Qvidian Support.

3. Under User Settings, select the radio button next to one of the Enable New User Provisioning options below.
   - Yes: SSO will automatically provision new users into Qvidian, including setting any Qvidian user properties and role memberships as specified by the customer's SSO values within bounds of the remaining SSO settings.
   - No: Users must already have Qvidian user accounts to connect.

4. Select the radio button next to one of the Enable SP-Initiated Single Logout? options below.
   - Yes: When the user logs out of Qvidian, they are automatically logged out of the SP. This ensures the users must log in each time they exit and return to Qvidian.
   - No: When the user logs out of Qvidian, it does not log them out of the SP. This may allow users who have previously logged in to Qvidian to open Qvidian without providing their credentials.

5. Select the radio button next to one of the Manage Existing User Properties options below.
   - Yes: For existing Qvidian users, every time the user connects, the user properties updates specified by the customer's SSO authority will be applied.
   - No: For existing Qvidian users, the user properties will not update in Qvidian.

6. Select the radio button next to one of the Manage Existing User Roles options below.
   - Yes: For existing Qvidian users, every time the user connects, Qvidian role memberships will be updated based on group memberships specified by the customer's SSO authority within the bounds of the other SSO settings for Qvidian roles management.
   - No: For existing Qvidian users, Qvidian role memberships will not be updated regardless of group memberships specified by the customer's SSO value.

7. Under User Group / QPA Settings, in the Default QPA User Roles field, enter one or more low-level Qvidian roles as a vertical-bar delimited list (Case sensitive). A connecting Qvidian user whose user group memberships do not map to any of the Group/Role mappings in step 10 below will then have their account provisioned and assigned to those low-level roles, giving the user basic access to Qvidian. This is required if the customer enabled New User Provisioning in step 3.

   The Everyone role can be used as the Default QPA User Role if no other custom low-level role exists. If you enable new user provisioning in step 3, new users must have a Default Role assigned to them. Additionally, you can have SSO handle Role assignments based on Groups being passed via SSO. Mappings of customer user groups to Qvidian user roles are specified below in step 10.

   If Default QPA User Roles is not configured AND the SSO assertion's group membership list does not map to any Qvidian user roles (step 10), the connection will be denied.

   You can change the assigned QPA roles for a specific user after their account is provisioned. However, if Manage Existing User Roles (step 6) is set to Yes, the QPA role memberships will be reset to those specified by the SSO assertion's Groups attribute the next time the user connects to Qvidian.

8. In the Authorized User Groups field, type a vertical-bar delimited list of customer user groups that are authorized to connect to Qvidian (Case sensitive). This is required if the customer is passing Groups values via SSO and needs to limit access to Qvidian only for specific Groups.

   If no user groups are specified, no further processing for this setting is necessary. If one or more user groups are specified in this setting, processing continues as follows:
   - Within the user connection SSO assertion's Groups attribute, the customer's SSO authority provides the list of customer groups the connecting user is a member of.
   - As long as at least one of these customer groups is in this Authorized User Groups setting, the user's connection continues to be processed within the bounds of the remaining SSO settings.
   - If none of the assertion's groups exist in this Authorized User Groups setting, the user's connection is denied.

9. Enter the User Group Keys Delimiter, which specifies the delimiter character to use when parsing the connecting user's customer group membership list into individual groups. The list of customer groups the user is a member of is provided by the customer's SSO authority in the user connection SSO assertion's Groups attribute. If left empty, the default delimiter is a vertical-bar (|).

10. Under User Group / QPA Role Mappings, click Add. This is required if the customer is passing Groups values via SSO and New User Provisioning is enabled, and needs to automate Role assignment. For each group, a User Group / QPA Role Mappings setting is required, which includes a list of Qvidian roles that the customer IdP group is mapped to, delimited with a vertical-bar (|).
    a. In the User Group box, type the name of your IdP group (Case sensitive).
    b. In the Description box, type a general description of your IdP group and mapped QPA roles. This is only for display purposes.
    c. In the QPA Roles box, type a vertical-bar delimited list of the QPA user roles that are mapped to the IdP group specified in the Setting (Case sensitive).
    d. Click Save.

[Figure: Examples of Group / QPA Role Settings]

Process Flow

For an incoming user connection, the Qvidian portal application retrieves the contents of the original SSO assertion's Groups attribute and parses that list of customer IdP groups into the individual groups using the delimiter specified by the User Group Keys Delimiter setting (step 9).

For each individual group extracted from this IdP groups list, the Qvidian portal application looks for an entry in the User Group / QPA Role Mappings settings with a User Group setting that matches the IdP group name (step 10):

- For matched entries, the incoming user is granted membership to the corresponding mapped QPA user roles.
- Unmatched entries are ignored.

Once all specified IdP groups are processed, if no Qvidian user roles have been assigned for the incoming connection's user:

- If valid Qvidian user role(s) are specified in the Default QPA User Roles setting, the user will be granted membership to those Qvidian user role(s).
- If Default QPA User Roles is unspecified or does not contain any valid Qvidian user roles, the user connection is denied with an appropriate message.

About Email Triggers

Under Administration > Application Data > Email Notification Triggers, there are three Email Notification Triggers for New User creation. New users are automatically notified when they are set up in Qvidian with the trigger set to enabled, and the Send Status is set to Auto-Send or Customizable. The email trigger that is used depends on what authentication mode is defined (step 2):

- A site that is set to use Explicit Login Only (users have to enter credentials for Qvidian each time they log in) will use the New User Created trigger.
- A site that is Mixed mode (users can access by using SSO or logging in explicitly) will use the New User Mixed Authentication trigger.
- A site that is SSO only (users can only access Qvidian using SSO) will use the New User Single Sign-On trigger.
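The group-to-role resolution described under Process Flow and in steps 7 to 10, modelled as an added example (this is not Qvidian's code) so that an administrator can predict the outcome for a given Groups value before changing the settings. The group and role names, the settings dictionary and its keys are constructed; the model covers connections whose roles are set from the assertion (new user provisioning, or Manage Existing User Roles set to Yes).

```python
# Model of the documented SSO role-resolution flow; not Qvidian's own code.
def split_list(value, delimiter="|"):
    """Split a delimited setting or attribute value, dropping empty items."""
    return [item for item in (value or "").split(delimiter) if item]


def resolve_roles(groups_attr, settings):
    """Return (allowed, roles, reason) for one assertion's Groups attribute."""
    # Step 9: an empty User Group Keys Delimiter falls back to the vertical bar.
    groups = split_list(groups_attr, settings.get("delimiter") or "|")

    # Step 8: if Authorized User Groups is set, at least one group must match.
    authorized = split_list(settings.get("authorized_groups"))
    if authorized and not set(groups) & set(authorized):
        return False, [], "no group listed in Authorized User Groups"

    # Step 10: exact, case-sensitive lookup; unmatched groups are ignored.
    roles = []
    for group in groups:
        for role in split_list(settings["mappings"].get(group)):
            if role not in roles:
                roles.append(role)
    if roles:
        return True, roles, "roles mapped from IdP groups"

    # Step 7: fall back to Default QPA User Roles, keeping only valid roles.
    defaults = [r for r in split_list(settings.get("default_roles"))
                if r in settings["valid_roles"]]
    if defaults:
        return True, defaults, "default roles applied"
    return False, [], "no mapped role and no valid default role"


# Constructed settings (hypothetical group and role names).
SETTINGS = {
    "delimiter": ";",
    "authorized_groups": "Sales|Proposal-Writers|Contractors",
    "mappings": {"Sales": "Everyone|Sales User",
                 "Proposal-Writers": "Everyone|Content Author"},
    "default_roles": "Everyone",
    "valid_roles": {"Everyone", "Sales User", "Content Author"},
}

if __name__ == "__main__":
    for attr in ("Sales;Proposal-Writers", "sales", "Contractors", "Finance"):
        print(repr(attr), "->", resolve_roles(attr, SETTINGS))
```

The "sales" case shows the effect of case-sensitive matching: a group name that differs only in case from the configured one is treated as unauthorized.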