Configuring single sign on
If you have already created your custom domain then:
- click on Setup\Account\Custom domains
- click on the name of the custom domain
- click on the Single sign on tab
There are several fields in the Single Sign on tab. First the Single Sign on group:
- Enable Single Sign On for this domain. Select this to enable single sign on for this domain. If you do not check this, single sign on will be disabled.
- Configure from identity provider metadata file. Click Choose file to upload the IdP metadata file. Once you have selected the file you can click on Save. The configuration metadata file will be read and the correct configuration will be set.
- Service provider initiated binding. Select how the SAML request should be sent if the request is initiated by Altamira. This occurs when a user accesses the single sign on custom domain directly and they are not authenticated. HTTP POST is the default and works with most providers.
- Identity provider logout URL. This is the identity provider's URL for single logout.
- Identity provider initiated binding. Select how the SAML request should be sent if the request is initiated by the IdP. This occurs when a user starts the session from the IdP, for example from an Altamira HRM application button in the Microsoft 365 homepage. HTTP POST is the default and works with most providers.
- Identity provider certificate for response signing. This is the certificate with which the IdP signs responses. You only need the public key for this certificate. This certificate is usually issued by the IdP.
- Certificate for response encryption. This is the certificate with which the IdP encrypts responses. You only need the public key for this certificate. This certificate is usually issued by the IdP.
- Certificate file. This is the certificate with which Altamira signs requests. You need a certificate with a private key. You can generate a self-signed certificate by clicking on New\Generate self-signed certificate.
- Sign SSO requests. Whether to sign requests and, if so, which algorithm to use for the signature.
Then the Identity group:
- Synchronize groups. If this is checked then groups will be synchronized. You will need to configure your IdP to send group membership as a claim. See Synchronizing groups.
- Automatically provision new users. If this is checked then Altamira HRM will provision new users if they authenticate successfully with the IdP but do not yet exist in Altamira HRM. See Self provisioning.
- Form for creating the employee. Select the form used to map SAML claims to the new user. You can select any form that is built for the Employee entity. See Self provisioning.
- Username source. Choose where Altamira should get the username from. If you select Subject NameIdentifier of the assertion, then Altamira HRM expects the response to contain a Subject element and a NameIdentifier in the assertion. If you select Use claim, then Altamira will look for the username in the claim specified in the Name of the claim containing the username field.
- Name of the claim containing the username: This is the full name, including namespace, of the claim containing the username.
- Name of the claim containing the users group: This is the full name, including namespace, of the claim containing the user's group membership. See Synchronizing groups.
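To make the Username source and claim-name settings concrete, here is an added example (not Altamira's code) that reads a constructed SAML assertion and resolves the username from either Subject/NameID or a named claim, and the group list from the group claim, matching on the full claim name including namespace. The claim names and the assertion content are assumed sample values; the snippet deliberately parses only and does not verify the response signature, which a real service provider must do with the IdP signing certificate before trusting any of these values.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (no signature, not encrypted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>HR</saml:AttributeValue>
      <saml:AttributeValue>Managers</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def attribute_values(root, claim_name):
    """All AttributeValue texts of the Attribute whose full Name equals claim_name.
    Comparison is exact, so the namespace prefix of the claim name must match."""
    return [
        (v.text or "").strip()
        for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS)
        if attr.get("Name") == claim_name
        for v in attr.iterfind("saml:AttributeValue", NS)
    ]


def username_from_assertion(xml_text, source="nameid", claim_name=None):
    """Resolve the username the way the 'Username source' setting describes.
    source='nameid' reads Subject/NameID; source='claim' reads the named claim."""
    root = ET.fromstring(xml_text)  # assumes signature already verified upstream
    if source == "nameid":
        node = root.find("saml:Subject/saml:NameID", NS)
        if node is None or not (node.text or "").strip():
            raise ValueError("assertion has no Subject/NameID")
        return node.text.strip()
    if source == "claim":
        values = attribute_values(root, claim_name)
        if len(values) != 1:  # a missing or multi-valued username claim is a config error
            raise ValueError(f"expected one value for claim {claim_name!r}, got {len(values)}")
        return values[0]
    raise ValueError(f"unknown username source {source!r}")


def groups_from_assertion(xml_text, group_claim):
    """Group memberships sent by the IdP in the configured group claim (may be empty)."""
    return attribute_values(ET.fromstring(xml_text), group_claim)
```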