SAML Configuration
You can configure Pricefx for single sign-on using SAML 2.0. In the SAML language, Pricefx acts as a Service Provider and can integrate with an Identity Provider (IdP) for SAML requests, such as Active Directory, Okta or Salesforce. The whole authentication process is delegated to the Identity Provider, i.e. all password management (expiry, complexity, reuse, etc.). Access management is indirectly delegated too (by disabling the user on their end).
The setup consists of these parts:
Configure Service Provider (= Pricefx, either standalone or integrated in a CRM)
Configure SAML in Pricefx
Note that you cannot do the configuration at the Pricefx side in one go; you will need inputs from the IdP configuration to finish it.
Configure Identity Provider (used at the customer's side, so this setup should done by the customer)
The following chapters are just examples:
Note:
Authorization management (i.e. roles and groups must still be maintained in Pricefx; or possibly by a custom integration job which syncs with Active Directory or similar system).
There is no direct communication between Identity Provider and Service Provider; every communication exchange happens via the user's browser. This is defined behaviour/design per SAML standards.
SAML SSO is only used to authenticate initially; subsequent requests use the same JSON Web Token (JWT) as is generated for the normal login.
Logging in via SSO and via username & password can be used in parallel; each method uses a different URL to access the application.
Once you are logged in, there is no difference between SSO-logged in session and username & password logged in session.
Further reading:
To understand the basic concepts of the SAML authentication flow, a good starting point can be https://auth0.com/blog/how-saml-authentication-works/ or similar pages.
How can I implement a relay state that defines a specific locale?
Internal resources:
Recording of SSO Training by Chris Tratz
Found an issue in documentation? Write to us.
Pricefx version 12.0