...
Configuration
To configure SSO, you must configure it in several places:
Service Provider (Pricefx Core)
- SAML Configuration (IdP URL and the IdP certificate)
- User Management - if you want to disable direct login for particular users (i.e. allow only SSO for them)
Identity Provider (Azure, Okta, Salesforce)
- Define and configure Pricefx Core (the Service Provider) as a trusted/known service provider (sometimes called a trusted relying party or trusted application). The configuration procedure and terminology differ for every IdP, and the information you have to enter in the SAML configuration section varies accordingly.
- Assign users and groups to this new trusted application.
Pricefx Core Configuration
You can configure Pricefx Core for Single Sign-On using SAML 2.0. In Unity UI, navigate to SAML Configuration.
There can be more than one SAML configuration if needed. Either click "DEFAULT" to set up the default SAML configuration, or click the Add button to create a new one. If you use more than one SAML configuration in one partition, you need to add the configuration name, e.g. "IPSTAGE", to the URLs; that configuration set is then used. If you do not specify a name, DEFAULT is used. Examples:
- https://<customer>.pricefx.eu/pricefx/<partition>/saml/consume/DEFAULT?RelayState=quoteConfigurator
- https://<customer>.pricefx.eu/pricefx/<partition>/saml/consume/IPSTAGE?RelayState=quoteConfigurator
Name ID Mapping
Select the attribute of the User object in Pricefx User Management that contains the user ID matching the one used by the IdP. This value is used to identify the user coming from the IdP. It must be unique per user: no two users can have the same value in that field, otherwise login via SAML will fail. This is particularly important when you choose "Email", because unique email addresses are not enforced on the Pricefx side. The value is one of:
- loginName
- additionalInfo3
- additionalInfo4
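A pre-flight check for the uniqueness rule above, written as an added example (not Pricefx code): it scans User records for the chosen Name ID attribute and reports values that are empty or shared by several users, which would make SAML login fail for them. The attribute list covers the three values listed plus email, which the text singles out; the sample records and the case-insensitive comparison are assumptions.

```python
# Constructed sample of Pricefx User records (hypothetical data, a few fields only).
USERS = [
    {"loginName": "jdoe",   "email": "J.Doe@example.test",   "additionalInfo3": "jdoe@corp.example.test",   "additionalInfo4": "EMP-0001"},
    {"loginName": "asmith", "email": "a.smith@example.test", "additionalInfo3": "asmith@corp.example.test", "additionalInfo4": "EMP-0002"},
    {"loginName": "jdoe2",  "email": "j.doe@example.test",   "additionalInfo3": "jdoe@corp.example.test",   "additionalInfo4": ""},
]

# Attributes the Name ID Mapping can point to: loginName, additionalInfo3 and
# additionalInfo4 from the list above, plus email, which the text mentions.
NAME_ID_ATTRIBUTES = ("loginName", "email", "additionalInfo3", "additionalInfo4")

def name_id_conflicts(users, attribute):
    """Map each problematic Name ID value to the loginNames that carry it.
    A value is problematic when it is empty or shared by more than one user;
    any entry in the result means SAML login would fail for those users."""
    if attribute not in NAME_ID_ATTRIBUTES:
        raise ValueError(f"unsupported Name ID attribute: {attribute}")
    by_value = {}
    for user in users:
        # Assumption: compare case-insensitively so that values differing only in
        # capitalisation are flagged too (a conservative check; the exact matching
        # rule applied at login is not stated on the page).
        value = (user.get(attribute) or "").strip().casefold()
        by_value.setdefault(value, []).append(user["loginName"])
    return {v: names for v, names in by_value.items() if v == "" or len(names) > 1}
```

Run it for every candidate attribute before switching users to SSO-only login; an empty result means the attribute is safe to use.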
Name ID Format
Format of the Name Identifier sent from the IdP to the Service Provider. You can specify the format that is used (unspecified, emailAddress, persistent, transient). Set this field only if required. Read more about the Persistent and Transient Identifiers.
SAML IdP Provider URL
Enter the URL address of the SAML SSO page of the Identity Provider.
SAML base URL
Used only if the system should be accessed by a custom DNS name (while the cluster's main/real DNS name is a different one). Example: www.pricefx.eu for a customer on shared PROD using the DNS name <customer>.pricefx.eu.
IdP Certificate
Paste the public certificate of the Identity Provider. It can be found in the IdP metadata. It is used to check the digital signature of the authentication request. Make sure you include the BEGIN and END tags! As of the Vesper 6.0 release, multiple certificates can be added simply by pasting them one after the other (each including its start/end tags).
Pricefx metadata
Description of the Pricefx endpoints (how the IdP should call Pricefx). This is what Pricefx (the Service Provider) gives to the IdP to automatically configure SAML for Pricefx on the IdP side. The content is provided to the IdP in the form of a metadata.xml file.
ADFS/Azure/O365/Okta federation metadata URL
Provided by the IdP. Federation metadata is required to establish a trust relationship with the Identity Provider (IdP). The XML metadata found at that URL is used by Pricefx to retrieve the certificates and the URL of the SAML endpoint. The URL serves to apply the settings dynamically instead of statically (see Dynamic_metadata_exchange). Once the metadata URL is set and saved here, the configuration is automatically updated when the IdP changes it. By loading the metadata from the URL, you can shorten the process of setting up the relationship between the IdP and the SP.
If the IdP gave you a federation metadata URL:
- Enter it here.
- Click the "Load metadata from URL" button to get and apply all the necessary SAML configuration information from the URL.
Service Provider request signing private key
Here you can enter a private key that will be used to sign the SAML request. Warning: This option is meant only for special cases where the IdP explicitly requires it.
RelayStates
The RelayState parameter tells Pricefx Core (the Service Provider) which web page to redirect to after a successful user login.
- relayStateName - the name sent by the Identity Provider
- relayStateURL - the URL to jump to. The value can contain:
  - replacements
  - deep links
Authorization
Authorization management - i.e. Roles and Groups - must still be maintained in Pricefx.
The list of Roles and Groups can also be synced by a custom integration job with Active Directory (or a similar system).
User provisioning
A matching User object has to exist in Pricefx. It cannot exist only at the Identity Provider.
The list of Users can also be synced by a custom integration job with Active Directory (or a similar system).
Identity Provider configuration
This configuration is done by the customer on their side.
Azure Identity Provider Specific Settings
The customer (using Azure as the Identity Provider) may ask you for the "Identifier (Entity ID)" and the "Reply URL". In both cases, the URL https://www.pricefx.eu/pricefx/<partition>/saml/signon (with the right DNS name and partition) should be used. If you are using a dedicated instance with a hostname other than "www.pricefx.eu", use your hostname instead.
Entity ID
The so-called sign-on URL, e.g. https://www.pricefx.eu/pricefx/<partition>/saml/signon (provide the correct DNS name and partition).
Reply URL
The reply URL (also called the ACS or assertion URL) would be the "consume URL": https://www.pricefx.eu/pricefx/<partition>/saml/consume
OKTA Identity Provider Specific Settings
For details about the configuration options, see SAML Configuration in the documentation.
...