Versions Compared

Version Old Version 1 New Version Current
Changes made by

Ondřej Tesař

Jan Panoušek

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

  • NameID Mapping* – Select the attribute from the User Management which contains the user ID which is also used by the identity provider. This value is used to identify the user from the IdP. It must be unique per user – no two users can have the same value in that field, otherwise the login via SAML will fail. This is particularly important when you choose Email, as unique email addresses are not enforced on the Pricefx side.

  • Name ID Format – You can specify the name identifier format that is used (unspecified, emailAddress, persistent, transient). Only set this field to a value if required.

  • ADFS/Azure/O365/Okta federation metadata URL – If the identity provider gave you a federation metadata URL, enter it here. Click the Load metadata from URL button to get and apply all the necessary SAML configuration information from the URL. Once the metadata URL is set and saved here, the configuration will be automatically updated when the IdP changes it.

  • SAML Identity Provider URL* – Enter the web address of the SAML SSO page of the Identity Provider.

  • SAML base URL – Used only if the system should be accessed by a custom DNS name (but the cluster’s main/real DNS is a different one). Example: www.pricefx.eu for a customer on shared PROD using DNS some-customer.pricefx.eu.

  • EntityID (optional, generated if not set explicitly) – Overrides the generated EntityID (signon URL). It can be used for setups with multiple systems/partitions to one IdP where you no longer need to create a separate SAML configuration for each partition. (But on the identity provider side, all the different reply URLs still have to be specified.)

  • IdP Certificate* – Paste the public certificate of the identity provider. It can be found in the identity provider metadata. It is used to check the digital signature of the authentication request. Make sure you include the BEGIN and END tags. Multiple certificates can be added simply by pasting them one after the other (including the start/end tags).

    Example

    Code Block
    -----BEGIN CERTIFICATE-----
MIIErDCCA5SgAwIBAgIOAVJBxy7NAAAAAEW0CPwwDQYJKoZIhvcNAQELBQAwgZAx
KDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzE0SmFuMjAxNl8yMDE1MTgxGDAWBgNV
BAsMDzAwRDU4MDAwMDAwSjBpNzEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAU
BgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0Ew
HhcNMTYwMTE0MjAxNTE4WhcNMTgwMTE0MTIwMDAwWjCBkDEoMCYGA1UEAwwfU2Vs
ZlNpZ25lZENlcnRfMTRKYW4yMDE2XzIwMTUxODEYMBYGA1UECwwPMDBENTgwMDAw
MDBKMGk3MRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZy
YW5jaXNjbzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAMwkls4jyq6+x7oy4YOhIy7S38qXvS1iqXDrm//P
XduiHBnuSGDCrp+BbIe5RVJa5V9oKUl8H+tORgygn6PRsWBUaT1XArZ17H2nlS7O
yD/KrfkIxnVOekTnDvpCj5pL99cxMJ2GwfEgvuGHzsNU6Q19r4XE9rSIIBz1o44j
vcTfe6723ZnxTqPHOrPcQ7G20TYY4w//hz4W0zk69aCBPNewy49OEIQFDgxYqw5L
VMx9plIwBkUImeIhH+kB87WQxNZsNiVZFpV2BMY3HfzDcXsWh2bF9acOyoYObUdH
w+HYgSpDW40Cp26b8bfuUCcbXzkp+Dpj8n0UQHu+YMh6FxUCAwEAAaOCAQAwgf0w
HQYDVR0OBBYEFEsMeamXkO+Ao8wTUFkfvXMBj63FMA8GA1UdEwEB/wQFMAMBAf8w
gcoGA1UdIwSBwjCBv4AUSwx5qZeQ74CjzBNQWR+9cwGPrcWhgZakgZMwgZAxKDAm
BgNVBAMMH1NlbGZTaWduZWRDZXJ0XzE0SmFuMjAxNl8yMDE1MTgxGDAWBgNVBAsM
DzAwRDU4MDAwMDAwSjBpNzEXMAUGB1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNV
BAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFS
QccuzQAAAABFtAj8MA0GCSqGSIb3DQEBCwUAA4IBAQAQXbLnTnp39x6zgNVT6UoD
I86zLkCdpmEqigx3oqRlWABrNKv/1SAwC82qDbyIxPKpJvRK7SOlxSYgkcEwr/bA
2YqGSqtjRV6sFiH1PkK1UrwZyc6l99HcH1uzBw+LIOWdF2w3QOdW6EnhRZvt7l7r
WUrzmnUQku1hUoCnI4UVHdUzSCt0aCCYO52ctolnH3qW5sEnRvHujsb5lDazP5F6
2hV3fyPrP6obZQBlzRbO3fucw6ThZVPzVvcTuErkRWnMZMkP688yuejYnspYF1M7
TgoEerTPtl512RIarvDVXSEhoOoB1ZAY8eFRBXigT8vWBVjS5X2dF6xyee+AwbjK
-----END CERTIFICATE-----

  • Auto Provisioning – In this section, you can enable and configure the auto-provisioning feature (described below).

  • Anchor
    RelayStates
    RelayStates
    RelayStates – The RelayState parameter tells the Service Provider to which web page to redirect after a successful user login. (Technically, it is just a URL parameter with a defined name which identity provider just passes it through.) By default, you are logged into Unity UI (with or without RelayState) and the module which is set as Home Page opens (if no targetPage and targetPageState parameters are specified).

    • If you want to create a deep link that directly opens an Agreement/Promotion, Quote or Rebate Agreement, append the relay state name in the link with parameters identifying the document. For example:

      Code Block
      /pricefx/martin/saml/signon/?RelayState=MyRelayState--targetPage%3Dquotes%26targetPageState%3DP-202

      The string right of the double dash delimiter will be appended to the relay state URL. The targetPage parameter is listed in AppPages in API and the targetPageState is the uniqueName.
      (info) See more about configuring /wiki/spaces/KB/pages/3380904153.

    • The RelayState parameter can be generated dynamically. There are the following placeholders supported:

      • USERNAME – Allows you to use the same URL for multiple usernames.

      • PARTITION – Allows you to use the same URL for multiple partitions. (As the whole SAML configuration is per partition only, this placeholder makes sense when reusing a configuration over more partitions.)

      • SSOSELECTOR – Allows you to use the same URL for multiple IdPs.

      • LOCALE – If you need to dynamically set/replace the configured locale of the user (as stored in emailLocale of the Pricefx user object) in the final redirect URL.

    • There is also a special built-in relay state named “PricefxStudio” which exists there by default. It does not redirect anywhere but emits an HTML response that returns the JWT token for Studio. The relay state can also be “PricefxStudio-Something”. The “Something” would be available in the HTML response template and is shown there as additional info (e.g., to identify Studio’s connection name).

    • Relay state can also contain an arbitrary/dynamic redirect URL. This can be useful to support e.g., SSO-enabled deep links in emails or an ad-hoc SSO round-trip when the user hits a deep link unauthorized. Redirect URL (after successful authorization roundtrip) can be set like this:

      Code Block
      https://qa.pricefx.eu/pricefx/mvich/saml/signon/?RelayState=URL--aHR0cHM6Ly93d3cuZ29vZ2xlLmNvbQ==The part after the "URL--" prefix is a base64-encoded URL (https://www.google.com in this example). It can be a full URL or a relative one. Parameter substitution for USERNAME, PARTITION, SSOSELECTOR and LOCALE are still applied before sending the redirect.

    • At your convenience, a relay state builder is available that helps you construct the URL with the correct syntax.

  • Pricefx metadata – Copy and paste this metadata to create a file that can be used to automatically configure SAML for Pricefx on the IdP side.
    You can also generate the metadata file via an API endpoint:

    • /pricefx/<partition>/admin.generateFederationMetaData
      or

    • /pricefx/<partition>/admin.generateFederationMetaData/<SAML config name>

    • Note that the parameter is case sensitive and must always be "RelayState".
      (info) See also /wiki/spaces/KB/pages/3380904153.

...

Code Block
https://www.pricefx.eu/pricefx/<partition>/saml/signon/

Auto-Provisioning

Pricefx supports an auto-provisioning feature which creates a user account on the fly if the SAML authentication is valid but no corresponding user account is found.

...