Single Sign-On

Pricefx Core is only one of many applications our customers use. Their users do not want to have additional separate credentials, just because they’re using one more application.

Instead, they want to have one-time access to multiple applications, including Pricefx. So they need to integrate Pricefx into their Single-Sign-On infrastructure.

Pricefx supports single sign-on (SSO) with SAML.

SAML

SAML stands for Security Assertion Markup Language. It is an XML-based open-standard for transferring identity data between two parties: an identity provider (IdP) and a service provider (SP).

Service Provider (SP)

Trusts the Identity Provider and authorizes the given user to access the requested resource.In our case the Service Provider is the Pricefx Suite application.

Identity Provider (IdP)

Performs authentication and passes the user’s identity and authorization level to the service provider.The whole authentication process is delegated to the “Identity Provider”, i.e., all password management (expiry, complexity, reuse, etc.).Access management is indirectly delegated too (by disabling the user on their end).Note: SAML is only one of the services the IdP provides.Pricefx can integrate with any IdP using SAML, for example:

Azure
Okta
Salesforce (does IdP only for its apps)

The Authentication Process

The authentication process could be initiated either by SP or by IdP.

SP Initiated

Notice that there is no direct communication between the IdP and the SP and that every communication exchange happens via the user’s browser.

User accesses the Pricefx application via URL. The URL is in the format:
https://<customer>.pricefx.eu/pricefx/<partition>/saml/signon/<samlcfg>?RelayState=<value>
- customer - 3rd level domain name, usually a name of the customer company. If the shared PROD server is used, then it will be www.
- partition - A name of the partition to access.
- signon - Name of the Pricefx service, which initiates the SAML handshake.
- samlcfg (optional) - Name of the SAML configuration from the Pricefx SAML configuration. Used only if we have more SAML configurations.
- RelayState (optional) - A value, which will be passed there and back between the SP and IdP, until it finally reaches the SP. Used to find out, which resource the user should receive from Pricefx, for example:
  - which screen should be opened
  - which specific Quote (see "deep links")
  - or which UI - Classic or Unity
Pricefx generates the SAML Authentication Request for the IdP and returns it as redirection back to the browser.
- The URL of the IdP is set up on the Pricefx SAML configuration page, under SAML Identity Provider URL.
The browser redirects the SAML Authentication Request to the URL of the IdP.
The IdP parses the SAML request and Authenticates the request.
1. If the user is not yet authenticated, it will send them to the Login screen (of the IdP).
2. If the user is already authenticated on IdP, the IdP generates the SAML response and sends it via redirection to the ACS URL to the browser.
The browser redirects the SAML response to the ACS URL (i.e., Pricefx URL) for verification. The URL is in the format:
https://<customer>.pricefx.eu/pricefx/<partition>/saml/consume/<samlcfg>?RelayState=<value>
- consume - The name of the Pricefx service, which validates SAML response from the IdP.
- RelayState (optional) - A value which traveled all the way from the beginning of the handshake. Will be used to decide, which resource to deliver to the user.
Pricefx consume service verifies the SAML response.
1. If the verification is successful, the user will be logged in to Pricefx and granted access to the resources that they are authorized to view/modify.

IdP Initiated

This approach could be used e.g., in Salesforce, which itself acts as an IdP. So the Salesforce has already authenticated the user, and only redirects to the ACS URL with the SAML token.

The user is already on the website of the IdP, and only clicks on a link leading to the ACS URL of the service (Pricefx). Sample ACS URL:
https://<customer>.pricefx.eu/pricefx/<partition>/saml/consume/<samlcfg>?RelayState=<value>
Pricefx consume service verifies the SAML response.
1. If the verification is successful, the user will be logged in to Pricefx and granted access to the resources that they are authorized to view/modify.

Configuration

To configure SSO, you must configure it in several places:

Service Provider (Pricefx Core)
- SAML Configuration (IdP URL and the IdP certificate)
- User Management - If you want to disable direct login for particular users (i.e., allow only SSO for them).
Identity Provider (Azure, OKTA, SalesForce)
- Define and configure Pricefx Core (the Service Provider) as trusted/known service provider (sometimes called a trusted relying party, or trusted application). The configuration procedure and terminology used there is different for every IdP provider and the information you have to enter in the SAML configuration section varies.
- Assign users and groups to this new trusted application.

Pricefx Core Configuration

You can configure Pricefx Core for Single Sign-On using SAML 2.0. In Unity UI, navigate to Administration › Configuration › External Systems › SAML Configuration.

SAML Configurations

There can be more SAML configurations, if needed.Either click on "DEFAULT" to do a setup of the default SAML configuration, or click Add button to create a new SAML configuration.If you use more SAML Configurations in one partition, then you need to add the configuration name, e.g., "IPSTAGE" to the URLs – then this configuration set is used.If you do not specify it, it means that the DEFAULT is used. Examples:

Name ID Mapping

Select the User attribute from the Pricefx User Management which contains the user ID which matches to the one used by the IdP.This value is used to identify the user from the IdP.It must be unique per user – no two users can have the same value in that field, otherwise the login via SAML will fail.This is particularly important when you choose "Email", as unique email addresses are not enforced on the Pricefx side.The value is one of:

email
loginName
additionalInfo3
additionalInfo4

Name ID Format

The format of the Name Identifier sent from IdP to Service Provider.You can specify the format that is used (unspecified, emailAddress, persistent, transient).Set this field only if required.Read more about Persistent and Transient Identifiers.

SAML IdP Provider URL

Enter the URL address of the SAML SSO page of the Identity Provider.

SAML Base URL

Used only if the system should be accessed by a custom DNS name (but the cluster’s main/real DNS is a different one).Example: www.pricefx.eu for a customer on shared PROD; using DNS <customer>.pricefx.eu.

IdP Certificate

Paste the public certificate of the Identity Provider.It can be found in the IdP metadata.It is used to check the digital signature of the authentication request.Make sure you include the BEGIN and END tags! As per Vesper 6.0 release, multiple certificates can be added simply by pasting them one after the other (including the start/end tags).

Pricefx Metadata

The description of Pricefx endpoints (how IdP should call Pricefx).This is what Pricefx (Service Provider) gives to the IdP to automatically configure SAML for Pricefx on the IdP side.The content is provided to the IdP in the form of metadata.xml file.

ADFS/Azure/O365/Okta Federation Metadata URL

Provided by the IdP.Federation metadata are required to establish a trust relationship with the Identity Provider (IdP).The XML metadata found on that URL will be used by Pricefx to retrieve certificates and URL for SAML endpoint.The URL serves to do the settings dynamically, instead of statically (see Dynamic_metadata_exchange).Once the metadata URL is set and saved here, the configuration will be automatically updated when the IdP changes it.By uploading the metadata from URL, you can shorten the process to set up a relationship between the IdP and SP.

If the IdP gave you a federation metadata URL:

Enter it here.
Click the "Load metadata from URL" button to get and apply all the necessary SAML configuration information from the URL.

Service Provider Request Signing Private Key

You can enter here a private key which will be used to sign the SAML request.Warning: This option is meant only for special cases when the IdP explicitly requires it.

RelayStates

The RelayState parameter tells the Pricefx Core (the Service Provider) to which web page to redirect after a successful user login.

relayStateName - Is a name sent by the Identity Provider.
relayStateURL - Is a URL to jump to.The value can contain:
- replacements
- deep links

Authorization

Authorization management - i.e., Roles and Groups - must still be maintained in Pricefx.

The list of Roles and Groups - can be also synced by a custom integration job with Active Directory (or similar system).

User Provisioning

A matching User object has to exist in Pricefx. It cannot exist only at Identity Provider.

The list of Users can be also synced by a custom integration job with Active Directory (or similar system).

Identity Provider Configuration

This configuration is done by customer on their side.

Azure Identity Provider Specific Settings

The customer (using Azure as ID provider) may ask you for the "Identifier (Entity ID)" and "Reply URL". In both cases, the URL https://www.pricefx.eu/pricefx/<partition>/saml/signon (provide the right DNS name and partition) should be used. In case you are using a dedicated instance with a hostname other than "www.pricefx.eu", use your hostname instead.

Identifier (Entity ID)

Entity ID would be the so-called sign-on URL like https://www.pricefx.eu/pricefx/<partition>/saml/signon (provide the correct DNS name and partition).

Reply URL

Reply URL or ACS or assertion URL would be the "consume URL": https://www.pricefx.eu/pricefx/<partition>/saml/consume

OKTA Identity Provider Specific Settings

For details about the configuration options, see SAML Configuration in Documentation.

References

Documentation

Knowledge Base

External

SAML
Authentication vs Authorization: