Account Single Sign-On

You can configure PlatformManager for single sign-on (SSO) using SAML: PlatformManager acts as a Service Provider and can integrate with an Identity Provider (IdP), such as Active Directory, Okta or Salesforce. The whole authentication process, including all password management (expiry, complexity, reuse, etc.), is delegated to the Identity Provider.

The SSO setting is account specific.

The setup consists of configuring the Service Provider (= PlatformManager) and the Identity Provider (used at the customer's side, so this part of the setup should be done by the customer). For details see How to Set up SSO.

Options Description

On the account level, the Single Sign-On section has the following options: 

  • Pricefx Identification – Allows you to generate connection information for the given account. It consists of two URLs which the IdP needs to know to connect to Pricefx PlatformManager:

    • Entity ID – Identifies PlatformManager at the IdP side. This is an account specific value. (Depending on IdP terminology, it may also be called Service Provider or Identifier.)

    • Redirect URL – Determines where the IdP should send its response.

  • Pricefx Certificate – Signs outgoing communication from Pricefx. Currently, this is not used and may be left empty. More certificates can be added here, e.g. an expiring one and a new one.

  • Expiry Notification – Notifies selected account users that the Pricefx certificate will expire in one month. 

  • Account Certificate – Verifies the signature on communication from the given Identity Provider. It must be added here to establish a trust relationship with the IdP. More certificates can be added here, e.g. an expiring one and a new one, or when the IdP uses multiple certificates for request signatures.

  • SAML Identity Provider URL – Enter the web address of the SAML SSO page of the Identity Provider. This is where SAML requests from PlatformManager are sent.

  • Email Domain – Enter your company email domain. Only users with this domain in their PlatformManager username will be able to use the SSO login for this account. Any change to the email domain will be sent for approval to ensure that a user is not registering a domain belonging to another client.

  • Entity ID – Identifies the Identity Provider. This URL is unique for use with PlatformManager. (You will get this URL from the customer configuration of the IdP.)

  • Log in using – You can select either email (= PlatformManager username) or SSO username, depending on the setup in the selected IdP. 
    Note:

    • Individual SSO usernames can be set for each user in Administration or users do it themselves in Profile Settings. This value is then mapped to the PlatformManager username (which is an email).

    • When logging in to PlatformManager, users still enter their PlatformManager username (email) to proceed with the first step of the login. In the second step, after the Email Domain check (see above) is successful, they are verified by the IdP.

  • Single Sign-On – Enables or disables the SSO functionality for the given account. This is done only on the PlatformManager side; it has no impact on the IdP. Available options:

    • SSO only: All login methods except SAML are disabled for the user. When the user's username is entered on the login screen, they are redirected to the SAML IdP.

    • SSO + Username/Password (default): User can use both login methods.

    • Disabled: The Single Sign-On login method is disabled. The user can log in only with a username and password.

All actions are logged in both the Account Activity Log and the global Activity Log. These records include who added/changed/deactivated an SSO record, and who created/deleted a certificate or an SSO username.

The login is done in two steps. 

[Image: SSO.png]
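The two login steps and the account-level checks described above, as an added example (not PlatformManager's own code): step 1 applies the Single Sign-On mode and the Email Domain check before redirecting to the SAML Identity Provider URL, and step 2 checks an already-parsed IdP assertion against the configured Entity IDs and Account Certificates, then maps its subject to the PlatformManager username according to the "Log in using" setting. All class and field names, the sample account values and the assertion layout are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import Enum

class SsoMode(Enum):
    SSO_ONLY = "SSO only"
    SSO_OR_PASSWORD = "SSO + Username/Password"
    DISABLED = "Disabled"

@dataclass
class AccountSso:
    """Hypothetical model of the account-level SSO settings listed above."""
    sp_entity_id: str             # Pricefx Identification > Entity ID
    idp_entity_id: str            # Entity ID of the Identity Provider
    idp_sso_url: str              # SAML Identity Provider URL
    email_domain: str
    mode: SsoMode
    login_using: str              # "email" or "sso_username"
    trusted_idp_certs: frozenset  # Account Certificate fingerprints (old + new allowed)
    sso_usernames: dict = field(default_factory=dict)  # SSO username -> email

def step_one(acct, username):
    """Step 1: user enters the PlatformManager username (email); decide the path."""
    domain = username.rpartition("@")[2].lower()
    if acct.mode is SsoMode.DISABLED:
        return ("password", None)
    if domain != acct.email_domain.lower():
        # Other domains cannot use this account's SSO (assumed: denied in SSO-only mode)
        return ("password", None) if acct.mode is SsoMode.SSO_OR_PASSWORD else ("denied", None)
    return ("redirect", acct.idp_sso_url)

def step_two(acct, username, assertion):
    """Step 2: check the parsed IdP assertion and map its subject back to the user."""
    if assertion["issuer"] != acct.idp_entity_id:
        raise ValueError("not issued by the configured IdP")
    if assertion["audience"] != acct.sp_entity_id:
        raise ValueError("not addressed to this account's Entity ID")
    if assertion["signing_cert"] not in acct.trusted_idp_certs:
        raise ValueError("signed with a certificate that is not an Account Certificate")
    subject = assertion["name_id"]
    mapped = subject if acct.login_using == "email" else acct.sso_usernames.get(subject)
    if mapped is None or mapped.lower() != username.lower():
        raise ValueError("assertion subject does not match the user from step 1")
    return mapped

# Constructed sample account; all values are placeholders, not real endpoints.
ACCOUNT = AccountSso("urn:example:pfx-sp:acme", "https://idp.example.test/metadata",
                     "https://idp.example.test/sso", "acme.example", SsoMode.SSO_ONLY,
                     "sso_username", frozenset({"CERT-OLD", "CERT-NEW"}),
                     {"jdoe": "jane.doe@acme.example"})
```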

PlatformManager version 1.75.0