Single Sign-On (SSO)



Single Sign-On (e.g. LDAP, Shibboleth)

CivicReady can integrate with your Single Sign-On system, including LDAP, OpenLDAP, Active Directory (AD), SAML, CAS, and Shibboleth. The instructions below describe what we need from you to complete the integration.

Please note: once the connection is established, make sure a UserName is uploaded for every user if that is the attribute you pass to us for authentication.

LDAP/AD Setup

To set up LDAP/AD authentication, we need:
  1. IP addresses enabled
  2. LDAP/AD connection details
  3. LDAP/AD account with read access
  4. Sample LDAP/AD entry
CivicReady IP addresses to be Enabled:
  • 209.20.67.27
  • 67.207.132.197
  • 209.20.71.38
  • 67.207.138.71
  • 67.207.138.187
  • 209.20.68.52
Example of LDAP/AD connection details:

Example 1:
CN=CivicReady Services,OU=Domain Users,DC=xxxxx,DC=local

Example 2:
IP: 2xx.xx.xx.xx:389
Username: CivicReady
Password: xxxxx
Base: DC=citylabs, DC=edu
CN=Users
Test case: citylabs\passw0rd

Whitelist CivicReady Emails

Please whitelist the hostnames and IP addresses of our email servers, listed below:
  • vinayaka.regroup.com 67.207.143.248
  • anjaneya.regroup.com 162.209.9.103
  • veera.regroup.com 162.209.88.57
  • radha.regroup.com 166.78.237.237
  • ganga.regroup.com 192.237.185.183
  • yamuna.regroup.com 192.237.186.88

CAS Setup

Please provide us with the CAS link and a test user/password for your CAS server so that we can test and implement the integration.

We will be using this URL for connecting to your CAS. Please add/authorize this domain on your CAS server.

https://network-coded-name.regroup.com (for example https://civicplus.regroup.com). "civicplus" and "network-coded-name" are examples; you need the coded name for your organization, which we provide during and after the implementation.

SAML Setup & Shibboleth

Please create an issuer for CivicReady at your end. The assertion consumer service URL must be https://network-coded-name.regroup.com/saml/consume (for example https://civicplus.regroup.com/saml/consume) and the issuer title must be https://network-coded-name.regroup.com (for example https://civicplus.regroup.com). Also provide us with the IdP SSO URL and a test account.

Please provide a test user including the user name and password.

Configuring ADFS 2.0/3.0 to Communicate with SAML 2.0

ADFS Relying Party Configuration

  1. Open the ADFS Management console and select Relying Party Trusts.
  2. Select "Add Relying Party Trust…" from the top right corner of the window. (The add wizard appears.)
  3. Click Start to begin.
  4. Select "Enter data about relying party manually".
  5. Give it a display name such as CivicReady and enter any notes you want.
  6. Select ADFS 3.0/2.0 Profile.
  7. You will be prompted to browse for a certificate to encrypt and decrypt the claims. Skip this step by pressing Next.
  8. Do not enable any settings on the Configure URL.
  9. Enter the CivicReady Web site to which you connected as the Relying Party trust identifier. In this case use https://coded_name.regroup.com and click Add.
  10. Permit all users to access this relying party.
  11. Click Next and clear the check box that opens the claim rules when the wizard finishes.
  12. Close this page. The new relying party trust appears in the window.
  13. Right-click on the relying party trust and select Properties.
  14. Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
  15. Browse to the Endpoints tab and add a SAML Assertion Consumer with a POST binding and a URL of https://coded_name.regroup.com/saml/consume.

ADFS Relying Party Claim Rules

Edit the claim rules to enable proper communication with the CivicReady system.

  1. Right-click on the relying party trust and select Edit Claim Rules….
  2. On the Issuance Transform Rules tab select Add Rules….
  3. Select Send LDAP Attribute as Claims as the claim rule template to use.
  4. Give the claim a name such as Get LDAP Attributes.
  5. Set the Attribute Store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
  6. Select Finish.
  7. Select Add Rule….
  8. Select Transform an Incoming Claim as the claim rule template to use.
  9. Give it a name such as Email to Name ID. The Incoming claim type should be E-mail Address (it must match the Outgoing Claim Type in rule #1). The Outgoing claim type is Name ID (CivicReady requests the policy urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) and the Outgoing name ID format is Email. Pass through all claim values and click Finish.
  10. If you edit the existing rule and click View Rule Language…, they should match the following:

Rule #1:

c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

Rule #2:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

Single Logout Support

To create a SAML logout endpoint in your RP trust configuration in ADFS:

  1. Go to ADFS manager > Trust Relationships > Relying Party Trusts > properties.
  2. Under the Endpoints tab, click Add.
  3. Configure the settings:
    • Endpoint Type: SAML Logout
    • Binding: POST
    • URL: https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
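
The relying party trust, claim rules and SAML Logout endpoint from the steps above, expressed as an ADFS PowerShell script. This is an added example, not CivicReady's own instructions; it assumes an elevated session on the ADFS server with the ADFS module available, and keeps the page's coded_name and myadfsserver.domain.net placeholders.

```powershell
# Added example (not part of the CivicReady instructions): scripted equivalent of
# the ADFS relying party, claim rule and single logout steps. Placeholders
# (coded_name, myadfsserver.domain.net) are the ones used on this page.
Import-Module ADFS

$rpName     = "CivicReady"
$identifier = "https://coded_name.regroup.com"      # relying party trust identifier / SAML issuer title
$acsUrl     = "$identifier/saml/consume"            # assertion consumer service URL (step 15)
$logoutUrl  = "https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0"   # SAML Logout endpoint

# Issuance transform rules: Rule #1 looks up the mail attribute for the Windows
# account; Rule #2 re-issues that e-mail claim as a NameID in emailAddress format.
$transformRules = @'
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Step 10, "Permit all users to access this relying party", as an authorization rule.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Endpoints: SAML Assertion Consumer (POST) and SAML Logout (POST).
$endpoints = @(
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer -Uri $acsUrl -Index 0 -IsDefault $true
    New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
)

Add-AdfsRelyingPartyTrust -Name $rpName `
    -Identifier $identifier `
    -IssuanceTransformRules $transformRules `
    -IssuanceAuthorizationRules $authzRules `
    -SamlEndpoint $endpoints `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1"   # SHA-1, as step 14 specifies

# Verification: confirm the identifier, signature algorithm, endpoints and rules that were applied.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Identifier, SignatureAlgorithm, SamlEndpoints, IssuanceTransformRules
```

The final Get-AdfsRelyingPartyTrust output is what to compare against the View Rule Language text in the steps above before handing the metadata URL and SSO URL to CivicReady.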

Once you are done, please provide us with:

  • the metadata URL, for example:
    https://example.domain.edu/FederationMetadata/2007-06/FederationMetadata.xml
  • the SSO URL, for example:
    https://example.domain.edu/adfs/ls/
  • the LDAP Attribute/Outgoing Claim Type.

Also please provide CivicReady with a test account including the username and password in order for us to verify the implementation.
