Instructions
The Single sign-on (SSO) feature is only available to accounts on the integrated tier, and only to users with owner permissions for that account. By enabling this feature, an account owner is granted the ability to configure an SSO provider in the FUYL Portal so that users from their SSO provider directory can access the portal externally.
Setting up an SSO provider requires some technical knowledge of how Single sign-on works. As an account owner, you agree to take responsibility for any actions performed in the FUYL Portal by users in your SSO provider directory.
Configuring an SSO provider in the FUYL Portal
Please read the following instructions to configure an SSO provider:
- Log in to the FUYL Portal and head to the Single Sign-On (SSO) section under Integrations and click New SSO Provider to set up an SSO provider.
- There will be 2 provider options to select from (OIDC or SAML). Either provider type works just as well, but SAML is suggested when you need to map custom attributes rather than authorising the standard scopes available with OIDC.
- The provider name can be anything and does not have to match the SSO provider's own name. SSO users will be required to enter this provider name on the SSO screen. Please note that the name is unique in our system; if it is already taken, an alternative name will need to be provided.
OIDC provider
- Client ID - tenant ID of an OIDC application.
- Client Secret - secret password that should be kept confidential between LocknCharge and the OIDC application. This is optional for certain OIDC applications, but it is highly recommended to provide it for more secure authentication of SSO users.
- Domain - issuer URL of an OIDC application.
- Request Method - HTTP method used to fetch SSO user attributes from the userinfo endpoint of an OIDC application. If unsure, leave as GET.
- Authorise scopes - grant LocknCharge privileges to access specific user details. Each requested scope contains a set of information known as claims, which are mapped and stored in the LocknCharge system when the user signs in with SSO.
  - profile - name
  - email - email
- Callback URL - FUYL Portal endpoint to which an access token is sent after an SSO user signs in. This URL must be added to the callback URLs of the SSO provider's OIDC application. If the access token is valid, the user is redirected back to the FUYL Portal and into the dashboard.
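The OIDC fields above are easy to get subtly wrong: the Domain must match the issuer value the provider publishes exactly, and the Callback URL must be registered on the provider's application as the same string. The following pre-flight check is an added example, not FUYL Portal or LocknCharge code. SAMPLE_DISCOVERY stands in for the JSON an OIDC provider serves at its discovery URL, and SAMPLE_REGISTERED_REDIRECTS for the callback URLs registered on that provider's application; both are constructed sample data, and the example hostnames are assumptions.

```python
"""Pre-flight checks for the OIDC fields the FUYL Portal asks for.

Added example, not part of the FUYL Portal or LocknCharge code. SAMPLE_DISCOVERY
stands in for the JSON an OIDC provider serves at
<Domain>/.well-known/openid-configuration, and SAMPLE_REGISTERED_REDIRECTS for
the callback URLs registered on the provider's application; both are constructed.
"""
import json
from urllib.parse import urlparse

# Constructed sample discovery document (hostnames are assumptions).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/.well-known/jwks.json",
    "scopes_supported": ["openid", "profile", "email"],
    "claims_supported": ["sub", "name", "email"],
    "response_types_supported": ["code"],
})

# Constructed: redirect URIs registered on the provider's OIDC application.
SAMPLE_REGISTERED_REDIRECTS = ["https://portal.example.test/sso/oidc/callback"]

# Scope -> claims that the page says are mapped on single sign-on.
SCOPE_CLAIMS = {"profile": ["name"], "email": ["email"]}
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint",
                      "userinfo_endpoint", "jwks_uri")


def _is_https(url):
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def check_oidc_settings(domain, client_secret, request_method, scopes,
                        callback_url, discovery_json, registered_redirects):
    """Return a list of human-readable problems; an empty list means the
    portal-side fields are consistent with what the provider publishes."""
    problems = []
    if not _is_https(domain):
        problems.append("Domain (issuer URL) must be an https URL")
    if not client_secret:
        problems.append("Client Secret is empty; the token exchange will run as a public client")
    if request_method.upper() not in ("GET", "POST"):
        problems.append(f"Request Method {request_method!r} is not GET or POST")

    try:
        doc = json.loads(discovery_json)
    except json.JSONDecodeError:
        problems.append("discovery document is not valid JSON")
        return problems

    # OIDC Discovery requires the published issuer to equal the configured
    # issuer URL byte for byte: a trailing slash is already a mismatch.
    if doc.get("issuer") != domain:
        problems.append(f"issuer mismatch: configured {domain!r}, provider says {doc.get('issuer')!r}")
    for key in REQUIRED_ENDPOINTS:
        if key not in doc:
            problems.append(f"discovery document lacks {key}")
        elif not _is_https(doc[key]):
            problems.append(f"{key} is not an https URL")

    supported_scopes = set(doc.get("scopes_supported", []))
    supported_claims = set(doc.get("claims_supported", []))
    for scope in scopes:
        if supported_scopes and scope not in supported_scopes:
            problems.append(f"scope {scope!r} is not advertised by the provider")
        for claim in SCOPE_CLAIMS.get(scope, []):
            if supported_claims and claim not in supported_claims:
                problems.append(f"claim {claim!r} from scope {scope!r} is not advertised; it would map as empty")

    # Providers compare redirect_uri by exact string equality, so the callback
    # must be https, carry no fragment, and be registered verbatim.
    if not _is_https(callback_url) or urlparse(callback_url).fragment:
        problems.append("Callback URL must be https and carry no fragment")
    if callback_url not in registered_redirects:
        problems.append("Callback URL is not registered verbatim on the OIDC application")
    return problems


if __name__ == "__main__":
    for p in check_oidc_settings("https://idp.example.test/", "", "PUT",
                                 ["profile", "email", "groups"],
                                 "https://portal.example.test/sso/oidc/callback/",
                                 SAMPLE_DISCOVERY, SAMPLE_REGISTERED_REDIRECTS):
        print("-", p)
```

Run it against the real discovery document (fetched from the Domain with `/.well-known/openid-configuration` appended) and the redirect URIs shown in the provider's application settings; every reported problem corresponds to a field in the list above.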
SAML provider
- Metadata document - XML file or endpoint URL that contains details of a SAML application such as issuer name, expiration details and keys used to validate authentication response (assertions).
- Entity ID - unique identifier of the FUYL Portal directory required for a SAML application to provide SAML-based services to.
- ACS URL - also known as Assertion Consumer Service URL, is an endpoint of the FUYL Portal service that accepts SAML responses from a SAML application to establish an authenticated session for a user.
- After configuring an SSO provider in both the FUYL Portal and the provider application, SSO users will be able to sign in with SSO. An SSO URL link will also be available in the list and configuration screens as a shortcut for SSO users to sign in with ease.
- To verify the configuration, click Test on the selected provider to ensure the FUYL Portal is able to establish a connection to the SSO provider's login screen.
- If an SSO user wishes to sign in as a different user, they need to log out of the provider and log in with a different user.
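The SAML metadata document is where the issuer name, expiration details and assertion-signing keys described above come from, and an expired document or one without a signing key will fail the Test step. The inspector below is an added example, not FUYL Portal or LocknCharge code; SAMPLE_IDP_METADATA is a constructed identity-provider metadata document whose certificate text is a placeholder rather than a real key, and the hostnames are assumptions.

```python
"""Inspect a SAML IdP metadata document before pasting it into the FUYL Portal.

Added example, not part of the FUYL Portal or LocknCharge code. It pulls out the
issuer name (entityID), the expiration (validUntil) and the signing keys, and
reports the problems that would stop sign-in from working.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed sample; the certificate is a placeholder, not a real key.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml"
    validUntil="2031-01-01T00:00:00Z">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDER-BASE64-CERT-NOT-A-REAL-KEY</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _parse_saml_instant(value):
    # SAML dateTime values are UTC and end in "Z"; fromisoformat wants "+00:00".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def inspect_idp_metadata(xml_text, now=None):
    """Return a summary dict; an empty 'findings' list means the document is usable."""
    now = now or datetime.now(timezone.utc)
    # For metadata from an untrusted source, parse with defusedxml instead.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    findings = []
    valid_until = root.get("validUntil")
    expires = _parse_saml_instant(valid_until) if valid_until else None
    expired = expires is not None and expires <= now
    if expired:
        findings.append(f"metadata expired at {valid_until}")

    summary = {"entity_id": root.get("entityID"), "valid_until": valid_until,
               "expired": expired, "signing_certs": [], "sso_endpoints": {},
               "findings": findings}
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        findings.append("no IDPSSODescriptor: this is not identity-provider metadata")
        return summary

    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            summary["signing_certs"].append("".join((cert.text or "").split()))
    if not summary["signing_certs"]:
        findings.append("no signing certificate: assertions could not be validated")

    for svc in idp.findall(f"{{{MD}}}SingleSignOnService"):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]
        location = svc.get("Location", "")
        summary["sso_endpoints"][binding] = location
        if not location.startswith("https://"):
            findings.append(f"{binding} SSO endpoint is not https: {location}")
    if not summary["sso_endpoints"]:
        findings.append("no SingleSignOnService endpoint")
    return summary


if __name__ == "__main__":
    report = inspect_idp_metadata(SAMPLE_IDP_METADATA)
    print(report["entity_id"], "expires", report["valid_until"])
    print("findings:", report["findings"] or "none")
```

Point it at the metadata XML file or the text fetched from the metadata endpoint URL; the entity_id it reports is the issuer the provider will put in its assertions, and the validUntil date tells you when the metadata (and therefore the configured provider) needs refreshing.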
Attribute mappings
Authorising a profile scope will map personal user details to the FUYL Portal. The names will be used to identify an SSO user for any actions performed while signed in to the FUYL Portal. All actions will be logged and shown in the Event Logs page. Alternatively, uncheck the scope for an OIDC provider, or leave the attribute mapping fields empty for a SAML provider, to not map any user profile attributes.
Authorising an email scope will send any exported CSV data to the SSO user's email. This includes a directory of users and locker usage reports. If the user profile attributes are not mapped, the email attribute will be used instead to identify the user in the cloud. If the email scope is not authorised, the SSO user will receive in-app notifications for CSV exports in the cloud.
If neither scope is authorised and no user attributes are mapped, a unique ID of the SSO user from the SSO provider directory will be mapped by default.