SAML
Configuration
- For a SAML provider setup, create a new App Integration under Applications and select SAML 2.0.
- Copy the ACS URL from the SSO provider form on the LocknCharge Cloud into the Single sign on URL field. Leave the option to use this URL for the Recipient URL and Destination URL enabled, so all three values are the same.
- Copy the Entity ID from LocknCharge Cloud into the Audience URI (SP Entity ID) field.
- For the attribute statements, specify the user attributes to send when a user signs in to LocknCharge Cloud. The Name field of each statement is the attribute name that LocknCharge Cloud expects (as configured in its attribute mapping); the Value field is the Okta user property from the default User profile editor. For example, a statement with Name firstName and Value user.firstName sends the user's first name under the name firstName.
- The other fields can be left as they are. Complete the remaining steps of the wizard.
- Click on the Identity Provider metadata link and copy the endpoint URL into the Metadata document form field on the LocknCharge Cloud. Alternatively, the raw XML metadata from Okta's SAML setup instructions can be uploaded instead.
- Assign users or groups to the SAML application to grant access to the LocknCharge Cloud. This assignment is the access control for SSO: users in the directory who are not assigned will not be able to sign in.
Assigning custom roles for an SSO user
Custom roles are set per user by adding a custom attribute to the user's Okta profile. The attribute name must match the Roles attribute mapping set in LocknCharge Cloud, and the SAML application needs an attribute statement for that attribute so it is included in the assertion.
The roles attribute value must be a valid ID of a role listed in the LocknCharge Cloud Roles section located within the accounts page. If an invalid role ID is assigned to a user, that user's SSO login to the LocknCharge Cloud will fail.
If the Roles attribute mapping is not set in LocknCharge Cloud, all SSO users will be granted the default Admin role. Every user assigned to the application therefore becomes an administrator; set the mapping and assign explicit role IDs if any SSO user should have less than full access.
Troubleshooting
User attributes are not mapped on user sign-in:
Ensure that the attribute statements in the SAML application's general settings are configured, and that their names match the mappings in the SSO provider form on the LocknCharge Cloud. Standard Okta user attributes such as firstName, lastName and email are available by default.
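The following is an added example for the SAML configuration, Roles mapping and attribute troubleshooting above; it is not LocknCharge or Okta code. It decodes a SAMLResponse as posted to the ACS URL, lists the attribute statements, checks that Destination, Recipient and Audience match the ACS URL and Entity ID entered in the Okta app, and applies the Roles rules this page describes. The ACS URL, Entity ID, attribute name `roles` and role IDs are hypothetical placeholders, and the sample response is constructed and unsigned. It does not verify the XML signature, so use it to debug mappings, never as an authentication check.

```python
"""Inspect a SAMLResponse against the values entered in the Okta app.

Added example, not LocknCharge or Okta code. No signature validation is done
here; a real service provider must verify the assertion signature first.
"""
import base64
from xml.etree import ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Hypothetical values; replace with the ACS URL, Entity ID, Roles attribute
# mapping and role IDs shown in your own LocknCharge Cloud account.
ACS_URL = "https://cloud.example.invalid/sso/saml/acs"
ENTITY_ID = "https://cloud.example.invalid/sso/saml/metadata"
ROLES_ATTRIBUTE = "roles"
VALID_ROLE_IDS = {"role_123", "role_456"}
REQUIRED_ATTRIBUTES = ("firstName", "lastName", "email")


def build_sample_response(role_id="role_123", audience=ENTITY_ID, recipient=ACS_URL):
    """Construct an unsigned sample SAMLResponse (base64) for offline testing."""
    roles_xml = (
        f'<saml:Attribute Name="{ROLES_ATTRIBUTE}">'
        f"<saml:AttributeValue>{role_id}</saml:AttributeValue></saml:Attribute>"
        if role_id is not None else ""
    )
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jane.doe@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>{audience}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.invalid</saml:AttributeValue></saml:Attribute>
      {roles_xml}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()


def parse_saml_response(b64_response):
    """Decode the posted SAMLResponse; return (root element, {attribute name: [values]})."""
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.iterfind("saml:AttributeValue", NS)]
    return root, attrs


def check_response(b64_response, roles_attribute=ROLES_ATTRIBUTE):
    """Return (findings, attributes). An empty findings list means the values line up."""
    root, attrs = parse_saml_response(b64_response)
    findings = []
    # Single sign on URL is used for both Destination and Recipient in the Okta app.
    if root.get("Destination") != ACS_URL:
        findings.append("Destination does not match the ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != ACS_URL:
        findings.append("Recipient does not match the ACS URL")
    # Audience URI (SP Entity ID) must equal the Entity ID from LocknCharge Cloud.
    if root.findtext(".//saml:Audience", namespaces=NS) != ENTITY_ID:
        findings.append("Audience does not match the Entity ID")
    for name in REQUIRED_ATTRIBUTES:
        if name not in attrs:
            findings.append(f"attribute statement '{name}' missing")
    # Roles rules from the page: no mapping -> default Admin; invalid ID -> login fails.
    if roles_attribute is None:
        findings.append("no Roles mapping: user will get the default Admin role")
    elif roles_attribute not in attrs:
        findings.append(f"roles attribute '{roles_attribute}' not sent; add an attribute statement")
    else:
        bad = [r for r in attrs[roles_attribute] if r not in VALID_ROLE_IDS]
        if bad:
            findings.append(f"invalid role ID(s) {bad}: login will fail")
    return findings, attrs


if __name__ == "__main__":
    for label, resp in [("valid", build_sample_response()),
                        ("bad role", build_sample_response(role_id="nope"))]:
        findings, attrs = check_response(resp)
        print(label, attrs, findings or "OK")
```

To use it on a real login, capture the SAMLResponse form field from the browser's network tab and pass it to `check_response`; compare the attribute names it prints with the mappings in the SSO provider form.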
Other issues signing in after entering the provider name:
If the instructions above have been followed and the suggestions here do not resolve the issue, please contact LocknCharge support for assistance.
OIDC
Configuration
- For an OIDC provider setup, create a new App Integration under Applications. Select OIDC - OpenID Connect and Web Application as the application type. Other application types are not supported.
- Add the callback URL from the SSO provider form on the LocknCharge Cloud to the Sign-in redirect URIs; it must match exactly. Ensure the Authorisation Code grant type under General Settings is enabled. Set the controlled access for the OIDC application based on your preference. All other fields can be left at their defaults.
- Copy the following details from the client credentials and general settings sections into the SSO provider form on the LocknCharge Cloud.
- Client ID
- Client secret
- Okta domain, with https:// prepended, since Okta shows only the bare host name
- View the assignments section to determine which users or groups will have access to the LocknCharge Cloud on sign-in.
- Assigned users will be able to sign in with SSO from the LocknCharge Cloud login screen once both sides have been set up correctly.
Attribute mappings
- Authorising the profile scope maps the name user attribute to the LocknCharge Cloud. Okta sets the name claim automatically by concatenating the user's first name and last name.
- Authorising the email scope will map the email user attribute to the LocknCharge Cloud.
Assigning custom roles for an SSO user
Custom roles are currently not supported for Okta OIDC in LocknCharge Cloud. Please use SAML to allow custom roles for SSO users.
If the roles scope is authorised in LocknCharge Cloud, SSO logins may fail.
All SSO users will be granted the Admin role by default.
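The following is an added example for the OIDC configuration, attribute mappings and roles scope caveat above; it is not LocknCharge or Okta code. It shows the authorisation code request a web application sends to Okta (with the https:// prefix rule for the Okta domain, the exact redirect URI, and only the openid, profile and email scopes), and decodes the name and email claims from the ID token that comes back. The client ID, redirect URI, Okta domain and token are constructed placeholders, the token is unsigned, and the `/oauth2/v1/authorize` path assumes the Okta org authorization server.

```python
"""Authorization code request to Okta and ID token claim mapping.

Added example, not LocknCharge or Okta code. The sample ID token is
constructed and unsigned; real tokens must be verified before use.
"""
import base64
import hashlib
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Scopes this page says LocknCharge Cloud uses; 'roles' is not supported for OIDC.
SUPPORTED_SCOPES = {"openid", "profile", "email"}


def normalise_okta_domain(domain):
    """Okta shows the bare host (for example dev-123456.okta.com); the SSO form needs https://."""
    domain = domain.strip().rstrip("/")
    if domain.startswith("http://"):
        raise ValueError("Okta domain must use https://, not http://")
    if not domain.startswith("https://"):
        domain = "https://" + domain
    return domain


def check_scopes(scopes):
    """Return the requested scopes that are not supported (non-empty means logins may fail)."""
    return sorted(set(scopes) - SUPPORTED_SCOPES)


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def pkce_pair():
    """Fresh PKCE verifier and S256 challenge for one authorization request."""
    verifier = secrets.token_urlsafe(64)
    return verifier, _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(verifier, challenge):
    """The check the token endpoint performs when the code is redeemed."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest()) == challenge


def build_authorize_url(okta_domain, client_id, redirect_uri,
                        scopes=("openid", "profile", "email"), state=None, code_challenge=None):
    """Authorisation Code request. redirect_uri must exactly match a Sign-in redirect URI in Okta."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required for OIDC")
    bad = check_scopes(scopes)
    if bad:
        raise ValueError(f"unsupported scope(s) for LocknCharge Cloud: {bad}")
    params = {
        "client_id": client_id,
        "response_type": "code",          # Authorisation Code grant, as enabled in General Settings
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state or secrets.token_urlsafe(16),  # ties the callback to this request
    }
    if code_challenge:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    # Org authorization server path (assumption); custom servers use /oauth2/<id>/v1/authorize.
    return f"{normalise_okta_domain(okta_domain)}/oauth2/v1/authorize?{urlencode(params)}"


def authorize_params(url):
    """Parse the query string of an authorize URL into {name: value} for inspection."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def make_sample_id_token(issuer="https://dev-123456.okta.com", client_id="0oaexample"):
    """Constructed ID token carrying the claims the profile and email scopes add.
    The signature segment is a placeholder; Okta signs real tokens with RS256."""
    header = {"alg": "RS256", "kid": "constructed"}
    claims = {
        "iss": issuer, "aud": client_id, "sub": "00uexample",
        "name": "Jane Doe",                   # profile scope: Okta joins first and last name
        "given_name": "Jane", "family_name": "Doe",
        "email": "jane.doe@example.invalid",  # email scope
    }
    return ".".join(_b64url(json.dumps(p).encode()) for p in (header, claims)) + ".placeholder"


def id_token_claims(id_token):
    """Decode the payload only; verify signature, iss, aud and exp with a JWT library before trusting it."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def user_attributes(claims):
    """The two attributes this page says are mapped into LocknCharge Cloud."""
    return {"name": claims.get("name"), "email": claims.get("email")}


if __name__ == "__main__":
    verifier, challenge = pkce_pair()
    url = build_authorize_url("dev-123456.okta.com", "0oaexample",
                              "https://cloud.example.invalid/sso/oidc/callback",
                              code_challenge=challenge)
    print(url)
    print(user_attributes(id_token_claims(make_sample_id_token())))
```

When a login fails, compare the `redirect_uri` and `scope` values printed for the request with the Sign-in redirect URIs and the scopes authorised in LocknCharge Cloud; a `roles` scope or a redirect URI that differs by even a trailing slash is enough to break the flow.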
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact LocknCharge support for assistance.