SAML
Configuration
- For a SAML provider setup, go to Applications under Connections on the sidebar menu in the administrators environment. Click on the + button to add a new application.
- Select either Web or Single page app application type and enter a name for it.
- Copy the ACS URL from the LocknCharge Cloud into both ACS URLs field. The signing certificate settings can be left as is. Encryption does not need to be enabled.
- Next, copy the Entity ID from the SSO provider form on the LocknCharge Cloud into the Entity ID field. All other fields below can be ignored.
- Set the attribute mappings for the SAML application. The saml_subject will be the user id that gets mapped by default on sign-in to the LocknCharge Cloud. The application attributes are to be set in the SSO provider form on the LocknCharge Cloud. Example: (name = given_name).
- Save the application and toggle the radio button to enable user access to the application.
- Lastly, search for the IDP Metadata URL under the configuration details section when editing the SAML application from the list. Copy the endpoint URL into the Metadata document form field on the LocknCharge Cloud. The raw Metadata file can be uploaded as an option as well.
- Users within the SSO provider directory will now be able to sign-in with SSO and access the LocknCharge Cloud externally.
Assigning custom roles for an SSO user
A custom user attribute will need to be manually set per user. The attribute should be named as roles to match the Roles attribute mapping set in the LocknCharge Cloud. The value assigned should be a valid ID of a role listed in the LocknCharge Cloud Roles section located within the accounts page. Users who login to the LocknCharge Cloud via SSO will be granted limited access based on the permissions set for the assigned role.
If an invalid role ID is assigned to a user, the SSO login to the LocknCharge Cloud will fail.
If the Roles attribute mapping is not set in LocknCharge Cloud, all SSO users will be granted the default Admin role.
Troubleshooting
Issues signing in after entering the provider name:
Given the instructions above are followed, this error may occur due to the SSO user not having permissions to access the LocknCharge Cloud. The SSO user needs to be added to the access control group setup associated to the SAML application. If the problem persists, please contact LocknCharge support for further assistance.
Other issues signing in after entering the provider name:
Given that the instructions above are followed and the solutions suggested here do not resolve any of your issues, please contact LocknCharge support for assistance.
OIDC
Configuration
- For an OIDC provider setup, go to Applications under Connections on the sidebar menu in the administrators environment. Click on the + button to add a new application.
- Select either Web or Single page app application type and enter a name for it.
- Copy the callback URL from the SSO provider form on the LocknCharge Cloud and add it as part of the Redirect URLs section.
- Drag scopes to grant LocknCharge access to the users' attributes. The scopes should match with the requested scopes in the SSO provider form. If none, leave as empty and continue.
- Set the attribute mappings for the OIDC application. The User ID is mapped to sub by default and this will be used as a unique identifier for an SSO user that signs-in to the LocknCharge Cloud. The following application attributes are expected:
- Name
- After the OIDC application has been created, toggle the radio button to enable user access to the application.
- Edit the OIDC application and go to the Configuration section. Copy the following details into the SSO provider form.
- Issuer - domain
- Client ID
- Client secret (optional for a web application but required for a single-page-application)
- Enable Code as one of the response types and Authorization Code as the grant type.
- Leave PKCE enforcement as optional as PKCE is not supported in the LocknCharge Cloud.
- If the client secret is used, the token endpoint authentication method must be set to either Client Secret Basic or Client Secret Post.
- Save the application to complete the configuration.
Attribute mappings
- Authorizing the profile scope will map the name user attributes to the LocknCharge Cloud.
- Authorizing the email scope will map the email user attribute to the LocknCharge Cloud.
- Authorizing the roles scope will map the roles user attribute to the LocknCharge Cloud.
Assigning custom roles for an SSO user
A custom user attribute will need to be manually set per user. The attribute should be named as roles to match the scope in the LocknCharge Cloud. The value assigned should be a valid ID of a role listed in the LocknCharge Cloud Roles section located within the accounts page. Users who login to the LocknCharge Cloud via SSO will be granted limited access based on the permissions set for the assigned role.
If an invalid role ID is assigned to a user, the SSO login to the LocknCharge Cloud will fail.
If the roles scopes is not authorized, all SSO users will be granted the default Admin role.
Troubleshooting
Issues signing in after entering the provider name:
Given the instructions above are followed, this error may occur due to the SSO user not having permissions to access the LocknCharge Cloud. The SSO user needs to be added to the access control group setup associated to the OIDC application. If the problem persists, please contact LocknCharge support for further assistance.
Other issues signing in after entering the provider name:
Given that the instructions above are followed and the solutions suggested here do not resolve any of your issues, please contact LocknCharge support for assistance.