SAML
Configuration
- For a SAML provider setup, create a new App Integration under Applications and select SAML 2.0.
- Copy the ACS URL from the SSO provider form on the FUYL™ Portal into the Single sign on URL field. This will be used for both recipient and destination URLs so leave the option as enabled.
- Copy the Entity ID from FUYL Portal into the Audience URI (SP Entity ID) field.
- For the attribute statements, specify user attributes to map when a user signs in to FUYL Portal. The name fields are values that FUYL Portal expects from the SAML application. The value fields represent user properties defined in the default User profile editor. Example: (name = user.firstName).
- The other fields can be left as they are. Complete the steps.
- Click on the Identity Provider metadata link and copy the endpoint URL into the Metadata document form field on the FUYL Portal. Alternatively, the raw XML metadata from the setup instructions can be uploaded instead.
- Assign users or groups to the SAML application to grant access to the FUYL Portal. Users in the directory who are not assigned will not be able to sign-in.
Assigning custom roles for an SSO user
Custom roles need to be set up per user by adding a new attribute. The attribute name should match the Roles attribute mapping set in FUYL Portal. You will be required to set an attribute statement for the application to correctly map the user attribute.
The roles attribute value must be a valid ID of a role listed in the FUYL Portal Roles section located within the accounts page. If an invalid role ID is assigned to a user, the SSO login to the FUYL Portal will fail.
If the Roles attribute mapping is not set in FUYL Portal, all SSO users will be granted the default Admin role.
Troubleshooting
User attributes are not mapped on user sign-in:
Ensure that the attribute statements in the SAML application general settings are configured and mapped correctly in the SSO provider form on the FUYL Portal. Standard Okta user attributes such as firstName, lastName and email are primarily available.
Other issues signing in after entering the provider name:
Given that the instructions above are followed and the solutions suggested here do not resolve any of your issues, please contact PC Locs support for assistance.
OIDC
Configuration
- For an OIDC provider setup, create a new App Integration under Applications. Select OIDC - OpenID Connect and Web Application as the application type. Other application types are not supported.
- Update the Sign-in redirect URIs with the callback URL from the SSO provider form on the FUYL Portal. Ensure the Authorisation Code under General Settings is enabled. Set the controlled access for the OIDC application based on your preference. All other fields can be left as defaults.
- Copy the following details from the client credentials and general settings sections into the SSO provider form on the FUYL Portal.
- Client ID
- Client secret
- Okta domain - a https:// protocol needs to be prepended to the domain
- View the assignments section to determine which users or groups will have access to the FUYL Portal on sign-in.
- Assigned users will be able to sign-in with SSO on the FUYL Portal login screen given both sides have been set up correctly.
Attribute mappings
- Authorising the profile scope will map the name user attribute to the FUYL Portal. The name attribute will automatically be mapped and set by Okta as it concatenates first name and last name together.
- Authorising the email scope will map the email user attribute to the FUYL Portal.
Assigning custom roles for an SSO user
Custom roles are currently not supported for Okta OIDC in FUYL Portal. Please use SAML to allow custom roles for SSO users.
If the roles scope is authorised in FUYL Portal, SSO logins may fail.
All SSO users will be granted the Admin role by default.
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.