SAML
Configuration
- For a SAML provider setup, create a new Regular or Single Page web application under Applications.
- Upon creation, head straight to Addons and select the SAML2 WEB APP plugin.
- Select settings and copy the ACS URL from the SSO provider form on the FUYL Portal into the Application Callback URL field.
- Within the Settings code section, uncomment the audience and mappings properties. The audience property is the Entity ID of the FUYL Portal, which is provided in the SSO provider form.
- The mappings property lists the user attributes that are released to the FUYL Portal on user sign-in. Please refer to Auth0 SAML attribute mapping for more information. In the example below, the values on the right are the attribute names to be set on the FUYL Portal to map the name and email user attributes:
  {
    "mappings": {
      "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
      "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
    }
  }
- Expand the Advanced Settings section below and look for the SAML Metadata URL endpoint under the Endpoints tab. Copy the endpoint URL into the Metadata document form field on the FUYL Portal. Alternatively, the raw metadata file, which can be downloaded from the SAML usage configuration modal under Addons, can be uploaded instead.
- Save the application.
Assigning custom roles for an SSO user
Custom roles need to be set up per user by configuring a key-value pair in the user's app_metadata. The key is a custom attribute in Auth0 that is referenced by the application's mappings. The value is the ID of a role listed in the Roles section of the FUYL Portal, located within the accounts page.
- In your SAML application, open the SAML2 Web App addon and go to the Settings section.
- Under mappings, add a new key-value pair. The mapping key should match the app_metadata key described above.
- The mapping value should be set to the same value as the Roles attribute map in the FUYL Portal.
If an invalid role ID is assigned to a user, the SSO login to the FUYL Portal will fail.
If the Roles attribute mapping is not set in FUYL Portal, all SSO users will be granted the default Admin role.
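The following is an added example (not PC Locs or Auth0 code) showing how a service provider would read the mapped name, email and role attributes out of an assertion produced by the mappings above and apply the two role rules just stated. The assertion is constructed for the example, and the role claim URI is a hypothetical value chosen for the custom app_metadata mapping.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml in production

# Claim URIs are the mapping values from this page; the role claim URI is a hypothetical
# value chosen for the custom app_metadata role mapping.
NAME_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_CLAIM = "http://schemas.example.com/claims/fuyl_role"  # hypothetical
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement; the SAML Response signature is assumed to have been
# verified before any attribute in it is trusted.
ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:AttributeStatement>
    <saml:Attribute Name="{NAME_CLAIM}"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{EMAIL_CLAIM}"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{ROLE_CLAIM}"><saml:AttributeValue>role-123</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_attributes(xml_text):
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs


def resolve_sso_user(xml_text, roles_claim, known_roles):
    """Build the portal user from the assertion using the rules stated on this page.
    roles_claim is the Roles attribute map (None when it is not set in the portal);
    known_roles maps role IDs from the portal's Roles section to role names.
    Returns None when the SSO login must be rejected."""
    attrs = parse_attributes(xml_text)
    name = attrs.get(NAME_CLAIM, [None])[0]
    email = attrs.get(EMAIL_CLAIM, [None])[0]
    if not email:
        return None  # no email attribute: the user cannot be identified
    if roles_claim is None:
        role = "Admin"  # Roles mapping not set: every SSO user gets the default Admin role
    else:
        ids = attrs.get(roles_claim, [])
        if len(ids) != 1 or ids[0] not in known_roles:
            return None  # missing or invalid role ID: the SSO login fails
        role = known_roles[ids[0]]
    return {"name": name, "email": email, "role": role}
```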
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.
OIDC
Configuration
- For an OIDC provider setup, create a new Regular Web Application under Applications. A new set of client details will be generated.
- Copy the following details from the application's Basic Information section into the SSO provider form on the FUYL Portal:
  - Client ID
  - Client Secret - optional but recommended
  - Domain - the https:// scheme needs to be prepended to the domain
- Set the Token Endpoint Authentication Method under the Application Properties section to None if the client secret is not used. Otherwise, set the method to either Basic or Post.
- As for the Application URIs, only the Allowed Callback URLs field needs to be set. Copy the callback URL from the SSO provider form on the FUYL Portal into the list. The other fields in the section can be left as is.
- Ensure that Authorisation Code is enabled under Grant Types in Advanced Settings, as the FUYL Portal exchanges this code for authentication tokens after an SSO user signs in.
- Save the application.
Attribute mappings
Authorising the profile scope will map the name user attribute to the FUYL Portal.
Authorising the email scope will map the email user attribute to the FUYL Portal.
Assigning custom roles for an SSO user
Custom roles are currently not supported for Auth0 OIDC in FUYL Portal. Please use SAML to allow custom roles for SSO users.
All SSO users will be granted the Admin role by default.
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.