SAML
Configuration
- For a SAML provider setup, create a new Regular or Single Page web application under Applications.
- Upon creation, head straight to Addons and select the SAML2 WEB APP plugin.
- Select settings and copy the ACS URL from the SSO provider form on the PC Locs Cloud into the Application Callback URL field.
- Within the Settings code section, uncomment the properties audience and mappings. The audience property represents the Entity ID of the PC Locs Cloud which is provided in the SSO provider form.
- The mappings property lists the user attributes released to the PC Locs Cloud on user sign-in. Please refer to Auth0 SAML attribute mapping for more information. In the example below, the values on the right are the attribute names to enter in the PC Locs Cloud to map the name and email user attributes:
{
  "mappings": {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
  }
}
- Expand the Advanced Settings section below and look for the SAML Metadata URL endpoint under the Endpoints tab. Copy the endpoint URL into the Metadata document form field on the PC Locs Cloud. Alternatively, upload the raw metadata file instead, which can be found in the SAML usage configuration modal under Addons.
- Save the application.
Assigning custom roles for an SSO user
Custom roles need to be set up per user by configuring a key-value pair under the user's app_metadata. The key is a custom attribute in Auth0 that the application's mappings refer to. The value is the ID of a role listed in the Roles section of the PC Locs Cloud accounts page.
- In your SAML application, go to the SAML2 web app and head to the Settings section.
- Under mappings, add a new key-value pair. The mapping key should match the key of the user's app_metadata as mentioned above.
- The value should be set to the same value as the Roles attribute map in the PC Locs Cloud.
If an invalid role ID is assigned to a user, the SSO login to the PC Locs Cloud will fail.
If the Roles attribute mapping is not set in PC Locs Cloud, all SSO users will be granted the default Admin role.
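The following is an added example, not code from the page or from PC Locs or Auth0, of how the mappings above and the custom-role rules play out once an assertion reaches the service provider: it extracts the mapped attributes from a constructed, unsigned assertion fragment (a real assertion is signature-verified before any of this) and applies the page's rules for a valid role ID, an invalid one, and a missing Roles mapping. The claim URIs are the page's; the `pclocs_role` app_metadata key and the role IDs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Auth0 SAML2 addon "mappings": claim URIs from the page; "pclocs_role" is a hypothetical app_metadata key.
MAPPINGS = {
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name",
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "role": "pclocs_role",
}
KNOWN_ROLE_IDS = {"role_admin_001", "role_viewer_002"}  # constructed stand-ins for PC Locs role IDs
DEFAULT_ROLE = "role_admin_001"  # stands in for the default Admin role
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="pclocs_role">
      <saml:AttributeValue>role_viewer_002</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_attributes(assertion_xml: str) -> dict:
    """Return {attribute Name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    return {
        attr.get("Name"): [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
        for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS)
    }

def resolve_user(assertion_xml: str, role_mapping_configured: bool = True) -> dict:
    """Page rules: name/email required; with the Roles mapping set, an unknown role ID
    fails the login; with no Roles mapping, every SSO user gets the default Admin role."""
    attrs = extract_attributes(assertion_xml)
    user = {}
    for key in ("name", "email"):
        values = attrs.get(MAPPINGS[key]) or [""]
        if not values[0]:
            raise ValueError(f"missing required attribute {MAPPINGS[key]}")
        user[key] = values[0]
    if not role_mapping_configured:
        user["role"] = DEFAULT_ROLE
        return user
    role_values = attrs.get(MAPPINGS["role"], [])
    # Assumption: a missing role attribute is handled like an invalid role ID.
    if len(role_values) != 1 or role_values[0] not in KNOWN_ROLE_IDS:
        raise ValueError(f"invalid role id {role_values!r}: SSO login fails")
    user["role"] = role_values[0]
    return user
```

Running `resolve_user(SAMPLE_ASSERTION, role_mapping_configured=False)` shows why the default matters: the user is granted the Admin stand-in even though the assertion carries a viewer role.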
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.
OIDC
Configuration
For an OIDC provider setup, create a new Regular Web Application under Applications. A new set of client details will be generated.
Copy the following details from the application basic information section into the SSO provider form on the PC Locs Cloud.
- Client ID
- Client Secret - optional but recommended
- Domain - prefix the domain with https://
Set the Token Endpoint Authentication Method under the Application Properties section to None if the client secret is not used. Otherwise, set the method to either Basic or Post.
As for the Application URIs, only the Allowed Callback URLs field needs to be set. Copy the callback URL from the SSO provider form on the PC Locs Cloud into the list. The other fields in the section can be left as is.
Ensure that Authorisation Code is enabled under Grant Types in Advanced Settings, as the PC Locs Cloud exchanges this code for authentication tokens after an SSO user signs in.
Save the application.
Attribute mappings
Authorising the profile scope will map the name user attribute to the PC Locs Cloud.
Authorising the email scope will map the email user attribute to the PC Locs Cloud.
Assigning custom roles for an SSO user
Custom roles are currently not supported for Auth0 OIDC in PC Locs Cloud. Please use SAML to allow custom roles for SSO users.
All SSO users will be granted the Admin role by default.
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.