SAML
Configuration
- For a SAML provider setup, go to Applications and search for SAML Custom Connector (Advanced). Select the option, set a display name and save the application.
- In the Configuration section, copy the Entity ID from the SSO provider form on the FUYL Portal into the Audience (EntityID) field.
- Copy the ACS URL from FUYL Portal into both ACS (Consumer) fields. The validator should match the primary URL. The other settings in the configuration can be left as they are.
- To map user attributes to the PC Locs FUYL Portal on user sign-in, go to the Parameters section. The NameID attribute defaults to email because of the NameID format set in the Configuration section; if no other parameters are set, the email is used as the user ID. Each parameter's field name is the attribute mapping key to set on the FUYL Portal, and the parameter must be included in the SAML assertion so the value is actually sent. Example: (name = name).
- Next, copy the Issuer URL in the SSO section into the Metadata document form field on the FUYL Portal. Alternatively, upload the SAML metadata which can be found in the More Actions dropdown in the SAML application.
- Save the application.
- To allow access for SSO users to the FUYL Portal, each user will need to be assigned to the SAML application. This can be done by selecting a user in the Users section and assigning a new login to the application for the selected user.
Assigning custom roles for an SSO user
Before assigning a custom role to an SSO user, a Custom User Field will need to be created which can be found within the Users dropdown list.
- Create a new user field; any name can be used.
- Select a user that you would like to assign a custom role to and update the new field. The value should be the ID of a role listed in the FUYL Portal Roles section located within the accounts page.
- Next, select the SAML application used for FUYL Portal and head to the Parameters section.
- Add a new field whose name matches the Roles attribute mapping set in FUYL Portal, and select the newly added custom user field as its value.
- Enable the Include in SAML assertion flag and save.
It may take a few minutes for the changes to apply; they should take effect on the next login. Otherwise, re-apply the entitlement mappings under More Actions.
If an invalid role ID is assigned to a user, the SSO login to the FUYL Portal will fail.
If the Roles attribute mapping is not set in FUYL Portal, all SSO users will be granted the default Admin role.
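As an added illustration (not part of the PC Locs documentation or the portal's own code), the following Python check reads a constructed SAML assertion and applies the rules described above: the Audience must match the Entity ID, the NameID email becomes the user id, a configured Roles attribute must carry a valid role ID, and with no Roles mapping the default Admin role applies. The Entity ID, the `roles` attribute name and the role ID are assumed placeholders, and the check does not verify the assertion's signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not a real capture). The Entity ID, attribute
# names and role ID are placeholders for the values shown in the FUYL Portal
# SSO provider form and Roles section. The signature is not part of this check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://portal.example/saml/ENTITY-ID-PLACEHOLDER</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="name"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles"><saml:AttributeValue>ROLE-ID-PLACEHOLDER</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, expected_entity_id, roles_attr, valid_role_ids):
    """Return (user_id, role) for the assertion, or raise ValueError.

    Models the behaviour described above: the Audience must equal the portal's
    Entity ID, the NameID (email) becomes the user id, and when a Roles mapping
    is configured the attribute must carry exactly one known role ID. With no
    Roles mapping (roles_attr=None) the default Admin role applies.
    """
    root = ET.fromstring(xml_text)
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if expected_entity_id not in audiences:
        raise ValueError("Audience does not match Entity ID: %r" % audiences)
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion carries no NameID")
    # Attribute name -> list of values, as they appear in the AttributeStatement.
    attrs = {a.get("Name"): [v.text for v in a.iterfind("saml:AttributeValue", NS)]
             for a in root.iterfind(".//saml:Attribute", NS)}
    if roles_attr is None:
        return name_id.text, "Admin"
    values = attrs.get(roles_attr, [])
    if len(values) != 1 or values[0] not in valid_role_ids:
        raise ValueError("role attribute %r missing or not a valid role ID: %r"
                         % (roles_attr, values))
    return name_id.text, values[0]
```

Running the check over an assertion captured with a browser SAML tracer before the first SSO login shows whether the role attribute is actually being sent, or whether every user would otherwise land on the default Admin role.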
Troubleshooting
If there are any issues signing in with SSO after following the instructions above, please contact PC Locs support for assistance.
OIDC
Configuration
- For an OIDC provider setup, go to Applications and search for OpenId Connect; there should be only one result. Select the application and set a display name for it.
- In the Configuration section, copy the callback URL from the SSO provider form on the FUYL Portal and add it to the Redirect URIs list.
- Next, copy the following details from the SSO section into the SSO provider form:
- Client ID
- Client Secret
- Issuer URL - domain
- Leave the application type as Web. Native is not supported.
- Set the token endpoint authentication method to POST. Other methods are not supported.
- All other fields in the OIDC application can be left as is.
- Save the application.
- To allow access for SSO users to the FUYL Portal, each user will need to be assigned to the OIDC application. This can be done by selecting a user in the Users section. Ensure the Allow the user to sign in option is enabled on assignment.
Attribute mappings
Authorising the profile scope maps the name user attribute to the FUYL Portal. OneLogin sets the name attribute automatically by concatenating the first name and last name.
Authorising the email scope will map the email user attribute to the FUYL Portal.
Assigning custom roles for an SSO user
Custom roles are currently not supported for OneLogin OIDC in FUYL Portal. Please use SAML to allow custom roles for SSO users.
If the roles scope is authorised in FUYL Portal, SSO logins will fail.
All SSO users will be granted the Admin role by default.
Troubleshooting
Issues signing in after entering the provider name:
If the instructions above have been followed, this error occurs when the OIDC application configuration or a user's details have recently been updated. It usually takes a few moments before the FUYL Portal can verify the SSO user's credentials on single sign-on. If the problem persists, please contact PC Locs support for further assistance.