XTRF Single Sign-On (SSO) configuration

This topic is to help the administrators configure SSO in all XTRF Portals.

SSO is optional and each XTRF Portal can be configured separately, to use traditional credentials, credentials + SSO, or SSO exclusively.

Basic SSO configuration

Check the compatibility

Once Single Sign-On is activated on the license server, it’s time to connect the selected Portal with the external Identity Provider compatible with OpenID Connect standard. Popular providers include Google, Microsoft Azure, GitHub, Paypal, Salesforce, among others.

XTRF SSO internally uses Google APIs Client Library to communicate with the provider over OAuth 2.0 protocol. Authorization flow is compatible with OpenID Connect Core specification on top of OAuth 2.0. XTRF SSO uses Authorization Code Flow from OpenID Connect specification which means you need to configure both authorization endpoint URL and token endpoint URL on the XTRF configuration page.

All top Identity Providers use protocols compatible with the one used by XTRF.

Register with the Identity Provider

To connect with the Identity Provider, you need to register XTRF as a client application on their server.

Steps:

  1. In the Home Portal go to General Configuration > Security > choose Home Portal / Vendor Portal or Client Portal.
    Get the Callback URL. It is the address you will be redirected to, after your application is authorized. You will need it for the registration form.
  2. Go to the Identity Provider’s web location and fill out their registration form. Here are the steps to follow with the most popular Identity Providers:

Instructions for Google

Instructions for Microsoft Azure

Instructions for GitHub

Note:

When the registration process is complete, you will receive two unique variables which need to be noted:

  • Client ID
  • Client Secret

Configure XTRF

Back in Home Portal’s General Configuration > Security > choose Home Portal / Vendor Portal / Client Portal and fill out the SSO configuration form, including the variables acquired during the registration.

The basic configuration includes the following parameters:

  • Auth URL - the endpoint for authorization server. It is used to obtain the authorization code (e.g. https://id.yourdomain.com/adfs/oauth2/authorize).
  • Access Token URL - the endpoint for the authorization server. It is used to exchange the authorization code for an access token (e.g. https://id.yourdomain.com/adfs/oauth2/token).
  • Client ID
  • Client Secret
  • Scopes (optional) - the scope of the access request used during advanced configuration. It may have multiple space-delimited values. Scopes are specific to other services the authentication provider grants access to.
    Example (Google): openid email profile
    Example (ActiveDirectory): openid

SSO configuration form in XTRF security settings

Requirements for Home Portal Users

Home Portal SSO will allow users who already exist in the XTRF System to sign in. It is crucial to remember that users will be mapped by e-mail address.

After the first sign in, the user will be matched by a key consisting of two fields: subject and issuer. Google Oauth2 documentation describes these fields as:

Claim

Provided

Description

iss

always

The Issuer Identifier for the Issuer of the response. Always https://accounts.google.com or accounts.google.com for Google ID tokens.

sub

always

An identifier for the user, unique among all Google accounts and never reused. A Google account can have multiple email addresses at different points in time, but the sub value is never changed. Use sub within your application as the unique-identifier key for the user. Maximum length of 255 case-sensitive ASCII characters.

Requirements for Vendor Portal / Client Portal Users

There is no way to sign into Vendor / Client Portal with SSO by using an account set up for an enterprise. Only contact persons within the enterprise account will be recognized by SSO as system users.

Advanced SSO configuration

The general purpose of advanced configuration is to enable elements of user provisioning functionality. Advanced configuration is carried out with a Groovy script that is run as a post-authentication action. The script can be used to synchronize certain pieces of user data between the XTRF database and SSO provider, including user profile details or group assignments (and thus the user rights)

To see the most popular cases of user provisioning configuration with default pieces of code, please contact the XTRF Helpdesk.

XTRF SSO Installation and Configuration Guide

Read also:

SSO or Single Sign-On

This article was helpful for 1 person. Is this article helpful for you?