Chapter 34 Configuring Clarizen
Configure the Clarizen Web-SAML application profile in Cloud Manager to set up single sign-on via SAML with Clarizen. Configuration also specifies how the application appears in the user portal, which users may access the application, if the application requires additional authorization, and how your internal user accounts are mapped to Clarizen accounts. Other application profile controls record and report changes to settings.
For general information about single sign-on (SSO) configuration, see Overview.
Preparing for configuration
Before starting configuration, it helps to understand the basic steps of configuration, to know Clarizen’s single sign-on (SSO) characteristics, and to have everything you need for configuration in place.
SAML single sign-on configuration overview
Clarizen offers both IdP-initiated SAML SSO (for SSO access through the user portal or Centrify mobile apps) and SP-initiated SAML SSO (for SSO access directly through Clarizen). You can configure Clarizen for either or both types of SSO.
To configure Clarizen for single sign-on:
1. Ensure that your Clarizen account is ready for single sign-on: have a Clarizen administrator account, which provides the rights to set up SSO.
2. In Cloud Manager, add the Clarizen application profile if it’s not already added and set the security certificate.
   You’ll need information in the application profile to set up SSO. For detailed information, see "Adding Clarizen and setting a security certificate" on page 34-21.
3. On the Clarizen web site, configure your organization’s Clarizen account for SSO via SAML.
   For detailed information, see "Configuring Clarizen for SSO" on page 34-22.
4. In Cloud Manager, configure the AnswerHub application profile to control
Requirements for SSO configuration
Before you can configure Clarizen for SSO, you need the following:
• An active Clarizen account with administrator rights for your organization.
• A signed security certificate that is recognized by both Cloud Manager and Clarizen.
Security certificates for SSO
A secure connection for SSO between the web application and the cloud service requires a security certificate and a public and private key pair. The web application must have a security certificate containing a public key. The cloud service must have the same certificate and a private key that matches the public key in the certificate.
You can use either a standard certificate provided by the cloud service or a certificate provided by your organization. If you use your own certificate, you must provide the certificate to the web application and then provide the same certificate along with your private key to Cloud Manager (both processes described later). Cloud Manager requires your private key to sign SAML responses or messages for the web application using your certificate.
If you use the cloud service signing certificate (the default setting), you don’t need to provide a private key—simply download the standard certificate from Cloud Manager and provide it to the web application as described later. The cloud service already has the matching private key needed to sign messages using the certificate.
Clarizen SSO characteristics
When you configure Clarizen for SSO and then administer it for your organization, it’s useful to know its SSO characteristics.
Feature / Description

Available versions and clients: SSO works for the SAML web application only. The Clarizen mobile apps for iOS and Android do not offer SSO.
SP-initiated SSO support: Yes. Users may go directly to a supplied Clarizen URL and then use the cloud service SSO to authenticate. They may also use the cloud service SSO to authenticate through the standard Clarizen sign-in page if they’ve successfully authenticated there before.
IdP-initiated SSO support: Yes. Users may use SSO to sign into Clarizen through the user portal or Centrify mobile apps.
User name/password sign-in still available after SSO set up: Yes, if configured to do so. You may also configure to turn off user name/password sign-in for everyone except network administrators, or for external users only (marked so within Clarizen).
Separate sign-in for administrators after SSO is enabled:
Lockout possibility and lockout recovery: No lockout possible because user name/password sign-in is always available for administrators.
User provisioning through SAML: Not supported. You may provision users through Clarizen’s SOAP API or through Clarizen’s User Sync tool.
User types: Full users with or without administrator rights.
Users may reset their own passwords: Yes.
Administrators may reset other users’ passwords: Yes.

Cloud Manager user’s guide

Adding Clarizen and setting a security certificate

Before you can configure your Clarizen account for SSO and configure the Clarizen application profile, you must add Clarizen in Cloud Manager. You must then decide which security certificate to use.
If you’re going to use your organization’s certificate for connections to Clarizen, you must supply that certificate along with its matching private key in a PKCS #12 archive file. (PKCS #12 files end in a .pfx or .p12 filename extension.) Make sure the file is accessible from your computer before working through these steps.

To add Clarizen and set its security certificate:
1. In Cloud Manager, click Apps.
2. Click Add Web Apps.
   The Add Web Apps screen appears.
3. On the Search tab, enter the partial or full application name in the Search field and click the search icon.
4. Next to the application, click Add.
5. In the Add Web App screen, click Yes to confirm. Cloud Manager adds the application.
6. Click Close to exit the Application Catalog.
   The application that you just added opens to the Application Settings page.
   The bottom of the page displays current security certificate settings. It’s set by default to use the standard cloud service certificate. If you want to use this standard certificate, skip to Step 11.
7. If you want to use your own security certificate, select Use a certificate with a private key (pfx file) from your local storage then click Browse to open a file browser.
8. Locate the archive file containing your certificate and private key, then click Open.
9. If prompted for a certificate password for the archive file, enter the password then click OK.
   The archive file uploads to the cloud service and the Application Settings page shows an uploaded private certificate under Use existing certificate.
10. Click Save to save your certificate setting to the application profile.
11. Download a copy of the security certificate specified by the application profile: click Download.
   The certificate downloads through your web browser to a location set by the browser. Remember the location.

You can change to a different certificate at any time by making a different choice under the Security Certificate settings as just described.

To change from a private certificate to the cloud service standard certificate:
1. In the Applications Settings page select Use the default tenant signing certificate.
2. Click Save.

Remember that if you change the certificate in the application profile you must also upload your new certificate to Clarizen as described in the next section.
Configuring Clarizen for SSO
You must be signed into Clarizen with administrator rights to perform these steps. You’ll find the SAML settings you need to provide in Cloud Manager in the Application Settings tab of the Clarizen application profile.
Tip: This process transfers information between Cloud Manager and Clarizen. If you open Cloud Manager and the web application at the same time using either separate browser tabs or side-by-side windows, you can easily copy and paste information between them.
To configure Clarizen for SSO:
1. In your web browser, go to the URL https://app.clarizen.com/Clarizen/Pages/Service/Login.aspx and sign in with your administrator account.
3. In the page’s Organization Settings section, click the edit... link for Federated Authorization to open the Federated Authentication (Clarizen’s term for SSO) dialog box.
4. Specify and use the following for the SSO Settings:

Option / Value

Enable Federated Authentication: Click to check this setting, which turns on SSO via SAML.
Certificate: This field accepts the certificate specified under Security Certificate in the Clarizen application profile.
   1. Click Upload... to browse your computer for the certificate presented by the cloud service for each SSO session.
      If the certificate isn’t available, see Step 11 in Adding Clarizen and setting a security certificate to download the certificate to your computer.
   2. Once you’ve selected your certificate in the file browser, click Open in the dialog box.
   3. Click Save to save the SAML settings and turn on SSO for your organization’s Clarizen account.
   4. Sign out of your Clarizen account.
Sign-in URL: Copy and paste the Sign-in URL setting from the Clarizen application profile.
Sign-out URL: (Optional) Copy and paste the Sign-out URL setting from the Clarizen application profile. If this URL is specified, Clarizen redirects users to this URL (the user portal) when they sign out. If not specified, users redirect to the Clarizen sign-in page.
Enable Password authentication: This setting turns user name/password authentication on and off for different sets of users. Settings are:
   • No one allows nobody from your organization except administrators to sign in through the Clarizen web site using user name/password instead of SSO.
   • External users only allows only administrators and your organization’s users who are not part of your organization’s internal authentication system to sign in through the Clarizen web site with user name/password instead of SSO.
   • Everyone (internal and external) allows all your users to sign in through the Clarizen web site with user name/password instead of SSO.
Enable API access: If checked, allows applications that connect to Clarizen via the Clarizen API to authenticate for your users. When unchecked, these applications may not connect to Clarizen for your users.
Advanced verification: Leave this option unchecked.
Advanced request: Leave this option unchecked.
To login via SSO: Clarizen generates this URL as an SSO sign-in page for SP-initiated SAML for your users. You can provide it to users if they want to use SSO but don’t access Clarizen through the user portal or the Centrify mobile apps.

SP-Initiated SSO

When you set up SSO on Clarizen, SP-initiated SSO is automatically enabled. The way it works depends on how you set password authentication and on the URL used to access Clarizen.
You can supply your users the custom Clarizen URL provided by the To login via SSO field in the Federated Authentication dialog box (as described previously). When users access the URL, Clarizen redirects them to the cloud service for SSO authentication. The cloud then returns the user to his or her account at Clarizen if authentication is successful. If the user goes to the standard Clarizen sign-in page and tries to sign in when Enable Password authentication is disabled, the page tells the user to use Federated Authentication to connect, which requires them to use the custom Clarizen SSO URL. If Enable Password authentication is not disabled for the user, they can sign in via user-password and bypass SSO. Once they’ve successfully signed in, a Clarizen cookie on their browser triggers a Federated Authentication link in the sign-in page so the user from then on has a choice between user/password sign-in and SSO from the standard sign-in page.
Configuring Clarizen in Cloud Manager
Use Cloud Manager to configure the Clarizen application profile. Configuring specifies how Clarizen appears in the user portal and who has access to Clarizen. Some configuration is required to deploy Clarizen; other configuration is optional. The steps following describe all configuration settings and mark those that are optional.
Once you finish configuring the application profile and save your changes, Clarizen is deployed and appears as a deployed application in Cloud Manager.
To configure the Clarizen application profile in Cloud Manager:
1. If the Clarizen application profile isn’t open in Cloud Manager, click the Apps tab to view all added applications, then click Clarizen Web-SAML to open its application profile.
2. On the Application Settings page, the following settings are unique to this application. They are read-only so you don’t need to set them:

Option / Description

Sign-in URL: Paste this value as described earlier into the corresponding SAML SSO setting in Clarizen.

3. On the Application Settings page, expand the Additional Options section and specify the following settings:

Option / Description

Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
   • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
   • There can only be one SAML application deployed with the name used by the mobile application.
   The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.
Show in User app list: Select Show in User app list to display this web application in the user portal. (This option is selected by default.)
   If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.
Security Certificate: These settings specify the security certificate used for secure SSO authentication between the cloud service and the web application. Select an option to change the security certificate.
   • Use existing certificate displays beneath it the certificate currently in use. The Download button below the certificate name downloads the current certificate through your web browser to your computer so you can supply the certificate to the web application during SSO configuration. It’s not necessary to select this option; it’s present to display current status.
   • Use the default tenant signing certificate selects the cloud service standard certificate for use. This is the default setting.

4. (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.
   The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.
5. On the User Access page, select the role(s) that represent the users and groups that have access to the application.
   When assigning an application to a role, select either Automatic Install or Optional Install:
   • Select Automatic Install for applications that you want to appear automatically for users.
   • If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.
6. (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:
   • Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.
   • Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.
   You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Specifying application access policies with JavaScript.
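As an added illustration, not Cloud Manager's own policy-script API (the page does not give its hook names) and not Centrify's code, the JavaScript below implements the two decisions the Policy page offers: a Corporate IP Range test (IPv4 CIDR matching against a constructed list of ranges) and a step-up decision that requires strong authentication, either always or only when the client is outside that range. The function names, option keys and sample ranges are assumptions made for the example.

```javascript
// Added example (not Centrify's code): models the Policy page decisions.
// Names below (evaluateAccessPolicy, option keys, CORPORATE_IP_RANGES) are
// assumptions for illustration, not Cloud Manager's policy-script API.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
// Plain arithmetic is used instead of shift operators so that addresses
// above 127.255.255.255 do not overflow into negative signed values.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) throw new Error('invalid IPv4 address: ' + ip);
  return parts.reduce((acc, part) => {
    if (!/^\d{1,3}$/.test(part) || Number(part) > 255) {
      throw new Error('invalid IPv4 octet in: ' + ip);
    }
    return acc * 256 + Number(part);
  }, 0);
}

// True when ip falls inside the CIDR block (e.g. "10.0.0.0/8").
// A bare address without "/len" is treated as a single host (/32).
function inCidr(ip, cidr) {
  const [base, lenText] = cidr.split('/');
  const prefixLen = lenText === undefined ? 32 : Number(lenText);
  if (!Number.isInteger(prefixLen) || prefixLen < 0 || prefixLen > 32) {
    throw new Error('invalid prefix length in: ' + cidr);
  }
  const hostBits = 2 ** (32 - prefixLen); // size of the host portion
  return Math.floor(ipv4ToInt(ip) / hostBits) === Math.floor(ipv4ToInt(base) / hostBits);
}

// Constructed sample of what an administrator might enter under
// Settings > Corporate IP Range (assumption: one RFC 1918 block plus one office subnet).
const CORPORATE_IP_RANGES = ['10.0.0.0/8', '192.168.10.0/24'];

// Decide what to do with a launch request. restrictToCorporateIp and
// requireStrongAuth mirror the two Policy page settings; stepUpOutsideCorporate
// is the kind of extra condition the page says a policy script can express
// (require strong authentication only when the client is off the intranet).
function evaluateAccessPolicy(clientIp, ranges, options = {}) {
  const insideCorporate = ranges.some((cidr) => inCidr(clientIp, cidr));

  if (options.restrictToCorporateIp && !insideCorporate) {
    return { allow: false, requireStrongAuth: false, reason: 'client outside corporate IP range' };
  }

  const requireStrongAuth =
    Boolean(options.requireStrongAuth) ||
    (Boolean(options.stepUpOutsideCorporate) && !insideCorporate);

  return {
    allow: true,
    requireStrongAuth,
    reason: insideCorporate ? 'client inside corporate IP range' : 'client outside corporate IP range',
  };
}

// Stand-alone run: print the decision for a few constructed client addresses.
for (const ip of ['10.20.30.40', '192.168.11.5', '203.0.113.9']) {
  console.log(ip, evaluateAccessPolicy(ip, CORPORATE_IP_RANGES, { stepUpOutsideCorporate: true }));
}
```

Malformed addresses and prefix lengths throw rather than silently matching, so a typo in the range list fails closed instead of opening the application to every client.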
7. On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. The options are as follows:
   • Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify user service.
   • Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.
   • Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:
     LoginUser.Username = LoginUser.Get('mail')+'.ad';
     The above script instructs the cloud service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected] then the cloud service uses
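The following is an added example, not Centrify's code and not the page's own script: it exercises an Account Mapping Script against a constructed stand-in for the LoginUser object. LoginUser, Get() and Username are the names the page shows; the stand-in's behaviour for an attribute that is not set, the helper names, and the sample directory records are assumptions. It applies the page's one-line script unchanged and, beside it, a fallback variant that handles a user record with no mail attribute, which the one-liner would otherwise map to the bare suffix '.ad'.

```javascript
// Added example (not Centrify's code): exercises an Account Mapping Script
// against a constructed stand-in for the LoginUser object. LoginUser.Get()
// and LoginUser.Username are the names the page shows; everything else here
// is an assumption made for the example.

// Constructed stand-in for the directory user the cloud service exposes as
// LoginUser. Assumption: Get() returns '' for an attribute that is not set.
function makeLoginUser(attributes) {
  return {
    Username: null,
    Get(name) {
      return Object.prototype.hasOwnProperty.call(attributes, name) ? attributes[name] : '';
    },
  };
}

// The page's one-line script, applied unchanged.
function mapWithMailSuffix(LoginUser) {
  LoginUser.Username = LoginUser.Get('mail') + '.ad';
  return LoginUser.Username;
}

// Variant that handles the edge case the one-liner misses: a user record with
// no mail attribute would be mapped to the bare string '.ad'. This script
// falls back to userPrincipalName (the other attribute the page names),
// normalises case so the same person always maps to one Clarizen account,
// and leaves Username unset (fails closed) when neither attribute exists.
function mapWithFallback(LoginUser) {
  const source = LoginUser.Get('mail') || LoginUser.Get('userPrincipalName');
  if (!source) {
    LoginUser.Username = null;
    return null;
  }
  LoginUser.Username = source.toLowerCase() + '.ad';
  return LoginUser.Username;
}

// Stand-alone run over constructed directory records.
const sampleUsers = {
  withMail: { mail: 'Jane.Doe@example.com' },
  upnOnly: { userPrincipalName: 'jdoe@corp.example' },
  empty: {},
};
for (const [label, attrs] of Object.entries(sampleUsers)) {
  console.log(label, mapWithMailSuffix(makeLoginUser(attrs)), mapWithFallback(makeLoginUser(attrs)));
}
```

The point of the fallback is that the mapping script decides which Clarizen account a SAML assertion is issued for; a script that yields a constant value for users missing an attribute can collapse several people onto one account, so an unmappable user should get no assertion rather than a guessed name.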
8. (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting guide.
Note: On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.
9. Click Workflow to set up a request and approval work flow for this application. The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.
10. Click Save.
After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.
For more information about Clarizen
For more information about configuring Clarizen for SSO, see the following links: