Quick guide to setting up ADFS as a SAML identity provider for Exivity.
On the ADFS side, go to Trust Relationships -> Relying Party Trusts and click Add Relying Party Trust. In the wizard, use the following settings:
Select Data Source: Enter data about the relying party manually
Specify Display Name: Exivity
Choose Profile: AD FS Profile
Configure Certificate: Leave blank
Configure URL: Leave blank
Configure Identifier: https://EXIVITY-URL/v1/auth/saml/metadata (the Exivity Entity ID / Metadata URL endpoint)
Configure Multi-factor authentication now?: Choose I do not want to configure multi-factor authentication settings for this relying party trust at this time.
Choose Issuance Authorization Rules: Permit all users to access this relying party
Ready to Add trust: --
Click on Finish.
Right click the newly added trust: Properties
Go to Endpoints – Add SAML:
Endpoint type: SAML Assertion Consumer
Binding: POST
Trusted URL: https://EXIVITY-URL/v1/auth/saml/acs
Click on Save.
Right click the newly added trust: Edit Claim Rules
Go to Issuance Transform Rules – Add Rule
Choose Rule Type: Send Claims using a Custom Rule
Configure Claim Rule:
Claim Rule Name – Exivity
Custom Rule:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
=> issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
Finally, click Save. This rule issues the user's UPN as the SAML NameID in e-mail address format; if the UPNs in your forest are not the users' e-mail addresses, source the value from the e-mail claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress) instead, because Exivity matches and creates users by the address it receives.
Perform the following steps as an Exivity user with sufficient rights (an admin user).
Go to Administration - Settings - Single sign-on, choose the SAML tab, and fill in the settings listed in the "Exivity SAML setting" table for ADFS further down this page:
As the last step, enable Single Sign-On in Exivity by navigating to Administration > Settings and then clicking on the System tab. Make sure the Single Sign-On option is set to Enabled, and click the Update button:
SSO is now configured and enabled, and you can now use ADFS to login to your Exivity instance. The login screen will look something like this:
And by clicking on the Login button, you'll be taken to the ADFS login screen.
Exivity can act as a SAML Service Provider (SP) that connects to a SAML Identity Provider (IdP). Some configuration is required to set up a secure connection.
The SAML configuration can be accessed by navigating to Administration > Settings and then clicking on the SAML tab. On this page, you'll find two sub-tabs:
Configuration: Your IdP endpoints can be entered here, along with details about the certificate used by the IdP.
Endpoints: When registering Exivity with your IdP, you need to provide these Exivity endpoints.
The configuration settings are listed below:
The advanced settings editor exposes further options for configuring the integration. Settings must be entered as valid JSON. Consult your implementation partner before editing the advanced settings, and treat any option under "security" with care: relaxing validation of the IdP's responses weakens the trust the whole login flow depends on.
To view the full SAML endpoints for your Exivity instance, navigate to Administration > System and then click on the SAML tab and then the Endpoints sub-tab.
Exivity SAML setting | Use value
Entity ID | Sometimes called the Issuer or Metadata URL. Example: http://ADFS-URL/adfs/services/trust
SSO URL | The URL of the Single Sign On service endpoint. Sometimes called the SAML 2.0 Endpoint. Example: https://ADFS-URL/adfs/ls
SLO URL | The URL of the Single Logout service endpoint, suffixed with ?wa=wsignout1.0. Example: https://ADFS-URL/adfs/ls/?wa=wsignout1.0
X-509 certificate | Base64-encoded (DER) certificate, enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If the field rejects that value, use the form given in the SAML configuration table (a single line without the BEGIN/END markers).
Advanced settings | { "security": { "wantXMLValidation": false } } (this turns off XML schema validation of incoming SAML messages, which some ADFS responses fail; it does not relax signature verification, and no signature-related option should be disabled)
Option | Description
Entity ID | Sometimes called the Issuer or Metadata URL.
SSO URL | The URL of the Single Sign On service endpoint. Sometimes called the SAML 2.0 Endpoint.
SLO URL | The URL of the Single Logout service endpoint.
X-509 certificate | Base64-encoded (DER) certificate, on a single line, without -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
Default user group | When a new user logs in using SSO, a user will be created in this user group.
Name | Endpoint | Description
Login URL | /v1/auth/saml/login | Initiates a SAML login request. Redirects to the SAML Identity Provider SSO URL set in the SAML configuration. After a successful authentication (possibly interactive), the IdP redirects back to this API's ACS endpoint.
Logout URL | /v1/auth/saml/logout | Initiates a SAML logout request. Redirects to the SAML Identity Provider SLO URL set in the SAML configuration. After the user has been logged out, the IdP redirects back to this API's SLS endpoint.
Entity ID / Metadata URL | /v1/auth/saml/metadata | Metadata about the SAML Service Provider instance is published at this URL.
Assertion Consumer Service | /v1/auth/saml/acs | If the response received from the SAML Identity Provider is valid, redirects to the Exivity dashboard.
Single Logout Service | /v1/auth/saml/sls | If the response received from the SAML Identity Provider is valid, redirects back to the Exivity login screen.
In order to use OneLogin as an Identity Provider, we need to set up a new application. To do so, navigate to the OneLogin administration, hover over Applications in the navigation bar, and click on Applications:
Click on the Add App button:
In the list of applications, search for "saml" and click on the item SAML Test Connector (IdP w/ attr w/ sign response):
Choose a descriptive name for your application and click the Save button:
Click the Configuration tab:
Refer to the endpoints section of the Single Sign On article for how to obtain the endpoint values, then fill in these fields (listed in the Field / Value table for OneLogin further down this page):
You need to add the OneLogin domain for your organisation to the CORS whitelist as well.
Now, we have to copy and paste some values from our OneLogin application into the Exivity instance Single Sign-on settings. In OneLogin, click on the SSO tab:
In a separate browser tab, open the Exivity SAML setting (See SAML configuration) and copy over the following settings:
Now, let's set up the OneLogin certificate in Exivity. Under the label X.509 Certificate, click the View Details link. Copy the X.509 Certificate and paste it in the X-509 certificate field in the Exivity settings.
As the last step, copy and paste this JSON object in the Advanced settings in the Exivity settings:
Now you're ready to use OneLogin as a SAML Identity Provider. Enable Single Sign-On in Exivity by navigating to Administration, Settings and then click on the System tab. Make sure the Single Sign-On option is set to an option including SAML2 Authentication:
OneLogin is now configured and enabled, and you can now use it to log in to your Exivity instance. The login screen will look something like this:
By clicking the Login button, you'll be taken to the OneLogin login screen. Exivity will receive the user's e-mail address and create a new user in the configured user group (see configuration) if no existing user is found.
Setting up Azure Active Directory is straightforward, but it helps to know the exact steps to follow, as configuring SAML can be a bit daunting.
To add Exivity to your Azure AD applications, follow these steps:
In your Azure portal, go to the Azure Active Directory service:
In the sidebar, click Enterprise applications:
Click the New application button:
Click the Non-gallery application button:
Enter a name for the new application (e.g. My Exivity instance) and click the Add button.
Click the Configure single sign-on (required) button:
From the Single Sign-On Mode dropdown list, select SAML-based Sign-on:
Now enter the following details on this page:
The resulting page could look something like this:
Click the Configure [your application name] button:
A new pane will open with instructions. Navigate to the Exivity SAML configuration (see configuration) and copy the following options from the pane in your Azure portal:
The Exivity configuration page could look something like this:
Now unfold the Advanced menu at the bottom of the screen, and paste the following JSON data:
Then in Exivity, click the Update button
And in your Azure Portal, click the Save button:
As the last step, enable Single Sign-On in Exivity by navigating to Administration > Configuration and then clicking on the System tab. Make sure the Single Sign-On option is set to Enabled, and click the Update button:
SSO is now configured and enabled, and you can now use Azure AD to login to your Exivity instance. The login screen will look something like this:
And by clicking on the Login button, you'll be taken to the Azure AD login screen. Exivity will receive the Azure AD e-mail address and create a new user with a minimal set of permissions if no existing user is found.
Field | Value
Audience | Entity ID / Metadata URL endpoint
Recipient | Assertion Consumer Service endpoint
ACS (Consumer) URL Validator | .* (or specify a custom RegEx). Prefer a custom RegEx anchored to your exact ACS endpoint: this field decides which AssertionConsumerServiceURL values OneLogin will post signed responses to, and .* accepts whatever URL a crafted AuthnRequest names.
ACS (Consumer) URL | Assertion Consumer Service endpoint
Single Logout URL | Single Logout Service endpoint
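The ACS (Consumer) URL Validator above is the IdP's only check on where it will deliver a signed SAML response: an SP-initiated AuthnRequest names its own AssertionConsumerServiceURL, and a validator of .* accepts whatever it names. The following added example (not OneLogin's or Exivity's code, and not part of the original page) models that validator as a regular-expression search over a set of constructed candidate URLs; exivity.example.test and attacker.test are placeholder hosts, and the search semantics are an assumption stated in the code. It shows three configurations side by side: the wildcard from the table, an unanchored literal that still lets the real URL be smuggled inside another one, and the anchored form a practitioner should use.

```python
"""Model of an IdP's ACS URL validator (added example, not OneLogin's or Exivity's code)."""
import re

# Placeholder Exivity ACS endpoint; substitute your instance's Assertion Consumer Service endpoint.
ACS_URL = "https://exivity.example.test/v1/auth/saml/acs"

WILDCARD_VALIDATOR = r".*"                            # the value the quick guide suggests
UNANCHORED_VALIDATOR = re.escape(ACS_URL)             # exact text, but no anchors
STRICT_VALIDATOR = "^" + re.escape(ACS_URL) + "$"     # exact text, anchored at both ends

# Constructed AssertionConsumerServiceURL values an AuthnRequest might carry.
REQUESTED_ACS_URLS = [
    ACS_URL,                                            # the legitimate Exivity ACS
    "https://attacker.test/collect",                    # attacker-controlled endpoint
    "https://attacker.test/?next=" + ACS_URL,           # legitimate URL embedded as a substring
    "http://exivity.example.test/v1/auth/saml/acs",     # scheme downgraded to http
    ACS_URL + "/../../../collect",                      # legitimate URL with a path suffix
]


def acs_url_allowed(validator: str, requested_acs_url: str) -> bool:
    """Assumed validator semantics: the ACS URL is accepted when the regex matches anywhere in it.
    Whether a given IdP uses search or full-match is not documented here; anchoring makes it irrelevant."""
    return re.search(validator, requested_acs_url) is not None


def accepted_urls(validator: str) -> list:
    """Return the requested ACS URLs the validator would let the IdP post a signed response to."""
    return [url for url in REQUESTED_ACS_URLS if acs_url_allowed(validator, url)]


if __name__ == "__main__":
    for name, validator in [("wildcard .*", WILDCARD_VALIDATOR),
                            ("unanchored", UNANCHORED_VALIDATOR),
                            ("strict", STRICT_VALIDATOR)]:
        print(f"{name:12} -> {accepted_urls(validator)}")
```

Only the anchored validator accepts the single legitimate URL; the unanchored literal still accepts two attacker-shaped URLs because the real ACS string appears inside them. When entering the strict form in OneLogin, escape the dots in your host name as the example does.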
Exivity configuration value | OneLogin field
Entity ID | Issuer URL
SSO URL | SAML 2.0 Endpoint (HTTP)
SLO URL | SLO Endpoint (HTTP)
Azure AD setting | Use value
Identifier | Exivity Entity ID / Metadata URL endpoint (see endpoints)
Reply URL | Exivity Assertion Consumer Service endpoint (see endpoints)
Show advanced URL settings | Checked
Sign on URL | Optional, you can enter the URL for the Exivity interface here.
Relay State | Leave empty
User Identifier | Select user.mail
Exivity SAML setting | Use value
Entity ID | SAML Entity ID
SSO URL | SAML Single Sign-On Service URL
SLO URL | Sign-Out URL
X-509 certificate | Download the certificate by clicking the SAML Signing Certificate - Base64 encoded link. Open the .cer file with a text editor and remove the text -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- and all line breaks so you end up with a single-line base64 encoded string.
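Every IdP section on this page ends with the same manual chores: copy the Entity ID, SSO URL and SLO URL, and turn a downloaded or displayed X.509 certificate into the single-line base64 string the X-509 certificate field wants (the SAML configuration table, and the Azure AD and Auth0 certificate instructions). IdPs publish all of that in their SAML 2.0 metadata (ADFS at /FederationMetadata/2007-06/FederationMetadata.xml, Azure AD via the App Federation Metadata Url), so the following added example, which is not Exivity's code and not part of the original page, derives the values from a metadata document instead. It picks the HTTP-Redirect SSO and SLO locations, keeps only KeyDescriptors usable for signing (ADFS also publishes an encryption certificate, which must not be pasted into Exivity), and normalises each certificate with a structural DER check that catches a truncated paste. adfs.example.test is a placeholder host, and the embedded "certificates" are DER-shaped sample bytes constructed for the example, not real certificates.

```python
"""Derive Exivity SAML settings from SAML 2.0 IdP metadata (added example, not Exivity code)."""
import base64
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _check_der_certificate(der: bytes) -> None:
    """Structural check only: one DER SEQUENCE whose length covers exactly the remaining bytes (catches truncation)."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (a certificate starts with 0x30)")
    first = der[1]
    if first < 0x80:                                   # short-form length
        length, header = first, 2
    else:                                              # long-form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("malformed DER length")
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if header + length != len(der):
        raise ValueError(f"DER length {length} does not match {len(der) - header} content bytes")


def pem_to_single_line(text: str) -> str:
    """PEM text or a metadata <X509Certificate> value -> the single-line base64 string Exivity expects."""
    body = re.sub(r"-----(?:BEGIN|END) CERTIFICATE-----", "", text)
    body = "".join(body.split())                       # drop line breaks and indentation
    try:
        der = base64.b64decode(body, validate=True)    # rejects stray characters
    except ValueError as exc:                          # binascii.Error is a ValueError
        raise ValueError(f"certificate is not valid base64: {exc}") from None
    _check_der_certificate(der)
    return body


def idp_settings_from_metadata(xml_text: str) -> dict:
    """Extract Entity ID, SSO URL, SLO URL and signing certificate(s) from IdP metadata."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    def redirect_location(tag: str) -> str:
        for svc in idp.findall(f"md:{tag}", NS):
            if svc.get("Binding") == HTTP_REDIRECT:    # Exivity redirects the browser to these URLs
                return svc.get("Location")
        raise ValueError(f"no {tag} with HTTP-Redirect binding")

    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No 'use' attribute means the key serves both purposes; use="encryption" never signs.
        if kd.get("use", "signing") != "signing":
            continue
        raw = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
        if raw:
            signing.append(pem_to_single_line(raw))
    if not signing:
        raise ValueError("metadata contains no signing certificate")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": redirect_location("SingleSignOnService"),
        "slo_url": redirect_location("SingleLogoutService"),
        "signing_certificates": signing,               # more than one during a certificate rollover
    }


def wrap64(b64: str) -> str:
    """Re-wrap base64 at 64 columns, the way PEM files and metadata documents present it."""
    return "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))


def _fake_der(fill: int) -> bytes:
    """Constructed sample: DER-shaped bytes standing in for a certificate. Not a real certificate."""
    payload = bytes([fill]) * 300                      # >255 bytes forces the 0x82 long-form length
    return b"\x30\x82" + len(payload).to_bytes(2, "big") + payload


SIGNING_B64 = base64.b64encode(_fake_der(0xA1)).decode()
ENCRYPTION_B64 = base64.b64encode(_fake_der(0xB2)).decode()

# Constructed sample metadata shaped like what ADFS publishes; adfs.example.test is a placeholder host.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.test/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>{wrap64(ENCRYPTION_B64)}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:X509Data>
      <ds:X509Certificate>
{wrap64(SIGNING_B64)}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://adfs.example.test/adfs/ls/"/>
    <SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.test/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""

if __name__ == "__main__":
    for key, value in idp_settings_from_metadata(SAMPLE_METADATA).items():
        print(f"{key}: {value}")
```

For ADFS, append ?wa=wsignout1.0 to the returned slo_url as the ADFS table states. During a token-signing certificate rollover the metadata lists two signing certificates while Exivity takes one, so pick the certificate the IdP reports as primary. Fetch the metadata over TLS from the IdP host you intend to trust; nothing here verifies a metadata signature.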
Quick guide to setting up LDAP authentication in Exivity
Make sure you perform the following steps as an Exivity user with sufficient rights (an admin user).
First, go to Administration - Settings - Single sign-on and choose the LDAP tab:
Fill the required Server and Attributes section parameters, and click on UPDATE.
Server section:
Attributes section:
Finally, go to the System tab, in the Core section, set the Single Sign-On parameter to Local and LDAP Authentication and click on UPDATE.
You can now log in to Exivity using LDAP authentication.
This section is only needed if you chose SSL or TLS encryption for LDAP. These steps are performed on the Exivity server.
The certificate must be in .pem format; if yours is not, convert it with the OpenSSL tool. Use the CA certificate that issued your domain controllers' LDAP certificates (or the server certificate itself only if it is self-signed), since LDAPTLS_CACERT names the trust anchor, not the peer.
Once the .pem certificate is stored on the server's disk, note its full path and create a system environment variable named LDAPTLS_CACERT whose value is that full path.
Finally, restart the Exivity Web Service.
First, we need to add Exivity to your Auth0 applications. Follow these steps:
On the Auth0 dashboard, click the Applications menu item, and then the Create application button:
Choose a descriptive name for your application, click the Single Page Web App button, and finally the Create button:
On the application overview page, click the Settings tab:
On this page, fill out the following details and click on the Save changes button:
Click on the SAML2 addon button. On the Settings tab, fill out the following details and click the Save button:
Click on the Usage tab.
As the last step, enable Single Sign-On in Exivity by navigating to Administration > Settings and then clicking on the System tab. Make sure the Single Sign-On option is set to Enabled, and click the Update button:
SSO is now configured and enabled, and you can now use Auth0 to login to your Exivity instance. The login screen will look something like this:
In the SAML2 addon Settings, replace the text [Exivity Single Logout Service endpoint] with the Single Logout Service endpoint of your Exivity instance (see endpoints).
From the addon's Usage tab, and with the Exivity SAML configuration (see configuration) open in a separate browser tab, copy over the settings listed in the Auth0 table further down this page.
By clicking the Login button, you'll be taken to the Auth0 login screen. Exivity will receive the Auth0 e-mail address and create a new user in the configured user group (see configuration) if no existing user is found.
Parameter | Explanation
Domain controllers | An array of servers on your network that serve Active Directory. Enter as many or as few as your forest requires (at least one). Separate multiple servers with a single space.
Port | Depending on the chosen encryption: 389 (unencrypted, or TLS via STARTTLS on the standard port) or 636 (SSL, i.e. LDAPS).
Timeout | The time in seconds that the application waits for a response from your LDAP server.
Encryption | Choose the desired encryption; SSL and TLS are supported. If you choose encryption, make sure you read the section Setting up your security certificate.
Parameter | Explanation
Base DN | The base distinguished name under which query operations are performed. (optional)
Account prefix | The prefix of your user accounts in the LDAP directory. This string is prepended to every authenticating user's username. (optional)
Account suffix | The suffix of your user accounts in your LDAP directory. This string is appended to every authenticating user's username. (optional)
Default user group | When a new user logs in using LDAP, a user will be created in this user group. (recommended)
Exivity SAML setting | Use value
Entity ID | Issuer
SSO URL | Identity Provider Login URL
SLO URL | Identity Provider Login URL, suffix with
X-509 certificate | Download the certificate by clicking the Download Auth0 certificate link. Open the file with a text editor and remove the text -----BEGIN CERTIFICATE-----, -----END CERTIFICATE----- and all line breaks so you end up with a single-line base64 encoded string.
Advanced settings |

Field | Value
Allowed Callback URLs | Exivity Entity ID / Metadata URL endpoint (see endpoints) and Exivity Assertion Consumer Service endpoint (see endpoints)
Allowed Logout URLs | Exivity Single Logout Service endpoint (see endpoints)

Field | Value
Application callback URL | Exivity Entity ID / Metadata URL endpoint (see endpoints)
Settings | See below