Configuring SSO Settings
You can configure the Single Sign-on (SSO) settings for your instance on this tab, including customizing the login page, user provisioning settings, and identity provider connection settings. You can enable SSO with the identity providers configured in this section.
Important: Only 1 administrator should manage configurations in the Archer Instance Manager (AIM).
Prerequisites
Use your Archer Community credentials to sign into AIM.
Task 1: Add a New Identity Provider
On the Identity Providers section of the AIM dashboard, click Add New Identity Provider.
Task 2: Configure the Login Page Settings
- Select “Enable Single Sign-on using SAML with the identity providers configured below”.
Important: You must select this for the following Login Page settings to take effect.
- In the Login Page section, set the following:
The following table describes the login page settings.
Option
Description
Page title
The text that appears as the heading on the Archer login page. This option corresponds to the Decision Page Header in the Archer Control Panel.
For example, for the Archer instance login page, this option may correspond to “Archer Login”.
Login header
The text that appears on the login page as the label for the drop-down that lists all identity providers.
For example, on the Archer instance login page, this option may correspond to “Please select your login type”.
Allow manual bypass
Activates manual login to Archer. When this option is selected, users see the username and password fields rather than an identity provider selection field. Users can log into the associated Archer instance using their instance-specific credentials.
If this option is not selected, users must log into the associated Archer instance using SSO.
Deeplink Bypass
Generates deep links to pages in Archer that, when clicked, bypass the Archer login page and automatically log users into Archer through the SSO process.
Important: Deep link bypass is only available for users that do not use multiple identity providers on their Archer instance.
Task 3: Configure Identity Providers
- In the Identity Providers > Single Sign On section, enter the Identity provider dropdown name, which is the user-friendly name of the identity provider that you linked to the Archer instance.
- In the Archer Service Provider Metadata section, click Download, which provides you with the metadata file from Archer SaaS as an XML file. You can import the metadata file into your identity provider to configure the connection.
AIM displays content from 2 fields in the Archer SaaS metadata file:
The following table describes the fields.
Option
Description
Assertion Consumer Service URL
The URL where Archer expects to receive SAML authentication, which is also included in the metadata file from Archer. This URL is required to configure your identity provider for AIM.
Audience URI
A unique identifier for the SAML connection between AIM and your identity provider.
Instance Direct URL
This is the URL that can be used to bypass the Archer selection screen and automatically sign in using this identity provider.
- In the Customer Identity Provider Metadata section, click Import, which uploads the XML metadata file generated by your identity provider to display in AIM.
AIM displays content from 5 fields in your metadata file.
The following table describes these fields.
Option
Description
Issuer URI
The unique identifier of your identity provider.
Sign-on URL
The URL as part of the SAML connection used to sign into the identity provider.
Certificate dates
The dates between which the identity provider certificate is valid.
Thumbprint
The thumbprint of the certificate associated with your identity provider.
- In the User Provisioning section, set the following settings.
The following table describes the fields.
Option
Description
Default user role
The default user role that Archer uses if no user roles were specified at the time of user creation in your IDP. You can manually update the user role in your Archer instance.
Default first & last name
The default name that Archer assigns to a user if no name was specified at the time of user creation in your IDP. You can manually update the first and last name in your Archer instance.
Enable auto user provisioning
If any new users are added to the identity provider, Archer automatically creates a user record in the instance if that user does not already exist.
Enable user update on Single Sign-on login
If any updates are made to existing users in the identity provider, the next time updated user accounts log into Archer, Archer automatically updates the user records in the instance.
Enable group update on Single Sign-on login
If any updates are made to existing user groups in the identity provider, the next time updated user accounts log into Archer, Archer automatically updates the user group records in the instance.
- Click Save.
Task 4: (Optional) Add Another Identity Provider
If you want to add another identity provider to AIM, repeat Tasks 1, 2, and 3.