Configuring an Instance for Single Sign-on
Single Sign-on (SSO) reduces the administrative overhead related to user accounts. With SSO authentication enabled, you can retrieve user profile information from an LDAP directory server at the time of initial account creation. This optional step automates the configuration of basic user profile data. You can configure Secure Sockets Layer (SSL) for SSO or as a stand-alone method, and set up SSO authentication for Windows Integrated or for Windows Integrated with SSL. Setting up the authentication requires you to modify the web.config file.
Supported authentication mechanisms
Archer supports two basic authentication mechanisms:
- Username/password login scheme (default)
- SSO configuration, which simplifies user login in corporate computing environments and supports most popular web authentication products.
The Archer Control Panel provides controls for enabling SSO and selecting an SSO method. When configuring SSO, you must set up LDAP integration from the Manage LDAP Data Configuration page on the Access Control feature.
Important: Before you configure LDAP synchronization for your Archer SaaS environment, you must first contact Archer Customer Support for assistance connecting your organization's LDAP server to the Archer cloud environment. You must provide the IP address or address range for your LDAP server.
Single Sign-on properties
| Option | Description |
|---|---|
| Single Sign-on Mode | Specifies the user login method. By default, the method is Disabled. When you have enabled this option, the system grants the user access if the user exists in Archer. If the user does not exist, an LDAP query retrieves the user profile information and creates an account. The other modes are HTTP Header, Request Parameter, Windows Integrated, Federation, and SAML (see Task 2). Use ADFS as the service provider for the Federation option. |
| Username Parameter | Specifies the username of the user logging on to Archer. This option is required when you have selected the Request Parameter or HTTP Header method as the Single Sign-on Mode. |
| Domain Parameter | Specifies the domain to which the user can connect. This option is required when the Request Parameter or HTTP Header method is selected as the Single Sign-on Mode. |
| Allow Manual Bypass | Activates manual login. Users can connect to the system manually by adding the parameter manuallogin with a value of true to the query string passed to default.aspx, for example https://archerirm.com/default.aspx?manuallogin=true. When this parameter is in the query string, users see the Login dialog box instead of having their credentials passed into the application. This option is useful for a system administrator who needs to log in with the System Administrator account rather than the personal account whose credentials SSO would send. |
Authentication options
- Windows-Integrated SSO only
- Windows-Integrated SSO with SSL
- SSL only
Configuration procedure
Task 1: Enable authentication for Single Sign-on
- Go to Internet Information Services (IIS) Manager.
- Enable authentication for the following SSO modes for the current server desktop connection:
- For HTTP Header, enable Anonymous Authentication.
- For Request Parameter, enable Anonymous Authentication.
- For Windows Integrated, enable Windows Authentication.
- For Federation, enable Anonymous Authentication.
- For SAML, enable Anonymous Authentication.
Note: Archer requires that only one authentication type be enabled at a time.
- In the Archer Control Panel, specify and then enable the instance for which you are configuring SSO.
Task 2: Configure Single Sign-on
Note: You must have system administrator rights on the server running the Archer web application.
- Open the Archer Control Panel.
- From the Instance Management list, double-click the instance.
- Click the Single Sign-on tab of the instance you want to configure.
- In the Single Sign-on Mode field, select one of the following:
- HTTP Header
- Request Parameter
- Windows Integrated
- Federation
- SAML
- Do one of the following:
- If you selected the Request Parameter or HTTP Header method, go to the next step.
- If you selected the Windows Integrated method, go to step 6.
- If you selected Federation, go to step 7.
- If you selected SAML, go to Configuring SAML Single Sign-on Mode.
- In the Username Parameter field, enter the name of the user logon.
- In the Domain Parameter field, enter the domain to which the user can log in.
- Do one of the following:
- To enable manual login, click Allow Manual Bypass, and then go to step 14.
- To force SSO regardless of the user, go to step 14.
- Configure the following options in the Single Sign-on section:
- Select Override Federation metadata to ignore Federation metadata at the installation level, which enables instances to use a different ADFS service provider.
Note: Any change of the entity name or change of any certificates in ADFS requires that you reimport metadata into Archer.
- If you selected Override Federation Metadata, you can click Select to browse to a different metadata .xml file, and then select the file.
Note: For instructions about how to get federationmetadata.xml, see the documentation from the service provider. For example, in ADFS, the URL to obtain the .xml file looks like https://{server}/FederationMetadata/2007-06/FederationMetadata.xml, where {server} is the name of your service provider.
- In the Relying Party Identifier field, enter the relying party identifier, which is provided in ADFS for this instance.
- In the Home Realm Parameter field, enter the name that you created to identify your realm. This name is the identifier that is used in the vanity URL. The syntax for this string is:
https://{servername}/../Default.aspx?<HomeRealmIdentifier>=<IdpRealmName>
For example, to skip the identity provider prompt, you can pass the home realm as a parameter:
https://{servername}/../Default.aspx?Realm=ADFS-IDP
- Configure the following options in the Identity Providers section:
- In the Decision Page Header field, enter the text that you want to appear as the heading at the top of the Decision Page.
- In the Dropdown Label field, enter the text that you want to appear on the Decision Page as the label for the drop-down that lists all identity providers.
- In the Identity Provider field, select an existing IDP, or complete the following three fields to add an IDP. (For the claim names Archer supports, see the Claim names for the Federation Option table at the end of this procedure.)
- In the Realm field, enter the realm name for the new identity provider.
- In the Identifier field, enter the claim provider identifier that ADFS provides for the given identity provider. For a complete list of the claims that Archer supports, see the table below.
- In the Display Name field, enter the display name for the new identifier, which then displays in the drop-down list of the Decision Page.
To learn how to set up the claim provider and relying party in ADFS, see:
https://technet.microsoft.com/en-us/library/adfs2-step-by-step-guides(v=ws.10).aspx
To add more providers, click the add icon, and then complete the same three fields for each provider.
- (Optional) In the On Login Error field, enter the URL for the page you have created. The user is redirected here if there is a login failure.
- (Optional) In the On User Not Found field, enter the URL for the page you have created. The user is redirected here if the username cannot be found in Archer.
- (Optional) In the On Provisioning Failure field, enter the URL for the page you have created. The user is redirected here if there is a provisioning failure, for example when you have exceeded the maximum number of users for your instance.
- Select the Provisioning Settings for the selected IDP as appropriate.
- Enter the default First Name, Last Name, and User Role that Archer uses if no name and user roles were specified at the time of provisioning. You can edit these values for the new user later.
- On the toolbar, click Save.
Claim names for the Federation Option
Note: ADFS expects claims to be in URL format, for example http://schemas.xmlsoap.org/claims/Group.
| Archer Field Name | Archer Supported Claim Name/Namespace |
|---|---|
| User Identity Information | |
| User Name* | UPN* |
| Domain | UserDomain |
| First Name | FirstName |
| Last Name | LastName |
| Middle Name | MiddleName |
| Title | Title |
| Contact Details | |
| Email Address | EmailAddress |
| Phone Number | PhoneNumber |
| Company Name | CompanyName |
| Address | FullAddress, or Street, City, State, Zipcode |
| Localization | |
| Time Zone | TimeZoneId |
| Account Maintenance | |
| Security Parameter ID | SecurityParameterId |
| Access Control Roles/Groups | |
| Group | Group |
| Role | Role |
Task 3: Set authentication for Single Sign-on
- Enable LDAP synchronization in Microsoft Internet Information Services (IIS).
- Specify and enable the instance for which you are configuring SSO.
- Configure SSO for the instance.
- Modify the web.config file for your authentication method.
Configuring SAML Single Sign-on mode
- Allow manual bypass.
- Enabled allows you to bypass SSO mode and log in using Archer credentials.
- Disabled allows you to only use SSO through configured identity providers (IDPs).
- Provide the Instance Entity ID (required).
- This identifier names the instance when it acts as a SAML service provider issuing authentication requests.
- Entity IDs must be unique across Archer instances that use the same IDP, must be in URL format, and are limited to 1024 characters.
- Provide a certificate thumbprint.
- An X.509 certificate is required for signing SAML requests and for encrypting SAML assertions. Archer signs requests when the IDP requires it. The IDP uses the same certificate when encrypting assertions.
- Provide the thumbprint of an X.509 certificate in the Windows Local Machine Certificate Store.
- The IIS Application pool identity running the Archer application requires Private Key-Read permission.
- If you use multiple web servers, import the same certificate to all Local Machine Certificate Stores.
- The service provider metadata exports Archer service provider metadata XML for use when configuring Archer as a client with your IDP. Metadata includes:
- Instance Entity ID
- Redirection URL to Archer assertion consumer service
- Required Name ID preference
- Public key of signing and encryption certificate
- Preference for signed assertions from the IDP
Important: Save all pending changes before generating metadata. Regenerate the metadata after you revise the Instance Entity ID, base URL, or certificate thumbprint.
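As an added illustration (not Archer's own code), the following Python check reads an exported service provider metadata file and confirms that the items listed above are present and that the Instance Entity ID meets the URL-format and 1024-character requirements. The sample metadata, hostnames and certificate text are constructed placeholders, and the `known_entity_ids` parameter for catching duplicates across instances is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample of the kind of SP metadata described above; every value is a placeholder.
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://archer.example.com/ArcherInstance">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data>
    </ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://archer.example.com/Default.aspx" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_sp_metadata(xml_text, known_entity_ids=()):
    """Return a list of findings; an empty list means every item listed above is present."""
    findings = []
    root = ET.fromstring(xml_text)
    entity_id = root.get("entityID", "")
    parsed = urlparse(entity_id)
    if not (parsed.scheme and parsed.netloc):
        findings.append("entityID is not in URL format")
    if len(entity_id) > 1024:
        findings.append("entityID exceeds 1024 characters")
    if entity_id in known_entity_ids:  # must be unique per IDP across instances
        findings.append("entityID collides with another instance on the same IDP")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return findings + ["no SPSSODescriptor"]
    if sp.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("WantAssertionsSigned is not true")
    uses = {k.get("use") for k in sp.findall("md:KeyDescriptor", NS)}
    for use in ("signing", "encryption"):
        if use not in uses:
            findings.append(f"no {use} KeyDescriptor (certificate thumbprint not set?)")
    if sp.find("md:NameIDFormat", NS) is None:
        findings.append("no NameIDFormat")
    if sp.find("md:AssertionConsumerService", NS) is None:
        findings.append("no AssertionConsumerService (redirection URL)")
    return findings
```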
Identity Providers
- Complete the following fields to add an IDP, or select an existing IDP from the list to edit. If adding a second or multiple IDPs, click the add icon, and then complete the following (required):
- In the Display Name field, enter the display name for the new identifier. The identifier displays in the drop-down list on the Single Sign-on Decision Page. The display name is shown when the instance URL is provided without the IDP parameter.
- In the Realm field, enter the Realm name for the new IDP. The Realm field value, instance URL, and parameter name IDP can be used to skip the Single Sign-on Decision Page.
Example:
- Instance URL: https://archer.domain.com Realm: CorpIDP
- Going to https://archer.domain.com/default.aspx?IDP=CorpIDP skips the Decision Page and immediately redirects you to CorpIDP for authentication.
- Import identity provider SAML metadata (required).
- Click Import, and then browse to the metadata .xml file.
- Click OK to finish the import.
The IDP Metadata field shows the value of the EntityID contained in the entity descriptor from the metadata.
Note: If Required Encrypted Assertions is enabled, Archer will not accept unencrypted assertions from the IDP. A valid certificate thumbprint must be specified to require encrypted assertions.
- Select the appropriate Provisioning Settings for the selected IDP (Optional):
- Enable User Provisioning. If an account does not exist, a new account is created based on the username.
- Enable User Update. Profile information, including email address, street address, First Name, and Last Name, is updated each time a user successfully authenticates through SSO.
- Enable Group Update. Group membership is updated on each SSO.
- Enable Role Update. Role assignment is updated on each SSO.
- Enter the default First Name, Last Name, and User Role (required). Archer uses these defaults if no name and user roles were specified at the time of provisioning. Later you can edit these values for the new user.
- Click Save to save all configuration settings in the Single Sign-On tab.
Note: Any changes to the SSO section or IDP section are not saved until this step is completed.
Archer Supported Attribute Mapping for SAML
| Archer Field Name | Archer Supported Attribute Mapping |
|---|---|
| User Identity Information | |
| User Name* | NameID* |
| User Domain | UserDomain |
| First Name | FirstName |
| Last Name | LastName |
| Middle Name | MiddleName |
| Title | Title |
| Contact Details | |
| Address | FullAddress, or Street, City, State, Zipcode |
| Company | Company |
| Default Email Address | EmailAddress |
| Phone 1 | PhoneNumber |
| Localization | |
| Time Zone | TimeZoneId |
| Account Maintenance | |
| Security Parameter | SecurityParameterId |
| Access Roles/Groups | |
| Groups | Group/Groups. Use Group for a single-value attribute and Groups for a multiple-value attribute. |
| Roles | Role/Roles. Use Role for a single-value attribute and Roles for a multiple-value attribute. |
Note: To update the user address, use one of the following:
- FullAddress attribute. The Address field in the User Profile updates with the values provided in this attribute.
- Street, City, State, Zipcode attributes. The Address field updates with the values of Street, City, State, and Zipcode.
Note: See Supported Time Zone ID Values for a list of all Archer Supported Time Zone ID Values.
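As an added example, not code from Archer, the following Python maps a SAML NameID and attribute statement onto the Archer fields in the table above, applying the Group/Groups and Role/Roles single- versus multi-value rule, the FullAddress-or-parts address rule from the note, and the provisioning defaults for First Name, Last Name and User Role. The attribute values and defaults are constructed, and giving FullAddress precedence when both forms arrive is an assumption.

```python
# Attribute names from the Archer SAML mapping table, keyed by Archer field.
SIMPLE_ATTRS = {
    "User Domain": "UserDomain", "First Name": "FirstName", "Last Name": "LastName",
    "Middle Name": "MiddleName", "Title": "Title", "Company": "Company",
    "Default Email Address": "EmailAddress", "Phone 1": "PhoneNumber",
    "Time Zone": "TimeZoneId", "Security Parameter": "SecurityParameterId",
}
ADDRESS_PARTS = ("Street", "City", "State", "Zipcode")

def build_profile(name_id, attrs, defaults):
    """Map a SAML NameID plus attribute statement (name -> list of values)
    onto Archer profile fields and return them as a dict."""
    if not name_id:
        raise ValueError("NameID is required; Archer cannot match a user without it")
    profile = {"User Name": name_id}
    for archer_field, attr in SIMPLE_ATTRS.items():
        if attrs.get(attr):
            profile[archer_field] = attrs[attr][0]
    # Address: FullAddress, or Street/City/State/Zipcode joined in that order.
    # Assumption: FullAddress wins if an IDP sends both forms.
    if attrs.get("FullAddress"):
        profile["Address"] = attrs["FullAddress"][0]
    elif any(attrs.get(p) for p in ADDRESS_PARTS):
        profile["Address"] = ", ".join(attrs[p][0] for p in ADDRESS_PARTS if attrs.get(p))
    # Group/Groups and Role/Roles: merge the single-value and multi-value forms.
    for archer_field, single, multi in (("Groups", "Group", "Groups"), ("Roles", "Role", "Roles")):
        values = list(attrs.get(single, [])) + list(attrs.get(multi, []))
        profile[archer_field] = sorted(set(values))
    # Provisioning defaults apply only when the IDP sent no name or no roles.
    profile.setdefault("First Name", defaults["First Name"])
    profile.setdefault("Last Name", defaults["Last Name"])
    if not profile["Roles"]:
        profile["Roles"] = [defaults["User Role"]]
    return profile

# Constructed sample attribute statement (attribute name -> list of values).
SAMPLE_ATTRS = {
    "UserDomain": ["CORP"], "FirstName": ["Alice"],
    "Street": ["1 Main St"], "City": ["Springfield"], "Zipcode": ["12345"],
    "Groups": ["Auditors", "Risk Team"], "Role": ["General User"],
    "EmailAddress": ["alice@example.com"],
}
DEFAULTS = {"First Name": "Unknown", "Last Name": "Unknown", "User Role": "General User"}
```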