Creating a single sign-on service

To make single sign-on authentication available to your applications, create a single sign-on service.

You must have the following roles to perform this task:

  • manager
  • developer

Prepare the following information:

  • A unique name for the service. You can choose the default name or create your own.
  • A unique identifier for the service. This ID becomes the URL prefix for the service's endpoints. You are prompted for it when you create a new service that does not yet have an ID. The ID can be up to 63 characters long and must start with an alphanumeric character. Because identity providers and applications are configured against URLs that contain this ID, choose a value that you will not need to change later.

This task is the first step in configuring single sign-on authentication. The entire process involves the following steps:

  1. Creating the single sign-on service.
  2. Adding one or more identity sources to the service.

The service is then ready for use with applications.

To create the single sign-on service:

  1. Log in to ExchangeAware Management Portal.
  2. Click ADD A SERVICE.
  3. Click Single Sign On.
  4. In the App field, click Leave unbound to create only the service.
  5. In the Service field, a name is displayed. Use this name or replace it.
  6. Click Create.
  7. Type a unique ID for the service.
  8. Click Continue.

Continue with the steps for adding one or more identity sources to the service.

Adding a SAML Enterprise identity source

The SAML Enterprise identity source authenticates users against your own (local) user registry through a SAML 2.0 identity provider. The service acts as the SAML service provider and exchanges SAML messages with the identity provider to complete the authentication.

Prepare the following information:

  • A URL from your identity provider that initiates the single sign-on process.
  • A SAML 2.0 identity provider metadata file. Obtain this file from the administrator of the user registry. It contains the identity provider's entity ID, single sign-on endpoints, and signing certificate, so obtain it over a trusted channel and check it before you import it. You import this file as part of setting up your connection. In a subsequent step, you export a service provider metadata file and provide that file to the user registry administrator.

For more information about using SAML single sign-on, see SAML overview.

You can download the appliance from the ExchangeAware Identity panel.

  1. Open an existing service or continue configuring the new service you are creating.
  2. On the Add New Identity Source page, click SAML Enterprise.
  3. Configure the connection to the identity source.
    1. Type a name for the identity source.
    2. Upload the SAML 2.0 identity provider metadata file. Obtain this file from the administrator of the user registry.
    3. Type the URL that initiates the single sign-on process.
    4. Download the SAML 2.0 service provider metadata file. Provide this file to the administrator of the user registry.
    5. Click Save to save the identity source configuration.
  4. The connection is enabled by default. If you do not want to make it available to your application developers, select Disabled.
  5. Click the identity source and then click the gear icon. Review the Auto Consent setting. When Auto Consent is on, an application bound to the service can retrieve the user's identity information without asking the user for consent. Turn it off to prompt the user for consent before identity information is released to the application.
  6. Click Save to save the Auto Consent setting.
  7. To verify access to the identity source, click Verify. A link to the login page is provided. Click the link to try logging in.

Configure other connections for your service. When you configure all the connections, the service is ready to use. Create and configure applications and bind the applications to the service.

Adding a Cloud Directory identity source

The Cloud Directory identity source uses a user registry that is hosted in the Cloud. The Cloud Directory hosts password policies and user information.

Before users can access an application, they need to be added to the registry. Populate the registry with the information about the users. You can also configure the password policy that will be used when users log in to the application. You can configure:

Password Policy

 Enforces how users must create passwords. No password may contain the user name.

  • No Security – No restrictions are placed on user passwords.
  • Basic Security – No restrictions are placed on user passwords.
  • Medium Security – A user password must meet the following requirements:
    • Consists of at least eight characters
    • Contains at least two special characters
  • High Security – A user password must meet the following requirements:
    • Consists of at least eight characters
    • Contains at least two special characters

Passwords expire after 180 days. A new password must differ from the previous one by at least four characters. A user account is locked after 10 unsuccessful login attempts. If you change the password policy for the user registry, the change applies to all users.

User information

  • User name
  • Password
  • Given name
  • Surname
  • Email

  1. Open an existing service or continue configuring the new service you are creating.
  2. On the Add New Identity Source page, click Cloud Directory.
  3. Configure the connection to the identity source.
    1. Type a name for the identity source.
    2. Click Save.
    3. To add users to the directory, select Cloud Directory.
    4. Click the gear icon, complete the user fields, and click Save. To modify, delete, or disable a user, select the user and click the icon for the action you want to take.
    5. Click Save to save the identity source configuration.
  4. The connection is enabled by default. If you do not want to make it available to your application developers, select Disabled.
  5. Click the identity source and then click the gear icon. Review the Auto Consent setting. When Auto Consent is on, an application bound to the service can retrieve the user's identity information without asking the user for consent. Turn it off to prompt the user for consent before identity information is released to the application.
  6. Click Save to save the Auto Consent setting.

Configure other connections for your service. When you configure all the connections, the service is ready to use. Create and configure applications and bind the applications to the service.

Adding a social identity source

You can use the identity sources from one or more social networks, such as Google, LinkedIn, or Facebook.

  1. Open an existing service or continue configuring the new service you are creating.
  2. On the Add New Identity Source page, click one of the social identity sources:
    • Facebook
    • Google
    • LinkedIn
  3. Configure the connection to the identity source.
    • Type a name for the identity source.
    • Click the link to the social network and complete its registration process. Be sure to copy the input tokens (such as the key and secret, or the ID and secret) that are provided to you during registration. These values are the credentials that identify your service to the social network: paste them only into the portal, store them as secrets, and do not commit them to source control or share them in tickets or chat.
    • Paste the input tokens into the corresponding fields.
    • Click Save to save the identity source configuration.
  4. The identity source is enabled by default. If you do not want to make it available to your application developers, select Disabled.
  5. Click the identity source and then click the gear icon. Review the Auto Consent setting. When Auto Consent is on, an application bound to the service can retrieve the user's identity information without asking the user for consent. Turn it off to prompt the user for consent before identity information is released to the application.
  6. Click Save to save the Auto Consent setting.
  7. To verify access to the identity source, click Verify. A link to the login page is provided. Click the link to try logging in.

Configure other connections for your service. When you configure all the connections, the service is ready to use. Create and configure applications and bind the applications to the service.