Enable SAML SSO

Some of the benefits of Security Assertion Markup Language (SAML) SSO are secure authentication, centralized access control, and minimal password maintenance. SAML SSO can be enabled for the ColorTokens Spectrum portal user accounts managed from identity providers (IdPs) such as Azure AD, Active Directory Federation Services (ADFS), or OneLogin.


SAML SSO on Spectrum

SAML SSO is an organization-wide setting in the Spectrum portal and is mapped to an Azure, ADFS or OneLogin tenant. The user experience for logging in to the Spectrum portal differs depending on whether SAML SSO is enabled or disabled.


Prerequisites

  • You must be an Org Admin for the organization in the Spectrum portal to enable SAML SSO.

  • You must have the privileges of the Application Administrator role in Azure AD or an equivalent role on OneLogin to extract the federation metadata and integrate with Azure AD or OneLogin.

  • You must have the following to deploy ADFS on your setup:

    • an on-premises Active Directory domain
    • Windows Server 2012 R2 (qualified with Spectrum) or later
    • at least one server in the organization's domain that serves as the ADFS server, which can be the same as the domain controller
  • You must open the HTTPS port on the corporate firewall for an on-prem hosted ADFS.
  • You must disable MFA in the Spectrum portal to enable SAML SSO. However, the MFA solution offered by the IdP can be enabled along with SAML SSO so that the IdP governs MFA (qualified with MS Azure).
  • All the users you want to add to the organization and its app instances must be a part of the Spectrum instance through which you enable SAML SSO. Also, the users must be added as users or groups of users of the:
    • Non-gallery application in the Azure portal to enable SAML SSO for the organization
    • OneLogin application

Enable SAML SSO with Active Directory Federation Services (ADFS)

Enabling SAML SSO requires that you have access to the Spectrum portal.

  1. Do the following on the Spectrum portal:

    1. Log in as an Org admin and click the profile icon (on the top-right corner of the banner).

    2. Click My Account.

    3. In the SAML SSO area, disable MFA if it is already enabled and click Configure Now.

    4. In the fly panel, click Export ColorTokens Metadata to download the ColorTokens metadata XML.


  2. Do the following to add the relying party trust and establish the connection between the ADFS server and the application:

    1. Open ADFS Management, select Relying Party Trust and click Add Relying Party Trust.

    2. Click Start.

    3. Select the Import data about the relying party from a file option and upload the metadata XML that you downloaded from the Spectrum portal.
    4. Enter the Display name and click Next.
    5. Select Configure multi-factor authentication settings for this relying party trust if you require MFA and click Next. You may choose the default option if you do not require MFA.

    6. Select Permit all users to access this relying party option, click Next and click Finish to add the relying party trust.

    7. Select Send LDAP Attributes as Claims in the Claim rule template drop-down menu and click Next.

    8. Enter the claim rule name, select Active Directory from the Attribute store drop-down menu, map the LDAP attributes and click Finish.

      Manually enter the email address in lower case in the Outgoing Claim Type field. The E-Mail-Address attribute must be mapped to the claim type Name ID in the ADFS claim rule for the particular relying party trust. The email address that is picked up for the Name ID claim should be configured for the user in the <user> Properties > General > E-mail field on the AD/LDAP.
    The ADFS server and the resource where CT Endpoint is installed should be in the same time zone, and their clocks should be synchronized.

  3. Do the following to download the Federation Metadata XML:

    1. Update the customer domain details in the URL https://<customerdomain.local>/FederationMetadata/2007-06/FederationMetadata.xml and open the same URL in a Firefox browser to save the Federation Metadata XML.

      In the URL, provide the full computer name in place of customerdomain. The full computer name includes the computer name and the domain name.
      For example, https://win2012-adfs.colortokens.net/FederationMetadata/2007-06/FederationMetadata.xml.
  4. Do the following on the Spectrum portal:

    1. In the Upload the Federation Metadata XML from Identity provider here text box, upload the federation XML.

    2. Click Done.

    3. Click Validate and Enable SAML.

    4. Upon successful validation, you will see that SAML is On.


Enable SAML SSO with Azure AD

The steps listed here are for SSO with Azure AD. Enabling SAML SSO requires that you have access to the Spectrum portal and the Azure portal.

  1. Do the following on the Spectrum portal:

    1. Click the profile icon (on the top-right corner of the banner).

    2. Click My Account.

    3. In the SAML SSO area, click Configure Now.

    4. In the fly panel, click Export ColorTokens Metadata.

  2. Do the following on the Azure portal:

    1. Create a Non-gallery application.

    2. On the Users and groups page of the application, add the Azure AD users who must become Spectrum portal users (Instance Admins, Asset Managers, Policy Managers, and User Managers) for the instance.

    3. Click Upload metadata file and upload the ColorTokens metadata file.

    4. Download the Federation Metadata XML from Azure AD.

  3. Do the following on the Spectrum portal:

    1. In the Upload the Federation Metadata XML from Azure here text box, upload the federation XML from Azure AD.

    2. Click Done.

    3. Click Validate and Enable SAML.

      Upon successful validation, you will see that SAML is On.


Enable identity provider-initiated login

You need to configure two parameters to enable both service provider-initiated and identity provider-initiated login.

Let us walk through the flow with OneLogin as an example identity provider.


  1. Do the following on the OneLogin portal:

    1. Log in to OneLogin as an admin.

    2. Select the application from the Applications tab and click Configuration.

    3. Enter the Audience (EntityID), Recipient, ACS (Consumer) URL Validator, and ACS (Consumer) URL. 

    4. Select OneLogin from the SAML initiator field dropdown menu.

    5. Select Parameters and click + to add a new field in the SAML Custom Connector (Advanced) Field pane.

    6. Enter the string emailaddress, select the Include in SAML assertion checkbox and save your field.

    7. Select value as email and save your custom parameter. 

After configuring the SAML custom connector, log in to the OneLogin authentication page and click the ColorTokens application.

The user must be part of the IdP and have access to the application. For example, the user must have access to the Spectrum portal and be a part of OneLogin.

Disable SAML SSO

Disabling SAML SSO for the instance disables SAML-based authentication and the associated MFA features you may have set up in the IdP.

We highly recommend that you do not disable SAML SSO for Spectrum user accounts unless you were originally using it for testing purposes.

  • Turn off SAML SSO (the toggle turns grey).


User experience

  • SAML SSO not enabled - users must use the login credentials they created when they activated their Spectrum portal account.

  • SAML SSO enabled - if users are already logged in to their Microsoft account, they can access the portal without additional authentication.

  • SAML SSO disabled - users receive an email to enable their user accounts for password-based authentication. The users must activate their accounts by clicking the link in the email. This is required to ensure that the users can log in to the portal.
