Single sign-on (SSO) is an authentication method that enables users to access multiple applications with one login and one set of credentials. For example, after users log in to your instance of Ordway, they can automatically access all applications. You can set up your Ordway instance to trust a third-party identity provider to authenticate users.
When you set up SSO, you configure one system to trust another to authenticate users, eliminating the need for users to log in to each system separately. The system that authenticates users is called an identity provider. The system that trusts the identity provider for authentication is called the service provider.
For example, you can configure Google as an identity provider to authenticate users accessing your Ordway instance, so users log in to your instance using their Google credentials. In this example, Ordway acts as the service provider, trusting Google to accurately authenticate users.
Ordway supports SSO with SAML. To set up a SAML SSO implementation where Ordway is the service provider, refer to the following sections, which describe the setup steps for different identity providers. Ordway controls SSO at the instance level and at the user level: SSO must be enabled at the instance level, and the setup completed, before the user-level SSO flag is enabled. Contact Ordway Support to enable SSO in your instance.
The first step in enabling SSO is setting up Ordway as a service provider in your identity provider (IdP). Example setups for some common providers are described in the following sections. After you configure SSO, enable Single Logout so users can log out of the service provider and the identity provider at the same time.
After a user is enabled for SSO, that user is required to log in using SSO only when the login page is accessed; their regular Ordway user ID/password login will no longer work. Clicking the Login with SSO button prompts for the user ID established in the SSO identity provider. Clicking the Login button takes the user through the SSO login process, and on completion the user lands on the Ordway home page.
The following sections provide examples of the setup in different SSO identity providers.
- Steps to Set up SSO with Google as Identity Provider
- Steps to Set up SSO with LastPass as Identity Provider
- Steps to Set up SSO with Auth0 as Identity Provider
- Steps to Set up SSO with Okta as Identity Provider
Steps to Set up SSO with Google as Identity Provider
- First, complete the Google SAML (IDP) setup.
- Go to the Google Admin Console and navigate to Apps -> Web and Mobile Apps.
- Click Add app -> Add custom SAML app.
- Enter details such as the App name and click Continue.
- Copy the SHA256 Fingerprint; it goes into the IDP Fingerprint field of the SSO Setup configuration in the Ordway application.
  Also copy the SSO URL, which is used to build the Target URL / SSO Login URL in Step 8.
- Enter the ACS URL and Entity ID, which are the Callback URL and Entity ID from the SSO setup in the Ordway application.
  Also select EMAIL as the NameID format.
- Select Primary email under Basic preference and enter EmailAddress under App attributes.
- The SAML application is created, but it is OFF for everyone by default. Click View details under User access.
- Select the ON for everyone radio button.
- When you open your SAML application, you will see an ID in the address bar as shown in the screenshot below. Copy this ID (known as the spid, the service provider ID).
- The Target URL / SSO Login URL in the Ordway SSO Setup page is created by combining the idpid from Step 2 and the spid from Step 7.
  e.g.: the SSO URL from Step 4 here is https://accounts.google.com/o/saml2/idp?idpid=C02h4b09h
  and the spid is 176532576900
  Therefore, the Target URL / SSO Login URL will be
  https://accounts.google.com/o/saml2/initsso?idpid=C02h4b09h&spid=176532576900&forceauthn=false
  Copy this and paste it into the Target URL / SSO Login URL field of SSO Setup in the Ordway SSO Setup page in the next steps.
- Enable SSO in Ordway via Menu > Setup > General Settings > Enable SSO toggle, and Save.
- Navigate to Menu > Setup > Security > SSO and populate the SSO fields from Step 8.
Note: Logging out from the IdP depends on whether the IdP supports this feature.
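As an added example (not Ordway's or Google's own code), the following Python builds the Target URL / SSO Login URL from the SSO URL and the spid exactly as the Google steps above describe, checking on the way that the pasted values have the expected shape. The sample values are the ones quoted in the steps above.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

# Sample values taken from the Google steps above.
SSO_URL = "https://accounts.google.com/o/saml2/idp?idpid=C02h4b09h"
SPID = "176532576900"


def extract_idpid(sso_url: str) -> str:
    """Pull the idpid out of the SSO URL shown on the Google SAML app page."""
    parts = urlsplit(sso_url)
    # Guard against pasting a URL from the wrong screen or provider.
    if parts.scheme != "https" or parts.netloc != "accounts.google.com":
        raise ValueError("SSO URL is not a Google accounts URL: %r" % sso_url)
    values = parse_qs(parts.query).get("idpid", [])
    if len(values) != 1 or not values[0]:
        raise ValueError("SSO URL does not carry exactly one idpid")
    return values[0]


def build_target_url(sso_url: str, spid: str, force_authn: bool = False) -> str:
    """Build the Target URL / SSO Login URL for the Ordway SSO Setup page.

    force_authn=False reproduces the forceauthn=false shown in the steps; True
    asks Google to re-authenticate even if the user already has a session.
    """
    # The spid copied from the address bar is purely numeric.
    if not spid.isdigit():
        raise ValueError("spid should be the numeric id from the address bar, got %r" % spid)
    query = urlencode({
        "idpid": extract_idpid(sso_url),
        "spid": spid,
        "forceauthn": "true" if force_authn else "false",
    })
    return "https://accounts.google.com/o/saml2/initsso?" + query


if __name__ == "__main__":
    print(build_target_url(SSO_URL, SPID))
```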
Steps to Set up SSO with LastPass as Identity Provider
- Navigate to https://www.lastpass.com/ and create a business account (14-day free trial).
- After creating an account, click Applications and navigate to SSO apps.
- Click Add App; in the side panel you will see an option to generate a SAML key.
- Click the “click here” button and wait 20-30 minutes for the apps to appear in the panel.
- Choose Custom Service from the list of apps.
- Fill in the Service Provider configuration as below:
- Service Provider entity ID is OrdwayLabs Inc.
- Assertion Consumer Service “ACS URL” is the callback URL; you can add the sso_provider parameter (from the Provider input on the SSO setup page) here, like {{url}}/auth/saml/callback?sso_provider=<provider>
  <provider> is the Provider field on the Ordway SSO setup page.
  Eg: http://dev.ordwaylabs.com/auth/saml/callback?sso_provider=
- The Single Sign-On (SSO) URL is used when logging in to the Ordway application and passing that information to LastPass for authentication. Since LastPass handles this, the SSO URL is not required in our application.
- The Identity Provider Entity ID is associated with the configuration of the SSO URL. Therefore, it is also not needed in our application.
- The Launch URL is treated as the sso_target URL, where authentication occurs at the IdP.
- Enter the NameID format and a custom attribute for the email.
- The default NameID format is set to "emailAddress" and the NameID is mapped to "Email Address"; this configuration is used as the default setting. However, some Identity Providers (IdPs) may use a different default name for the email address. To ensure consistency within the Ordway application and prevent compatibility issues with other IdPs, we are adding a custom attribute named "EmailAddress" for the email address.
- Select the key and tick the checkbox for authentication; the key here is SHA1, as it contains 40 characters (not counting colons).
- Save the configuration.
- The values in the Ordway application from the LastPass configuration will look like:
- Navigate to the Users tab from above and add the user via invite email:
- After adding the user, navigate to your email, copy the activation code, click Activate LastPass, and set the password for LastPass.
Steps to Set up SSO with Auth0 as Identity Provider
1. Log in to the Auth0 console and create the Ordway SSO provider by navigating to Applications -> SSO Integrations. Steps for this can be found in the Auth0 documentation.
- Navigate to Applications -> SSO Integrations -> <<ordway SP>>
- Click the ‘Tutorial’ tab.
- Copy the Login URL, Fingerprint, and type of algorithm (here, “SHA1”); these serve as the target URL, fingerprint, and fingerprint algorithm respectively.
2. Log in to Ordway and navigate to Menu > Setup > Security > SSO Setup.
- Fill in the values of the IdP on the SSO portal.
3. Enable the “Enable SSO” toggle on the individual User Settings page. When SSO is disabled, an error is presented when attempting to ‘Login with SSO’.
Steps to Set up SSO with Okta as Identity Provider
1. Log in to the Okta console and create the Ordway SSO provider by navigating to Applications. Steps for these can be found in the Auth0 documentation.
- Go to Applications > Applications in the Admin Console.
- Click Create App Integration.
- Select SAML 2.0 in the Sign-in method section.
- Click Next.
- On the General Settings tab, enter a name for your integration and optionally upload a logo. You can also choose to hide the integration from your end users' Okta dashboard or mobile app. Click Next.
- On the Configure SAML tab, use the SAML information that you gathered when you built your integration (listed in the Ordway section below).
In the Okta screen, enter the following information:
- In the Single sign on URL field, enter the Assertion Consumer Service (ACS) URL.
- Enter the Audience URI into the Audience URI (SP Entity ID) field.
- Enter the following test URL into the Single sign on URL and Audience URI (SP Entity ID) fields: http://example.com/saml/sso/example-okta-com
- Choose the Name ID format and Application username that must be sent to your application in the SAML response (for example, EmailAddress).
- In the Attribute Statements (optional) section, enter the SAML attributes to be shared with your application. Some Identity Providers (IdPs) may use a different default name for the email address. To ensure consistency within the Ordway application and prevent compatibility issues with other IdPs, we are adding a custom attribute named "EmailAddress" for the email address.
- Copy the Login URL, Fingerprint, and type of algorithm (here, “SHA1”); these serve as the target URL, fingerprint, and fingerprint algorithm respectively when entering the Ordway SSO setup.
- If Okta doesn't provide the fingerprint, you can download your X.509 certificate and run it through openssl in a terminal to calculate and show the fingerprint. The command:
  openssl x509 -in <name of cert>.crt -noout -fingerprint -sha256
  Use -sha1 instead of -sha256 if the fingerprint algorithm selected in the Ordway SSO setup is SHA1; the digest used for the fingerprint must match the algorithm configured in Ordway.
2. Log in to Ordway and navigate to Menu > Setup > Security > SSO Setup.
- Fill in the values of the IdP on the SSO portal.
3. Enable the “Enable SSO” toggle on the individual User Settings page. When SSO is disabled, an error is presented when attempting to ‘Login with SSO’.
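The openssl command in the Okta steps computes the certificate fingerprint. As an added example that is not part of the Ordway, Okta or LastPass documentation, the Python below does the same with the standard library (hash of the DER bytes inside the PEM armour, printed in openssl's colon-separated format), infers SHA1 vs SHA256 from the hex digit count the way the LastPass step does (40 digits = SHA1, 64 = SHA256), and checks a pasted fingerprint against the certificate before it goes into the Ordway SSO setup. The certificate is a constructed stand-in, not a real X.509 certificate; the hashing path is identical for a real one.

```python
import base64
import hashlib
import re

# Constructed stand-in for an IdP signing certificate: genuine PEM armour around
# arbitrary bytes, so the fingerprint path runs without shipping a real certificate.
STANDIN_DER = b"constructed stand-in DER bytes, not a real X.509 certificate"
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(STANDIN_DER).decode("ascii")
    + "-----END CERTIFICATE-----\n"
)

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_from_pem(pem: str) -> bytes:
    """Strip the PEM armour and whitespace and return the raw DER bytes."""
    match = PEM_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found in input")
    return base64.b64decode("".join(match.group(1).split()), validate=True)


def fingerprint(pem: str, algorithm: str = "sha256") -> str:
    """Fingerprint as openssl prints it: upper-case hex pairs joined by colons.
    algorithm mirrors the openssl digest flag, i.e. "sha1" or "sha256"."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("unsupported fingerprint algorithm %r" % algorithm)
    digest = hashlib.new(algorithm, der_from_pem(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def detect_algorithm(pasted: str) -> str:
    """Infer the digest from the hex digit count, colons ignored: 40 = SHA1, 64 = SHA256."""
    hexdigits = pasted.strip().replace(":", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", hexdigits):
        raise ValueError("fingerprint contains non-hex characters: %r" % pasted)
    lengths = {40: "SHA1", 64: "SHA256"}
    if len(hexdigits) not in lengths:
        raise ValueError("unexpected fingerprint length %d" % len(hexdigits))
    return lengths[len(hexdigits)]


def fingerprint_matches(pem: str, pasted: str) -> bool:
    """True if the fingerprint about to be pasted into Ordway belongs to this
    certificate, compared case- and colon-insensitively with the digest its length implies."""
    algorithm = detect_algorithm(pasted).lower()
    expected = fingerprint(pem, algorithm).replace(":", "")
    return expected == pasted.strip().replace(":", "").upper()


if __name__ == "__main__":
    for algo in ("sha1", "sha256"):
        print(algo.upper(), "Fingerprint=" + fingerprint(SAMPLE_PEM, algo))
```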