Enabling SSO via SAML

What is SAML?

iPass uses Security Assertion Markup Language (SAML) metadata from your identity provider to configure single sign-on (SSO) for end users. SAML is an XML standard that lets a user authenticate once and then access related but separate web services. With SSO, a single initial authentication activates an iPass device and provides Open Mobile (OM) network access.

Once SAML is configured, an end user can start from a freshly installed iPass device client, sign into the company SSO Identity Provider (IDP), and activate the client without having to re-authenticate.

Currently, SSO is supported only for hosted customers. There is no support for RoamServer customers.

Overview

Several phases and steps are involved in setting up SSO:

  • Administrators add the iPass app from their identity provider's app directory
  • Administrators retrieve the SAML IDP metadata from the Okta, OneLogin, or Ping console
  • Administrators send the SAML metadata to iPass Support by email
  • iPass configures SSO for the customer
  • Administrators assign users to the iPass app in the IDP's admin console

After all the necessary steps are done, end users can use SSO to activate their device. Optionally, administrators can configure SCIM through the IDP admin console for cloud-based user management options.

Before You Start

You must make sure that ACA is enabled and has these configuration settings:

  • A Favorite Profile with a Production Profile is available for the platform
  • The Email Domain is provisioned in Activation Setup
  • Self-Registration is allowed

Getting SAML Metadata

In order to configure SSO, iPass must have IDP metadata from your organization’s identity provider.

Getting SAML Metadata via Okta

To retrieve IDP metadata from Okta:

  1. Open the Okta admin console.
  2. Click the iPass app. If the iPass app is not in your company app directory, click the Applications menu and add the iPass app from the Okta app network.
  3. Click the Sign On tab in the iPass app.
  4. Click the View Setup Instructions button.

The Okta administrator console

Copy the content of the “Provide the following IDP metadata to your SP Provider” box and send it, along with the name of your IDP, to iPass Support.

Getting SAML Metadata via OneLogin

To retrieve IDP metadata from OneLogin:

  1. Open the OneLogin admin console.
  2. Select the iPass app. If you don't see the iPass app, add it from the OneLogin catalog.
  3. In the iPass app, open the MORE ACTIONS drop-down menu and select SAML Metadata.
  4. Save the IDP metadata as an XML file.
  5. Attach the XML file to an email and send it, along with your Identity Provider information, to iPass Support.

The OneLogin administrator console

Getting Metadata via Ping

  1. Open the Ping admin console.
  2. Select the iPass app. If the iPass app is not yet part of your Ping environment, go to Applications and add it from the Application Catalog.
  3. Click the Download option next to SAML Metadata.
  4. Save the IDP metadata as an XML file.
  5. Attach the XML file to an email and send it, along with your Identity Provider information, to your iPass Support contact.

The Ping administrator console

Configuring Single Sign On

Turning SSO on Via the Open Mobile Portal

iPass Support configures SSO after receiving metadata. To configure SSO:

  1. In the OM Portal, go to Hosted Setup and turn on ACA.
  2. Select the SSO checkbox.
  3. Go to Hosted Users > Setup Company Preference.
  4. Set Identity Provider to the IDP name you sent.
  5. Set IDP Metadata to the metadata you sent.
  6. Generate a SCIM Bearer Token if your company requires SCIM support.

Allow Hosted Authentication

Getting the Bearer Token from the OM Portal

After SSO Setup: Assign Users to iPass!

Once iPass completes SSO configuration, administrators can assign users to iPass through the IDP admin console. That's it!

SCIM Setup

System for Cross-domain Identity Management (SCIM) is an optional, cloud-based standard for administering users.

Once SCIM is up and running, an admin can provision, update, and deprovision users to the iPass service directly and automatically through the IDP consoles.

SCIM Bearer Token

A SCIM Bearer Token is generated in the Hosted Users > Setup Company Preference section of the OM Portal. You will use the token to enable SCIM if you decide to implement SCIM.

SCIM Configuration for OneLogin

You must request and receive a SCIM Bearer Token from iPass Support.

Entering the Bearer Token

  1. In the OneLogin admin console, open the iPass app's Configuration tab and enter the SCIM Bearer Token that you received from iPass Support.
  2. Select Connect to API. For the SCIM Base URL, enter https://openmobile.ipass.com/moservices/scim/v1
  3. Leave the “SCIM JSON Template” field empty. OneLogin then uses the default SCIM JSON template for iPass, which is:

     {
       "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
       "userName": "{$user.email}",
       "active": true,
       "name": {"givenName": "{$user.firstname}", "familyName": "{$user.lastname}"},
       "emails": [{"value": "{$user.email}", "primary": true, "type": "main"}]
     }

Using the Bearer Token on the Configuration tab

Enabling Provisioning

  1. Go to the Provisioning tab.
  2. Check “Enable provisioning for iPass”.
  3. If you leave the check boxes under “Require admin approval before this action is performed in iPass” checked, an administrator must approve each of those actions before OneLogin sends it to iPass.
  4. Choose “Suspend” from the drop-down list (the action OneLogin performs in iPass when a user is deleted or loses access to the app), so that such users are suspended rather than deleted.

Enabling provisioning
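To make the template and the provisioning choices concrete, here is an added example (not iPass or OneLogin code) that renders the default OneLogin SCIM JSON template for a sample user, validates the result against what SCIM 1.1 requires, and builds, without sending, the three requests the IDP issues over a user's lifecycle: create on assignment, suspend or delete on removal. It assumes the iPass endpoint follows the standard SCIM 1.1 resource layout (/Users under the base URL) and treats PATCH {"active": false} as a suspend; the bearer token, the SCIM id and the user record are constructed values.

```python
"""What the IDP sends to the iPass SCIM endpoint once provisioning is enabled.

Added example, not iPass or OneLogin code. Assumes the endpoint follows the
SCIM 1.1 layout (/Users under the base URL) and accepts PATCH {"active": false}
as a suspend; token, SCIM id and user record below are constructed values.
"""
import json
import re
import urllib.request

SCIM_BASE_URL = "https://openmobile.ipass.com/moservices/scim/v1"  # from the OneLogin setup above

# Default OneLogin template for iPass, as shown above. {$user.field} macros are
# filled from the OneLogin user record at provisioning time.
TEMPLATE = (
    '{"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:enterprise:1.0"],'
    '"userName":"{$user.email}","active":true,'
    '"name":{"givenName":"{$user.firstname}","familyName":"{$user.lastname}"},'
    '"emails":[{"value":"{$user.email}","primary":true,"type":"main"}]}'
)

# Constructed OneLogin-style user record and token. The token is a credential:
# keep real ones out of examples, tickets and logs.
SAMPLE_USER = {"email": "ada.lovelace@example.com", "firstname": "Ada", "lastname": "Lovelace"}
SAMPLE_TOKEN = "scim-token-placeholder"


def render_template(template, user):
    """Substitute {$user.field} macros and parse the result as JSON.

    Each value is JSON-escaped before insertion, so a quote or backslash in a
    display name cannot break out of its string and corrupt the document.
    """
    def macro(m):
        key = m.group(1)
        if key not in user:
            raise KeyError("template needs user.%s, which the IDP record lacks" % key)
        return json.dumps(str(user[key]))[1:-1]  # escaped contents without the surrounding quotes
    return json.loads(re.sub(r"\{\$user\.(\w+)\}", macro, template))


def validate_scim_user(doc):
    """Return problems with a SCIM 1.1 User document; an empty list means it fits this template."""
    problems = []
    if "urn:scim:schemas:core:1.0" not in doc.get("schemas", []):
        problems.append("schemas must include the SCIM 1.1 core schema")
    if not doc.get("userName"):
        problems.append("userName is required")
    if not isinstance(doc.get("active"), bool):
        problems.append("active must be a JSON boolean, not a string")
    primary = [e for e in doc.get("emails", []) if e.get("primary")]
    if len(primary) != 1:
        problems.append("exactly one primary e-mail is expected")
    elif primary[0].get("value") != doc.get("userName"):
        problems.append("the iPass template expects userName to equal the primary e-mail")
    return problems


def scim_request(token, method, path, body=None):
    """Build, but do not send, the HTTP request the IDP would make."""
    data = None if body is None else json.dumps(body).encode("utf-8")
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    if data is not None:
        headers["Content-Type"] = "application/json"
    return urllib.request.Request(SCIM_BASE_URL + path, data=data, headers=headers, method=method)


def lifecycle_requests(token, user, scim_id):
    """Create on assignment; suspend (the 'Suspend' choice above) or delete on removal."""
    return {
        "create": scim_request(token, "POST", "/Users", render_template(TEMPLATE, user)),
        "suspend": scim_request(token, "PATCH", "/Users/" + scim_id,
                                {"schemas": ["urn:scim:schemas:core:1.0"], "active": False}),
        "delete": scim_request(token, "DELETE", "/Users/" + scim_id),
    }


def request_body(req):
    """Decode a built request's JSON body (None for bodiless requests such as DELETE)."""
    return None if req.data is None else json.loads(req.data.decode("utf-8"))


if __name__ == "__main__":
    for name, req in lifecycle_requests(SAMPLE_TOKEN, SAMPLE_USER, "2819c223").items():
        print(name, req.get_method(), req.full_url)
        print("  body:", request_body(req))
    print("validation:", validate_scim_user(render_template(TEMPLATE, SAMPLE_USER)) or "ok")
```

The suspend request is why “Suspend” is the safer drop-down choice: the iPass record survives with active set to false, so a user removed by mistake can be re-enabled without re-provisioning, whereas DELETE removes the record outright.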

The SCIM standard was designed to simplify user management. Once SSO and SCIM are enabled, you can manage user identity for iPass from a standardized, cloud-based, cross-domain platform.

 

©2015 iPass Inc. All rights reserved. Terms of Use