We use Security Assertion Markup Language (SAML) to retrieve metadata that configures single sign-on (SSO) for end users. SAML is an XML standard that lets a user sign on once for related but separate Web services. Initial, one-time authentication with SSO activates an iPass device and provides OM network access.
Once SAML is configured, an end user can start from a freshly installed iPass device client, sign into the company SSO Identity Provider (IDP), and activate the client without having to re-authenticate.
Currently, SSO is supported only for hosted customers. There is no support for RoamServer customers.
Several phases and steps are involved in setting up SSO:
After all the necessary steps are done, end users can use SSO to activate their device. Optionally, administrators can configure SCIM through the IDP admin console for cloud-based user management options.
You must make sure that ACA is enabled and has these configuration settings:
In order to configure SSO, iPass must have IDP metadata from your organization’s identity provider.
To retrieve IDP metadata from Okta:
The Okta administrator console
Copy the content of the “Provide the following IDP metadata to your SP Provider” box and send it, along with the name of your IDP, to iPass Support.
To retrieve IDP metadata from OneLogin:
The OneLogin administrator console
The Ping administrator console
iPass Support configures SSO after receiving metadata. To configure SSO:
Allow Hosted Authentication
Getting the Bearer Token from the OM Portal
Once iPass completes SSO configuration, administrators can assign users to iPass through the IDP admin console. That's it!
The optional cloud-based user management System for Cross-domain Identity Management (SCIM) is used to administer users.
Once SCIM is up and running, an admin can provision, update, and deprovision users to the iPass service directly and automatically through the IDP consoles.
A SCIM Bearer Token is generated in the Hosted Users > Setup Company Preference section of the OM Portal. If you decide to implement SCIM, you will use this token to enable it.
You must request and receive a SCIM Bearer Token from iPass Support.
Getting the Bearer Token
{
  "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
  "userName": "{$user.email}",
  "active": true,
  "name": {
    "givenName": "{$user.firstname}",
    "familyName": "{$user.lastname}"
  },
  "emails": [
    {"value": "{$user.email}", "primary": true, "type": "main"}
  ]
}
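The Bearer Token is the only credential protecting the SCIM endpoint, so both sides of the exchange matter: the IDP renders the user template above into a SCIM payload and sends it with an Authorization header, and the receiving service must check the token before it creates, updates or deactivates anything. The code below is an added example, not iPass's SCIM implementation or OneLogin's provisioning engine; the user record, the token value and the base URL are constructed placeholders, and no network request is made.

```python
import hmac
import json

SCIM_CORE = "urn:scim:schemas:core:1.0"
SCIM_ENTERPRISE = "urn:scim:schemas:extension:enterprise:1.0"

# Constructed directory record standing in for the attributes that the
# template's {$user.email}, {$user.firstname}, {$user.lastname} refer to.
SAMPLE_USER = {"email": "jdoe@example.test", "firstname": "Jane", "lastname": "Doe"}


def render_scim_user(user: dict) -> dict:
    """Build the SCIM 1.0 user payload (same shape as the template above)."""
    return {
        "schemas": [SCIM_CORE, SCIM_ENTERPRISE],
        "userName": user["email"],
        "active": True,
        "name": {"givenName": user["firstname"], "familyName": user["lastname"]},
        "emails": [{"value": user["email"], "primary": True, "type": "main"}],
    }


def build_request(token: str, payload: dict,
                  base_url: str = "https://scim.example.test/v1") -> dict:
    """What the IdP sends: POST /Users with the bearer token. Placeholder URL."""
    return {
        "method": "POST",
        "url": base_url + "/Users",
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/json"},
        "body": json.dumps(payload),
    }


def authorize(headers: dict, expected_token: str) -> bool:
    """Service-side token check: require the Bearer scheme, compare in constant time."""
    scheme, _, presented = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def validate_scim_user(payload: dict) -> list:
    """Reject payloads that would create an unusable or ambiguous account."""
    problems = []
    if SCIM_CORE not in payload.get("schemas", []):
        problems.append("core schema missing")
    if not payload.get("userName"):
        problems.append("userName missing")
    if not isinstance(payload.get("active"), bool):
        problems.append("active must be boolean")
    primaries = [e for e in payload.get("emails", []) if e.get("primary")]
    if len(primaries) != 1:
        problems.append("exactly one primary email required")
    return problems


def handle_provision(request: dict, expected_token: str, store: dict) -> tuple:
    """Minimal receiving side: authenticate first, validate, then upsert.

    Returns (http_status, response_body). Deprovisioning travels the same
    path: the IdP resends the user with "active": false and the upsert
    records it, so a deactivated user is never silently dropped.
    """
    if not authorize(request["headers"], expected_token):
        return 401, {"detail": "invalid or missing bearer token"}
    payload = json.loads(request["body"])
    problems = validate_scim_user(payload)
    if problems:
        return 400, {"detail": problems}
    store[payload["userName"]] = payload
    return 201, {"id": payload["userName"]}


if __name__ == "__main__":
    token = "constructed-token-value"   # placeholder, not a real SCIM token
    users = {}
    req = build_request(token, render_scim_user(SAMPLE_USER))
    print(handle_provision(req, token, users))
    print(handle_provision(build_request("wrong", render_scim_user(SAMPLE_USER)), token, users))
```

Two design points carry over to any real deployment: the token comparison uses `hmac.compare_digest` so that response timing does not leak how many leading characters of a guess were correct, and authorization runs before the body is parsed, so an unauthenticated caller cannot exercise the JSON parser or the validation logic at all.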
Using the Bearer Token on the Configuration tab
Enabling provisioning
The SCIM standard was intended to simplify user management. Once you have enabled SSO and SCIM, you can better manage user identity from a standardized, cloud-based, cross-domain platform.