manag_profiles [2015/10/02 18:59] jleger
manag_profiles [2015/10/02 19:00] (current) jleger
====== Enabling SSO via SAML ======
== What is SAML? ==
We use Security Assertion Mark-up Language (SAML) to retrieve metadata that configures single sign on (SSO) for end users. SAML is an XML standard that lets a user sign on once for related but separate Web services. Initial, one-time authentication with SSO activates an iPass device and provides OM network access.

Once SAML is configured, an end user can start from a freshly installed iPass device client, sign into the company SSO Identity Provider (IDP), and activate the client without having to re-authenticate.

Currently, SSO is supported only for hosted customers. There is no support for RoamServer customers.

=== Overview ===
Several phases and steps are involved in setting up SSO:
   * Administrators must add the iPass app from their identity provider's app directory
   * Administrators must retrieve SAML metadata via the Okta, OneLogin, or Ping consoles
   * The SAML metadata has to be sent to iPass via email
   * iPass configures SSO for the customer
   * Administrators assign users to the iPass app via the IDP's admin console

After all the necessary steps are done, end users can use SSO to activate their device. Optionally, administrators can configure SCIM through the IDP admin console for cloud-based user management.

=== Before You Start ===
You must make sure that ACA is enabled and has these configuration settings:
   * A Favorite Profile is available for the platform that has a Production Profile
   * The Email Domain is provisioned in Activation Setup
   * Self-Registration is allowed
 +
===== Getting SAML Metadata =====
In order to configure SSO, iPass must have IDP metadata from your organization's identity provider.

=== Getting SAML Metadata via Okta ===
To retrieve IDP metadata from Okta:
   - Go into the Okta admin console.
   - Click the iPass app. If the iPass app is not in your company app directory, click on the Applications menu and add the iPass app from the Okta app network.
   - Click on the Sign On tab in the iPass app.
   - Click on the View Setup Instructions button.

{{:ompokta.jpg|}}

//The Okta administrator console//

{{:oktameta.jpg|}}

Copy the content of the “Provide the following IDP metadata to your SP Provider” box and send it, along with the name of your IDP, to iPass Support.

=== Getting SAML Metadata via OneLogin ===
To retrieve IDP metadata from OneLogin:
   - Go into the OneLogin admin console.
   - Select the iPass app. If you don't see the iPass app, you can add it through the OneLogin catalog.
   - From the iPass app, open the MORE ACTIONS drop-down menu and select SAML Metadata.
   - Save the IDP metadata in an XML file.
   - Attach the XML file to an email and, along with your Identity Provider information, send it to iPass Support.

{{:omploginsaml.png|}}

//The OneLogin administrator console//

=== Getting SAML Metadata via Ping ===
To retrieve IDP metadata from Ping:
   - Go into the Ping admin console.
   - If the iPass app is not part of your Ping network, go to Applications and add the iPass app. If you don't see the iPass app, you can add it using the Application Catalog.
   - Click on the Download option next to SAML Metadata.
   - Save the IDP metadata in an XML file.
   - Attach the XML file to an email and, along with your Identity Provider information, send it to your iPass Support contact.

{{:pingsaml.jpg|}}

//The Ping administrator console//
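Whichever console the metadata comes from, it is worth checking what the exported file contains before sending it on. The following Python is an added example, not part of this page and not an iPass or IDP vendor tool; the entityID, endpoint URLs and certificate in the sample are constructed. It parses the IDP EntityDescriptor and reports the entityID, whether the SSO endpoints are HTTPS, and whether a signing certificate is present.

```python
# Added example (not from this page, iPass or any IDP vendor): sanity-check the SAML 2.0
# IDP metadata exported from Okta, OneLogin or Ping before sending it on.
import base64
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: entityID, URLs and the certificate (a dummy DER SEQUENCE) are made up.
DUMMY_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{DUMMY_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://idp.example.test/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text):
    """Return (findings, summary); an empty findings list means the file looks usable."""
    root = ET.fromstring(xml_text)
    findings, entity_id = [], root.get("entityID")
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or not entity_id:
        findings.append("root is not an EntityDescriptor with an entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:  # SP metadata or the wrong export: nothing the SP side can use
        return findings + ["no IDPSSODescriptor"], {}
    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        binding, loc = sso.get("Binding", ""), sso.get("Location", "")
        endpoints[binding.rsplit(":", 1)[-1]] = loc
        if not loc.startswith("https://"):  # plain HTTP exposes the SAML exchange in transit
            findings.append("SSO endpoint is not HTTPS: " + loc)
    certs = 0
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify assertion signatures
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            if der[:1] != b"\x30":  # a DER certificate starts with a SEQUENCE tag
                findings.append("signing certificate is not valid DER")
            certs += 1
    if not certs:
        findings.append("no signing certificate: assertions could not be verified")
    return findings, {"entityID": entity_id, "sso": endpoints, "signing_certs": certs}
```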
 +
==== Configuring Single Sign On ====
=== Turning SSO On via the Open Mobile Portal ===
iPass Support configures SSO after receiving the metadata. To configure SSO:
   - In the OM Portal, go to Hosted Setup and turn on ACA.
   - Select the SSO checkbox.
   - Go to Hosted Users > Setup Company Preference.
   - Configure Identity Provider with the IDP name.
   - Configure the IDP Metadata with the metadata you sent.
   - Get a SCIM Bearer Token if the company requires SCIM support.

{{:allowhostedsetup.jpg|}}

//Allow Hosted Authentication//

{{:sso.jpg?500 |}}

//Getting the Bearer Token from the OM Portal//

=== After SSO Setup: Assign Users to iPass! ===
Once iPass completes SSO configuration, administrators can assign users to iPass through the IDP admin console. That's it!

===== SCIM Setup =====
System for Cross-domain Identity Management (SCIM) is an optional, cloud-based user management standard used to administer users.

Once SCIM is up and running, an admin can provision, update, and deprovision users in the iPass service directly and automatically through the IDP consoles.

=== SCIM Bearer Token ===
A SCIM Bearer Token is generated in the Hosted Users > Setup Company Preference section of the OM Portal. You will use the token to enable SCIM if you decide to implement it.

=== SCIM Configuration for OneLogin ===
You must request and receive a SCIM Bearer Token from iPass Support.

{{:bearertoken.jpg?500 |}}

//Getting the Bearer Token//

   - From the OneLogin admin console, go to the Configuration tab and add the SCIM Bearer Token that you received from iPass Support.
   - Select Connect to API. For SCIM Base URL, enter https://openmobile.ipass.com/moservices/scim/v1
   - Leave the “SCIM JSON Template” empty. It will use the default SCIM JSON Template for iPass, which is:

<code json>
{
  "schemas": ["urn:scim:schemas:core:1.0", "urn:scim:schemas:extension:enterprise:1.0"],
  "userName": "{$user.email}",
  "active": true,
  "name": {"givenName": "{$user.firstname}", "familyName": "{$user.lastname}"},
  "emails": [{"value": "{$user.email}", "primary": true, "type": "main"}]
}
</code>

{{:oneloginscim.jpg?500 |}}

{{:scimconnect.jpg?500 |}}

//Using the Bearer Token on the Configuration tab//
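To see what the default template above turns into for a real user, the following Python is an added example, not OneLogin's or iPass's code; the user record is constructed, and the {$user.<field>} substitution is modelled here with a regex as an assumption about how the template is filled. It JSON-escapes each substituted value and validates the rendered payload, which shows why a raw string substitution into a JSON template needs care: a quote in a directory attribute would otherwise break or alter the document the SP receives.

```python
# Added example (not from the wiki page, OneLogin or iPass): render the default SCIM 1.x
# user template for a directory record and check what the service provider would receive.
import json
import re

DEFAULT_TEMPLATE = ('{"schemas":["urn:scim:schemas:core:1.0","urn:scim:schemas:extension:enterprise:1.0"],'
                    '"userName":"{$user.email}","active":true,"name":{"givenName":"{$user.firstname}",'
                    '"familyName":"{$user.lastname}"},"emails":[{"value":"{$user.email}","primary":true,"type":"main"}]}')

def render_template(template, user):
    """Replace {$user.<field>} placeholders with JSON-escaped values from the user record."""
    def sub(m):
        field = m.group(1)
        if field not in user:
            raise KeyError("template needs user.%s, which the directory did not supply" % field)
        # json.dumps escapes quotes and control characters; drop its outer quotes
        return json.dumps(str(user[field]))[1:-1]
    return re.sub(r"\{\$user\.(\w+)\}", sub, template)

def validate_scim_user(payload):
    """Return a list of problems with a rendered SCIM 1.x user payload (empty list = OK)."""
    doc = json.loads(payload)
    problems = []
    if "urn:scim:schemas:core:1.0" not in doc.get("schemas", []):
        problems.append("core 1.0 schema missing")
    if not doc.get("userName"):
        problems.append("userName empty")
    primaries = [e for e in doc.get("emails", []) if e.get("primary")]
    if len(primaries) != 1:
        problems.append("exactly one primary email required")
    elif primaries[0].get("value") != doc.get("userName"):
        problems.append("userName and primary email differ")
    return problems

# Constructed directory record; the quote in the last name is deliberate to exercise escaping.
SAMPLE_USER = {"email": "a.lee@example.test", "firstname": "Ada", "lastname": 'O"Lee'}

def provision_user(user, template=DEFAULT_TEMPLATE):
    """Render the template for one user and return (parsed payload, validation problems)."""
    payload = render_template(template, user)
    return json.loads(payload), validate_scim_user(payload)
```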
 +
=== Enabling Provisioning ===
   - Go to the Provisioning tab.
   - Check “Enable provisioning for iPass”.
   - If you leave the check boxes under “Require admin approval before this action is performed in iPass” checked, an administrator will need to approve each action before it is performed.
   - Choose “Suspend” from the drop-down list.

{{:scimpro.jpg?500 |}}

//Enabling provisioning//

The SCIM standard was intended to simplify user management. Once you have enabled SSO and SCIM, you can manage user identity from a standardized, cloud-based, cross-domain platform.

©2015 iPass Inc. All rights reserved.