 +====== Enabling SSO via SAML ======
 +== What is SAML? ==
 +We use Security Assertion Markup Language (SAML) to retrieve metadata that configures single sign-on (SSO) for end users. SAML is an XML standard that lets a user sign on once for related but separate Web services. Initial and one-time authentication with SSO activates an iPass device and provides OM network access.
 +Once SAML is configured, an end user can start from a freshly installed iPass device client, sign into the company SSO Identity Provider (IDP), and activate the client without having to re-authenticate.
 +Currently, SSO is supported only for hosted customers. There is no support for RoamServer customers.
 +=== Overview ===
 +Several phases and steps are involved in setting up SSO:
 +   * Administrators must add the iPass app from their identity provider's app directory
 +   * Administrators must retrieve SAML metadata via the Okta, OneLogin, or Ping consoles
 +   * SAML metadata has to be sent to iPass via email
 +   * iPass configures SSO for the customer
 +   * Administrators assign users to the iPass app via the IDP’s admin console
 +After all the necessary steps are done, end users can use SSO to activate their device. Optionally, administrators can configure SCIM through the IDP admin console for cloud-based user management options.
 +=== Before You Start ===
 +You must make sure that ACA is enabled and has these configuration settings:
 +   * Favorite Profile available for the platform having Production Profile
 +   * Email Domain provisioned in Activation Setup
 +   * Self-Registration is allowed
 +===== Getting SAML Metadata =====
 +In order to configure SSO, iPass must have IDP metadata from your organization’s identity provider.
 +=== Getting SAML Metadata via Okta ===
 +To retrieve IDP metadata from Okta:
 +   - Go into the Okta admin console.
 +   - Click the iPass app. If the iPass app is not in your company app directory, click on the Applications Menu and add the iPass app from the Okta app network.
 +   - Click on the Sign On tab in the iPass app.
 +   - Click on the View Setup Instructions button.
 +//The Okta administrator console//
 +Copy and paste the content of the “Provide the following IDP metadata to your SP Provider” box and send it, along with the name of your IDP, to iPass Support.
 +=== Getting SAML Metadata via OneLogin ===
 +To retrieve IDP metadata from OneLogin:
 +   - Go into the OneLogin admin console.
 +   - Select the iPass app. If you don't see the iPass app, you can add it through the OneLogin catalog.
 +   - From iPass, open the MORE ACTIONS drop-down menu and select SAML Metadata.
 +   - Save the IDP metadata in an XML file.
 +   - Attach the XML file to an email and, along with your Identity Provider information, send it to iPass support.
 +//The OneLogin administrator console//
 +=== Getting Metadata via Ping ===
 +   - Go into the Ping admin console.
 +   - If the iPass app is not a part of your Ping network, go to Applications and add the iPass app. If you don't see the iPass app, you can add it using the Application Catalog.
 +   - Click on the Download option next to SAML Metadata.
 +   - Save the IDP metadata in an XML file.
 +   - Attach the XML file to an email and, along with your Identity Provider information, send it to your iPass support member.
 +//The Ping administrator console//
 +==== Configuring Single Sign On ====
 +=== Turning SSO on Via the Open Mobile Portal ===
 +iPass Support configures SSO after receiving metadata. To configure SSO:
 +   - In the OM Portal, go to Hosted Setup and turn on ACA.
 +   - Select the SSO checkbox.
 +   - Go to Hosted Users -> Setup Company Preference.
 +   - Configure Identity Provider with the IDP name.
 +   - Configure the IDP Metadata with the metadata you sent.
 +   - Get a SCIM Bearer Token if your company requires SCIM support.
 +//Allow Hosted Authentication//
 +{{:sso.jpg?500 |}}
 +//Getting the Bearer Token from the OM Portal//
 +=== After SSO Setup: Assign Users to iPass! ===
 +Once iPass completes SSO configuration, administrators can assign users to iPass through the IDP admin console. That's it!
 +===== SCIM Setup =====
 +The optional cloud-based user management System for Cross-domain Identity Management (SCIM) is used to administer users.
 +Once SCIM is up and running, an admin can provision, update, and deprovision users to the iPass service directly and automatically through the IDP consoles.
 +=== SCIM Bearer Token ===
 +A SCIM Bearer Token is generated in the Hosted Users > Setup Company Preference section of the OM Portal. You will use the token to enable SCIM if you decide to implement SCIM.
 +=== SCIM Configuration for OneLogin ===
 +You must request and receive a SCIM Bearer Token from iPass Support.
 +{{:bearertoken.jpg?500 |}}
 +//Getting the Bearer Token//
 +  - From the OneLogin admin console, go to the Configuration tab and add the SCIM Bearer Token that you received from iPass support.
 +  - Select Connect to API. For SCIM Base URL, go to "https://openmobile.ipass.com/moservices/scim/v1"
 +  - Leave the “SCIM Json Template” empty. It will use the default SCIM JSON Template for iPass which is:
 +{{:oneloginscim.jpg?500 |}}
 +{{:scimconnect.jpg?500 |}}
 +//Using the Bearer Token on the Configuration tab//
 +=== Enabling Provisioning ===
 +   - Go to the Provisioning tab. 
 +   - Check “Enable provisioning for iPass”.
 +   - If you leave the check boxes under “Require admin approval before this action is performed in iPass” checked, an admin will need to approve the action performed.
 +   - Choose “Suspend” from the drop down list.
 +{{:scimpro.jpg?500 |}}
 +//Enabling provisioning//
 +The SCIM standard was intended to simplify user management. Once you have enabled SSO and SCIM, you can better manage user identity from a standardized, cloud-based, cross-domain platform.

