Define Single Sign-On Identity Providers

storm provides a single sign-on service that allows users to sign on to their storm account automatically when they log in to a third-party product, without having to provide their storm username and password. Typical examples of single sign-on would be:

You must set up a separate identity provider for each third-party system, and then add details of each user that will use that system to sign on to storm. When a user logs on, the identity provider performs the authentication and then sends a signed SAML assertion identifying the user to storm, which acts as the SAML service provider. The user's password is presented only to the identity provider; storm never receives it.

Set Up the Identity Provider

  1. To set up the identity providers used by the storm application, select the System Admin > Identity Providers menu option.
  2. In the window that is displayed, click the Add Identity Provider button. A window is displayed.
  3. Fill in the fields as described in the following table.

Field: Description

Name: Enter a value that will help you identify the third-party product for which this identity provider has been set up.

Allow use by suborganisations: Select this check box if you wish to share the identity provider with sub-organisations.

ACS binding: The SAML protocol binding for storm's assertion consumer service (ACS) endpoint, to which the identity provider sends the SAML response carrying the user's assertion. This is configured by Content Guru.

Use NameID as SAML attribute name: The element of the SAML response (the subject NameID, or a named attribute) whose value must match the SAML attribute value held against each storm user (see Identify the Users below).

NameID format: Select the NameID format that the identity provider must use for the subject of the assertions it sends to storm. If you do not want to enforce a single format, select 'Unspecified'.

Entity ID: The identity provider's entity ID, as published in its metadata. It is usually a URL, but it is an identifier rather than an address: it must match exactly the Issuer value in the assertions the identity provider sends.

SSO binding: The SAML binding (for example HTTP-Redirect or HTTP-POST) that storm uses to send authentication requests to the identity provider's single sign-on endpoint. This is configured by Content Guru.

Authentication Context: Select the authentication method (SAML authentication context) that the identity provider must have used to authenticate the user. If you do not want to enforce a single method, select 'Unspecified'.

SSO URL: The identity provider's single sign-on endpoint, to which storm sends authentication requests using the SSO binding. Take it from the identity provider's metadata.

X.509 certificate: Upload the identity provider's signing certificate. storm uses it to verify the signature on the SAML responses the identity provider sends. Update it before the identity provider's certificate expires or is rotated, or sign-on will fail.

Allow identity provider initiated SSO: Select this check box to accept SAML responses that the identity provider sends without storm first having issued an authentication request, so that users can start a session from the identity provider (for example from its application portal) rather than from storm. Leave it clear if users will always start from storm; a storm-initiated flow lets each response be checked against the request it answers.

  4. Click Save to close the window and save the identity provider.

Identify the Users

Once you have set up an identity provider, it is included in the window displayed when you select the System Admin > Identity Providers menu option.

The metadata URL shown against each identity provider is generated automatically by the system and uniquely identifies that identity provider's configuration in storm.

You can identify the users that will log in to this third-party product using single sign-on either individually, or via a bulk update using a CSV file.

Identifying Users Individually

  1. Click the  button.
  2. Use the User field to select a storm user.
  3. Enter that user's login name in the third-party product into the SAML attribute value field. This must be the value the identity provider sends for that user in the SAML response.
  4. Click the  button.
  5. Complete the line that appears with the next user's details.
  6. Repeat the process for each user, then click Save.

Bulk Updates

Bulk updates can be made to the information held against an identity provider either to create a new list of user mappings or to update an existing list, as described below.

Create a New List

  1. Create a CSV file with the structure illustrated below.

The columns must be in the order shown, and the file must include the header row, with the column titles shown. It must not have more than 400 lines.

  2. In the Identity Providers screen, click the  button against the relevant identity provider.
  3. Click Choose file and browse to, and then open, the CSV file.
  4. Click OK to close the warning message and proceed to import the file.

Note: the Clear All button removes all SAML mappings for the selected identity provider.

Update an Existing List

  1. In the Identity Providers screen, click the  button against the relevant identity provider.
  2. In the screen that appears, click the Export button. The system exports a CSV file containing the current values for the identity provider to your download folder.
  3. Update this CSV file.
  4. If you wish to replace the existing mappings completely, click the Clear All button.
  5. Click Choose file and browse to, and then open, the amended CSV file.
  6. Click OK to close the warning message and proceed to import the file.
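Before importing a CSV, whether newly created or exported and amended, it is worth checking it for the problems the steps above warn about (header row, column order, the 400-line limit) and for one they do not mention: two storm users mapped to the same identity provider value, which would let whoever holds that identity sign in as either account. The checker below is an added example, not part of the storm documentation or product. The column titles "User" and "SAML attribute value" are assumed from the fields on the individual-mapping screen; confirm them against a file exported from storm before relying on the script. The sample CSV is constructed.

```python
"""Check a SAML user-mapping CSV before importing it into storm.

Added example, not part of the storm documentation or product. The column
titles are assumed from the fields on the individual-mapping screen; confirm
them against a CSV exported from storm. The 400-line limit and the header-row
requirement come from the documentation. SAMPLE_CSV is constructed."""
import csv
import io

EXPECTED_HEADER = ["User", "SAML attribute value"]  # assumed column titles
MAX_LINES = 400                                      # limit stated in the documentation

# Constructed sample containing the mistakes the checks are meant to catch:
# line 4 reuses alice's identity with different letter case, line 5 has no value.
SAMPLE_CSV = """User,SAML attribute value
alice,alice@example.com
bob,bob@example.com
carol,Alice@example.com
dave,
"""


def validate_mapping_csv(text: str) -> list:
    """Return a list of problems, one string each; an empty list means the
    file is safe to import."""
    problems = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows or rows[0] != EXPECTED_HEADER:
        problems.append(f"line 1: header row must be exactly {EXPECTED_HEADER}")
        return problems  # nothing else can be trusted if the columns are wrong
    if len(rows) > MAX_LINES:
        problems.append(f"{len(rows)} lines exceeds the limit of {MAX_LINES}")

    seen_users = {}   # storm user -> line where first seen
    seen_values = {}  # case-folded identity provider value -> line where first seen
    for lineno, row in enumerate(rows[1:], start=2):
        if len(row) != len(EXPECTED_HEADER):
            problems.append(f"line {lineno}: expected {len(EXPECTED_HEADER)} columns, got {len(row)}")
            continue
        user, value = (cell.strip() for cell in row)
        if not user or not value:
            problems.append(f"line {lineno}: empty user or SAML attribute value")
            continue
        # Two storm users behind one identity provider value would let that
        # identity sign in as either user. Compare case-insensitively because
        # e-mail style identifiers are usually treated that way by the IdP.
        key = value.casefold()
        if key in seen_values:
            problems.append(f"line {lineno}: value {value!r} already mapped on line {seen_values[key]}")
        seen_values.setdefault(key, lineno)
        if user in seen_users:
            problems.append(f"line {lineno}: user {user!r} already mapped on line {seen_users[user]}")
        seen_users.setdefault(user, lineno)
    return problems


if __name__ == "__main__":
    for problem in validate_mapping_csv(SAMPLE_CSV) or ["no problems found"]:
        print(problem)
```

Run the checker over the exported file after editing it and fix every line it reports before clicking Choose file; an import that Clear All has preceded cannot be undone from within storm, so the exported copy is also your rollback.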

Disable Single Sign-On

You may need to disable single sign-on for a third-party product in an emergency (for example, if the third-party product or its identity provider is unavailable) so that users can temporarily sign on to storm directly with their storm username and password.

  1. In the Identity Providers screen, click the  button against the relevant identity provider.
  2. In the screen that appears, click the Clear All button. The system exports a CSV file containing the current mappings for the identity provider to your download folder and then removes them, so users can no longer sign on through this identity provider.
  3. Store this CSV file in a safe location. It is the only record of the mappings and is needed to restore them.

Once the emergency situation has ended, you can re-import the saved CSV file to reactivate single sign-on functionality.

  1. In the Identity Providers screen, click the  button against the relevant identity provider.
  2. Select Choose file and browse to, and then open, the CSV file. This automatically uploads the CSV file - you do not need to click Save.