Online Help | Web App

Managing single sign-on (SSO) providers

Introduced in 2022.1

Single sign-on, or just SSO, is an authentication process that improves security and saves time for your users. When SSO is set up, users sign in just one time—to their third-party identity provider (IdP), and then access all their apps, including Alloy Navigator apps, directly, without a second sign-in.

Many organizations use an identity provider, such as Microsoft, Google, or Okta, to take advantage of SSO. If you have an identity provider in your org, you can set up SSO in Alloy Navigator.

What is SSO in Alloy Navigator?

Alloy Navigator supports SSO via the OpenID Connect protocol (OIDC SSO). This means that you need an OpenID Connect identity provider (IdP) to handle the sign-in process and provide your users’ credentials to Alloy Navigator. Microsoft, ADFS, Okta, and other major identity providers support the OIDC protocol.

Alloy Navigator supports OpenID Connect SSO in the Web App, Self Service Portal, and mobile apps. For example, see the sign-in page of the Web App having the SSO via Microsoft enabled.

NOTE: With SSO enabled, users may still be able to sign in using their username (email) and password. To make this happen, the password authentication must be enabled in Alloy Navigator for both the web application and the user's account.

Prerequisites

If your organization uses an Identity Provider for SSO service, you can integrate that provider with Alloy Navigator. Alloy Navigator will serve the IdP as the Service Provider (SP).

These is what you will need to up SSO in Alloy Navigator:

  1. You organization has an identity provider for SSO service (a SSO provider) that supports the OpenID Connect protocol.

  2. Alloy Navigator users have valid email addresses, and must allow the IdP to know their email addresses. The email attribute is critical for establishing communication between your IdP and Alloy Navigator.

  3. The site or sites where Alloy Navigator web applications (the Web App, Self Service Portal, and the API) are installed use the HTTPS protocols.

When all prerequisites are met, you can set up SSO in Alloy Navigator as described below. Configuration must be done on both the provider's site and in Alloy Navigator, so they can share configuration information and communicate with each other.

Setting up SSO in Alloy Navigator

To set up SSO in Alloy Navigator, you need to integrate your IdP that provides the SSO service (or "SSO provider") and Alloy Navigator. Here are the steps you should take, first on the IdP's site and then in Alloy Navigator:

Step 1: Register your Alloy Navigator app in your identity provider

First, you need to register Alloy Navigator apps in your identity provider (IdP) so the IdP can provide authentication and authorization services for Alloy Navigator apps and their users.

Each IdP requires its own steps to register (some providers call it "add") apps. For detailed instructions, see the documentation for your identity provider:

Typically, you will need this information for adding Alloy apps.

Parameter Value

Sign-in method

ODIC (or OpenID Connect)
Application type or Platform

Alloy Navigator web apps (the Web App and Self Service Portal):

  • Web Application or Web

Alloy Navigator mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • Mobile and desktop applications or Native Application or Mobile application.

Redirect URIs (or Sign-in Redirect URIs)

A redirect URI is the location where the identity provider redirects a user's client and sends security tokens after authentication

Alloy Navigator web apps (the Web App and Self Service Portal):

  • [Web App URL]/signin-oidc

  • [SSP URL]/signin-oidc

    IMPORTANT: The Web App and SSP URLs must use HTTPS, not HTTP.

    TIP: You can access the redirect URI for your web aoo The Web App and SSP URLs must use HTTPS, not HTTP.

Alloy Navigator mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • http://localhost:4000

Step 2: Create a SSO Provider record in Alloy Navigator

To store IdP metadata in Alloy Navigator, add a SSO Provider record in Alloy Navigator using the Settings App.

Here is what you will need to configure your SSO provider in Alloy Navigator. All these data are available in your IdP.

  • Client ID - an OpenID Connect client ID provided by your IdP;
  • Client secret - a client secret for the Alloy Navigator app provided by your IdP;
  • Authority - an OpenID Connect endpoint URL (HTTPS protocol must be used);
  • Full Name Claim - the claim where your IdP stores user full names (we need that claim for creating Person records for self-registering Self Service Portal customers);
  • User Name Claim - the claim where your IdP stores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator accounts.

To add an SSO Provider record for Microsoft:

To add an SSO Provider record for Okta:

To add an SSO Provider record for AD FS:

To add an SSO Provider record for Google:

To add an SSO Provider record for a custom IdP:

  1. In Settings, go to Users & Security > Accounts and Roles > SSO Providers and select New > Custom. The Custom dialog box opens.

  2. In the Name field, enter a name for your SSO provider. Users will see that name in the sign-in dialog as Sign in with [Name].

  3. In Authority field, review (or provide) the service endpoint URL path. Note that it must start with https://. Secured protocol must be used.

  4. Provide the credentials of your Alloy Navigator from the IdP:

    • Client ID - the unique identifier that the Alloy Navigator app will use when requesting an access token from the IdP.

    • Client Secret - the secret string that the Alloy Navigator app will use to prove its identity when requesting an access token from the IdP.

  5. Provide the Full Name Claim and the User Name Claim, so that the Alloy Navigator can obtain the user name.

  6. Click OK to save your record.

Now you can configure your Alloy Navigator web and mobile applications.

Step 3: Configure the Alloy Navigator apps to use SSO

On-prem only

Once you've created the SSO Provider record, configure your Alloy Navigator applications (the Web App, Self Service Portal, and the mobile apps) to use the Standard Authentication method and decide whether their users sign in using their username and password.

FOR CLOUD CUSTOMERS: Please note that configuring web and mobile applications is only available for on-premises deployments. Contact our Support Team for assistance with this step.

Alloy web apps

Use the Web Configuration tool to configure the Web App and Self Service Portal to use SSO.

  • On the Authentication Method page, click Standard Authentication, and then select the desired SSO providers under Available Single Sign-On services.

    If you want users to be able to sign in using the username and password of their Alloy Navigator account, select the Allow password authentication check box. You may also need to enable password authentication in the user's account.

For example, see how to enable SSO for the Web App in the screenshot below.

Mobile apps

Use the Web Configuration tool to configure Alloy native mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service) to use SSO.

  • On the Authentication Method page, click Access Token Authentication, and then select the desired SSO providers under Available Single Sign-On services.

    If you want users to be able to sign in using the username and password of their Alloy Navigator account, select the Allow password authentication check box. You may also need to enable password authentication in the corresponding user accounts.