Managing single sign-on (SSO) providers
Introduced in 2022.1
Single sign-on, or just SSO, is an authentication process that improves security and saves time for your users. When SSO is set up, users sign in just one time—to their third-party identity provider (IdP), and then access all their apps, including Alloy Navigator Express apps, directly, without a second sign-in.
Many organizations use an identity provider, such as Microsoft, Google, or Okta, to take advantage of SSO. If you have an identity provider in your org, you can set up SSO in Alloy Navigator Express.
What is SSO in Alloy Navigator Express?
Alloy Navigator Express supports SSO via the OpenID Connect protocol (OIDC SSO). This means that you need an OpenID Connect identity provider (IdP) to handle the sign-in process and provide your users’ credentials to Alloy Navigator Express. Microsoft, ADFS, Okta, and other major identity providers support the OIDC protocol.
Alloy Navigator Express supports OpenID Connect SSO in the Web App, Self Service Portal, and mobile apps. For example, see the sign-in page of the Web App having the SSO via Microsoft enabled.
NOTE: With SSO enabled, users may still be able to sign in using their username (email) and password. To make this happen, the password authentication must be enabled in Alloy Navigator Express for both the web application and the user's account.
Prerequisites
If your organization uses an Identity Provider for SSO service, you can integrate that provider with Alloy Navigator Express. Alloy Navigator Express will serve the IdP as the Service Provider (SP).
These is what you will need to up SSO in Alloy Navigator Express:
-
You organization has an identity provider for SSO service (a SSO provider) that supports the OpenID Connect protocol.
-
Alloy Navigator Express users have valid email addresses, and must allow the IdP to know their email addresses. The email attribute is critical for establishing communication between your IdP and Alloy Navigator Express.
-
The site or sites where Alloy Navigator Express web applications (the Web App, Self Service Portal, and the API) are installed use the HTTPS protocols.
When all prerequisites are met, you can set up SSO in Alloy Navigator Express as described below. Configuration must be done on both the provider's site and in Alloy Navigator Express, so they can share configuration information and communicate with each other.
Setting up SSO in Alloy Navigator Express
To set up SSO in Alloy Navigator Express, you need to integrate your IdP that provides the SSO service (or "SSO provider") and Alloy Navigator Express. Here are the steps you should take, first on the IdP's site and then in Alloy Navigator Express:
Step 1: Register your Alloy Navigator Express app in your identity provider
First, you need to register Alloy Navigator Express apps in your identity provider (IdP) so the IdP can provide authentication and authorization services for Alloy Navigator Express apps and their users.
Each IdP requires its own steps to register (some providers call it "add") apps. For detailed instructions, see the documentation for your identity provider:
-
For Microsoft, see Register Alloy Navigator Express in Microsoft 365 (Office 365).
-
For Okta, see Register Alloy Navigator Express in Okta.
-
For ADFS, see Register Alloy Navigator Express in AD FS.
-
For Google, see Register Alloy Navigator Express in Google.
Typically, you will need this information for adding Alloy apps.
Parameter | Value |
---|---|
Sign-in method |
ODIC (or OpenID Connect) |
Application type or Platform |
Alloy Navigator Express web apps (the Web App and Self Service Portal):
Alloy Navigator Express mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):
|
Redirect URIs (or Sign-in Redirect URIs) A redirect URI is the location where the identity provider redirects a user's client and sends security tokens after authentication |
Alloy Navigator Express web apps (the Web App and Self Service Portal):
Alloy Navigator Express mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):
|
Step 2: Create a SSO Provider record in Alloy Navigator Express
To store IdP metadata in Alloy Navigator Express, add a SSO Provider record in Alloy Navigator Express using the Settings App.
Here is what you will need to configure your SSO provider in Alloy Navigator Express. All these data are available in your IdP.
- Client ID - an OpenID Connect client ID provided by your IdP;
- Client secret - a client secret for the Alloy Navigator Express app provided by your IdP;
- Authority - an OpenID Connect endpoint URL (HTTPS protocol must be used);
- Full Name Claim - the claim where your IdP stores user full names (we need that claim for creating Person records for self-registering Self Service Portal customers);
- User Name Claim - the claim where your IdP stores usernames (email addresses); those usernames must match usernames (email addresses) in Alloy Navigator Express accounts.
To add an SSO Provider record for Microsoft:
To add an SSO Provider record for Okta:
To add an SSO Provider record for AD FS:
To add an SSO Provider record for Google:
To add an SSO Provider record for a custom IdP:
-
In Settings, go to Accounts and Roles > SSO Providers and select New > Custom. The Custom dialog box opens.
-
In the Name field, enter a name for your SSO provider. Users will see that name in the sign-in dialog as Sign in with [Name].
-
In Authority field, review (or provide) the service endpoint URL path. Note that it must start with https://. Secured protocol must be used.
-
Provide the credentials of your Alloy Navigator Express from the IdP:
-
Client ID - the unique identifier that the Alloy Navigator Express app will use when requesting an access token from the IdP.
-
Client Secret - the secret string that the Alloy Navigator Express app will use to prove its identity when requesting an access token from the IdP.
-
-
Provide the Full Name Claim and the User Name Claim, so that the Alloy Navigator Express can obtain the user name.
-
Click OK to save your record.
Now you can configure your Alloy Navigator Express web and mobile applications.
Step 3: Configure the Alloy Navigator Express apps to use SSO
On-prem only
Once you've created the SSO Provider record, configure your Alloy Navigator Express applications (the Web App, Self Service Portal, and the mobile apps) to use the Standard Authentication method and decide whether their users sign in using their username and password.
FOR CLOUD CUSTOMERS: Please note that configuring web and mobile applications is only available for on-premises deployments. Contact our Support Team for assistance with this step.
Alloy web apps
Use the Web Configuration tool to configure the Web App and Self Service Portal to use SSO.
-
On the Authentication Method page, click Standard Authentication, and then select the desired SSO providers under Available Single Sign-On services.
If you want users to be able to sign in using the username and password of their Alloy Navigator Express account, select the Allow password authentication check box. You may also need to enable password authentication in the user's account.
For example, see how to enable SSO for the Web App in the screenshot below.
Mobile apps
Use the Web Configuration tool to configure Alloy native mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service) to use SSO.
-
On the Authentication Method page, click Access Token Authentication, and then select the desired SSO providers under Available Single Sign-On services.
If you want users to be able to sign in using the username and password of their Alloy Navigator Express account, select the Allow password authentication check box. You may also need to enable password authentication in the corresponding user accounts.