Online Help | Web App

Managing single sign-on (SSO) providers

Introduced in 2022.1

Single sign-on (SSO) is an authentication process that improves security and saves your users time. When SSO is set up, users sign in just once, to their third-party identity provider (IdP), and then open all their apps, including the Alloy Navigator Express apps, without a second sign-in.

Many organizations use an identity provider, such as Microsoft, Google, or Okta, to take advantage of SSO. If you have an identity provider in your org, you can set up SSO in Alloy Navigator Express.

What is SSO in Alloy Navigator Express?

Alloy Navigator Express supports SSO via the OpenID Connect protocol (OIDC SSO). This means that you need an OpenID Connect identity provider (IdP) to handle the sign-in process and return the signed-in user's identity (as claims in an ID token) to Alloy Navigator Express; the user's password is entered at the IdP and never reaches Alloy Navigator Express. Microsoft, AD FS, Okta, and other major identity providers support the OIDC protocol.

Alloy Navigator Express supports OpenID Connect SSO in the Web App, Self Service Portal, and mobile apps. For example, the screenshot below shows the sign-in page of the Web App with SSO via Microsoft enabled.

NOTE: With SSO enabled, users may still be able to sign in with their username (email) and password. This requires password authentication to be enabled in Alloy Navigator Express both for the web application (in the Web Configuration tool) and for the user's account.

Prerequisites

If your organization uses an identity provider for its SSO service, you can integrate that provider with Alloy Navigator Express. In that integration the IdP authenticates users and Alloy Navigator Express acts as the service provider (SP), the role that OpenID Connect calls the relying party.

Here is what you will need to set up SSO in Alloy Navigator Express:

  1. Your organization has an identity provider for its SSO service (an SSO provider) that supports the OpenID Connect protocol.

  2. Alloy Navigator Express users have valid email addresses, and the IdP must be allowed to release those email addresses to Alloy Navigator Express. The email attribute is critical: it is the value that links the identity the IdP asserts to the user's Alloy Navigator Express account.

  3. The site or sites where the Alloy Navigator Express web applications (the Web App, Self Service Portal, and the API) are installed use HTTPS. The IdP's sign-in responses travel over this connection, so a plain-HTTP site would expose them in transit.

When all prerequisites are met, you can set up SSO in Alloy Navigator Express as described below. Configuration must be done on both the provider's site and in Alloy Navigator Express, so they can share configuration information and communicate with each other.

Setting up SSO in Alloy Navigator Express

To set up SSO in Alloy Navigator Express, you need to integrate your IdP that provides the SSO service (or "SSO provider") and Alloy Navigator Express. Here are the steps you should take, first on the IdP's site and then in Alloy Navigator Express:

Step 1: Register your Alloy Navigator Express app in your identity provider

First, you need to register Alloy Navigator Express apps in your identity provider (IdP) so the IdP can provide authentication and authorization services for Alloy Navigator Express apps and their users.

Each IdP has its own steps for registering (some providers call it "adding") apps. For detailed instructions, see the documentation for your identity provider.

Typically, you will need the following information to register the Alloy apps.

Sign-in method

  OIDC (OpenID Connect)

Application type or Platform

  Alloy Navigator Express web apps (the Web App and Self Service Portal):

  • Web Application or Web

  Alloy Navigator Express mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • Mobile and desktop applications, Native Application, or Mobile application

Redirect URIs (or Sign-in Redirect URIs)

  A redirect URI is the location to which the identity provider sends the user's browser, together with the sign-in response, after authentication. Register the URIs exactly as shown; identity providers match them byte for byte, so a different host name, port, or trailing slash causes the sign-in to fail after the user has authenticated.

  Alloy Navigator Express web apps (the Web App and Self Service Portal):

  • [Web App URL]/signin-oidc

  • [SSP URL]/signin-oidc

    IMPORTANT: The Web App and SSP URLs must use HTTPS, not HTTP.

  Alloy Navigator Express mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service):

  • http://localhost:4000

    NOTE: This is a loopback redirect: the app receives the response on port 4000 of the device itself, so the response never leaves the device and plain HTTP is acceptable here. Do not register any other http:// redirect URI.
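As an added example (not code from Alloy Navigator Express or its documentation), the following Python script turns the redirect URI rules in the table above into a checker you can run against your own site URLs before registering the apps. The site URLs in it are hypothetical; the HTTPS-only rule for the web apps and the http://localhost:4000 loopback URI for the mobile apps are taken from the table.

```python
from urllib.parse import urlsplit

# Constructed checker for the redirect URI rules given above.  This is an
# added example, not Alloy Navigator Express code; the base URLs used in
# the sample plan are hypothetical.
SIGNIN_PATH = "/signin-oidc"      # path appended to the Web App and SSP URLs
MOBILE_LOOPBACK_PORT = 4000       # port used by the native mobile apps
LOOPBACK_HOSTS = ("localhost", "127.0.0.1", "::1")


def web_redirect_uri(base_url: str) -> str:
    """Build the redirect URI to register for the Web App or the SSP.

    Raises ValueError for a non-HTTPS base URL: the IdP would otherwise
    send the sign-in response to a plaintext endpoint.
    """
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        raise ValueError(f"web app URL must use https://, got {base_url!r}")
    if not parts.netloc:
        raise ValueError(f"web app URL has no host: {base_url!r}")
    # Drop a trailing slash so the result ends in '/signin-oidc', never '//signin-oidc'.
    return base_url.rstrip("/") + SIGNIN_PATH


def is_acceptable_redirect_uri(uri: str, platform: str) -> bool:
    """Return True when `uri` follows the rule for the given platform.

    "web":    https only, path ending in /signin-oidc, no query or fragment.
    "native": plain http is tolerated only to the loopback interface on
              the mobile apps' port (the RFC 8252 loopback redirect).
    """
    parts = urlsplit(uri)
    if parts.query or parts.fragment:
        return False
    if platform == "web":
        return (parts.scheme == "https" and bool(parts.hostname)
                and parts.path.endswith(SIGNIN_PATH))
    if platform == "native":
        return (parts.scheme == "http" and parts.hostname in LOOPBACK_HOSTS
                and parts.port == MOBILE_LOOPBACK_PORT)
    raise ValueError(f"unknown platform {platform!r}")


def registration_plan(web_app_url: str, ssp_url: str) -> dict:
    """Return the values to enter in the IdP's app registration screens."""
    return {
        "web": {
            "sign_in_method": "OpenID Connect",
            "platform": "Web",
            "redirect_uris": [web_redirect_uri(web_app_url),
                              web_redirect_uri(ssp_url)],
        },
        "native": {
            "sign_in_method": "OpenID Connect",
            "platform": "Native / Mobile",
            "redirect_uris": [f"http://localhost:{MOBILE_LOOPBACK_PORT}"],
        },
    }


if __name__ == "__main__":
    # Hypothetical site URLs; substitute your own.
    plan = registration_plan("https://helpdesk.example.test/Navigator/",
                             "https://helpdesk.example.test/SelfService")
    for platform, entry in plan.items():
        for uri in entry["redirect_uris"]:
            assert is_acceptable_redirect_uri(uri, platform), uri
        print(platform, entry["redirect_uris"])
```

Run the script with the URLs your users actually browse to and paste the printed redirect URIs into the IdP unchanged; a URI that the checker rejects (an http:// web URL, a stray query string, a loopback URI on the wrong port) is one the IdP will either refuse to register or refuse to redirect to.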

Step 2: Create an SSO Provider record in Alloy Navigator Express

To store IdP metadata in Alloy Navigator Express, add an SSO Provider record in Alloy Navigator Express using the Settings App.

Here is what you will need to configure your SSO provider in Alloy Navigator Express. All of these values come from your IdP (from the app registration you created in Step 1).

  • Client ID - the OpenID Connect client ID that your IdP assigned to the Alloy Navigator Express app;
  • Client secret - the client secret that your IdP issued for the Alloy Navigator Express app. Treat it as a credential: store it only in the SSO Provider record, and generate a new one in the IdP if it is ever exposed;
  • Authority - the OpenID Connect issuer (authority) URL of your IdP; it must use HTTPS. This is the base URL under which the IdP publishes its /.well-known/openid-configuration discovery document;
  • Full Name Claim - the claim in which your IdP sends user full names (needed to create Person records for self-registering Self Service Portal customers);
  • User Name Claim - the claim in which your IdP sends usernames (email addresses); those values must match the usernames (email addresses) of Alloy Navigator Express accounts, so a user whose claim value matches no account cannot sign in even though the IdP authenticated them.

Provider-specific procedures exist for Microsoft, Okta, AD FS, and Google. The steps for a custom IdP, which apply to any other OpenID Connect provider, are:

  1. In Settings, go to Accounts and Roles > SSO Providers and select New > Custom. The Custom dialog box opens.

  2. In the Name field, enter a name for your SSO provider. Users will see that name in the sign-in dialog as Sign in with [Name].

  3. In the Authority field, review (or enter) the issuer URL of your IdP. It must start with https://; an http:// URL is not accepted.

  4. Provide the credentials that the IdP issued for your Alloy Navigator Express app in Step 1:

    • Client ID - the unique identifier that the Alloy Navigator Express app will use when requesting an access token from the IdP.

    • Client Secret - the secret string that the Alloy Navigator Express app will use to prove its identity when requesting an access token from the IdP.

  5. Provide the Full Name Claim and the User Name Claim, so that Alloy Navigator Express can take the user's full name and username from the claims the IdP sends.

  6. Click OK to save your record.
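The following Python example, added here and not part of the product or its documentation, shows what the SSO Provider record fields are used for on the Alloy Navigator Express side of the exchange: the Authority is the issuer that ID tokens must name (and the base of the provider's discovery document), the Client ID must appear in the token's audience, and the two claim names select which token claims become the user's full name and username. The provider, token payload and accounts are constructed sample data; the signature check that must precede any of this is assumed to have been done already and is not shown.

```python
import time
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SsoProvider:
    """The fields of the SSO Provider record described above.
    Constructed for this example; it is not the product's data model."""
    name: str
    authority: str
    client_id: str
    client_secret: str
    full_name_claim: str
    user_name_claim: str


def discovery_url(authority: str) -> str:
    """OpenID Connect discovery URL derived from the Authority.
    Rejects anything that is not an https:// URL, as step 3 requires."""
    parts = urlsplit(authority)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"authority must be an https:// URL, got {authority!r}")
    return authority.rstrip("/") + "/.well-known/openid-configuration"


def validate_id_token_claims(claims: dict, provider: SsoProvider,
                             now: Optional[float] = None) -> None:
    """Checks a relying party makes before trusting ID token claims.
    Assumes the signature was already verified against the IdP's keys."""
    now = time.time() if now is None else now
    if str(claims.get("iss", "")).rstrip("/") != provider.authority.rstrip("/"):
        raise ValueError("iss does not match the provider Authority")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if provider.client_id not in audiences:
        raise ValueError("aud does not contain this app's Client ID")
    if float(claims.get("exp", 0)) <= now:
        raise ValueError("ID token has expired")


def resolve_user(claims: dict, provider: SsoProvider, accounts: dict,
                 allow_self_registration: bool = False) -> dict:
    """Map ID token claims to an account using the configured claim names.

    `accounts` maps account usernames (email addresses) to account records.
    Matching is case-insensitive, since the IdP and the accounts database
    often differ in the case of an email address.  When nothing matches, a
    Self Service Portal self-registration record built from the Full Name
    Claim is returned if allowed; otherwise sign-in is refused.
    """
    if provider.user_name_claim not in claims:
        raise ValueError(
            f"claim {provider.user_name_claim!r} is not in the token; "
            f"check the User Name Claim of SSO provider {provider.name!r}")
    user_name = str(claims[provider.user_name_claim]).strip()
    if not user_name:
        raise ValueError("User Name Claim is present but empty")
    by_lower = {name.lower(): acct for name, acct in accounts.items()}
    account = by_lower.get(user_name.lower())
    if account is not None:
        return account
    if not allow_self_registration:
        raise ValueError(f"no account with username {user_name!r}")
    return {
        "username": user_name,
        "full_name": str(claims.get(provider.full_name_claim, "")),
        "self_registered": True,
    }


# Constructed sample data: a hypothetical IdP, one ID token payload it
# issued, and one existing account.  None of these come from a real tenant.
SAMPLE_PROVIDER = SsoProvider(
    name="Example IdP",
    authority="https://login.example-idp.test",
    client_id="alloy-nav-express-web",
    client_secret="not-a-real-secret",
    full_name_claim="name",
    user_name_claim="email",
)
SAMPLE_CLAIMS = {
    "iss": "https://login.example-idp.test/",
    "aud": "alloy-nav-express-web",
    "iat": 1_900_000_000,
    "exp": 1_900_003_600,
    "name": "Ada Lovelace",
    "email": "ada.lovelace@example.test",
    "preferred_username": "ada.lovelace@example.test",
}
SAMPLE_ACCOUNTS = {
    "Ada.Lovelace@example.test": {"username": "Ada.Lovelace@example.test",
                                  "role": "Technician", "self_registered": False},
}

if __name__ == "__main__":
    print(discovery_url(SAMPLE_PROVIDER.authority))
    validate_id_token_claims(SAMPLE_CLAIMS, SAMPLE_PROVIDER, now=1_900_000_060)
    print(resolve_user(SAMPLE_CLAIMS, SAMPLE_PROVIDER, SAMPLE_ACCOUNTS))
```

The two failure modes worth trying against your own IdP's token are a User Name Claim name the IdP does not send (some providers put the email address in preferred_username or upn rather than email) and a value whose case differs from the account's; the first is a configuration error in the SSO Provider record, the second is why the lookup above normalizes case.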

Now you can configure your Alloy Navigator Express web and mobile applications.

Step 3: Configure the Alloy Navigator Express apps to use SSO

On-prem only

Once you've created the SSO Provider record, configure your Alloy Navigator Express applications (the Web App, Self Service Portal, and the mobile apps) to offer SSO as a sign-in option and decide whether their users can also sign in using their username and password.

FOR CLOUD CUSTOMERS: Please note that configuring web and mobile applications is only available for on-premises deployments. Contact our Support Team for assistance with this step.

Alloy web apps

Use the Web Configuration tool to configure the Web App and Self Service Portal to use SSO.

  • On the Authentication Method page, click Standard Authentication, and then select the desired SSO providers under Available Single Sign-On services.

    If you want users to be able to sign in using the username and password of their Alloy Navigator Express account, select the Allow password authentication check box. You may also need to enable password authentication in the user's account.

For example, the screenshot below shows SSO enabled for the Web App.

Mobile apps

Use the Web Configuration tool to configure Alloy native mobile apps (Alloy Navigator, Alloy Inventory Scanner, and Alloy Self-Service) to use SSO.

  • On the Authentication Method page, click Access Token Authentication, and then select the desired SSO providers under Available Single Sign-On services.

    If you want users to be able to sign in using the username and password of their Alloy Navigator Express account, select the Allow password authentication check box. You may also need to enable password authentication in the corresponding user accounts.