< Back to User Guide Top

Configuring SAML

You can configure the Cleo Harmony application to support Security Assertion Markup Language (SAML) to implement Single Sign On (SSO) and Single Logout (SLO) for Cleo Portal users.

You provide information about the Service Provider (SP) and the Identify Provider (IDP), where the Cleo system acts as an SP. When the user attempts to sign in, the SP requests an identity assertion from the IDP and, based on that assertion, allows or denies the user access to the service requested. One IDP can provide SAML assertions to many SPs.

Note: Cleo Harmony requires signed assertions for authenticating users through SAML. Configure your IDP to send back signed assertions while using Cleo Harmony as Service Provider.

SAML configuration overview

Provide information about the Service Provider and the Identity Provider.

Important: Before you enable SAML for Cleo Portal users, make sure you have imported your IDP settings and your IDP has your SP settings.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. On the Service Provider (SP) tab, provide information about your system and, optionally, export SP information to a file you can share with your IDP. See Configuring and exporting SAML service provider information and SAML service provider reference.

  3. On the Identity Provider (IDP) tab, import information about your IDP.

    See Importing SAML identity provider information and SAML identity provider reference.

    Once imported, you can view the raw IDP XML file. See Viewing an imported IDP file.

Configuring and exporting SAML service provider information

When you configure Service Provider information, you can export it to a file you can share with or import to your IDP.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Service Provider (SP) tab.

  3. If necessary, enter information about your SP.

    Note: You should not enable SAML for Cleo Portal users until you have imported your IDP settings and your IDP has imported your SP settings.

    See SAML service provider reference.

  4. Save your updates.

    In the web UI, click Save.

    In the native UI, click OK.

  5. (Optional) Click Export.

    In the web UI, updates to the SP information are saved when you click Export.

Importing SAML identity provider information

You can import SAML configuration information from your IDP to your Cleo Harmony system.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Identity Provider (IDP) tab.
  3. Click Import to display the Import IDP Settings dialog box.

  4. Specify or navigate to your IDP settings file, and then click Import.

    The imported IDP information populates the Identity Provider (IDP) tab. See SAML identity provider reference.

    In the web UI, updated IDP information is saved when you click Import.

    In the native UI, you must click OK to save the updated IDP information. In the native UI, clicking OK to save your IDP data also dismisses the Options dialog box.

    Once you have imported an IDP XML file, you can view the file's raw content. See Viewing an imported IDP file.

Viewing an imported IDP file

You can view the raw contents of an IDP file you imported into your Cleo Harmony system.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Identity Provider (IDP) tab.

  3. Click View IDP file.

    The IDP file is displayed in your default XML editor.

SAML service provider reference

Provide information about the Service Provider (SP).

Field Description
Enable SAML for all Cleo Portal users

Select this check box to authenticate all Cleo Portal users through an identity provider (IDP) using the SAML protocol. When this is the only option selected, the SAML login page is displayed when users access Cleo Portal.

Important: Before enabling this option, make sure you have imported your IDP information and that your IDP has imported your service provider (SP) information.

This option also enables the following settings.
Enable SAML for Default/Native Users Select this check box to allow users created in Cleo Harmony to authenticate using SAML.
Allow non-SAML login for Cleo Portal users

Select this check box to allow Cleo Portal users to log in using local credentials.

Note: Selecting both Enable SAML for all Cleo Portal Users and Allow non-SAML login for Cleo Portal Users enables mixed mode authentication, where Cleo Portal users can log in with either SAML or local credentials. The Cleo Portal login page displays the Use Company Login check box. Clicking Log In with this check box enabled redirects the user to the SAML login page. Otherwise, users can log in using local login credentials.
Entity ID

Specifies the value used as the Issuer in the authentication request. This value must be unique and conform to the URI pattern.

The Entity ID publicly identifies your deployment across all interoperating systems. Changing this value can affect multiple systems and may take time to propagate. Avoid using a physical hostname, which can change with infrastructure updates. Instead, use a value that represents the service itself. One recommended option is the Assertion Consumer Service Endpoint, provided the domain is fully qualified.
Assertion Consumer Service Endpoint (HTTP‑POST)

The URL to which the IDP posts assertions to your Cleo Harmony system.

http://<domain>:<port>/<portal-resource>

The value for <portal-resource> must match the value configured for the Local Listener Web Browser Service.
Single Logout Service Endpoint (HTTP‑Redirect)

The URL from which the IDP sends logout requests to your Cleo Harmony system.

http://<domain>:<port>/signout

This field is populated automatically based on the Assertion Consumer Service Endpoint value and is read‑only.
Enable Single Logout Select this check box to enable single logout processing and populate the Single Logout Service Endpoint (HTTP‑Redirect) field.

 

Signing & Encryption

Provide information to support signing authentication requests and encrypting assertions.

Field Description
Sign Authentication Requests

Select this check box to enable signing of authentication (Authn) requests sent to the identity provider (IDP).

When enabled, additional fields are available for specifying the signing certificate, password, and algorithm.
Signing Certificate

Specifies the certificate alias, password, and algorithm used to sign authentication requests. You can select an existing certificate or browse for one.

Supported algorithms are SHA‑1 and SHA‑256.
Encryption Assertion
Encryption Certificate

Optional. Certificate alias and password the IDP will use for encryption. You can specify a certificate or browse for and select one.

Select Use same as Signing Certificate to use the signing certificate for encryption.
Password Password associated with the encryption certificate.
Sign Metadata Select this option to enable signing of service provider (SP) metadata XML files generated during export.
Metadata Signing Certificate

Specifies the certificate alias and password used to sign SP metadata XML files during export. You can select an existing certificate or browse for one.

Select Use same as Signing Certificate to reuse the signing certificate for metadata signing.

Organization and Contacts

Field Description
Organization
Name Name of the service provider (SP) organization.
Display Name Display name of the service provider (SP) organization.
Website Website URL of the service provider (SP) organization.
Contacts
Technical – Name and Email Name and email address of a technical contact at the service provider (SP).
Support – Name and Email Name and email address of a support contact at the service provider (SP).

SAML identity provider reference

Information from an Identity Provider (IDP) file you import.

Field Description
Entity ID The unique ID for the IDP imported from the IDP metadata file.
Single Sign On Service

The binding supported by Cleo Harmony for single sign-on. Only HTTP‑Redirect is supported.

Other values might be present in the metadata, but only HTTP‑Redirect is displayed.
Single Logout Service

The binding supported by the Cleo Harmony application for logout. Only HTTP‑Redirect is supported.

Other values might be present in the metadata, but only HTTP‑Redirect is displayed.
wantAuthnRequestsSigned Indicates that the IDP expects a signed authentication request.

Organization and Contacts

Field Description
Organization
Name Name of the IDP  organization.
Display Name Display name of the IDP  organization.
Website Website URL of the IDP  organization.
Contacts
Technical – Name and Email Name and email address of a technical contact at the IDP.
Support – Name and Email Name and email address of a support contact at the IDP.

See Importing SAML identity provider information for information about how to import IDP information.

Related articles

Comments

0 comments

Please sign in to leave a comment.