Sign in
< Back to User Guide Top

Configuring SAML

You can configure the Cleo Harmony and Cleo VLTrader (if licensed) applications to support Security Assertion Markup Language (SAML) to implement Single Sign On (SSO) and Single Logout (SLO) for Cleo Portal users.

You provide information about the Service Provider (SP) and the Identify Provider (IDP), where the Cleo system acts as an SP. When the user attempts to sign in, the SP requests an identity assertion from the IDP and, based on that assertion, allows or denies the user access to the service requested. One IDP can provide SAML assertions to many SPs.
Note: Cleo Harmony and Cleo VLTrader requires signed assertions for authenticating users through SAML. Configure your IDP to send back signed assertions while using Cleo Harmony and Cleo VLTrader as Service Provider.

Configuring SAML

Provide information about the Service Provider and the Identity Provider.

Important: Before you enable SAML for Cleo Portal users, make sure you have imported your IDP settings and your IDP has your SP settings.
  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. On the Service Provider (SP) tab, provide information about your system and, optionally, export SP information to a file you can share with your IDP. See Configuring and exporting SAML service provider information and SAML service provider reference.
  3. On the Identity Provider (IDP) tab, import information about your IDP.
    See Importing SAML identity provider information and SAML identity provider reference.
    Once imported, you can view the raw IDP XML file. See Viewing an imported IDP file.

Configuring and exporting SAML service provider information

When you configure Service Provider information, you can export it to a file you can share with or import to your IDP.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Service Provider (SP) tab.
  3. If necessary, enter information about your SP.
    Note: You should not enable SAML for Cleo Portal users until you have imported your IDP settings and your IDP has imported your SP settings.
    See SAML service provider reference.
  4. Save your updates.
    In the web UI, click Save.
    In the native UI, click OK.
  5. (Optional) Click Export.
    In the web UI, updates to the SP information are saved when you click Export.

Importing SAML identity provider information

You can import SAML configuration information from your IDP to your Cleo Harmony or Cleo VLTrader system.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Identity Provider (IDP) tab.
  3. Click Import to display the Import IDP Settings dialog box.
  4. Specify or navigate to your IDP settings file, and then click Import.
    The imported IDP information populates the Identity Provider (IDP) tab. See SAML identity provider reference.
    In the web UI, updated IDP information is saved when you click Import.
    In the native UI, you must click OK to save the updated IDP information. In the native UI, clicking OK to save your IDP data also dismisses the Options dialog box.
    Once you have imported an IDP XML file, you can view the file's raw content. See Viewing an imported IDP file.

Viewing an imported IDP file

You can view the raw contents of an IDP file you imported into your Cleo Harmony or Cleo VLTrader system.

  1. In the web UI, go to Administration > User Management > SAML. In the native UI, go to Options > SAML.
  2. Click the Identity Provider (IDP) tab.
  3. Click View IDP file.
    The IDP file is displayed in you default XML editor.

SAML service provider reference

Provide information about the Service Provider (SP).

Enable SAML for all Cleo Portal users
Select this check box to authenticate all Cleo Portal users via IDP using the SAML protocol. If you select only this option, your SAML login page is displayed when users invoke Cleo Portal.
Important: Before you select this check box, make sure you have imported your IDP information and your IDP has your SP information.
Selecting this check box also enables the following check boxes:
Enable SAML for Default/Native Users
Select this check box to allow users created in Cleo Harmony to log in using SAML.
Allow non-SAML login for Cleo Portal Users
Select this check box to allow Cleo Portal users to log in using their local credentials.
Note: Selecting both Enable SAML for all Cleo Portal Users and Allow non-SAML login for Cleo Portal Users enables mixed mode authentication, where Cleo Portal users can log in with either SAML or local credentials. The Cleo Portal login page displays the Use Company Login check box. Clicking Log In with this check box enabled redirects the user to the SAML login page. Otherwise, users can log in using local login credentials.
Entity ID
Specify the value to be used as the Issuer in the Authn request. This value must be unique and it should conform to the URI pattern.
This value is used to publicly identify your deployment throughout your configuration and all of the other deployments that it interoperates with. This means that updating this value could affect many different systems and could take a long time to propagate. It is recommended that you not use a physical hostname, as such a value could change if you update your physical configuration. Instead, consider using a value that describes the service itself, as such a value could remain intact even through changes in physical configuration. One recommendation is to use your Assertion Consumer Service Endpoint value, as long as the domain is fully qualified.
Assertion Consumer Service Endpoint (HTTP-POST)
The URL to which the IDP posts assertions to your Cleo Harmony system.
http://<domain>:<port>/<portal-resource>
The value you should use for <portal-resource> is the same one you configure for the Local Listener Web Browser Service. See Local Listener Web Browser Service.
Single Logout Service Endpoint (HTTP – Redirect)
The URL from which the IDP sends logout requests to your Cleo Harmony system.
http://<domain>:port</signout>
This field is populated automatically based on the value provided in the Assertion Consumer Service Endpoint field and is read-only.
Enable Single Logout
Select this check box to enable single logout processing and populate the Single Logout Service Endpoint (HTTP – Redirect)field.

Signing & Encryption

Provide information to support signing authentication requests and encrypting assertions.

Sign Authentication Requests
Select the check box to enable fields where you specify a certificate and password to cause Authn Requests sent to the IDP to be signed.
Signing Certificate
Password
Algorithm
Alias, password and algorithm for the certificate to use to sign authentication requests. You can specify a certificate or browse for and select one.
SHA-1 and SHA-256 algorithms are supported.
Encryption Assertion
Encryption Certificate
Password
Optional - Certificate alias and password the IDP will use for encryption. You can specify a certificate or browse for and select one.
Select Use same as Signing Certificate to use the signing certificate for encryption.
Sign MetaData
Enables the fields where you select a certificate to use to sign SP metadata XML files generated during export.
Metadata Signing Certificate
Password
Certificate alias and password to use for signing SP metadata XML files generated during export. You can specify a certificate or browse for and select one.
Select Use same as Signing Certificate to use the signing certificate to sign metadata.

Organization and Contacts

Name
Display Name
Website
Information about the SP organization.
Technical - Name and Email
Support - Name and Email
Information about people at the SP who are available to be contacted.

SAML identity provider reference

Information from an Identity Provider (IDP) file you import.

Entity ID
The unique ID for the IDP imported from the IDP metadata file.
Single Sign On Service
The binding supported by Harmony for single sign on. Only HTTP-Redirect is supported.
There might be other values in the metadata, but only HTTP-Redirect is displayed.
Single Logout Service
The binding supported by the Cleo Harmony application for log out. Only HTTP-Redirect is supported.
There might be other values in the metadata, but only HTTP-Redirect is displayed.
wantAuthnRequestsSigned
Indicates the IDP expects a signed Authorization Request.

Organization and Contacts

Organization
Name
Display Name
Website
Information about the IDP organization.
Contacts
Technical - Name and Email
Support - Name and Email
Information about people at the IDP who are available to be contacted.

See Importing SAML identity provider information for information about how to import IDP information.

 

Related articles

Comments

0 comments

Please sign in to leave a comment.