Prerequisites:
- 2024.1 or later version of the client
- To access SSO, you as a customer need to have either a "Subscription" or "Enterprise" type agreement. If you're unsure about which agreement you have, please contact sales@2c8.com.
- An Identity Provider supporting SAML 2.0. The feature has only been tested with Microsoft Active Directory Federation Services and Microsoft Azure Entra ID, so we only offer a step-by-step guide for these. However, it likely works with other Identity Providers as well.
- The user performing the configuration must have a user account in the portal with the type "Portal Administrator".
Note! At the moment SSO does not work on Mac devices.
Initial setup in 2c8 Portal
1. In the portal, click "Customer details" and then "Edit" in the "SSO" section.
2. Then enter your domain. This value will need to be provided by users logging in with SSO during their initial login. If you have multiple domains within your organization, you'll need to choose one domain.
Once you've entered a domain, click on "Download metadata" under "Service Provider". You will need this later in the configuration.
Continue with the steps below for the Identity Provider you use.
Microsoft Active Directory Federation Service
Azure Entra ID
3a. In the Azure portal, navigate to "Microsoft Entra ID", click "Enterprise Applications" and there "New application". Search for and select "Microsoft Entra SAML Toolkit".
Give the Enterprise app a suitable name of your choice.
Click "Create".
4a. In your newly created Enterprise app, navigate to "Single sign-on" and click "SAML".
5a. Click "Upload metadata file" and select the file you downloaded from the portal in step 2.
6a. In the field "Sign on URL" enter "https://portal.2c8.com" and save.
7a. In the "SAML Certificates" section, click "Download" on the row "Federation Metadata XML". This file will be used in a later step.
8a. To allow users to access the newly created Enterprise app, you also need to grant them permission. Under "Users and groups" you can assign groups or individual users. You can also choose to set "Assignment required" to "No" under the "Properties" tab. This will allow all users in your Entra ID directory to use the Enterprise app to log in.
Microsoft Active Directory
3b. On your AD FS server, start "AD FS Management". Click "Relying Party Trusts" and then "Add Relying Party Trust...". With "Claims aware" selected, click "Start".
4b. Select "Import data about the relying party from a file" and upload the file that you downloaded from the portal in step 2.
5b. Give the configuration a suitable name of your choice and click "Next".
6b. At the step "Choose Access Control Policy" choose the option that suits you. If you want anyone in your organisation to be able to use the SSO configuration, pick "Permit everyone". Continue and finish the wizard.
7b. Select your newly created Relying Party Trust in the list and click "Add rule" in the right pane. Give the rule a name of your choice, for example "nameid".
Now add a mapping:
- Pick the LDAP attribute that contains the user's email address and map that to "Name ID".
Save the rule.
8b. Download your AD FS metadata XML from https://yourdomain.com/federationmetadata/2007-06/federationmetadata.xml
Finish the configuration in 2c8 Portal
9. In the portal, continue where you left off in step 2. Click "Upload metadata" under "IDENTITY PROVIDER XAML META DATA". Choose the file you exported from Entra ID / Active Directory.
Configuration is now completed and the users can log in by clicking "Log in with SSO" and entering the domain that you chose in step 2.