
Single Sign-On (SSO)

InfoLink supports SAML Single Sign-On (SSO). The instructions below show how to configure it with Azure Active Directory (Azure AD) as an example; similar steps should work with other SAML identity providers.

Create an application in Azure AD

Create a new enterprise application in Azure Active Directory as described below. You can find more information at https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/add-application-portal.

  1. Log in to the Microsoft Azure portal.
  2. Search and open Azure Active Directory on the navigation panel.
  3. Go to Enterprise Applications.
  4. Click New application.
  5. Select Non-gallery application, or click the Create your own application button, enter a name for the new application, make sure Integrate any other application you don't find in the gallery (Non-gallery) is selected, and click Add to save it.

Configure Azure AD application

  1. In the Azure portal, go to Azure Active Directory -> Enterprise Applications -> All applications and select the application created earlier for InfoLink.
  2. Select Single sign-on and click SAML.
  3. In the Basic SAML Configuration section, enter:
    1. Identifier (Entity ID): http://<host:port>/<path-to-infolink>/ui/index.jsp
    2. Reply URL (Assertion Consumer Service URL): http://<host:port>/<path-to-infolink>/ui/ssoACS.jsp
  4. In the SAML Signing Certificate section, download Certificate (Base64). You will need it later.
  5. In the Set up InfoLink-Enterprise section, note the Login URL, Azure AD Identifier and Logout URL. You will need them later.

Configure InfoLink

  1. On the Home page, go to the Settings tab and scroll to the Single Sign-On (SSO) using SAML section.
  2. Click Edit.
  3. Enable the Enabled switch.
  4. Fill in the Service Provider section:
    1. Identifier (Entity ID) must be the same as in the Azure AD application created above: http://<host:port>/<path-to-infolink>/ui/index.jsp
    2. ACS (reply) URL must be the same as in the Azure AD application created above: http://<host:port>/<path-to-infolink>/ui/ssoACS.jsp
  5. Fill in the Identity Provider section:
    1. Login URL is Login URL from the Azure AD application.
    2. Identifier (Entity ID) is Azure AD Identifier from the Azure AD application.
    3. Logout URL is Logout URL from the Azure AD application.
    4. Signing Certificate is everything between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (excluding those lines) of the Certificate (Base64) you downloaded from the Azure AD application.
  6. In the User Mapping section, define how to map the Identity Provider users to InfoLink users:
    1. Set SAML Attribute Name for Username to the SAML attribute you want to map to the InfoLink username (e.g. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress).
    2. User Provisioning can be set to:
      1. On: On signing in, an InfoLink user is created automatically:
        1. The name of the created user is the value of SAML Attribute Name for Username.
        2. You can grant roles to the created user by specifying SAML Attribute Name for Role Mapping (e.g. http://schemas.microsoft.com/ws/2008/06/identity/claims/groups) and a mapping in JSON format as shown below, where from is a value of SAML Attribute Name for Role Mapping and to is an InfoLink role name or admin:
          [ { "from":"64af8b3a-984a-4b5d-89c1-0075a0fa8746", "to": "Role1" }, { "from":"6d21b91d-3f7f-4ab7-bbc7-28880012761b", "to": "Role2" } ]
        3. You can set properties of the created user (userPropertyName, such as timeZone, editorMode or uiLang) by mapping them from a SAML attribute (samlAttributeName) as shown in the following example. If the attribute value cannot be mapped using mapping, defaultUserPropertyValue is assigned to the property.
          [ { "userPropertyName": "timeZone", "samlAttributeName": "country", "mapping": [ {"from": "US", "to": "US/Pacific"}, {"from": "Brazil", "to": "Brazil/Western"} ], "defaultUserPropertyValue": "UTC" }, { "userPropertyName": "editorMode", "defaultUserPropertyValue": "VIM" } ]
      2. Off: On signing in, the Identity Provider user is mapped to an existing InfoLink user. The mapping is specified in JSON format in User Mapping, as in the following example:
        [ { "from":"maxim@paloaltodatabases.com", "to": "admin" } ]
  7. Click the Save button.
  8. On the Home page, in the top-right corner, click Log out. You will be redirected to the sign-in page.
  9. On the Sign In page, click the Sign In with SSO button. You should be redirected to the Microsoft website to sign in and then to the InfoLink home page.
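To make the User Mapping rules concrete, here is an added example (not InfoLink's own code) that applies the page's role mapping, user property mapping and User Mapping JSON to a SAML attribute statement, for both User Provisioning = On and Off. It assumes the attributes arrive as a dictionary of attribute name to list of values, which is the shape most SAML libraries return after validating the assertion; the sample attribute values and the second group id are constructed.

```python
USERNAME_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
ROLE_ATTR = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
# Mapping JSON from the page: role and property mapping (Provisioning On), User Mapping (Off).
ROLE_MAPPING = [{"from": "64af8b3a-984a-4b5d-89c1-0075a0fa8746", "to": "Role1"},
                {"from": "6d21b91d-3f7f-4ab7-bbc7-28880012761b", "to": "Role2"}]
PROPERTY_MAPPING = [
    {"userPropertyName": "timeZone", "samlAttributeName": "country", "defaultUserPropertyValue": "UTC",
     "mapping": [{"from": "US", "to": "US/Pacific"}, {"from": "Brazil", "to": "Brazil/Western"}]},
    {"userPropertyName": "editorMode", "defaultUserPropertyValue": "VIM"}]
USER_MAPPING = [{"from": "maxim@paloaltodatabases.com", "to": "admin"}]

# Constructed attribute statement for one sign-in (the second group id is made up).
SAMPLE_ATTRS = {
    USERNAME_ATTR: ["alice@example.com"],
    ROLE_ATTR: ["64af8b3a-984a-4b5d-89c1-0075a0fa8746", "11111111-2222-3333-4444-555555555555"],
    "country": ["Brazil"],
}

def username_from(attrs, username_attr=USERNAME_ATTR):
    """Exactly one non-empty value is required; anything else is rejected rather than guessed."""
    values = attrs.get(username_attr, [])
    if len(values) != 1 or not values[0]:
        raise ValueError("username attribute missing or ambiguous: %s" % username_attr)
    return values[0]

def map_roles(attrs, role_attr=ROLE_ATTR, role_mapping=ROLE_MAPPING):
    """Group values with a mapping entry become roles; unmapped groups grant nothing."""
    wanted = {m["from"]: m["to"] for m in role_mapping}
    return sorted({wanted[g] for g in attrs.get(role_attr, []) if g in wanted})

def map_properties(attrs, property_mapping=PROPERTY_MAPPING):
    """First matching 'from' wins; no attribute or no match falls back to defaultUserPropertyValue."""
    props = {}
    for spec in property_mapping:
        value = spec["defaultUserPropertyValue"]
        for v in attrs.get(spec.get("samlAttributeName"), []):
            hit = next((m["to"] for m in spec.get("mapping", []) if m["from"] == v), None)
            if hit is not None:
                value = hit
                break
        props[spec["userPropertyName"]] = value
    return props

def provision_user(attrs):
    """User Provisioning = On: the InfoLink user created on sign-in."""
    return {"username": username_from(attrs), "roles": map_roles(attrs), "properties": map_properties(attrs)}

def resolve_existing_user(attrs, user_mapping=USER_MAPPING):
    """User Provisioning = Off: the existing InfoLink user, or None if the IdP user is not mapped."""
    return {m["from"]: m["to"] for m in user_mapping}.get(username_from(attrs))
```

A group that has no entry in the role mapping grants no role, and a country with no entry falls back to UTC, so a mapping typo silently yields a user with fewer rights or default settings rather than an error.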

NOTE: Often you want to set SAML Attribute Name for Role Mapping to an attribute that returns the list of all groups the user is a member of. Such an attribute is not included in the SAML response by default. To add it, go to Azure portal -> Azure Active Directory -> Enterprise Applications -> All applications -> select the application created for InfoLink -> select Single sign-on -> in the Attributes & Claims section click Edit -> click Add a group claim -> select the groups you want to return in the claim (e.g. All) -> click Save.

NOTE: For SSO to work, the user must be granted access to the application in Azure AD. The user must belong to a group that is assigned to the application, or be assigned directly. Note that nested groups are not supported: the group must be directly assigned to the application. See Assign a user account to an enterprise application.

NOTE: If you get ERROR: Internal Error: RelayState is empty in the ACS URL call, you are probably testing the login from the Azure portal, and Azure does not pass the relay state that InfoLink requires. Sign in from InfoLink instead.
