Editing the Authentication Method
Users with the SP administrator role can use the Authentication page to modify the authentication method for service provider and tenant users.
To modify the authentication method:
- Select Administration > Authentication.
The Authentication page appears.
- Select the user type (SP User or Tenant User) for which you want to change the authentication method, and then click the edit icon.
The Authentication Type page appears.
- Select the authentication method that you want to configure for the user:
Authentication with SSO Server
Authentication and Authorization with SSO Server
For more information about authentication methods, see Authentication Methods Overview.
- If you select the Authentication with SSO Server or Authentication and Authorization with SSO Server method, you must enter the configuration described in Table 1.
Table 1: Fields on the Authentication Type Page
SSO Server
Select the SSO server name from the list.
SSO Initiated By
Select the SSO initiation method.
Service Provider (CSO)—Select this method if SSO authentication is initiated by CSO. For example, when a user tries to use the CSO application without being authenticated, the user is redirected to the SSO server. After authenticating with the SSO server, the user is redirected back to CSO.
Identity Provider (SSO Server)—Select this method to authenticate users through the identity provider. When you log in to the identity provider, it presents a list of applications that are integrated with it, and you can open any of them. For example, if you click the CSO application, you are directed to CSO and can use it.
If you select the Service Provider (CSO) method, the following field is displayed:
Username Pattern
Enter a list of username patterns separated by a comma, space, or semicolon. For example, *@aaa-example.com; *@xyz-example.com.
Note: If the username matches a username pattern, the user is redirected to the SSO server to complete the authentication process. If the username does not match any of the username patterns, local authentication is used.
If you select the Identity Provider (SSO Server) method, the following fields are displayed:
Direct CSO Login Message
Enter the message to display when a user tries to directly access CSO without being authenticated by the SSO server.
Enter the message to be displayed when the user logs out from CSO.
Select the identifier that correlates the tenant's Security Assertion Markup Language (SAML) attribute with the tenant. When a tenant is onboarded into the system, it is uniquely identified by one of the following identifiers:
Use Tenant Name—Select this option to identify the tenants by using the tenant name.
Use OSS Tenant ID—Select this option to identify the tenants by using the tenant ID.
Permitted Roles and Mapping
Roles used in the SSO server (the external system) differ from the roles used in CSO. Therefore, you must map the roles defined in CSO to the roles defined in the external SSO server (the identity provider).
To map the roles:
Click the add icon (+).
A new row appears under the header in the table. To delete the row, click the delete icon (X).
Select the role from the Role in CSO column, and then enter one or more matching roles (separated by commas) in the Mapped External Role column.
Click OK to save the changes. If you want to cancel,
The user role in CSO is matched with the role in the SSO server.
You can also modify the permitted role and delete one or more permitted roles.
If you select the Local Authentication type, the SSO Server, SSO Initiated By, and Username Pattern fields are not displayed.
- Click Save to save the changes. If you want to discard the changes, click Cancel instead.
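As an added illustration that is not part of CSO or of this documentation, the following Python sketch models the two decisions the page describes: routing a login to the SSO server or to local authentication based on the Username Pattern field, and translating roles asserted by the SSO server into CSO roles through the Permitted Roles and Mapping table. The sample patterns, role names and the glob-style matching are constructed assumptions; the fall-back to local authentication when no pattern matches is the behaviour the Note above documents, and audit_patterns() lists the accounts that would take that fall-back so a typo in a pattern does not go unnoticed.

```python
import fnmatch
import re

# Constructed sample value for the Username Pattern field; the page allows
# comma, space, or semicolon as separators.
USERNAME_PATTERNS = "*@aaa-example.com; *@xyz-example.com"

# Constructed sample of the Permitted Roles and Mapping table:
# Role in CSO -> one or more comma-separated Mapped External Roles.
ROLE_MAPPING = {
    "SP Administrator": "cso-admins, idp-superusers",
    "SP Operator": "cso-operators",
}


def parse_patterns(raw):
    """Split the Username Pattern field on comma, whitespace, or semicolon."""
    return [p for p in re.split(r"[,\s;]+", raw.strip()) if p]


def route_login(username, raw_patterns):
    """Return 'sso' if the username matches any pattern, otherwise 'local'.

    Matching is case-insensitive (an assumption; e-mail-style names usually
    are). No match means local authentication, exactly as the Note documents.
    """
    name = username.lower()
    for pattern in parse_patterns(raw_patterns):
        if fnmatch.fnmatchcase(name, pattern.lower()):
            return "sso"
    return "local"


def parse_role_mapping(mapping):
    """Invert the table into an external-role -> CSO-role lookup."""
    lookup = {}
    for cso_role, external in mapping.items():
        for ext in (e.strip().lower() for e in external.split(",")):
            if ext:
                lookup[ext] = cso_role
    return lookup


def cso_roles_for(external_roles, mapping):
    """Map roles asserted by the SSO server to CSO roles; unmapped roles grant nothing."""
    lookup = parse_role_mapping(mapping)
    return sorted({lookup[r.lower()] for r in external_roles if r.lower() in lookup})


def audit_patterns(usernames, raw_patterns):
    """Defender's check: which known accounts would silently fall back to local auth."""
    return [u for u in usernames if route_login(u, raw_patterns) == "local"]
```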