Implementing Single Sign On (SSO)
Introduction
Aptem supports Single Sign On (SSO) using SAML. When it is enabled, the client's federated identity provider (FIP) authenticates internal and/or external users of Aptem instead of Aptem's own login.
The Aptem SAML implementation handles authentication only, not authorisation: customers cannot control the roles and permissions of internal and external users through SAML. Aptem does support managing roles and permissions through its APIs. For further information on managing user accounts with the APIs, please contact support.
Getting started
The steps to implement SSO are predominantly configuration of your Identity Provider. The information below gives the details required, together with reference articles for configuring common identity providers such as Azure AD. Once you are ready to configure your Identity Provider you will need a manifest URL (the SAML metadata describing Aptem as the service provider), which you can request from the Aptem technical support team.
Useful articles
Planning a single sign-on deployment
Configuration guides
Configuring SAML-based Single Sign-On in Azure AD
Configuration for Aptem
Use the manifest URL referred to above to register Aptem with the client's FIP. When configuring the Identity Provider connection, ensure that the FIP places the user's identifier in one of the following attributes in the assertion:
saml:Attribute[@Name='urn:oid:0.9.2342.19200300.100.1.1'] (the LDAP uid attribute)
saml:Attribute[@Name='username']
saml:Attribute[@Name='User.email']
saml:Attribute[@Name='email']
You must also ensure that assertion encryption is not enabled on the Identity Provider: Aptem will not process an encrypted assertion. The assertion should still be signed with the signing key published in the Identity Provider's manifest.
Next Steps
Once you have configured this within your Identity Provider, send us the Identity Provider's manifest (federation metadata) file and we will register it within Aptem to establish the trust. The manifest must contain exactly one signing key: if it lists more than one (for example because a signing certificate rollover is in progress), export or edit it so that only the active signing key remains before sending it.
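As an added example (not part of this page and not Aptem's own tooling), the following Python script runs the checks from the two sections above before the files are sent: that the Identity Provider metadata advertises exactly one signing key, that a test SAML Response carries an unencrypted assertion, and that the assertion contains the user identifier in one of the accepted attribute names. The metadata and responses are constructed inline for the example; the entity IDs, URLs and certificate placeholders are made up. It does not verify XML signatures or assertion conditions, which a real service provider must do.

```python
"""Pre-flight checks for an Aptem-style SAML setup (added example, not Aptem's code).

Checks, without verifying signatures:
  1. the IdP metadata advertises exactly one signing key;
  2. a test SAML Response carries an unencrypted assertion whose
     AttributeStatement contains one of the accepted identifier attributes.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Attribute names accepted for the user identifier (from the page above).
ACCEPTED_ATTRIBUTES = (
    "urn:oid:0.9.2342.19200300.100.1.1",  # LDAP 'uid'
    "username",
    "User.email",
    "email",
)


def count_signing_keys(metadata_xml: str) -> int:
    """Number of KeyDescriptors on the IDPSSODescriptor that can sign.

    A KeyDescriptor with no 'use' attribute is valid for both signing and
    encryption, so it counts as a signing key too.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    return sum(1 for kd in idp.findall("md:KeyDescriptor", NS)
               if kd.get("use") in (None, "signing"))


def check_response(response_xml: str) -> dict:
    """Report whether the assertion is encrypted and which accepted
    identifier attribute (if any) it carries."""
    root = ET.fromstring(response_xml)
    result = {"encrypted": False, "identifier_attribute": None, "problems": []}
    if root.find("saml:EncryptedAssertion", NS) is not None:
        result["encrypted"] = True
        result["problems"].append("assertion is encrypted; disable assertion encryption")
        return result
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        result["problems"].append("response contains no Assertion")
        return result
    for attr in assertion.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
        if name in ACCEPTED_ATTRIBUTES and value:
            result["identifier_attribute"] = name
            break
    if result["identifier_attribute"] is None:
        result["problems"].append("no accepted identifier attribute; expected one of "
                                  + ", ".join(ACCEPTED_ATTRIBUTES))
    return result


# Constructed sample IdP metadata: one signing key plus one encryption key (acceptable).
IDP_METADATA_OK = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-SIGNING-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER-ENCRYPTION-CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Same IdP mid certificate rollover: two signing keys, which must be trimmed to one.
IDP_METADATA_ROLLOVER = IDP_METADATA_OK.replace('use="encryption"', 'use="signing"')

# Constructed test Response with a plain assertion carrying an 'email' attribute.
RESPONSE_OK = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <saml:AttributeStatement>
      <saml:Attribute Name="displayName"><saml:AttributeValue>Test User</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="email"><saml:AttributeValue>test.user@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed test Response with assertion encryption enabled (placeholder ciphertext).
RESPONSE_ENCRYPTED = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#" ID="_r2" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <saml:EncryptedAssertion><xenc:EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element">
    <xenc:CipherData><xenc:CipherValue>PLACEHOLDER-CIPHERTEXT</xenc:CipherValue></xenc:CipherData>
  </xenc:EncryptedData></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, md in (("ok", IDP_METADATA_OK), ("rollover", IDP_METADATA_ROLLOVER)):
        print(f"metadata[{label}]: signing keys = {count_signing_keys(md)}")
    for label, resp in (("ok", RESPONSE_OK), ("encrypted", RESPONSE_ENCRYPTED)):
        print(f"response[{label}]: {check_response(resp)}")
```

Point the script at your exported Identity Provider metadata and at a Response captured from a test login (for example from the browser's network tools, base64-decoded). A signing-key count other than 1 or any entry in `problems` means the configuration will not be accepted as described above.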
After this, create a test user account to verify that Single Sign On (SSO) is working. When SSO is enabled, this is what you see: