Configuring the Login page

When users navigate to your Apporto instance, they will see the Apporto Login page. Multiple authentication methods are available, and you can configure them from site settings.

Use the information in this guide to learn how to:

• Customize the Login page
• Enable two-factor authentication (2FA)
• Enable single sign-on (SSO) integration
  • Create an SSO domain
  • Update an SSO domain
    • View certificate details
    • Remove a certificate
    • Unlink a group

Customize the Login page

The table below shows the values that make up the Login page.

Field	Datatype	Required?	Notes
Login page title	String	Yes	Short message to display above the username/password prompt.
Background image	Image file	No	If no image is added, a default image will display. Accepted formats include JPEG and PNG. A ratio of 8:8 is recommended (e.g., 800 x 800 pixels). Otherwise, your image will automatically be cropped or resized.
Subtitle	String	No	Short title to show under the username/password prompt.
Description	String	No	Text that can be displayed below the subtitle
Link text	String	No	Used with the link URL to provide a text link
Link URL	Hyperlink	No	Optional link to show under the description.

Additional features in this section:

• Enable two-factor authentication – This allows you to add a secondary security feature to the login process for user accounts using local authentication.

Follow the steps below to customize the Login page.

1. Click setup or the icon in the navigation panel to view the Setup screen.
2. Click on the Login page tab in the lower part of the page.
   
   
3. Enter your desired values.
4. If you wish to add your own background image
   1. Click upload image to trigger the file manager.
   2. Select a file from your local storage. The ideal image has an aspect ratio of 8:8 (e.g., 800 x 800 pixels) and is a PNG or JPEG file.
   3. The system will display a preview of your image and prompt you to save the change.
      
      
   4. If you are not satisfied with the preview, click remove image to remove the current file and then click upload image again to import a new image. 
5. Click save changes to update the Login page with your new settings.

Enable two-factor authentication (2FA)

Two-factor authentication (2FA)–also known as multi-factor authentication (MFA)–is a login method that requires users to provide a combination of security measures. Checking the “enable two-factor authentication” setting for the Login page will require users to use an authenticator app to generate login credentials. See the MFA section of the article on accessing Apporto for more information.

Enable single sign-on (SSO) integration

Single sign-on (SSO) authentication is the most commonly used method for Apporto users. For information on how to log in to the system with SSO, see the article on accessing Apporto.

To access SSO settings, click on the “SSO domains” tab in the lower part of the Setup page.

Create an SSO domain

The table below shows the values that make up an SSO domain record.

Field	Datatype	Required?	Notes
User auth method	Lookup value	Yes	Authenticate only Authenticate and create
Domain name	String	Yes	This is a descriptive name for easy reference.
Email domain	String	Yes	Include everything after the @ symbol.
Include subdomains	Boolean	No
SSO login URL	String	Yes	SAML2 SSO login URL as provided by your Identity Provider (IdP)
SSO logout URL	String	No	If SSO logout is desired, you can provide the SAML2 SSO logout URL as provided by your Identity Provider (IdP).
Service provider entity ID	String	Read-only	This value is auto-generated by the system. You will need to provide the SP entity ID to your Identity Provider (IdP) when setting up the SSO integration. The format will be https://yourorganization.apporto.com/passport-saml.
Service provider (SP) URL	String	Read-only	This value is auto-generated by the system after the configuration is saved. You will need to provide this to your Identity Provider (IdP) as the reply URL (Assertion Consumer Service URL).
Unique user identifier attribute	String	Yes	The full SAML2 assertion attribute name of the attribute that defines the user’s unique user identifier
User first name attribute	String	Yes	The full SAML2 assertion attribute name of the attribute that defines the user’s first name
User last name attribute	String	Yes	The full SAML2 assertion attribute name of the attribute that defines the user’s last name
User email attribute	String	No	The full SAML2 assertion attribute name of the attribute that defines the user’s email address
SSO active	Boolean	No	This value will be set to TRUE (ON) by default. You may switch it off, if you want to configure the SSO connection without it immediately being in use.

SAML2 Assertions must be signed. The Identity Provider’s (IdP) signing certificate(s) must be added to the SSO configuration for the SSO integration to work.

Follow the steps below to add a domain for SSO authentication.

1. Click the create new SSO domain button to trigger the Create SSO domain form. The form has three main sections:
   1. SSO domain profile – SSO instance location information and mapping values
      1. Information about the location of your SSO instance
         
         
      2. Mapping values to interface Apporto with your SSO instance. The service provider entity ID and URL will be provided for you and can easily be copied to provide to your Identity Provider (IdP).
         
         
   2. Certificates – signing certificates used by the SSO Identity Provider (IdP) server to sign assertions
      
      
   3. Groups – assignment of the SSO domain to one or more user groups
      
      
2. Start the setup process by copying the service provider entity ID and URL to provide to your SAML2 Identity Provider (IdP) administrator. In return, the IdP administrator should provide the SSO login URL, SSO logout URL (optional), and the attribute names to use for the attribute mapping fields. Enter these values exactly as given by the IdP administrator. Ensure the desired user auth method is selected for your use case. Enter a domain name in the email domain field that will be used to trigger the SSO login flow for users attempting to login directly to the portal. Complete this section by ensuring the domain name contains a unique descriptive name to describe this SSO integration.
3. From the “Certificates” tab, click the add certificate button to trigger the pop-up.
   
   1. Upload a certificate file and click add to apply it to the domain.
      Each certificate file must be in the PEM format with a .pem file extension.
      
   2. Repeat as needed for multiple certificates.
4. Click on the “Groups” tab and click add group to select one or more groups that will use the SSO domain for authentication.
   
   
5. Click save to finish creating the SSO domain.

Update an SSO domain

For an existing SSO domain record, you may update any values in the domain profile or mapping values sections by editing the contents. You may also add new certificates and link additional user groups. Commit all changes by clicking save. See the section above for more information.

Additional features in this section:

• View certificate details
• Remove a certificate
• Unlink a group

View certificate details

To view the details of an existing SSO domain certificate, follow the steps below:

1. From the “certificates” tab, click view for the certificate you want to examine. The View certificate pop-up screen will display.
   
   
2. The certificate details include:
   1. Subject information (only fields set on the certificate will be displayed)
      1. Country
      2. State/province
      3. Locality/city
      4. Identity management provider organization name
      5. Organizational unit name
      6. Common name
      7. Email address
   2. Issuer information (only fields set on the certificate will be displayed)
      
      1. Country
      2. State/province
      3. Locality/city
      4. Identity management provider organization name
      5. Organizational unit name
      6. Common name
      7. Email address
   3. Validity
      1. Start date/time
      2. Expiration date/time
      3. Current status
3. Click on the close button or anywhere outside the pop-up window to return to the Update SSO domain screen.

Remove a certificate

To remove an invalid certificate, follow the steps below:

1. From the “certificates” tab, click remove for the certificate you want to remove.
2. The certificate will no longer be visible in the list, and the system will prompt you to save changes.
3. To commit the change, click save. To abort the change, refresh the screen without saving and the certificate will be visible in the list once again.

Unlink a group

To detach a group from the SSO domain, follow the steps below:

1. From the “groups” tab, click unlink for the group you want to remove.
2. The group will no longer be visible in the list, and the system will prompt you to save changes.
3. To commit the change, click save. To abort the change, refresh the screen without saving and the group will be visible in the list once again.