Configuring single sign-on (SSO) domains

Apporto offers a number of ways for users to authenticate into the system. Single sign-on (SSO) authentication is the most commonly used method for Apporto users. For information on how to log in to the system with SSO, see the article on accessing Apporto.

Use the information in this guide to learn how to manage SSO domain configurations, SSO certificates, and linked groups.

Manage SSO domain configurations

SSO domain configurations can be viewed, created, and updated from the “SSO domains” tab of the Setup screen.

View configured SSO domains

To view any SSO domains that have already been configured, follow the steps below.

    1. Log in to the system using your credentials.
    2. Click setup or the icon in the navigation panel to view the Setup screen.
    3. Click on the “SSO domains” tab.
    4. The list of configured SSO domains will display. You may filter the list or adjust the displayed columns to locate records. See the article on working with lists for more information.

Create a new SSO domain configuration

The table below shows the values that make up an SSO domain configuration.

| Field | Datatype | Required? | Notes |
|---|---|---|---|
| User auth method | Lookup value | Yes | Options: Authenticate only; Authenticate and create |
| Domain name | String | Yes | This is a descriptive name for easy reference. |
| Email domain | String | Yes | Include everything after the @ symbol. |
| Include subdomains | Boolean | No | |
| SSO login URL | String | Yes | SAML2 SSO login URL as provided by your Identity Provider (IdP) |
| SSO logout URL | String | No | If SSO logout is desired, you can provide the SAML2 SSO logout URL as provided by your Identity Provider (IdP). |
| SSO active | Boolean | No | This value will be set to TRUE (ON) by default. You may switch it off if you want to configure the SSO connection without it immediately being in use. |
| Entity ID | String | Read-only | This value is auto-generated by the system. You will need to provide the SP entity ID to your Identity Provider (IdP) when setting up the SSO integration. The format will be https://yourorganization.apporto.com/passport-saml. |
| Single sign-on URL | String | Read-only | This value is auto-generated by the system after the configuration is saved. You will need to provide this to your Identity Provider (IdP) as the reply URL (Assertion Consumer Service URL). |
| User’s unique identifier | String | Yes | IdP attribute mapped to user UID |
| User’s first name | String | Yes | IdP attribute mapped to user first name |
| User’s last name | String | Yes | IdP attribute mapped to user last name |
| User’s email | String | Yes | IdP attribute mapped to user email |
| User’s group(s) | String | No | IdP attribute mapped to user group(s) |
| IDP attribute allowed access | String | No | IdP attribute that is allowed access to Apporto |
| IDP value(s) allowed access | String | No | IdP value(s) allowed access to Apporto. This is a comma-separated list. |

The SSO domain profile also includes certificate files and linked groups. These items are covered later in this article.

SAML2 Assertions must be signed. The Identity Provider’s (IdP) signing certificate(s) must be added to the SSO configuration for the SSO integration to work.

To create a new SSO domain configuration, follow the steps below.

  1. Click create new SSO domain to be directed to the Create SSO domain screen.
  2. Copy the service provider entity ID and SSO URL values to provide to your SAML2 Identity Provider (IdP) administrator. In return, the IdP administrator should provide the SSO login URL, SSO logout URL (optional), and the attribute names to use for the attribute mapping fields. Enter these values exactly as given by the IdP administrator. Ensure the desired user auth method is selected for your use case. In the email domain field, enter the domain that will trigger the SSO login flow for users attempting to log in directly to the portal. Complete this section by giving the domain name field a unique, descriptive name for this SSO integration.
  3. Add at least 1 SSO certificate to the domain. See the section on adding SSO certificates for more information.
  4. Link at least 1 group to the domain. See the section on adding groups for more information.
  5. Click save to finish creating the SSO domain.
  6. The system will return you to the “SSO domains” tab with the new configuration showing in the list.
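
Before the configuration goes into use, the values entered in step 2 can be checked against a sample login response captured from the IdP. The script below is an added example, not Apporto code: it confirms that the assertion itself carries a signature element and that every mapped attribute name is present with the exact spelling. The attribute names, the `affiliation` attribute, and the reading of the allowed-access fields as "at least one listed value must be present" are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _attr(name, value):
    return (f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
            '</saml:AttributeValue></saml:Attribute>')

# Constructed sample assertion: signature body elided, all values made up.
SAMPLE = (
    f'<saml:Assertion xmlns:saml="{NS["saml"]}" xmlns:ds="{NS["ds"]}" ID="_a1">'
    '<ds:Signature><ds:SignedInfo><ds:Reference URI="#_a1"/></ds:SignedInfo>'
    '</ds:Signature><saml:AttributeStatement>'
    + _attr("uid", "jdoe") + _attr("givenName", "Jane") + _attr("sn", "Doe")
    + _attr("mail", "jdoe@example.edu") + _attr("affiliation", "staff")
    + '</saml:AttributeStatement></saml:Assertion>')

# Hypothetical entries for the attribute mapping fields.
MAPPING = {"unique identifier": "uid", "first name": "givenName",
           "last name": "sn", "email": "mail"}

def preflight(xml_text, mapping, allowed_attr=None, allowed_values=""):
    """List problems in one decoded SAML2 response or assertion.
    Structure check only: the signature is NOT verified cryptographically."""
    root = ET.fromstring(xml_text)
    a = next(root.iter("{%s}Assertion" % NS["saml"]), None)
    if a is None:
        return ["no Assertion element found"]
    problems = []
    # A signed assertion carries a ds:Signature child that references its own ID.
    refs = [r.get("URI") for r in a.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)]
    if not a.get("ID") or "#" + a.get("ID") not in refs:
        problems.append("assertion is not signed")
    attrs = {}
    for at in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in at.findall("saml:AttributeValue", NS)]
        attrs.setdefault(at.get("Name"), []).extend(values)
    for field, name in mapping.items():  # names are matched case-sensitively
        if not any(attrs.get(name, [])):
            problems.append(f"{field}: attribute '{name}' missing or empty")
    if allowed_attr:
        allowed = {v.strip() for v in allowed_values.split(",") if v.strip()}
        if not allowed & set(attrs.get(allowed_attr, [])):
            problems.append(f"no allowed value in '{allowed_attr}'")
    return problems

if __name__ == "__main__":
    print(preflight(SAMPLE, MAPPING, "affiliation", "faculty, staff") or "OK")
```

An empty result means the sample matches the configuration as entered; a response signed only at the Response level is reported as "assertion is not signed".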

Update an SSO domain configuration

For an existing SSO domain record, you may update any values in the domain profile or mapping values sections by editing the contents. You may also add new certificates and link additional user groups. Commit all changes by clicking save. See the section above for a description of each field.

  1. Click edit on a domain configuration in the list to be directed to the Update SSO domain screen.
  2. Update any necessary values.
  3. Click save to commit the changes.
  4. The system will update the configuration and return you to the “SSO domains” tab.

Delete an SSO domain configuration

To remove an unnecessary SSO domain configuration, follow the steps below.

  1. Click delete on a domain configuration in the list to trigger the Delete domain pop-up.
  2. Click confirm to verify that you want the configuration record removed, or you may click cancel to exit the process without deleting.
  3. After your selection, the pop-up will close and you will be returned to the “SSO domains” tab.

Manage SSO certificates

Signing certificates are used by the SSO IdP to sign assertions.

View the list of SSO certificates

To view the certificates for an SSO domain record, follow the steps below.

  1. From the SSO domain profile, click on the “certificates” tab (if it is not already selected by default).
  2. The list of certificates will display. You may filter the list or adjust the displayed columns to locate records. See the article on working with lists for more information.

Add a certificate to an SSO domain configuration

Follow the steps below to add a certificate.

  1. From the “certificates” tab, click the add certificate button to trigger the Add certificate pop-up.
  2. Browse from your local file manager to select and upload a certificate file. Acceptable file types include .der, .pfx, .crt, .cert, .cer, and .pem extensions.
  3. Once the certificate has been read by the system, the certificate values will display in the pop-up.
  4. Click add to apply the certificate to the domain and return to the list of certificates.
  5. Repeat as needed for multiple certificates.

View an existing SSO certificate

To view the details of an existing SSO domain certificate, follow the steps below.

  1. From the “certificates” tab, click view for the certificate you want to examine. The View certificate pop-up screen will display. Some certificates will display more values than others.
  2. The certificate details include some or all of the following:
    1. Subject information (only fields set on the certificate will be displayed)
      1. Country
      2. State/province
      3. Locality/city
      4. Identity management provider organization name
      5. Organizational unit name
      6. Common name
      7. Email address
    2. Issuer information (only fields set on the certificate will be displayed)
      1. Country
      2. State/province
      3. Locality/city
      4. Identity management provider organization name
      5. Organizational unit name
      6. Common name
      7. Email address
    3. Validity
      1. Start date/time
      2. Expiration date/time
      3. Current status
  3. Click on the close button or anywhere outside the pop-up window to return to the list of certificates.

Remove an SSO certificate

To remove an invalid certificate, follow the steps below.

  1. From the “certificates” tab, click remove for the certificate you want to remove.
  2. The certificate will no longer be visible in the list, and the system will prompt you to save changes.
  3. To commit the change, click save. To abort the change, refresh the screen without saving and the certificate will be visible in the list once again.

Manage linked groups

The SSO domain configuration can be assigned to one or more user groups.

View the list of linked groups

To view the list of groups that are linked to an SSO domain, follow the steps below.

  1. From the SSO domain profile, click on the “groups” tab.
  2. The list of linked groups will display. You may filter the list or adjust the displayed columns to locate records. See the article on working with lists for more information.

Add a group to an SSO domain configuration

Follow the steps below to link a group to an SSO domain.

  1. From the “groups” tab, click add group to trigger the Search for groups pop-up.
  2. Select one or more groups that will use the SSO domain for authentication and click add groups. The selected group(s) will now show in the groups list for the domain.
  3. To commit the change, click save. To abort the change, refresh the screen without saving and the newly added group(s) will no longer be visible in the list.

Unlink a group from an SSO domain configuration

To detach a group from the SSO domain, follow the steps below.

  1. From the “groups” tab, click unlink for the group you want to remove.
  2. The group will no longer be visible in the list, and the system will prompt you to save changes.
  3. To commit the change, click save. To abort the change, refresh the screen without saving and the group will be visible in the list once again.