Single Sign-On (SSO)
Single sign on is a feature that allows users to sign into SureviewCC via an SSO provider.
When the feature is enabled, the user is automatically redirected to the SSO provider's login page; upon login they are returned to the SureviewCC event-queue page without needing to use their Sureview login credentials.
Prerequisites
Ensure that the domain/server redirect URL has been added to the SSO provider configuration; see the examples below:
https://77.68.24.173/immixcc/
https://sureviews.mydomain.com/immixcc/
https://localhost/immixcc/
Prefs
For SSO to function correctly there are a few system-level prefs that must be set. These can be found in the Security section of the system settings.
SSO Endpoint
This is the base URL that will be used for user authentication. As an example from Microsoft, the auth endpoint for Microsoft login is:
https://login.microsoftonline.com/oauth2/v2.0/authorize
Only the first part of this URL is needed; the rest is configured automatically. So enter the following, without a trailing slash:
https://login.microsoftonline.com
SSO Client ID
This is the Client ID provided by the application setup within the single sign-on provider.
SSO Provider Type
This is the type of SSO provider that will be used to attempt to login.
| Name          | SSO Provider Type |
|---------------|-------------------|
| OpenIDConnect | 1                 |
| OktaSAML      | 2                 |
SSO Client Secret
The client secret key used to retrieve authorization from the SSO provider.
SSO Enabled
This controls whether single sign-on is available on the login screen.
SSO Auto Redirect
When set to true, a user will automatically be sent to the login screen of the single sign-on provider when landing on the Sureview login screen.
The user can bypass this redirect by using the alternative loginNoRedirect page.
Example:
https://dev1.sureviewsystems.com/immixcc/#/loginNoRedirect
SSO Token Username Field
The name of the property to use when reading the username from the token response. This defaults to preferred_username as per the default token standards.
SSO Redirect URL
The URL the user gets sent to after a successful login with the SSO provider.
SSO SAML Endpoint
The endpoint used by the provider to post the SAML response.
SSO Logout Enabled
This controls whether single sign-out is enabled; when it is, the provider's logout is called during the normal logout process.
Note: SSO Logout is currently only available for OpenIDConnect.
SSO Logout Endpoint
If this value is set, it overrides the logout URL given by the SSO provider.
Single Sign on - Create New Domain User
This flag allows a single sign-on user who does not exist on the system to log on via SSO for the first time; the user (if validated via AD) will be created on the system. Permissions are obtained from the domain passed in.
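As an added pre-flight check, not part of SureviewCC itself, the following Python validates the pref values described above before they are saved: it derives the SSO Endpoint from a full authorize URL, checks the provider type against the table, enforces the dependencies between prefs (SAML endpoint, logout support) and confirms the redirect URL is one registered with the provider. The function names and the pref-name keys are this example's own assumptions.

```python
from urllib.parse import urlsplit

# Provider type codes from the table in this article.
PROVIDER_TYPES = {"OpenIDConnect": 1, "OktaSAML": 2}
DEFAULT_USERNAME_FIELD = "preferred_username"

def endpoint_base(url):
    """Reduce a full authorize URL (e.g. Microsoft's /oauth2/v2.0/authorize)
    to the scheme and host expected in the SSO Endpoint pref, no trailing slash."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("SSO Endpoint must be an absolute https URL")
    return f"{parts.scheme}://{parts.netloc}"

def check_prefs(prefs, registered_redirects):
    """Return a list of problems with the SSO prefs (empty list means OK).
    prefs is keyed by the pref names used in this article; registered_redirects
    is the set of redirect URLs added to the SSO provider configuration."""
    problems = []
    endpoint = prefs.get("SSO Endpoint", "")
    try:
        if endpoint != endpoint_base(endpoint):
            problems.append("SSO Endpoint must be scheme and host only, with no path or trailing slash")
    except ValueError as exc:
        problems.append(str(exc))
    ptype = prefs.get("SSO Provider Type")
    if ptype not in PROVIDER_TYPES.values():
        problems.append(f"SSO Provider Type must be one of {sorted(PROVIDER_TYPES.values())}")
    if ptype == PROVIDER_TYPES["OktaSAML"] and not prefs.get("SSO SAML Endpoint"):
        problems.append("SSO SAML Endpoint is required for OktaSAML")
    if prefs.get("SSO Logout Enabled") and ptype != PROVIDER_TYPES["OpenIDConnect"]:
        problems.append("SSO Logout is currently only available for OpenIDConnect")
    for name in ("SSO Client ID", "SSO Client Secret"):
        if not prefs.get(name):
            problems.append(f"{name} is not set")
    # OAuth providers compare redirect URIs as exact strings, so the trailing slash matters.
    if prefs.get("SSO Redirect URL", "") not in registered_redirects:
        problems.append("SSO Redirect URL is not registered with the SSO provider")
    return problems

def username_from_token(claims, field=None):
    """Pick the username out of the token response using the SSO Token
    Username Field pref, defaulting to preferred_username."""
    field = field or DEFAULT_USERNAME_FIELD
    if field not in claims:
        raise KeyError(f"token response has no '{field}' claim")
    return claims[field]

if __name__ == "__main__":
    # Constructed sample: a trailing slash on the endpoint and an unregistered redirect URL.
    print(check_prefs({"SSO Endpoint": "https://login.microsoftonline.com/"}, {"https://localhost/immixcc/"}))
```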
IMPORTANT
The settings for Single Sign On Login are cached. The default cache time is set to 30 minutes, and can be changed in the CacheSettings section of the appsettings.json found in the API folder.
"CacheSettings": {
  "DeviceCacheExpiryTimeMins": 30,
  "PrefCacheExpiryTimeMins": 60,
  "SingleSignOnCacheExpiryTimeMins": 30
}
If you need the cached settings to update before the cache period has expired, an iisreset is required.
Troubleshooting
If a single sign-on login fails, check the console window for an error message relating to the issue, starting with Sign on Login Error.
A potentially dangerous Request.Path value was detected from the client (&).
When encountering the above error, add the following to the web.config in the immixcc folder. These settings relax ASP.NET request validation so that the & in the SSO callback path is accepted:
<system.web>
  <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
  <pages validateRequest="false" />
</system.web>