v7.0

Configure Single Sign-on

Single Sign-on (SSO) is an authentication scheme that allows a user to log in to the Wyn Enterprise application with a single identity to several related, yet independent software systems. SSO allows users to log in to the Wyn application once and access the services without re-entering the authentication factors. In this article, you will find information on the common SSO Configuration Settings and the instructions to configure SSO in Wyn Enterprise identity service for the following external identity providers supported in Wyn Enterprise:

SSO Configuration Settings

To configure SSO, open the Wyn.conf file which is generally located at the following location in your local machine, C:\ProgramFiles\WynEnterprise\Monitor\conf. The following configuration settings show the general layout of an SSO node:

<Server>
  <Authentication>
    <SSO>
      <AuthenticationProtocol>{Protocol}</AuthenticationProtocol>
      <Scheme>{IdP}</Scheme>
      <Disabled>true|false</Disabled>
      <AllowIncognizantUser>true|false</AllowIncognizantUser>
      <Authority>{}</Authority>
      <ClientId>{your_client_id}</ClientId>
      <ClientSecret>{your_client_secret}</ClientSecret>
      <ResponseCode>{your_code}</ResponseCode>
      <Callback>{your_IdP_callbackURL}</Callback>
      <Scopes>
        <sys:string>{authentication_provider_scopes}</sys:string>
        ...
      </Scopes>
  </Authentication>
    </SSO>
</Server>

The following table describes each configuration setting:

Setting	Description	Values
Authentication Protocol	Authentication Protocol parameter is used to specify the protocol used to authenticate users for SSO.	CAS, OIDC, OAUTH, etc.
Scheme	Scheme parameter is an identifier of the authentication provider.	CAS, MicrosoftAzureAD, AWSCognitor, MyTestingIdentityProvider, etc.
Disabled	Disabled parameter is used to disable the SSO function.	True or False. The Default value is False.
AllowIncognizantUser	AllowIncognizantUser parameter is used to allow users not existing in the Wyn Enterprise application to log in to the application.	True or False
Authority	Authority parameter is the service endpoint URL used to request tokens from the authentication service provider.	Domain URL of your authentication service provider.
ClientId	ClientId parameter specifies the public identifier for the user required for OAuth flows.	For Amazon Incognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings.
ClientSecret	ClientSecret parameter specifies a secret code used by the user to exchange an authorization code for a token. ClientSecret should be kept confidential.	For Amazon Incognito, values are available in your user pool. For OKTA, values are available in your OKTA app settings.
ResponseCode	ResponseCode parameter defines an authorization request parameter from the authorization endpoint. For example, the CAS Authentication Server uses Code as the ResponseCode value.	For CAS Authentication Server, the value is CAS.
Callback	Callback parameter specifies a base URL where the IDP response is sent upon user authentication. Callback parameter is used in the SSO configuration settings with Amazon Cognito Service.	Redirect URI specified in the AWS app settings or the default value is /signin-oidc.
Scopes	Scope parameter is used to customize data requests to a third-party application.	For OKTA: openid, profile, and email. For AWS: openid, profile, email, and phone.

Additional SSO Configuration Settings

The following configuration settings are common to all the Authentication Service Providers listed above,

Cookie Management: Cookie options are used to identify user preferences and to track user behavior. Cookies are needed to maintain the login state of the users to allow them to access secured pages without using the credentials again. Wyn Enterprises uses HTTP cookies such as secure, same site, domain, path, etc. to manage and handle SSO configuration settings. To enable the cookies across user domains, set the Cookie: SameSite to None and Cookie: Secure to True.
```
<Server>
...
   <Cookie>
       <ShareCookie>false</ShareCookie>
       <SameSite>None</SameSite>
       <Secure>true</Secure>
   </Cookie>
...
</Server>
```
Incognizant Mode: To allow users that do not exist in the Wyn Enterprise application to log in to the application, set the AllowIncognizantUser to True. And, to prevent login of the user not existing in the Wyn Enterprise application, import the allowed users to the Wyn application and ensure that the Provider value of the imported users is the same as the value of the Scheme.
```
<Server>
...
   <Authentication>
     <SSO>
      ...
      <AllowIncognizantUser> True </AllowIncognizantUser>
      ...
     </SSO>
   </Authentication>
...
</Server>
```

Claim Mapping: Claims are used to determine the information such as name, phone number, email, roles, etc. about the authenticated users. A claim mapping item in the <Claimmapping> setting under <SSO> node of the Wyn.conf file consists of a Key and a Value where the Key represents the user context in Wyn Enterprise, and Value represents the user context from the authentication provider. To add claims, set the Key and Value fields to the claim name as shown in the below sample configuration settings.

<Server>
...
    <ClaimMappings>
        <sys:Item>
          <Key>given_name</Key>
          <Value>id</Value>
        </sys:Item>
        <sys:Item>
          <Key>phone_number</Key>
          <Value>profile</Value>
        </sys:Item> 
        <sys:Item>
          <Key>sub</Key>
          <Value>id</Value>
        </sys:Item>
     </ClaimMappings>
 ...
 </Server>

Authentication Providers supported by Wyn Enterprise

The following table lists the configuration settings for each authentication service provider supported by Wyn Enterprise with default values of the configuration settings:

Config. Setting	CAS Server	Microsoft Azure AD	Google Cloud Service	Amazon Cognito Service	OKTA
Authentication	CAS	OIDC	OAuth	OIDC	OIDC
Scheme	CAS	Microsoft	Google	AWS	OKTA
Disabled	False	False	False	N/A	N/A
Authority	-	See the Common Authority URLs for a more details.		Pool ARN	Domain URL of your OKTA organization. For example, `https://dev-03535523-admin.okta.com`
ClientID	-	Unique Application ID assigned in the Azure AD account	Your Client ID from the Google Cloud Service account. See the help topic on Creating Client IDs for more information.	Pool ID	Your Client Id from Okta organization.
ClientSecret	-	Your Client Sercet from the Azure AD account.	Your Client Sercet from the Google Cloud Service account.	Your Client Secret from AWS user pool.	Your Client Secret from Okta organization.
Scope	-	openid, email, profile, offline_access, .default	-	openid, profile, email, phone	openid, profile, email
ResponseCode	N/A	N/A	N/A	N/A	Code
CallBack	N/A	N/A	N/A	Callback URI specified in the application client setting. Otherwise, the value is: /signin-oidc	Default value is: /signin-oidc. Otherwise, the value should match the Redirect URI specified in the OKTA application.
Claim Mapping	profile, email, address, phone, custom	Checkout the complete list of claim mapping items here	-	address, birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, phone_number, picture, preffered_username, profile, sub, updated_at, website, zoneinfo	id, profile, status, transitioningtostatus, created, activated, statuschanged, lastlogin, lastupdated, passwordchanged, type, realm, realmid, password, credentials, _links, _embedded, class, classloader, custom_name
Incognizant User	Supported	Supported	Supported	Supported	Not Supported
SLO	Supported	Supported	Not Supported	Not Supported	Not Supported

See the blog post on Single Sign-on for general information related to the feature in Wyn Enterprise.