OrgChart Now Help Guide

Table of Contents

SSO Configuration

Audience

Audience: Administrators

Overview

Single Sign-On (SSO) lets users access all of their enterprise systems with one set of credentials. OrgChart supports SAML 2.0 Single Sign-On, which makes it compatible with most Identity Management Systems (Identity Providers, or IDPs).

Administrators can integrate OrgChart Now with their Identity Management System directly in the OrgChart application.

This article covers the following topics:

  • OrgChart Metadata

  • IDP SAML Configuration

  • Configuring SSO

  • Additional SSO Configuration Options

  • SAML Attributes Handling

  • Verifying Your SSO Configuration

OrgChart Metadata

OrgChart metadata is unique to each customer. To find your OrgChart metadata, follow these steps:

  1. Log in to OrgChart.

  2. Select More > Account Settings, and then click on the Authorization tab in the left side menu.

  3. Click on the plus (+) icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.

  4. Scroll to the bottom of the SSO Configuration panel, and then click on the SAML SP Metadata button.

  5. An XML file containing the SAML SP metadata for your account is downloaded.

    Note

    OrgChart's entityID is the entityID attribute on the root EntityDescriptor element of the downloaded file. This value is often needed when configuring SAML in your IDP, where it may be referred to by any of the following names:

    • Identifier (Entity ID)

    • Service Provider Entity ID

    • Audience Restriction URL

    • Audience URL
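The following script is an added example, not OrgChart's own code. It reads an SP metadata file like the one downloaded above, pulls out the entityID, the NameID format and the AssertionConsumerService endpoints, and lays them out under the field names used in the IDP SAML Configuration section. SAMPLE_SP_METADATA is a constructed EntityDescriptor shaped after this guide's URL schema; the host name "example" and the IDP entity ID "https://idp.example.com/saml" are placeholders, so run it against your own downloaded file.

```python
"""Pull the IDP-facing values out of an OrgChart Now SP metadata file.

Added example, not OrgChart's own code. SAMPLE_SP_METADATA is a constructed
SAML 2.0 SP EntityDescriptor shaped after the guide's URL schema; the host
name "example" and the IDP entity ID "https://idp.example.com/saml" are
placeholders. Run it against the XML you downloaded with "SAML SP Metadata".
"""
import sys
import xml.etree.ElementTree as ET

# SAML 2.0 metadata namespace; every element in the file lives here.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

SAMPLE_SP_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://example.orgchartnow.com/saml/sso_metadata?entityID=https://idp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entityID, NameID formats and ACS endpoints of an SP EntityDescriptor."""
    # The file comes from your own OrgChart account; for metadata from an
    # untrusted source, parse with defusedxml instead of the stdlib parser.
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError(f"not a SAML EntityDescriptor: {root.tag}")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    acs = [
        {
            "binding": a.get("Binding"),
            "location": a.get("Location"),
            "index": int(a.get("index", "0")),
            "default": a.get("isDefault") == "true",
        }
        for a in sp.findall("md:AssertionConsumerService", NS)
    ]
    if not acs:
        raise ValueError("no AssertionConsumerService in metadata")
    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text],
        "acs": acs,
    }


def idp_fields(meta: dict) -> dict:
    """Lay the parsed values out under the field names the IDP SAML Configuration section uses."""
    acs = next((a for a in meta["acs"] if a["default"]), meta["acs"][0])["location"]
    return {
        "Single Sign on URL": acs,
        "Recipient URL": acs,
        "Destination URL": acs,
        # The Audience is OrgChart's entity ID (the sso_metadata URL), not the ACS URL.
        "Audience Restriction": meta["entity_id"],
        "Name ID Format": meta["name_id_formats"][0] if meta["name_id_formats"] else None,
    }


if __name__ == "__main__":
    # Pass the downloaded metadata path as the first argument, or run without one for the sample.
    xml_text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_SP_METADATA
    for field, value in idp_fields(parse_sp_metadata(xml_text)).items():
        print(f"{field}: {value}")
```

The output is the set of values to copy into your IDP; if your downloaded file lists more than one AssertionConsumerService, the one marked isDefault="true" is the one to use.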

IDP SAML Configuration

Within your IDP, configure the SAML options for OrgChart Now with the values below. Note that the Audience Restriction is the sso_metadata URL (OrgChart's entity ID), while the Single Sign on, Recipient and Destination URLs are all the sso_acs URL.

  • Single Sign on URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID

  • Recipient URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID

  • Destination URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID

  • Audience Restriction: https://{SERVER NAME}.orgchartnow.com/saml/sso_metadata?entityID=YOURENTITYID

  • Name ID Format: Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress)

Note

YOURENTITYID is the entity ID in your IDP-generated metadata.

Important

Not all IDPs use the same vocabulary, and some IDPs require additional internal setup. Please reference one of the use cases below to ensure that your IDP SAML configuration is correct:

Configuring SSO

  1. Log in to OrgChart.

  2. Select More > Account Settings, and then click on the Authorization tab in the left side menu.

  3. Click on the plus (+) icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.

  4. Enter the entity ID of your IDP (the entityID in your IDP-generated metadata) in the SSO Entity ID field.

  5. Select the metadata type in the Metadata Type dropdown menu. Metadata types include:

    • Remote - OrgChart fetches the metadata from a URL published by your IDP.

    • Local - You upload the metadata XML file; use this when the metadata is not publicly accessible.

    Note

    If you are uploading local metadata, ensure that the file name DOES NOT INCLUDE symbols (e.g. dashes, ampersands, etc.).

  6. Enter the URL associated with your remote metadata, or drag and drop your Local metadata into the SSO Configuration panel to upload it to OrgChart.

  7. Check the SSO Enabled checkbox to enable users to sign in to OrgChart through the IDP.

  8. Optionally, check the Auto Provision checkbox to create a new OrgChart user (if one does not already exist) the first time a user reaches the application from the IDP. Any user your IDP authenticates for OrgChart will then receive an account, so limit who is assigned the OrgChart application in your IDP.

  9. Optionally, check the Single Logout checkbox to enable SLO. When SLO is enabled, users who sign out of OrgChart will automatically be signed out of their IDP.

  10. Click Save.

Additional SSO Configuration Options

The following options are available in the SSO Configuration panel, but are not required for a fully functioning SSO integration:

SAML Attributes Handling

Automatically assign OrgChart Now Access Groups to users based on their IDP security group. Reference the SAML Attributes Handling section below for more information.

Auto-Provision

Check to automatically create a user in OrgChart (if one does not already exist) upon a user's initial sign-on via SSO.

Single Logout

Check to automatically sign users out of their IDP when they sign out of OrgChart.

The following option is available in the Account Settings: Authorization panel:

Direct Sign-In

Uncheck to stop users from signing in directly on the OrgChart Now landing page.

Any user who attempts to sign in there is instead sent through the SP-initiated SSO flow and redirected to your IDP for authentication.

Note

Enabling or disabling Direct Sign-In is applied account-wide.

SAML Attributes Handling

OrgChart Now can read a SAML attribute from the IDP's assertion and use its values to map IDP security groups to OrgChart Access Groups.

Follow these steps to configure SAML Attributes Handling for IDP security group mapping:

  1. Log in to OrgChart.

  2. Select More > Account Settings, and then click on the Authorization tab in the left side menu.

  3. Click on the plus (+) icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.

  4. Scroll down in the SSO Configuration panel, until you reach the SAML Attributes Handling section.

  5. Enter the name of the SAML attribute your IDP uses to send group membership in the SAML Group Attribute text box.

  6. Click on the plus (+) icon to the right of the SAML Attributes Handling header.

  7. Enter the value of that attribute that identifies the IDP group you want to map to an OrgChart Access Group, exactly as your IDP sends it, in the IDP Security Group text box.

  8. Click on the Application Security Group dropdown menu, and then select the OrgChart Access Group that corresponds to the associated IDP Security Group.

  9. Repeat steps 6 - 8 as necessary.

  10. Click Save.

    Note

    When SAML Attributes Handling is configured, OrgChart always applies the Access Group that corresponds to the user's IDP security group. So, if a user's group membership changes in your IDP, their OrgChart permissions change accordingly the next time they sign in.
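The following script is an added example, not OrgChart's own code; it serves both the IDP SAML Configuration section (the URL schema the IDP must send) and the SAML Attributes Handling section above (group mapping). Given a SAML Response, it checks the Destination, Recipient, Audience and NameID Format against the values this guide tells you to enter in the IDP, then reads the configured group attribute and resolves its values through an IDP Security Group to Application Security Group mapping. SAMPLE_RESPONSE is a constructed, unsigned response; the host name "example", the IDP entity ID, the attribute name "groups" and all group and Access Group names are placeholders. It checks only the addressing fields the guide lists: a real SP must also verify the XML signature and the Conditions validity window, which is deliberately left out here.

```python
"""Check a SAML Response against the guide's values and map IDP groups to Access Groups.

Added example, not OrgChart's own code. SAMPLE_RESPONSE is a constructed,
unsigned response; host name, IDP entity ID, attribute name and group names
are placeholders. Signature and validity-window checks are deliberately omitted.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed: what the IDP Security Group -> Application Security Group rows might hold.
ACCESS_GROUP_MAPPING = {"OrgChart-Admins": "Administrator", "OrgChart-Viewers": "Read Only"}

SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://example.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.orgchartnow.com/saml/sso_metadata?entityID=https://idp.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>OrgChart-Admins</saml:AttributeValue>
        <saml:AttributeValue>Finance</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def expected_urls(server_name: str, idp_entity_id: str) -> dict:
    """The guide's schema: sso_acs for SSO/Recipient/Destination, sso_metadata for the Audience."""
    base = f"https://{server_name}.orgchartnow.com/saml"
    return {"acs": f"{base}/sso_acs?entityID={idp_entity_id}",
            "audience": f"{base}/sso_metadata?entityID={idp_entity_id}"}


def check_response(xml_text: str, expected: dict) -> list:
    """Return the fields that disagree with the expected values; empty means they all match."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected["acs"]:
        problems.append(f"Destination URL: got {root.get('Destination')!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no plain Assertion in Response (encrypted assertions are not handled here)"]
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != expected["acs"]:
        problems.append(f"Recipient URL: got {recipient!r}")
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS) if a.text]
    if expected["audience"] not in audiences:
        problems.append(f"Audience Restriction: got {audiences!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    fmt = name_id.get("Format") if name_id is not None else None
    if fmt != EMAIL_FORMAT:
        problems.append(f"Name ID Format: got {fmt!r}")
    return problems


def group_values(xml_text: str, group_attribute: str) -> list:
    """Values of the configured SAML Group Attribute, in the order the IDP sent them."""
    root = ET.fromstring(xml_text)
    return [v.text.strip()
            for attr in root.findall("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS)
            if attr.get("Name") == group_attribute
            for v in attr.findall("saml:AttributeValue", NS) if v.text]


def map_access_groups(idp_groups: list, mapping: dict) -> list:
    """Resolve IDP groups to Access Groups; a group with no mapping row grants nothing."""
    resolved = []
    for group in idp_groups:
        access_group = mapping.get(group)
        if access_group is not None and access_group not in resolved:
            resolved.append(access_group)
    return resolved
```

To use it on a real exchange, capture the base64 SAMLResponse your IDP posts to the sso_acs URL (a browser's developer tools or a SAML tracer extension will show it), decode it, and pass the XML to check_response with the expected_urls for your server name and IDP entity ID. A common misconfiguration it catches is entering the sso_acs URL as the Audience Restriction instead of the sso_metadata URL. The group attribute name passed to group_values must be the exact name your IDP uses in the assertion, which is also what you enter in the SAML Group Attribute text box.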

Verifying Your SSO Configuration

You can test SP-initiated SSO by copying and pasting the following URL into your web browser. It should redirect you to your IDP and, after you authenticate, return you to OrgChart signed in:

https://{SERVER NAME}.orgchartnow.com/saml/sso_endpoint?entityID=YOURENTITYID

Note

YOURENTITYID is the entity ID in your IDP-generated metadata.