SSO Configuration
Audience: Administrators
Overview
Single Sign-On (SSO) lets users sign in once and reach all of their enterprise systems with that one identity. OrgChart supports SAML 2.0 Single Sign-On, which makes it compatible with most Identity Management Systems.
Administrators can integrate OrgChart Now with their Identity Management System directly in the OrgChart application.
This article covers the following topics:
- OrgChart Metadata
- IDP SAML Configuration
- Configuring SSO
- Additional SSO Configuration Options
- SAML Attributes Handling
- Verifying Your SSO Configuration
OrgChart Metadata
OrgChart metadata is unique to each customer. To find your OrgChart metadata, follow these steps:
- Log in to OrgChart.
- Click on More > Account Settings, and then click on the Authorization tab in the left side menu.
- Click on the icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.
- Scroll to the bottom of the SSO Configuration panel, and then click on the SAML SP Metadata button.
- An XML file of the metadata associated with your account is downloaded. When opened in a text editor, the file is a SAML 2.0 EntityDescriptor.
Note
OrgChart's entityID is the entityID attribute of the EntityDescriptor element at the top of that file. This value is often needed when configuring SAML in your IDP, and can be referred to in the following terms:
- Identifier (Entity ID)
- Service Provider Entity ID
- Audience Restriction URL
- Audience URL
IDP SAML Configuration
Within your IDP, configure the SAML application for OrgChart with the following values:
- Single Sign-On URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID
- Recipient URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID
- Destination URL: https://{SERVER NAME}.orgchartnow.com/saml/sso_acs?entityID=YOURENTITYID
- Audience Restriction: https://{SERVER NAME}.orgchartnow.com/saml/sso_metadata?entityID=YOURENTITYID
- Name ID Format: Email Address
Note
{SERVER NAME} is the host name of your OrgChart instance, and YOURENTITYID is the entity ID in your IDP-generated metadata. The Audience Restriction value must match OrgChart's entityID from the downloaded SP metadata character for character; SAML service providers reject assertions whose audience does not match. Since the NameID carries the user's identity, the IDP should populate it with the user's verified corporate email address rather than a user-editable value.
Important
Not all IDPs use the same vocabulary, and some IDPs require additional internal setup. Please reference the use case for your IDP below to ensure that your IDP SAML configuration is correct:
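The four URLs and the Name ID format above are exactly the fields a service provider checks in the SAML Response the IDP posts back, so a quick way to confirm an IDP is set up correctly is to capture one response and compare those fields with the expected values. The Python script below is an added example, not OrgChart's code: it builds the expected values from a server name and IDP entity ID, then checks a constructed sample response against them. The server name "acme", the IDP entity ID https://idp.example.com/saml, and all IDs and timestamps in the sample are illustrative.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # "Email Address"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed SAML Response, shaped like what an IDP posts back to the Single Sign-On URL
# after a successful login. Server name, entity IDs, IDs and timestamps are illustrative.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://acme.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://acme.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.orgchartnow.com/saml/sso_metadata?entityID=https://idp.example.com/saml</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def expected_settings(server_name, idp_entity_id):
    """The IDP-side values listed above, built from your server name and IDP entity ID."""
    base = "https://%s.orgchartnow.com/saml" % server_name
    acs = "%s/sso_acs?entityID=%s" % (base, idp_entity_id)
    return {
        "sso_url": acs,
        "recipient": acs,
        "destination": acs,
        "audience": "%s/sso_metadata?entityID=%s" % (base, idp_entity_id),
        "name_id_format": EMAIL_FORMAT,
        "idp_entity_id": idp_entity_id,
    }


def response_problems(response_xml, expected):
    """Compare the addressing fields of a decoded SAML Response with the expected values.

    Returns a list of mismatches; an empty list means the IDP addresses the assertion the
    way OrgChart expects. Signature, validity window and replay checks are not done here;
    the service provider performs those when it consumes the assertion.
    """
    root = ET.fromstring(response_xml)
    problems = []

    def check(label, actual, wanted):
        if actual != wanted:
            problems.append("%s: got %r, expected %r" % (label, actual, wanted))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    check("Status", None if status is None else status.attrib.get("Value"), SUCCESS)
    check("Destination", root.attrib.get("Destination"), expected["destination"])
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion in the Response (encrypted or missing)")
        return problems
    check("Issuer", assertion.findtext("saml:Issuer", namespaces=NS), expected["idp_entity_id"])
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    check("NameID Format", None if name_id is None else name_id.attrib.get("Format"),
          expected["name_id_format"])
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    check("Recipient", None if scd is None else scd.attrib.get("Recipient"), expected["recipient"])
    audiences = [a.text for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected["audience"] not in audiences:
        problems.append("Audience: got %r, expected %r" % (audiences, expected["audience"]))
    return problems


if __name__ == "__main__":
    expected = expected_settings("acme", "https://idp.example.com/saml")
    for key in ("sso_url", "recipient", "destination", "audience", "name_id_format"):
        print("%-15s %s" % (key, expected[key]))
    print("problems:", response_problems(SAML_RESPONSE, expected) or "none")
```

To run it against a real login, capture the SAMLResponse form field with a browser SAML tracer, base64-decode it, and pass the XML to response_problems together with expected_settings for your own server name and IDP entity ID. A non-empty list points at the exact IDP field to correct.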
Configuring SSO
- Log in to OrgChart.
- Select More > Account Settings, and then click on the Authorization tab in the left side menu.
- Click on the icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.
- Enter the SSO Entity ID associated with your IDP (Identity Provider). This is the entityID from your IDP-generated metadata.
- Select the metadata type in the Metadata Type dropdown menu. Metadata types include:
  - Remote - Metadata can be accessed using a URL. Use an https URL so that the metadata, and the IDP signing certificate inside it, cannot be tampered with in transit.
  - Local - Metadata is not publicly accessible, so the metadata file is uploaded instead.
  Note
  If you are uploading local metadata, ensure that your file name DOES NOT INCLUDE symbols (e.g. dashes, ampersands, etc.).
- Enter the URL associated with your remote metadata, or drag and drop your Local metadata file into the SSO Configuration panel to upload it to OrgChart.
- Check the SSO Enabled checkbox to enable users to sign in to OrgChart through the IDP.
- Optionally, check the Auto Provision checkbox to create new users in OrgChart (if they do not already exist) when they first access the application from the IDP. With Auto Provision enabled, every user your IDP allows to sign in to the OrgChart application gets an OrgChart account, so control access by restricting assignment of the application in the IDP rather than by relying on users not existing in OrgChart.
- Optionally, check the Single Logout checkbox to enable SLO. When SLO is enabled, users who sign out of OrgChart will automatically be signed out of their IDP.
- Click Save.
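Two files change hands in the steps above and in the OrgChart Metadata section: the SP metadata you download from OrgChart and hand to the IDP administrator, and the IDP metadata you upload (or point OrgChart at). The Python script below is an added example, not OrgChart's code, that reads both before anyone pastes values into a console: it extracts the entityID, ACS URL and NameID format from a constructed SP metadata sample, and runs pre-upload checks on a constructed IDP metadata sample (entityID matches what you typed in the SSO Entity ID field, a signing certificate is present, the SSO endpoint exists and is https). The server name "acme", the entity IDs, the endpoints and the certificate body are illustrative, and the file-name check allows only letters and digits before the .xml extension, an assumption chosen to satisfy the note above about symbols.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the SP metadata OrgChart downloads. The server name
# "acme", the entity IDs and the endpoints are illustrative, not real OrgChart values.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://acme.orgchartnow.com/saml/sso_metadata?entityID=https://idp.example.com/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://acme.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of IDP metadata, as you would upload it under "Local". The
# certificate body is a placeholder string, not a real certificate.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>PLACEHOLDERBASE64CERTIFICATE</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sp_settings(sp_xml):
    """Pull the values the IDP administrator needs out of the downloaded SP metadata."""
    root = ET.fromstring(sp_xml)
    acs = root.find("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    return {
        # Identifier (Entity ID) / Service Provider Entity ID / Audience Restriction URL
        "entity_id": root.attrib["entityID"],
        # Single Sign-On URL / Recipient URL / Destination URL
        "acs_url": acs.attrib["Location"],
        "acs_binding": acs.attrib["Binding"],
        "name_id_format": root.findtext("md:SPSSODescriptor/md:NameIDFormat", namespaces=NS),
    }


def idp_metadata_problems(idp_xml, expected_entity_id):
    """Reasons not to upload this IDP metadata yet; an empty list means it looks sane."""
    problems = []
    root = ET.fromstring(idp_xml)
    entity_id = root.attrib.get("entityID")
    if entity_id != expected_entity_id:
        problems.append("entityID %r differs from the SSO Entity ID you entered" % entity_id)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no IDPSSODescriptor: this is not IDP metadata"]
    # A KeyDescriptor with no "use" attribute is valid for signing as well as encryption.
    signing = [k for k in idp.findall("md:KeyDescriptor", NS)
               if k.attrib.get("use", "signing") == "signing"
               and k.find(".//ds:X509Certificate", NS) is not None]
    if not signing:
        problems.append("no signing certificate: assertion signatures could not be verified")
    sso = idp.find("md:SingleSignOnService", NS)
    if sso is None:
        problems.append("no SingleSignOnService endpoint")
    elif not sso.attrib.get("Location", "").startswith("https://"):
        problems.append("SingleSignOnService is not https: %r" % sso.attrib.get("Location"))
    return problems


# Letters and digits only before the .xml extension: an assumption chosen to satisfy the
# note above about symbols in local metadata file names.
FILENAME_RE = re.compile(r"^[A-Za-z0-9]+\.xml$")


def local_metadata_filename_ok(name):
    return bool(FILENAME_RE.match(name))


if __name__ == "__main__":
    print("SP values for the IDP administrator:", sp_settings(SP_METADATA))
    print("IDP metadata problems:", idp_metadata_problems(IDP_METADATA, "https://idp.example.com/saml"))
    print("idp-metadata.xml acceptable:", local_metadata_filename_ok("idp-metadata.xml"))
```

Replace the two sample strings with the contents of your real files. If the entityID check fails, the SSO Entity ID field and the metadata disagree, and the login will fail with the IDP's own error rather than a useful message from OrgChart, so it is the first thing to fix.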
Additional SSO Configuration Options
The following options are available in the SSO Configuration panel, but are not required for a fully functioning SSO integration:
Option | Description
SAML Attributes Handling | Automatically assign OrgChart Now Access Groups to users based on their IDP security group. Reference the SAML Attributes Handling section below for more information.
Auto-Provision | Check to automatically create a user in OrgChart (if one does not already exist) upon a user's initial sign-on via SSO.
Single Logout | Check to automatically sign users out of their IDP when they sign out of OrgChart.
The following option is available in the Account Settings: Authorization panel:
Option | Description
Direct Sign-In | Uncheck to prevent users from logging in to the application directly from the OrgChart Now landing page. Users who attempt to log in will automatically be forced through the SP-initiated SSO process and redirected to their IDP for authentication. Note: enabling or disabling Direct Sign-In is applied account-wide. Leave it checked until you have verified SSO end to end, otherwise a misconfigured IDP integration locks every user, administrators included, out of the landing page; once SSO is verified, unchecking it removes direct landing-page login as a second way in.
SAML Attributes Handling
OrgChart Now can interpret certain SAML attributes for the following uses:
- Populate the UserID field in the Account Settings: Manage Users panel.
- Populate the Email field in the Account Settings: Manage Users panel.
- Map security groups from your IDP to the appropriate OrgChart Access Group.
Follow these steps to configure SAML Attributes Handling for IDP security group mapping:
- Log in to OrgChart.
- Select More > Account Settings, and then click on the Authorization tab in the left side menu.
- Click on the icon to the right of the SSO Configuration heading. The SSO Configuration panel is displayed.
- Scroll down in the SSO Configuration panel until you reach the SAML Attributes Handling section.
- Enter the name of the SAML attribute that carries the user's group membership (for example memberOf, or whatever name your IDP releases) in the SAML Group Attribute text box.
- Click on the icon to the right of the SAML Attributes Handling header.
- Enter the value of that attribute for the IDP group you want to map, exactly as your IDP sends it, in the IDP Security Group text box. Some IDPs send a display name, others a distinguished name or an object ID; check a captured assertion if you are unsure.
- Click on the Application Security Group dropdown menu, and then select the OrgChart Access Group that corresponds to the associated IDP Security Group.
- Click Save.
Note
When SAML Attributes Handling is configured, OrgChart will always respect the security group assigned to a user in the IDP. So, if permissions are adjusted in your IDP, they will also be adjusted accordingly in OrgChart the next time the user signs in through SSO.
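The mapping above is a lookup from the values of one multi-valued SAML attribute to OrgChart Access Groups, and the usual failure is a value that is almost, but not exactly, what the IDP sends. The Python script below is an added example, not OrgChart's code, that shows the lookup over a constructed AttributeStatement: it reads the UserID, Email and group attributes, applies a mapping table, and returns nothing for a user whose groups are all unmapped rather than falling back to a default. The attribute names userid, email and memberOf, the group values, and the Access Group names "Administrator" and "Editor" are assumptions for this example; how OrgChart itself orders or combines several matching groups is not stated on this page, so the example simply returns every match.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AttributeStatement, as an IDP might include it in the assertion. Attribute
# names and group values are illustrative; use the ones your IDP actually sends.
ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="userid"><saml:AttributeValue>alice</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="memberOf">
    <saml:AttributeValue>CN=OrgChart-Admins,OU=Groups,DC=example,DC=com</saml:AttributeValue>
    <saml:AttributeValue>CN=All-Staff,OU=Groups,DC=example,DC=com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""

# The table configured in the SAML Attributes Handling panel: IDP Security Group on the
# left, Application Security Group on the right. The Access Group names are assumptions.
GROUP_MAPPING = {
    "CN=OrgChart-Admins,OU=Groups,DC=example,DC=com": "Administrator",
    "CN=OrgChart-Editors,OU=Groups,DC=example,DC=com": "Editor",
}


def parse_attributes(statement_xml):
    """Return {attribute name: [values]} so that multi-valued group attributes stay whole."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.findall("saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.attrib["Name"]] = values
    return attrs


def resolve_access_groups(attrs, group_attribute, mapping):
    """Apply the mapping to the group attribute. Values are matched exactly: no case folding,
    no substring match, so a DN or object ID must be entered as the IDP sends it."""
    groups = attrs.get(group_attribute, [])
    return [mapping[g] for g in groups if g in mapping]


def provisioning_record(attrs, group_attribute, mapping,
                        userid_attribute="userid", email_attribute="email"):
    """What one assertion would populate: UserID, Email and the mapped Access Groups.
    An empty access_groups list means no mapped group matched; treat that as no access,
    never as a silent default."""
    return {
        "user_id": (attrs.get(userid_attribute) or [None])[0],
        "email": (attrs.get(email_attribute) or [None])[0],
        "access_groups": resolve_access_groups(attrs, group_attribute, mapping),
    }


if __name__ == "__main__":
    attrs = parse_attributes(ATTRIBUTE_STATEMENT)
    print("attributes:", attrs)
    print("record:", provisioning_record(attrs, "memberOf", GROUP_MAPPING))
    # Same user after being removed from OrgChart-Admins in the IDP: no mapped group remains.
    attrs["memberOf"] = ["CN=All-Staff,OU=Groups,DC=example,DC=com"]
    print("after IDP change:", provisioning_record(attrs, "memberOf", GROUP_MAPPING))
```

When a mapping does not take effect, paste the AttributeStatement from a captured assertion into ATTRIBUTE_STATEMENT and your panel entries into GROUP_MAPPING; if resolve_access_groups returns an empty list, the IDP Security Group text differs from the value on the wire.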
Verifying Your SSO Configuration
You can test your SSO configuration by copying and pasting the following URL into your web browser:
https://{SERVER NAME}.orgchartnow.com/saml/sso_endpoint?entityID=YOURENTITYID
Note
YOURENTITYID is the entity ID in your IDP-generated metadata. Opening this URL starts an SP-initiated login: OrgChart redirects you to the IDP with a SAML request, and after you authenticate the IDP returns you to the Single Sign-On URL with a signed assertion. Run the test while Direct Sign-In is still enabled, so that a failed test cannot lock you out.
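When the test URL fails at the IDP, the fastest diagnosis is to read the SAML request the browser was redirected with: the SAMLRequest query parameter is a base64-encoded, raw-DEFLATE-compressed AuthnRequest (the SAML HTTP-Redirect binding). The Python script below is an added example, not OrgChart's code: it encodes a constructed AuthnRequest the way an SP would, decodes it back from the redirect URL, and checks that the Issuer is the SP entityID, the AssertionConsumerServiceURL is the Single Sign-On URL, and the Destination is the IDP endpoint. The server name "acme", the IDP entity ID and endpoint, the request ID and the timestamp are illustrative, and the request is unsigned, which real SPs may not be.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed AuthnRequest of the kind an SP sends when you open the test URL above.
# Issuer, endpoints, ID and timestamp are illustrative, not captured from OrgChart.
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://idp.example.com/saml/sso"
    AssertionConsumerServiceURL="https://acme.orgchartnow.com/saml/sso_acs?entityID=https://idp.example.com/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml:Issuer>https://acme.orgchartnow.com/saml/sso_metadata?entityID=https://idp.example.com/saml</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" AllowCreate="true"/>
</samlp:AuthnRequest>"""


def encode_redirect_url(idp_sso_url, request_xml):
    """HTTP-Redirect binding: raw DEFLATE, base64, then URL-encode into SAMLRequest."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw deflate, no zlib header
    deflated = comp.compress(request_xml.encode("utf-8")) + comp.flush()
    param = base64.b64encode(deflated).decode("ascii")
    return idp_sso_url + "?" + urllib.parse.urlencode({"SAMLRequest": param})


def decode_saml_request(redirect_url):
    """Reverse the binding: take SAMLRequest from the query string, base64-decode, inflate."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(redirect_url).query)
    param = query["SAMLRequest"][0]  # parse_qs has already undone the URL-encoding
    deflated = base64.b64decode(param)
    return zlib.decompress(deflated, -15).decode("utf-8")


def summarize_authn_request(request_xml):
    """The fields worth comparing with the values you gave the IDP."""
    root = ET.fromstring(request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "destination": root.attrib.get("Destination"),
        "acs_url": root.attrib.get("AssertionConsumerServiceURL"),
        "name_id_format": None if policy is None else policy.attrib.get("Format"),
    }


def request_problems(summary, sp_entity_id, acs_url, idp_sso_url):
    """Mismatches between the request and what the IDP was configured with."""
    problems = []
    if summary["issuer"] != sp_entity_id:
        problems.append("Issuer %r is not the SP entityID" % summary["issuer"])
    if summary["acs_url"] != acs_url:
        problems.append("ACS URL %r is not the Single Sign-On URL given to the IDP" % summary["acs_url"])
    if summary["destination"] != idp_sso_url:
        problems.append("Destination %r is not the IDP SingleSignOnService" % summary["destination"])
    return problems


if __name__ == "__main__":
    url = encode_redirect_url("https://idp.example.com/saml/sso", AUTHN_REQUEST)
    print("redirect:", url[:80] + "...")
    summary = summarize_authn_request(decode_saml_request(url))
    print("summary:", summary)
    print("problems:", request_problems(
        summary, summary["issuer"], summary["acs_url"], "https://idp.example.com/saml/sso") or "none")
```

In practice you copy the Location header of the 302 that OrgChart returns for the test URL (from the browser's network tab or a SAML tracer) and pass it to decode_saml_request; if the IDP reports an unknown issuer or an invalid ACS, the summary shows exactly which string to compare with the IDP's application settings.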