The SAML Connector allows companies that use any SAML 2.0 compliant system as their central identity repository to avoid duplicating identity management in THRON, and enables the SAML 2.0 standard both for user provisioning and for Platform sign-on.
Thanks to the integration with this security standard, both authentication to the Platform and identity data management are handled entirely outside THRON, on your IdP. Each THRON user is created upon first access to the Platform, which happens via corporate authentication without providing any username or password to THRON. You decide which group new users will belong to; you can then grant them the proper roles and eventually move them to other groups.
For a proper functioning the SAML connector needs:
- An IdP installed by the customer, based on the SAML 2.0 protocol.
- The IdP metadata, accessible through a public URL: an XML file that identifies the public keys and the information that the IdP makes available to the service provider consuming it. This parameter is a URL provided directly by the IdP.
- The SAML Connector, properly configured in THRON
- Each identity provider has its own specific configuration flow for enabling an external SAML client to perform SSO. Make sure your company uses an IdP that supports the SAML 2.0 standard, such as Microsoft Active Directory Federation Services.
- Make sure that the THRON Platform Administrator has created a dedicated group into which the users created by the connector will be placed. This lets the connector keep track of all new users, so that they can be given the appropriate roles and, once done, removed from this entry group and added to the correct groups.
- Create a new SAML integration (normally this is done by configuring an access app). The information to provide is:
  - THRON SSO URL: https://[clientId]-view.thron.com/api/auth/resources/saml/callback/[clientId]/[appId]. This is the URL of the SAML application created in THRON; use it as both "Recipient Url" and "Destination URL". The [appId] parameter can be found in the URL of the THRON application configuration page: https://[clientId].thron.com/#/marketplace/management/app/[appId]
  - Define the "Service Provider Entity ID": https://[clientId].thron.com/[clientId]. Exactly the same identifier must be used when configuring the SAML Connector in THRON.
  - Define the names of the attributes carrying the user's username, email, lastname and firstname. The THRON SAML Connector needs this information to map the user data provided via SAML.
- Go to the Marketplace section and install a SAML Connector.
- Configure the integration by providing the URL of your IdP's metadata. Each IdP should expose such a URL.
- Define a Service Provider Entity ID, for example: http://[clientId].thron.com/[clientId] (it must be identical to the one configured on the IdP side).
- Download the provided XML file and use it for the IdP-side configuration (if requested by your provider).