Configure the federated security
-
Navigate to
.
The Federated security dialog box is displayed.
-
The federated security is clear by default. You can enable
Use federated security only when an active authentication provider is
configured (see
Step 11).
Web.config file. See the TotalAgility Installation Guide for more information.When Federated security is on, turn off Windows Authentication. To do so, modify the
-
To configure an authentication provider, click
.
The Add authentication provider dialog box is displayed.
- Enter a display Name for the authentication provider.
- On the Endpoint Type list, select the endpoint type to specify whether the endpoint supports WS-Federation or SAML. (Default: WS-Federation)
- On the Endpoint URL list, specify the URL for the WS-Federation or SAML endpoint of the provider.
-
Optional. Specify the
Relying party URL.
-
If you provide the relying party identifier and APP ID URI in the Federated Security Provider as https://<servername>/TotalAgility/, you need not specify the relying party URL when configuring the federated security in TotalAgility. If you provide a different relying party identifier in the Federated Security Provider, ensure that the identifier provided in the Federated Security Provider must match with the relying party URL specified in TotalAgility.
- On upgrading to TotalAgility 7.6.0, the relying party identifier and APP ID URI specified in the Federated Security Provider that is being used with TotalAgility will be https://<servername>/TotalAgility/.
-
-
Specify the
Issuer identity of the provider.
At runtime, this identity helps to verify that any claims passed to TotalAgility are from the correct provider.
-
Specify the
Sign Out URL.
When you log off the provider, the specified URL opens.
-
Select either setting to specify the
Logout option:
-
TotalAgility and provider: Logs you out of the provider as well as TotalAgility.
-
TotalAgility (default): Logs you out of TotalAgility.
-
- To specify that the authentication provider is active, select Active. (Default: Clear)
-
Enter the public key of the provider in the
Certificate field.
At runtime, the certificate is used to verify that any claims passed are from the correct provider.
-
To determine how an existing user is found in
TotalAgility
when you log on using the authentication provider, do the following:
-
Click the
User claims mappings tab.
User claim mappings apply if the user does not exist in TotalAgility.
-
Match the user to username (default) or email. Select either option for
Match to:
Username
-
By default, Username is taken From security token.
-
For Name and Email address, select Enter on Login to enter the name manually at runtime, or click From security token to take the name from a security token.
Email
-
For Username and Name, click Enter on login to enter the name manually at runtime, or click From security token to take the name from a security token.
-
The Email Address is taken From security token (Default).
-
- Click Save.
-
Click the
User claims mappings tab.
-
To define a set of rules for specifying the
TotalAgility
category and groups to which a new user is added after being successfully authenticated with the provider, click the
User claims rules tab and configure the
Default user claim and
Custom user rules.
- Select a Category and Working category.
- Optional. Select a Working group.
-
Select
Use custom user rules and define the rule:
-
Click .
The Add custom user rule dialog box is displayed.
-
Enter a rule Name for the claim.
-
Specify the Claim type and Claim value.
-
To specify the category the user is added to if the custom rule is satisfied, select a Category.
-
To specify the Working category the user is added to if the custom rule is satisfied, select a category.
-
To specify the Working group the user is added to if the custom rule is satisfied, select a group.
Specify at least one of the preceding optional settings for a custom user rule. -
Optional. To add the resource groups the user is added to if the custom rule is satisfied, click Add for Groups.
The Add associated groups dialog box is displayed.
-
Select the required groups to add and click Done.
The Add custom user rule dialog box is displayed.
The custom user rules take precedence over the default user claim rules. -
Click Save.
The rule appears in the table with rule name and claim type details. You can modify or delete the custom rule.
-
-
To configure and specify the SAML request to the Identity provider signed with a certificate, do the following:
-
Click the
Signature settings tab.
Endpoint type is SAML.This tab is available only if the
- Browse the certificate (containing private key) you want to upload for signing the SAML request.
- Enter the Password to decrypt the certificate.
-
On the
Algorithm list, select the algorithm you want to use for signing, such as
RSA-SHA1.
The signing algorithm must match the algorithm that the identity provider is configured with.
-
Click
Save.
The SAML request is signed.
-
Click the
Signature settings tab.
- Click Save.
-
Select
Use federated security.
- For TotalAgility on-premise, restart the services for the Federated security settings to take effect.
- For TotalAgility in on-premise multi-tenant and Azure environments, restart of services is not required.
- If Federated security is in use on the Azure tenant and is connected to an Integration server, the Integration server will also make use of the same security settings. You must restart the TotalAgility Application pool on the Integration server for the new Azure tenant configuration settings to take effect.
- Click Close.
Launch the TotalAgility Designer using Federated security
Once the authentication provider is added and Federated security is turned on, upon logging on to TotalAgility Designer, the user is redirected to configured authentication provider URL.
If multiple authentication providers are configured, the user can select one and the Authentication Provider Logon page opens.
Once the user is authenticated by the provider, the user gets logged on to TotalAgility:
-
If the user exists in TotalAgility and matches a TotalAgility user using the claims mappings, the user gets logged on to TotalAgility.
-
If the user does not exist in TotalAgility, user is added based on the user claim rules and then gets logged on to TotalAgility.
Launch the TotalAgility Designer in recovery mode
If the Federated security was configured incorrectly, you can launch the TotalAgility Designer in Recovery mode to modify the Federated security configuration.
- Use the following URL: http://<server name>/TotalAgility/Designer/#/logon/recovery.
-
Specify the
Recovery mode session ID and click
Validate.
The recovery mode session ID is stored in the Web.config from the following setting:
<add key= "RecoveryModeSessionId" value= "589CE226A8B4F38FEFDB351B7597DF7E"/> -
Enter a valid
Username and
Password and click
Login.