Configure the federated security

  1. On the Home page, click System Settings > Federated Security.

    The Federated Security page appears.

  2. Federated Security is Off by default. You can only turn the federated security on when an active authentication provider is configured (see step 14).

    Note When Federated Security is on, turn off Windows Authentication. To do so, modify the Web.config file. See the TotalAgility Installation Guide for more information.

  3. Enter a display Name for the authentication provider.
  4. On the Endpoint Type list, select the endpoint type to specify whether the endpoint supports WS-Federation or SAML.
  5. Specify the URL for the WS-Federation or SAML endpoint of the provider in the Endpoint URL box.
  6. Optionally, specify the relying party URL in the Relying Party box.

    Note
    • If you provide the relying party identifier and APP ID URI in the Federated Security Provider as https://<servername>/TotalAgility/, you need not specify the relying party URL when configuring the federated security in TotalAgility. If you provide a different relying party identifier in the Federated Security Provider, ensure that it matches the relying party URL specified in TotalAgility.

    • On upgrading to TotalAgility 7.5.0, the relying party identifier and APP ID URI specified in the Federated Security Provider that is being used with TotalAgility will be https://<servername>/TotalAgility/.

  7. Specify the issuer identity of the provider in the Issuer box. At runtime, this identity helps to verify that any claims passed to TotalAgility are from the correct provider.
  8. Specify the Sign Out URL.

    When you log off the provider, the specified URL opens.

  9. Select either setting to specify the Logout option:
    • TotalAgility and Provider: Logs you out of the provider as well as TotalAgility.

    • TotalAgility: Logs you out of TotalAgility.

  10. Enter the text in the Certificate box.

    At runtime, the certificate is used to verify that any claims passed to TotalAgility are from the correct provider.

  11. Click Yes for Active to specify that the provider is active (Default: No).
  12. Determine how an existing user is found in TotalAgility when you log on using the authentication provider.
    1. Click Configure for User Claim Mappings.

      User claim mappings apply if the user does not exist in TotalAgility.

    2. In the User Claims Mapping page, match the user to either Username or Email Address:

      1. If you match to Username, specify the following:
        • Username is taken From Security Token (Default).

        • For Name and Email Address, click Enter on Login to enter the name manually at runtime or click From Security Token to take the name from a security token.

      2. If you match to Email, specify the following:
        • For Username and Name, click Enter on Login to enter the name manually at runtime or click From Security Token to take the name from a security token.

        • Email Address is taken From Security Token (Default).

    3. Click Close.
  13. To define a set of rules that determine the TotalAgility Category and groups a new user is added to after being successfully authenticated with the provider, click Configure for User Claim Rules and configure the Default User Claim and a set of rules.
    1. Consume a Category and Working Category.
    2. Optionally, consume a Working Group.
    3. To define a rule, click Yes for Custom User Rules and do the following:
      1. Enter a rule Name for the claim.

      2. Specify the Claim Type and Claim Value.

      3. To specify the Category the user is added to if the custom rule is satisfied, consume a Category.

      4. To specify the Working Category the user is added to if the custom rule is satisfied, consume a Category.

      5. To specify the Working Group the user is added to if the custom rule is satisfied, consume a Group.

        Note Specify at least one of the preceding optional settings for a custom user rule.
      6. Optionally consume the resource Groups the user is added to if the custom rule is satisfied.

      7. Click Add.

        Note The Custom User Rules take priority over Default User Claim rules.
    4. Click Close to close the User Claim Rules page.
  14. In the Authentication Providers page, click Add to add the Authentication Provider.
  15. Click On for Federated Security.

    Note the following:

    • For TotalAgility on-premise, restart TotalAgility Application Pool for the Federated Security setting to take effect.
    • For TotalAgility in an Azure environment, restarting the Application Pool is not required.
    • If Federated Security is in use on the Azure tenant and is connected to an integration server, the integration server also uses the same security settings. You must restart the TotalAgility Application Pool on the integration server for the new Azure tenant configuration settings to take effect.

Additional information

Once the authentication provider is added and Federated Security is turned on, upon logging on to TotalAgility Designer, the user is redirected to the configured authentication provider URL.

If multiple authentication providers are configured, the user can select one and the Authentication Provider Logon page opens.

Once the user is authenticated by the provider, he or she gets logged on to TotalAgility:

  • If the user exists in TotalAgility and matches a TotalAgility user using the claims mappings, he or she gets logged on to TotalAgility.

  • If the user does not exist in TotalAgility, he or she is added based on the user claim rules and then gets logged on to TotalAgility.
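The following is an added example, not TotalAgility's own code: a small Python model of the logon flow described above, covering the issuer check from step 7, the Username/Email matching from step 12, and the Default User Claim versus Custom User Rules from step 13. The issuer, rule and user values are constructed, the "first satisfied custom rule wins" ordering is an assumption, and signature verification against the configured certificate is assumed to have happened before this logic runs.

```python
# Constructed model of the logon flow described above; not TotalAgility's own code.
CONFIGURED_ISSUER = "https://sts.example.test/"          # assumed value for the Issuer box
MATCH_ON = "email"                                         # User Claim Mappings: "username" or "email"
DEFAULT_USER_CLAIM = {"category": "Default Category",
                      "working_category": "Default Category",
                      "working_group": None, "groups": []}
CUSTOM_USER_RULES = [                                      # custom rules take priority over the default
    {"name": "Finance staff", "claim_type": "groups", "claim_value": "Finance",
     "category": "Finance", "working_category": "Finance",
     "working_group": "Finance Users", "groups": ["Invoice Approvers"]},
]
EXISTING_USERS = {                                         # constructed; keyed by the matching claim
    "alice@example.test": {"username": "alice", "name": "Alice", "email": "alice@example.test"},
}

def _claim_matches(claims, claim_type, claim_value):
    """A rule is satisfied when the token carries claim_type with claim_value.
    Claims may be single- or multi-valued (e.g. a list of group names)."""
    value = claims.get(claim_type)
    if value is None:
        return False
    values = value if isinstance(value, (list, tuple, set)) else [value]
    return claim_value in values

def resolve_logon(token_issuer, claims):
    """Return the logon outcome for a token whose signature has already been
    checked against the configured certificate (assumed; not modelled here)."""
    if token_issuer != CONFIGURED_ISSUER:
        # Claims did not come from the configured provider: reject the token.
        return {"action": "rejected", "reason": "issuer mismatch"}
    key = claims.get(MATCH_ON)
    if not key:
        return {"action": "rejected", "reason": f"token lacks {MATCH_ON} claim"}
    if key in EXISTING_USERS:                              # existing user: just log on
        return {"action": "logon", "user": EXISTING_USERS[key]}
    # New user: first satisfied custom rule wins (assumption); else the default claim applies.
    applied, rule_name = DEFAULT_USER_CLAIM, "Default User Claim"
    for rule in CUSTOM_USER_RULES:
        if _claim_matches(claims, rule["claim_type"], rule["claim_value"]):
            applied, rule_name = rule, rule["name"]
            break
    # Username taken from the token when present, else the matching key (assumption).
    new_user = {"username": claims.get("username", key), "email": claims.get("email"),
                "category": applied["category"], "working_category": applied["working_category"],
                "working_group": applied["working_group"], "groups": list(applied["groups"])}
    EXISTING_USERS[key] = new_user                         # user is added, then logged on
    return {"action": "created", "rule": rule_name, "user": new_user}
```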

Launch the TotalAgility Designer in recovery mode

If the Federated Security was configured incorrectly, you can launch the TotalAgility Designer in Recovery Mode to modify the Federated Security configuration.

  1. Use the following URL: http://localhost/TotalAgility/Designer/Default.htm?sessionId=589CE226A8B4F38FEFDB351B7597DF7E.
  2. Enter a valid user name and password.

    Note You must have Read/Write or Full Control access permissions to Server to update the configuration. See Access permissions.