Project Monitor v7.7 Knowledge Center

SAML2 Authentication Memo

1. Preamble

SAML enables users to identify themselves with a single identity to the various web applications they use.

In the SAML model, Project Monitor is a Service Provider (SP).

You need an Identity Provider. In the rest of this document, IDP refers to your Identity Provider (e.g. Okta, Shibboleth, Keycloak or ADFS, Microsoft Active Directory Federation Services).

Remarks

Data expected by Virage Group:

  • Customer metadata file
  • Customer authentication attribute

Data provided by Virage Group:

  • Metadata file to be integrated into the customer's Identity Provider

2. Activate SAML authentication in 4 steps

2.0 Technical requirements: for installed platforms only (excluding SaaS)

  1. In the monitormaker.properties file, configure the authentication strategy Saml2Authenticator:
     com.vc.mm.authenticator=com.vc.mm.modules.user.Saml2Authenticator
    💡
    See the Operating folder for more information on the available authentication strategies.
    🚩
    Specific to ADFS:
    • Unzip the Java Cryptography Extension file jce_policy-8.zip in %PM_HOME%\install\JDK or in your customer area http://file.viragegroup.com (public/delivery/install).
    • Copy the files local_policy.jar and US_export_policy.jar and paste them over the existing ones in %PM_HOME%\jre\lib\security.
  2. Restart the Wildfly service for the change to take effect.

2.1. Get your IDP configuration: METADATA XML file

  1. Obtain a metadata file in XML format from your IDP. This file enables Project Monitor to know your IDP and communicate with it.
  2. 🚩
    Specific to Keycloak:
    • The metadata file to retrieve is that of the Realm (available from the General configuration tab).
  3. Obtain or set the code of the user login field in your IDP.
🚩
Specific to ADFS:

When adding the rule that links the Active Directory LDAP identifier to the Project Monitor login, specify the following:

  1. In the Issuance Transform Rules, add and configure a rule.
  2. In the Attribute Store, indicate Active Directory.
  3. In the LDAP Attributes, select SamAccountName.
  4. In the Outgoing Claim Type, select Name ID.
  5. Add a second line and, in the LDAP Attributes, select SamAccountName again.
  6. In the Outgoing Claim Type, enter the login attribute name you provided to Project Monitor (e.g. login).

🚩
Specific to Keycloak:

When configuring the client in Keycloak:

  • The clientID field must contain the Project Monitor platform access URL suffixed with /sp (e.g. https://serveur.p-monitor.com/sp).
  • In the General tab, the fields Valid Redirect URIs and Assertion Consumer Service POST Binding URL must contain the Project Monitor SAML reception address (e.g. https://serveur.p-monitor.com/MonitorMakerWeb/api/auth/saml2/consume).

When creating a new mapper from the client's Mapper configuration:

  1. In the Name, indicate login.
  2. In the Mapper Type, select User Property.
  3. In the Property, indicate username.
  4. In the Friendly name, indicate login.
  5. In the SAML Attribute Name, indicate login.

During authentication, Project Monitor and the IDP exchange information. The login field code is needed for Project Monitor to find out which piece of that information contains the user login: for example urn:oid:0.9.2342.19200300.100.1.1 in Shibboleth or, depending on the IDP, login or another name.
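The attribute lookup described above, as an added example that is not part of this memo or of Project Monitor's code: a small Python script that reads a captured SAML assertion (the constructed sample below, with a placeholder issuer and user) and returns the value a Service Provider would pick up for a given login field code. It accepts an attribute Name such as urn:oid:0.9.2342.19200300.100.1.1 or login, falls back to the FriendlyName, treats the code NameID as the Subject NameID (which the ADFS rule above also fills with SamAccountName), and returns None when the attribute is absent or multi-valued. It does not verify the assertion signature; that remains the Service Provider's job. Its purpose is to list which attribute names a test user's assertion actually carries before the code is entered in Project Monitor.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (placeholder issuer and user, not a real IdP
# response). It carries the attributes an ADFS rule or Keycloak mapper set up
# as described in section 2.1 would emit, plus an unrelated multi-valued one.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/realms/demo</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.1" FriendlyName="uid">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="login" FriendlyName="login">
      <saml:AttributeValue>jdoe</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="mail">
      <saml:AttributeValue>jdoe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>pm-users</saml:AttributeValue>
      <saml:AttributeValue>pm-admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def list_attribute_names(assertion_xml):
    """Return (Name, FriendlyName) for every attribute the IdP sent.

    This is what to compare against the login field code entered in
    Project Monitor when a user is not recognised after SSO.
    """
    root = ET.fromstring(assertion_xml)
    return [(a.get("Name"), a.get("FriendlyName"))
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS)]


def extract_login(assertion_xml, login_code):
    """Return the login carried under `login_code`, or None.

    `login_code` is the 'code of the user login field' from section 2.1:
    an attribute Name (urn:oid:0.9.2342.19200300.100.1.1, login, ...).
    The FriendlyName is accepted as a fallback, and the special code
    'NameID' selects the Subject NameID, which the ADFS rule in section
    2.1 also fills with SamAccountName.
    """
    root = ET.fromstring(assertion_xml)
    if login_code == "NameID":
        node = root.find(".//saml:Subject/saml:NameID", SAML_NS)
        return node.text.strip() if node is not None and node.text else None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        if login_code in (attr.get("Name"), attr.get("FriendlyName")):
            values = [v.text.strip()
                      for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
            # A login must be exactly one value; refuse to guess otherwise.
            return values[0] if len(values) == 1 else None
    return None


if __name__ == "__main__":
    print(list_attribute_names(SAMPLE_ASSERTION))
    for code in ("urn:oid:0.9.2342.19200300.100.1.1", "login", "NameID", "sAMAccountName"):
        print(code, "->", extract_login(SAMPLE_ASSERTION, code))
```

If the code entered in Project Monitor does not appear in the output of list_attribute_names for a real test user, the mapping on the IDP side (ADFS claim rule or Keycloak mapper) is what needs correcting, not the Project Monitor setting.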

2.2 Declaring your IDP in Project Monitor

  1. Go to the page Administration > Advanced settings > Technical configuration > SAML2 authentication.
  2. In the first field of the page, paste the XML content of the metadata file obtained in step 2.1 (Get your IDP configuration: METADATA XML file).
  3. Enter the code of the login field. This code was obtained in step 2.1 (Get your IDP configuration: METADATA XML file).
  4. 🚩
    Specific to ADFS:
    • Set the maximum authentication time to 8 hours.
  5. Click on Register.

2.3 Generate the Project Monitor configuration: METADATA XML file

  1. Still on the Administration > Advanced settings > Technical configuration > SAML2 authentication page, go to the second part of the page.
  2. Click on Generate to display all the Project Monitor information that the IDP will require, namely:
    • metadata in XML format
    • Assertion consumer service
    • Service provider entity ID location
    • Service provider entity ID binding
    🚩
    This information enables your IDP to know Project Monitor as a Service Provider and communicate with it.
    Please note: depending on the IDP settings, not all of this information may be required.
  3. Copy the contents of the metadata (XML). This metadata enables your IDP to know Project Monitor as a Service Provider and communicate with it.
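A check that serves both step 2.1 (the IDP metadata you receive) and step 2.3 (the SP metadata Project Monitor generates), added here as an example and not code from this memo or from Project Monitor: it parses a SAML 2.0 EntityDescriptor with Python's standard library and reports the entityID, validUntil, role, signing certificates and endpoints, then checks SP metadata against the Keycloak rules from step 2.1 (entityID = platform URL + /sp, an HTTP-POST Assertion Consumer Service at /MonitorMakerWeb/api/auth/saml2/consume, HTTPS only). The two metadata documents in the block are constructed samples with placeholder hostnames and certificates; the actual files your IDP and Project Monitor produce will contain more elements than these.

```python
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample of SP metadata in the shape step 2.3 produces
# (placeholder hostname and certificate, not Project Monitor's real output).
SAMPLE_SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://serveur.p-monitor.com/sp">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://serveur.p-monitor.com/MonitorMakerWeb/api/auth/saml2/consume" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample of IDP (Keycloak realm style) metadata as retrieved in step 2.1.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/realms/demo"
    validUntil="2024-12-31T00:00:00Z">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/realms/demo/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_metadata(metadata_xml):
    """Summarise a SAML EntityDescriptor: who it is, how long it is valid,
    whether it is an IDP or an SP, how many signing certificates it carries
    and which endpoints (binding short name, location) it exposes."""
    root = ET.fromstring(metadata_xml)
    info = {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "role": None, "signing_certs": 0, "endpoints": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    sp = root.find("md:SPSSODescriptor", NS)
    role = idp if idp is not None else sp
    if role is None:
        return info
    info["role"] = "IDP" if idp is not None else "SP"
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            info["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
    tag = "md:SingleSignOnService" if idp is not None else "md:AssertionConsumerService"
    for ep in role.findall(tag, NS):
        info["endpoints"].append((ep.get("Binding").rsplit(":", 1)[-1], ep.get("Location")))
    return info


def check_sp_metadata(info, base_url):
    """Problems to fix before handing SP metadata to the IDP, following the
    Keycloak rules of section 2.1 (entityID and ACS derived from base_url)."""
    problems = []
    base = base_url.rstrip("/")
    if info["role"] != "SP":
        return ["not SP metadata"]
    if info["entity_id"] != base + "/sp":
        problems.append("entityID is not %s/sp" % base)
    if info["signing_certs"] == 0:
        problems.append("no signing certificate")
    expected_acs = base + "/MonitorMakerWeb/api/auth/saml2/consume"
    if expected_acs not in [loc for binding, loc in info["endpoints"] if binding == "HTTP-POST"]:
        problems.append("no HTTP-POST ACS at " + expected_acs)
    for _, loc in info["endpoints"]:
        if not loc.startswith("https://"):
            problems.append("non-HTTPS endpoint: " + loc)
    return problems


if __name__ == "__main__":
    print(parse_metadata(SAMPLE_IDP_METADATA))
    print(check_sp_metadata(parse_metadata(SAMPLE_SP_METADATA), "https://serveur.p-monitor.com"))
```

Running parse_metadata over the real IDP file before pasting it in step 2.2 shows at a glance whether validUntil has already passed and whether a signing certificate is present, the two things that most often make a freshly pasted metadata file unusable.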

2.4. Register Project Monitor in your IDP

  1. Create Project Monitor as an application in your IDP.
  2. Supply the metadata obtained in step 2.3 (Generate the Project Monitor configuration: METADATA XML file) to your IDP. Two alternatives:
    • Copy the XML into the appropriate field.
    • Or transfer the values Assertion consumer service, Service provider entity ID location and Service provider entity ID binding.

3. Test configuration

  1. Create your users in Project Monitor if you haven't already done so.
  2. Create your users in your IDP if you haven't already done so.
  3. Connect to the application to validate the configuration.

4. SAML with AzureAD

🚦
Prerequisites:
  • An enterprise application in Azure AD.
  • Users must be added in the Azure AD application: add a user or group to grant access to Project Monitor.
  • Users must be added in Project Monitor (manually or via import).

4.1 In AzureAD

  1. Access the AzureAD administration center.
  2. Enable SAML authentication.
    🚩
    The AD group must contain users directly. Group nesting does not work in Azure AD.
  3. Use the enterprise application Demonstrator-internal (up: adazure) present in Azure Active Directory.
  4. Configure single sign-on in the application.
    🚩
    The SAML details are displayed on the single sign-on page, including the login mapping between Project Monitor and Azure.
  5. Download the XML file.
  6. Check the user list.
    🚩
    Users who need to connect to Project Monitor with the same login must be present in the enterprise application, in the Users and Groups section.

4.2 In Project Monitor

  1. Click on Administration > Advanced settings > Technical configuration > SAML2 authentication.
  2. Paste the previously downloaded XML configuration.
  3. Add the Login attribute of your ID Provider.
  4. Click on Register.
  5. Click on Administration > User settings > User management > Users.
  6. Add users.
  7. Check that they have also been added to Azure AD.

5. Connecting without SAML

Some users of Project Monitor are unknown to the IDP (external service provider, consultant). These users can connect to Project Monitor with a login and password using the URL: http://maplateforme/nex/login?local=true

6. Set exclusive connection mode

By default, users can log in using both SAML authentication and local authentication (URL /neo/auth/auth.html?local=true or nex/login?local=true).

It is possible to disable this local authentication mode for all or some users, so that they can only use SAML authentication.

To disable local authentication mode, in the SAMLv2 authentication settings interface, check the SSO access only box.

This default setting can be overridden when:

  • Some users of the application are not listed in the organization's directory (external users).
  • Some technical users (interfaces) are used.

To authorize a specific user to use local authentication by override:

  • In the user details screen, in the Parameters section, check the Local authentication possible box.
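The policy from sections 5 and 6, together with an audit of it, as an added example that is not part of this memo and not Project Monitor's own code: local_login_allowed decides whether a local (login and password) connection is permitted given the global SSO access only setting and the per-user Local authentication possible override, and audit_local_logins runs that decision over access-log lines to list the successful local=true logins that the policy would not allow. The user records, the log lines and the log line format are constructed for the example; the memo does not show Project Monitor's real log format, so the regular expression would have to be adapted to it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed user records. The SSO access only checkbox (section 6) is a
# platform-wide setting; "Local authentication possible" is the per-user override.
USERS = {
    "jdoe": {"local_auth_possible": False},
    "consultant01": {"local_auth_possible": True},   # external user (section 6)
    "svc-interface": {"local_auth_possible": True},  # technical user (section 6)
}


def is_local_login_request(url):
    """True when the URL is one of the local-login entry points named in
    sections 5 and 6 (nex/login or neo/auth/auth.html) with local=true."""
    parts = urlsplit(url)
    local = parse_qs(parts.query).get("local", [""])[0].lower() == "true"
    return local and (parts.path.endswith("/nex/login")
                      or parts.path.endswith("/neo/auth/auth.html"))


def local_login_allowed(login, sso_only, users=USERS):
    """Decision mirroring section 6: everyone may log in locally unless
    SSO access only is set, in which case only users carrying the
    Local authentication possible override may. Unknown users are denied."""
    user = users.get(login)
    if user is None:
        return False
    if not sso_only:
        return True
    return bool(user.get("local_auth_possible"))


# Constructed access-log lines (not Project Monitor's real log format).
SAMPLE_LOG = """\
2024-03-01T08:00:12Z 10.0.0.5 POST /nex/login?local=true user=jdoe status=200
2024-03-01T08:01:40Z 10.0.0.9 POST /nex/login?local=true user=consultant01 status=200
2024-03-01T08:02:03Z 10.0.0.7 GET /MonitorMakerWeb/api/auth/saml2/consume user=jdoe status=302
2024-03-01T08:03:55Z 10.0.0.11 POST /neo/auth/auth.html?local=true user=ghost status=401
2024-03-01T08:05:10Z 10.0.0.5 POST /nex/login?local=TRUE user=jdoe status=200
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) "
                    r"user=(?P<user>\S+) status=(?P<status>\d+)$")


def audit_local_logins(log_text, sso_only, users=USERS):
    """Return (timestamp, user) for each successful local login that the
    policy would not allow. With SSO access only set, a non-empty result
    means the setting is not being enforced as expected and needs a look."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue  # malformed line or failed login: nothing was granted
        if not is_local_login_request(m.group("url")):
            continue  # SAML flow or other request, not a local login
        if not local_login_allowed(m.group("user"), sso_only, users):
            findings.append((m.group("ts"), m.group("user")))
    return findings


if __name__ == "__main__":
    print("SSO only off:", audit_local_logins(SAMPLE_LOG, sso_only=False))
    print("SSO only on: ", audit_local_logins(SAMPLE_LOG, sso_only=True))
```

With SSO access only switched on, the two jdoe lines are the ones reported: jdoe has no override, so both successful local=true logins contradict the intended policy, while consultant01 is allowed by the per-user override and the SAML consume request is not a local login at all.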

Produced by Virage Group