...

  1. Enter a support case to configure SSO. See Entering a Support Case for details.
  2. Coordinate with your Deem Activations Manager and Deem Integrations Manager. Configuring SSO is performed with a team of technical resources. Your Deem Activations Manager will coordinate the necessary resources to guide you through each step of the project.
  3. Configure your SAML service for production access. 

    As SAML is a well-established standard, chances are you already have technology you can use. If not, you may need to deploy a SAML-capable service. SAML capabilities are provided by almost all of the major identity management and platform technology vendors, and you may use any of these standards-based software packages. There are also a number of open source SAML projects that you can leverage. 

    Once you've established your SAML-capable infrastructure, it should be configured to point to a Deem platform. This may be within our live environment, or in a special configuration in our live production platform. Coordinate with your Deem Integrations Manager and Activations Manager for specific details. 

    You need the following information to complete this task:

    • Target URL: A unique URL for your Deem domain that should be included with all of your SAML requests. Your Deem Integrations Manager provides this URL.
    • Deem's SAML end-point: "http://go.deem.com/sp/ACS.saml2"
    • SAML Audience: You must also send an Audience restriction — the value is "https://go.deem.com".

    Use this information to configure your SAML infrastructure. 
    Note: SAML is a time-sensitive protocol, so the clock on your server must be accurate. Consider synchronizing it with the Network Time Protocol (NTP).


  4. Provide information about your SSO infrastructure. 

    Once you've configured your SAML service, the following information is required for Deem to complete the configuration. Please provide the following to Deem:

    • Issuer: A unique identifier that represents you as a customer in the SAML assertion. Typically, this is a string or a URL. You may already have an issuer name set up — in which case you can tell Deem what it is. As a best practice, the unique identifier should correspond to the domain name used for your Deem instance.
    • The X509 Certificate that is used to digitally sign your SAML assertions. This will be used by Deem to validate the SAML assertions you send.


  5. Configure the desired user experience. 

    Since the user experience is a primary facet of SSO, you'll want to configure various aspects of this experience as follows:

    • Type of access: direct-access link, "Token Not Present" failover endpoint for deep-link access, or the hybrid model. For details, see above.
    • Logout and other errors: Deem provides flexible behavior for logout, session timeouts, and various error conditions. Users can either be redirected to a specified URL, or be shown a custom message. See the section on "Customizing your SSO Configuration" for more information, and work with your Deem Integrations Manager to configure the desired behavior.


  6. Test in the production environment. Work with your Deem Integrations and Activations Managers to establish a test of SSO as configured for your production environment. If there are any issues, collaboratively diagnose and correct.

...

Sample SAML Assertion

<saml:Assertion ID="uuid-5D036492-5000-0DA1-02BF-68B5583580A1" IssueInstant="2013-03-16T00:02:54Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml:Issuer>${parterProvidedIssuerName}</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified">bob.barker@thepriceisright.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://go.deem.com/sp/ACS.saml2" NotOnOrAfter="2013-03-16T00:12:54Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://go.deem.com/sp/ACS.saml2</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-03-16T00:02:54Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
</saml:Assertion>
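
Before the production test, you can check an assertion from your own identity provider for the fields discussed above: Issuer, Audience, Recipient and the validity window that makes SAML time-sensitive. This is an added example, not Deem's code or part of the original page; the function name `check_assertion`, the 60-second skew allowance and the embedded sample are assumptions, and the expected values are parameters so you can pass the ones your Deem Integrations Manager confirms. It does not verify the XML signature.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample modelled on the page's assertion; issuer and NameID are placeholders.
SAMPLE = """<saml:Assertion ID="uuid-example" IssueInstant="2013-03-16T00:02:54Z"
    Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://go.deem.com/sp/ACS.saml2"
          NotOnOrAfter="2013-03-16T00:12:54Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2013-03-16T00:02:54Z" NotOnOrAfter="2013-03-16T00:12:54Z">
    <saml:AudienceRestriction><saml:Audience>https://go.deem.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # SAML instants are UTC xs:dateTime values such as 2013-03-16T00:02:54Z.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, issuer, audience, recipient, now=None, skew=timedelta(seconds=60)):
    """Return the list of failed checks; an empty list means all passed."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", "", NS).strip() != issuer:
        problems.append("issuer")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if audience not in audiences:
        problems.append("audience")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        problems.append("recipient")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (cond.get("NotBefore") and cond.get("NotOnOrAfter")):
        problems.append("conditions-missing")
    else:
        if now + skew < _ts(cond.get("NotBefore")):
            problems.append("not-yet-valid")  # sender clock ahead of receiver
        if now - skew >= _ts(cond.get("NotOnOrAfter")):
            problems.append("expired")
    if scd is not None and scd.get("NotOnOrAfter") and now - skew >= _ts(scd.get("NotOnOrAfter")):
        problems.append("confirmation-expired")
    return problems
```

A `not-yet-valid` or `expired` result for an assertion you have just issued usually points at clock drift between the two servers.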

Customizing your SSO Configuration

Deem services for enterprises can be configured to support a wide variety of custom behaviors. You must provide the following data to your Deem Activations Manager to support a custom configuration.

...

  • aptSuite
  • birthday
  • city
  • companyName
  • costCenter
  • country
  • departmentCode
  • departmentName
  • division
  • emergencyContactName
  • emergencyContactPrimaryPhone
  • employeeID
  • employeeStatus
  • employeeType
  • groupwareID
  • homeAptSuite
  • homeCity
  • homeCountry
  • homePostalCode
  • homeStateProvince
  • homeStreet1
  • jobTitle
  • middleName
  • misField1
  • misField2
  • misField3
  • misField4
  • misField5
  • misField6
  • mobilePhone
  • postalCode
  • stateProvince
  • street1
  • subdomainName
  • userName
  • workFax
  • workPhone

...


Sample SAML assertion for simple user provisioning

...