Setting Up SSO Applications

Once you have managed your users and groups directly through Passly, you can choose how you want third-party services/software to interact with Passly through the Single Sign On (SSO) Manager. To manage your SSO applications, click SSO Manager from the sidebar.

From here, you will see all of the Applications already added to your library. Passly offers hundreds of websites and services that are compatible with the SSO Manager, from Amazon to Zendesk. 

 

To add a new SSO application to your library, click the [Picture2.png] button. There are two types of applications we support: SAML / WS-Federation applications and Web Workflow applications.

SAML / WS-Federation

Passly SSO supports applications that are SAML 2.0 or WS-Federation compatible. These applications can be accessed from the Launch Pad.

Once you select the option to manually add a new application to the library, you can select from the list of compatible applications using the search function, or scroll through the list on screen. Once you find an application you would like to add, click its name or icon to continue the setup process.

Application Configuration

The first screen that will appear is the application configuration screen. In order for your application to be added to your library, you’ll need to configure the following settings:

  • Application Image: This option allows you to set an icon that identifies the application. By default, the application image is the logo of the selected organization, in this case the O365 logo. A replacement image should be less than 100x100 pixels (though 64x64 pixels is recommended), smaller than 100kb, and in a supported format (PNG, GIF, JPEG/JPG).
  • Application Name: This is the identifier used in the portal. It is recommended that you select a Display Name that properly describes the function of the portal application.
  • Authentication Policy: This is the Authentication Policy a user within the application’s database will use to access Passly following provisioning. For more information, see Authentication Policies.

Note: When you’re ready to activate the application, make sure “Application is enabled” is selected. By default, the application won't show in anyone's Launch Pad when initially added because no permissions have been granted.

Protocol Setup

This screen allows you to configure the SSO settings for the application. If you do not know them, and aren't using one that's pre-configured, you will need to check the documentation for the other application. 

 

There are three main options under the main protocol type list:

  • SAML SP-Init - Service Provider Initiated SAML. With this option, the SP (the application you’re logging into) will redirect you to Passly for authentication. You can also log in directly from the Launch Pad in Passly.
  • SAML IdP Init - Identity Provider Initiated SAML. With this option, your users will go from Passly to the other application. In most cases, the users, if they know their credentials, can also log in directly to the other application.
  • WS-Federation - Another protocol that supports SP-Initiated functionality. This is primarily used by Microsoft and is how the Office 365 application will be configured.

Additionally, there are more fields to consider when configuring Application Protocols:

  • Assertion Consumer Source URL: This is the URL that is used to initiate communication between the audience and the application. 
  • Audience URI: This is where requests typically originate. If there are multiple, you can check the box for Multiple URIs and enter them.
  • Service Entity ID (Issuer): This will typically be the primary URL of the site that is being authenticated. 
  • Identity Issuer: This is the Passly URL that the other application will call. Typically, it is found in the format https://{tenantname}.my.passly.com/trust

 

Attribute Transformation

Attributes allow you to customize properties specific to your application by entering an Attribute Value and a Send As field. Typically, Attribute Values contain User. followed by the attribute (ex: {User.PrincipalName}). Attributes can also be created from the Authentication Policy creation screen (See: Adding Authentication Policies).

Once you are finished customizing your new SSO application, click “Add Application”.
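
The Protocol Setup fields and the Send As names above end up as concrete values in the SAML 2.0 assertion that the application receives. The following check is an added example, not Passly's or any vendor's code; it shows where the Identity Issuer, Audience URI, Assertion Consumer URL and attribute names appear in an assertion. The tenant name `example`, the `app.example.test` URLs and the `upn` attribute name are assumptions made for the illustration.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What the application (SP) expects; every value here is constructed.
CONFIG = {
    "identity_issuer": "https://example.my.passly.com/trust",  # {tenantname} = example
    "audience_uris": {"https://app.example.test/saml/metadata"},
    "acs_url": "https://app.example.test/saml/acs",
    "required_attributes": {"upn"},  # hypothetical "Send As" name
}

# Constructed, unsigned assertion used only to exercise the checks.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Issuer>https://example.my.passly.com/trust</saml:Issuer>
 <saml:Subject><saml:SubjectConfirmation>
  <saml:SubjectConfirmationData Recipient="https://app.example.test/saml/acs"/>
 </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://app.example.test/saml/metadata</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement><saml:Attribute Name="upn">
  <saml:AttributeValue>alice@example.test</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, cfg):
    """List mismatches between an assertion and the configured SSO fields.

    Signature and validity-window checks are out of scope here; a real
    service provider performs them before trusting any of these values.
    """
    root = ET.fromstring(xml_text)
    problems = []
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != cfg["identity_issuer"]:
        problems.append(f"issuer mismatch: {issuer!r}")
    audiences = {a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text}
    if not audiences & cfg["audience_uris"]:
        problems.append(f"no configured audience in {sorted(audiences)}")
    recipients = {d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)}
    if cfg["acs_url"] not in recipients:
        problems.append("no SubjectConfirmationData names the ACS URL as Recipient")
    sent = {a.get("Name") for a in root.iterfind(".//saml:Attribute", NS)}
    for name in sorted(cfg["required_attributes"] - sent):
        problems.append(f"missing attribute: {name}")
    return problems
```

An empty list from `check_assertion(SAMPLE, CONFIG)` means the four values line up; a mismatch in any of them is the usual reason an SSO login is rejected after setup.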



Web Workflow

For applications that do not support SSO, you can add these to the Launch Pad as web workflows. There are two methods for configuring a web workflow: User supplied and Admin supplied credentials. With User supplied credentials, you can manually set up proper login credentials for individual users. With Admin supplied credentials, you can automatically provide a single set of login credentials that are applicable for every user. You can select which one works best for you from the SSO Manager.

Regardless of which option you pick, you can also download the Passly SSO Assistant Browser Extension from the Google Chrome Web Store. With the extension, you can manage all of your SSO applications without having to access your library from Passly directly. (Note: As of now, the Passly SSO Assistant is only available on Google Chrome.)

To begin, search for “Passly SSO Manager” in the Google Chrome Web Store, or click the following link: https://chrome.google.com/webstore/detail/authanvil-sso-assistant/mggmjmfbekbnaibbcocedihmfkificlb

Add the extension to Chrome to get the most out of your Passly SSO Manager.

SSO - Office 365 

One of the most commonly used SSO applications is the Office 365 application. When an Office 365 application is successfully added to the library, you will have SSO access to many of Microsoft’s services, including OneDrive, SharePoint, Word and Azure Portal.

 

To add an Office 365 SSO application, click the [Picture2.png] button > [Picture7.png] > and search for “Office 365”.

To begin creating an Office 365 login, click the icon or the application name. 

Management Credentials 

 

From the “Office 365” page, you can add management credentials. An important thing to keep in mind when adding an Office 365 application is that Passly must manage Office 365 application requests manually through a compatibility verification. You must enter your managed domain name and the associated username and password used for accessing the master Office 365 account. Once you have entered the required Management Credentials, click “Verify Compatibility” to submit the entered credentials for review. This process may take a few seconds.

Picture10.png

Once you have been successfully verified, the above screen will appear. Next to where you entered your credentials is a brief summary of your admin account’s status. These include:

  1. Whether or not the Domain is Federated
  2. Whether or not the email address is supported and can be used in Office 365/Outlook
  3. Whether or not the Domain is Verified
  4. The number of SKU licenses available

The next step is to configure synchronization. There are three checkboxes to select. It is recommended that you select all three:

  1. Enable synchronization from Passly to Office 365
  2. Synchronize Users (unable to be deselected)
  3. Synchronize Groups

You will also set your mapping and licensing preferences. It is recommended that usernames be mapped by their principal name (ex: yourname instead of yourname@email.com). Your default license will be granted to users as they are sent over to Office 365. Select the best license that fits your needs. 

Attribute Transformation

Attributes allow you to customize properties specific to your application by entering an Attribute Value and a Send As field. Typically, Attribute Values contain User. followed by the attribute (ex: {User.PrincipalName}). Attributes can also be created from the Authentication Policy creation screen (See: Adding Authentication Policies).

 

To comply with Microsoft’s latest updates requiring users to perform MFA to access O365, use the Attribute Value and Send As type shown below:

  • Attribute Value: http://schemas.microsoft.com/claims/multipleauthn
  • Send As: http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod

Once you are finished customizing your new SSO application, click “Add Application”.

 
