Single Sign On (SSO)
Access to this feature may only be available with the ‘Complete’ edition. Ask your Wasp representative for details.
Single Sign On (SSO), or Active Directory Federated Services (ADFS) integration, allows your users to log on to InventoryCloud using their network credentials. This eliminates the need to create and remember a separate username and password for InventoryCloud. After Single Sign On is activated, users are logged in automatically when they access InventoryCloud.
Only the Application Administrator is allowed to activate Single Sign On.
Note: There are steps that must be completed on the ADFS server before Single Sign On can be activated. We strongly encourage you to review the topic Active Directory Federated Services (ADFS) – Configuration first.
Note for On-Premise Users: Single Sign On via ADFS requires an https front end. You can configure the On-Premise site itself to use https, or, if you have set up a separate https firewall, specify that https entry point using the config tool. Refer to Wasp Configuration Tool.
Steps to activate Single Sign On (SSO)
Active Directory Federated Services (ADFS) – Configuration
Single Sign On - Settings
Click the Settings icon, then select Settings.
Under Settings > Single Sign On, select Activate Single Sign On.
There are two options in the drop down menu:
Wasp Directory Authentication - When this option is selected, you will need to invite users, who will create user names and passwords specifically for InventoryCloud.
Active Directory Federated Authentication - Select this option to activate single sign on. InventoryCloud will then use the users' network credentials for authentication.
Enter the Metadata URL, then select the Validate button. This is the federation metadata URL of your ADFS server.
After the connection to the ADFS server succeeds (once Validate has been selected), an option appears to disable the InventoryCloud login screen and use only the AD login. If it is selected, users will not see a login screen at all when accessing InventoryCloud.
After the connection is made, the Thumbprint and Ignore Chain Errors fields are enabled. If there is a problem with the certificate (for example, an error that the certificate cannot be verified), you can select the Ignore Chain Errors check box. When it is selected, InventoryCloud ignores the warning and records a Thumbprint for the certificate.
Keep in mind that although Ignore Chain Errors and Thumbprint creation are allowed, Wasp Technologies does not recommend using them unless the certificate error is part of the user's normal configuration. Ignoring chain errors means InventoryCloud trusts that one certificate without verifying who issued it, so if you do use the option, Wasp recommends investigating the cause of the certificate error and correcting it going forward.
Note: When the certificate expires, Single Sign On is disabled and users will need to log in with their InventoryCloud username and password. Because the Thumbprint identifies one specific certificate, the ADFS configuration should be validated again after the certificate is renewed or replaced.
Note: Wasp On-Premise products are released without https support. Without https you cannot activate Single Sign On (SSO) using ADFS. To edit the MVC callback, refer to the topic Firewall.
Following are the steps to add a configuration to the ADFS server for each tenant you wish to use:
- Start the ADFS Management console.
- Select Add Relying Party Trust. Click Start to add a Claims aware Relying Party Trust.
- Select "Enter data about the relying party manually". Click Next.
- Enter a display name for your tenant. We suggest using your tenant's host name (for example cdc.waspassetinventory.com) as the Display name. Click Next.
- ADFS uses the SSL certificate for security. Wasp does not support additional encryption certificates beyond SSL at this time, so leave the optional token encryption certificate unspecified. Click Next.
- Every Wasp tenant with the Active Directory feature supports the WS-Federation Passive Protocol. Enable it and enter your tenant URL, for example https://cdc.waspinventory.com/. The trailing slash is important. Click Next.
- Your tenant URL, with the trailing slash, is the only Relying Party trust identifier needed. Click Next.
- Specify your internal user access control as you see fit, then click Next.
- Everything needed for the trust itself has now been specified. Click Next.
- Next, specify the claims returned during authentication. Select the Configure claims issuance policy for this application check box.
- Click Edit Claim Issuance Policy to add the rule for issuing claims.
- Accept Send LDAP Attributes as Claims and click Next.
- Specify the claims InventoryCloud relies on: the user's e-mail address and the user's group names (see User Account Requirements below). Then click Finish.
- User Account Requirements
- Email - The email returned by ADFS must match the email of the person configuring ADFS during validation, and it must match each user's email during registration and login as well, because the email is used to find the Wasp user account during ADFS login. If a user's Active Directory email changes, that user will need to accept a new invitation and register again.
- Group - During validation and login, ADFS (with the claim configuration above) returns a list of group names. The Wasp user's role must exactly match one of the groups returned by ADFS; otherwise validation, registration and login will fail.
- Wasp User name - The Wasp user name and password are used by users to log into mobile devices. Use the Reset Password link on the user properties page to set the password for mobile devices. Normally the user name is chosen as part of Wasp user registration and cannot be changed afterwards, but during registration with SSO the validation is primarily against ADFS, and the Wasp user name is not validated. To fill this gap, the registration page automatically uses the user's email as the user account name for mobile login purposes.
- Testing - ADFS validation is based on cookies, which makes many testing scenarios difficult. For example, if you invite a new user and then try to register using that link in the same browser, the ADFS cookies will match the inviting user, not the invited user. An easy way to work around this is to:
  - Open the registration mail.
  - Right-click the registration link and copy it.
  - Open a different browser (for example IE instead of Chrome), or a private browsing window that holds no ADFS cookies.
  - Paste the link there to complete the user registration process.
- Tenant Provisioning – Initial User - Freshly provisioned tenants do not have SSO activated, so the initial user invitation and registration work as they always have.
- If you experience unexpected errors after configuring your ADFS server in the Wasp Settings (SSO), information about most errors can be found in the event log of the server hosting ADFS (Applications and Services Logs > AD FS > Admin).
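The console steps above and the Email/Group requirements can be expressed as one PowerShell script run on the primary AD FS server. This is an added example, not Wasp's code or documentation. Assumptions that the page does not state: the tenant URL is the page's example host; the server runs AD FS 2016 or later (Access Control Policies are available); and the outgoing claim types for the e-mail address and group names are the standard emailaddress and role claim types. Adjust the claim types if your Wasp claim-rule screen specifies different ones.

```powershell
#Requires -Modules ADFS
# Added example (not Wasp's code). Run as an AD FS administrator on the primary AD FS server.
# Assumed values: the tenant URL is the page's example host; claim types are assumptions.

$TenantUrl   = 'https://cdc.waspinventory.com/'   # the trailing slash is significant
$DisplayName = 'cdc.waspinventory.com'            # suggested Display name = tenant host name

# "Send LDAP Attributes as Claims": mail -> E-Mail Address, tokenGroups -> group names.
# tokenGroups yields unqualified group names; a Wasp user's role must match one exactly.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Wasp InventoryCloud: e-mail and group names"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";mail,tokenGroups;{0}", param = c.Value);
'@

if (Get-AdfsRelyingPartyTrust -Name $DisplayName) {
    Write-Warning "Relying party trust '$DisplayName' already exists; updating its claim rules only."
    Set-AdfsRelyingPartyTrust -TargetName $DisplayName -IssuanceTransformRules $IssuanceRules
} else {
    # -Identifier: the tenant URL with trailing slash is the only identifier needed.
    # -WSFedEndpoint: the WS-Federation Passive Protocol URL, the same tenant URL.
    # No token encryption certificate is set: Wasp supports only the SSL certificate.
    # 'Permit everyone' is a built-in policy; replace it with your own access control.
    Add-AdfsRelyingPartyTrust -Name $DisplayName `
        -Identifier $TenantUrl `
        -WSFedEndpoint $TenantUrl `
        -IssuanceTransformRules $IssuanceRules `
        -AccessControlPolicyName 'Permit everyone' `
        -Enabled $true
}

# Show what AD FS will now do for this tenant, so the result can be checked against the steps.
$rp = Get-AdfsRelyingPartyTrust -Name $DisplayName
[pscustomobject]@{
    Identifier          = ($rp.Identifier -join ', ')
    WSFedEndpoint       = $rp.WSFedEndpoint
    TokenEncryptionCert = $(if ($rp.EncryptionCertificate) { 'set (not supported by Wasp)' } else { 'none (expected)' })
    Rules               = $rp.IssuanceTransformRules
}

# Optional pre-flight (needs the ActiveDirectory module, group name is hypothetical):
# a user without a mail attribute gets no e-mail claim and cannot be matched to a Wasp account.
# Get-ADGroupMember -Identity 'Inventory Users' | Get-ADUser -Properties mail |
#     Where-Object { -not $_.mail } | Select-Object SamAccountName
```

The trust identifier and WS-Federation endpoint are deliberately the same string, with the trailing slash, because the page states that the tenant URL is the only identifier InventoryCloud needs. The pre-flight query is the practical consequence of the Email requirement: a user whose Active Directory mail attribute is empty or differs from the one in Wasp will fail at login, not at trust creation.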
Click Settings > Single Sign On.
- Exclusive Active Directory - Activates Single Sign On using your Active Directory Federated Services metadata URL, once the Wasp configuration validation succeeds.
- Metadata Url - Enter the metadata URL and click Validate.
- Is Federated Services Configuration Valid - This is not shown as a separate field; the result appears indirectly as the success message after validation.
- Thumbprint - This works like a browser's exception for an https site with an expired or self-signed certificate: once you say you trust the certificate, the browser does not warn you again when you visit the same site with the same certificate. In the same way, the Thumbprint lets InventoryCloud skip some certificate validation errors by stating "I trust the certificate with thumbprint "xxxxx" even without full chain validation, as long as it is the same certificate." It does not turn off certificate checking altogether: a different certificate (for example after renewal) will not match the recorded thumbprint. Before accepting, compare the thumbprint shown with the thumbprint of the SSL certificate actually installed on the ADFS server, so that you are pinning the certificate you intend to and not one presented by some device in the path.
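The Thumbprint and Ignore Chain Errors fields, and the certificate-expiry note in the Settings topic, all come down to one question: what certificate does InventoryCloud actually see when it validates the Metadata URL, and why does its chain fail? The script below is an added example, not Wasp's code. It performs the TLS handshake against the metadata URL from any Windows machine, reports the chain status and thumbprint, and compares the thumbprint against the value shown in InventoryCloud. The metadata URL is hypothetical; the path /FederationMetadata/2007-06/FederationMetadata.xml is the default location where AD FS publishes its federation metadata.

```powershell
# Added example (not Wasp's code). The host adfs.example.com is hypothetical.

function Get-AdfsTlsCertificateReport {
    [CmdletBinding()]
    param([Parameter(Mandatory)][uri]$MetadataUrl)

    $port   = if ($MetadataUrl.IsDefaultPort) { 443 } else { $MetadataUrl.Port }
    $client = [System.Net.Sockets.TcpClient]::new($MetadataUrl.DnsSafeHost, $port)
    $ssl    = $null
    try {
        # Record the handshake verdict instead of enforcing it: the goal is to see exactly
        # which check fails, which is the information "Ignore Chain Errors" would hide.
        $observed = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
        $callback = {
            param($sender, $certificate, $chain, $sslPolicyErrors)
            $observed.Errors = $sslPolicyErrors
            return $true
        }.GetNewClosure()

        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]$callback)
        $ssl.AuthenticateAsClient($MetadataUrl.DnsSafeHost)
        $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

        # Rebuild the chain locally so every problem is listed, not only the first one.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'Online'
        $null   = $chain.Build($leaf)
        $status = $chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }

        [pscustomobject]@{
            Host            = $MetadataUrl.DnsSafeHost
            Subject         = $leaf.Subject
            Issuer          = $leaf.Issuer
            Thumbprint      = $leaf.Thumbprint     # SHA-1 hex, as AD FS and Windows display it
            NotAfter        = $leaf.NotAfter       # SSO is disabled once this date passes
            DaysUntilExpiry = [int](($leaf.NotAfter - (Get-Date)).TotalDays)
            HandshakeErrors = $observed.Errors     # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch...
            ChainValid      = ($chain.ChainStatus.Count -eq 0)
            ChainStatus     = $(if ($status) { $status -join '; ' } else { 'OK' })
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

function Test-ThumbprintMatch {
    # Compare the thumbprint InventoryCloud shows (pasted with or without spaces/colons)
    # with the one observed on the wire. Accept Ignore Chain Errors only when this is True
    # AND the same value is reported by Get-AdfsSslCertificate on the AD FS server itself.
    param([Parameter(Mandatory)][string]$Expected, [Parameter(Mandatory)][string]$Observed)
    $norm = { param($t) ($t -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    (& $norm $Expected) -eq (& $norm $Observed)
}

# Usage (hypothetical host; paste the thumbprint InventoryCloud displays in place of 'xxxxx'):
$report = Get-AdfsTlsCertificateReport -MetadataUrl 'https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml'
$report | Format-List
if ($report.DaysUntilExpiry -lt 30) {
    Write-Warning "Certificate expires in $($report.DaysUntilExpiry) days; SSO will be disabled when it does."
}
if (-not $report.ChainValid) {
    Write-Warning "Chain error(s): $($report.ChainStatus). Fix the chain (install the issuing CA, renew the certificate) rather than pinning, where possible."
}
Test-ThumbprintMatch -Expected 'xxxxx' -Observed $report.Thumbprint
```

ChainStatus names the real cause (UntrustedRoot for a private CA the validating side does not trust, NotTimeValid for an expired certificate, a name mismatch if the metadata URL host differs from the certificate subject), which is what the page asks you to research before living with Ignore Chain Errors. The DaysUntilExpiry value turns the expiry note above into something you can schedule: re-validate the SSO configuration before that date, not after users are locked out.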