As a broker, I want to be able to log in with my Broker's SSO settings so that I can use a central user directory. I want to be able to do this for Broker and Organization level users.
SSO in Cloudmore requires that a matching user object already exists in Cloudmore. The user needs to be set up in the organization with the correct permissions; Cloudmore does not support Just-In-Time provisioning of user objects for SSO. Users can be created either through the user interface or through the Cloudmore API. Users are matched on the “mail” attribute in the SAML token: the value that the Identity Provider (IdP) passes in the “mail” claim must match the username of a user in Cloudmore.
1: Enable SSO
For an organization wishing to use SSO, the feature must first be enabled. From the Organization menu, go to Organization > Security Center and navigate to the section titled Single Sign-On (SSO). Tick the box Enable SSO. If SSO is to be enforced as the only way to log in, also tick Require Single Sign-On to log in, which appears once SSO is enabled.
2: Upload a metadata XML file from your Identity Provider.
From the Organization menu, go to Organization > Security Center and navigate to the section titled Step 1.
- Cloudmore will validate the metadata file and make sure the required parameters are present and in the correct format:
- Identity provider Entity ID - URL for the Identity Provider. (Shown in the UI under Step 1 after file upload)
- Identity provider SSO URL - The URL the user should be redirected to. (Shown in the UI under Step 1 after file upload)
- Identity provider Public x509 certificate - The certificate of the Identity Provider.
Click on Choose File, navigate to the file in the Finder window and press return. Once the field is populated, press Read File to populate the Metadata file location and Identity Provider entityID.
For details on creating the application and metadata, click here for the guide
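The validation Cloudmore performs on the uploaded file, as an added example (this is not Cloudmore's own validator): it parses a SAML 2.0 IdP metadata document and checks that the three parameters listed above are present and well-formed. The IdP issuer URL, the placeholder certificate body and the set of accepted SSO bindings are assumptions; the page names the parameters but not the bindings or any specific IdP.

```python
"""Check an uploaded IdP metadata file for the three parameters Step 1
lists: entityID, SingleSignOnService URL and signing certificate.
Added example, not Cloudmore's own validator."""
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Bindings accepted for the SSO endpoint (assumption; the page does not
# say which bindings Cloudmore supports).
ACCEPTED_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}

# Constructed sample: a hypothetical IdP; the certificate text is a
# base64 placeholder whose first bytes look like DER, not a real key.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>
          MIIBexampleCertBodyPlaceholderAAAAAA
        </ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


class MetadataError(ValueError):
    """Raised when a required parameter is missing or malformed."""


def _check_certificate(text: str) -> bytes:
    """Decode the base64 body of an X509Certificate element to DER bytes."""
    cleaned = re.sub(r"\s+", "", text)
    try:
        der = base64.b64decode(cleaned, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError
        raise MetadataError("X509Certificate is not valid base64") from exc
    # A DER-encoded certificate is an ASN.1 SEQUENCE, tag byte 0x30.
    if not der or der[0] != 0x30:
        raise MetadataError("X509Certificate does not decode to a DER SEQUENCE")
    return der


def validate_idp_metadata(xml_text: str) -> dict:
    """Return entity_id, sso_url and signing_certs, or raise MetadataError.

    For untrusted uploads, parse with defusedxml instead of ElementTree
    to rule out entity-expansion tricks; the checks below stay the same.
    """
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise MetadataError(f"metadata is not well-formed XML: {exc}") from exc
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise MetadataError("root element must be md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not IdP metadata")

    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") in ACCEPTED_BINDINGS:
            sso_url = svc.get("Location")
            break
    if not sso_url:
        raise MetadataError("no SingleSignOnService with an accepted binding")
    url = urlparse(sso_url)
    if url.scheme != "https" or not url.netloc:
        raise MetadataError(f"SSO URL must be an absolute https URL: {sso_url!r}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # No "use" attribute means the key serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append(_check_certificate(cert.text or ""))
    if not certs:
        raise MetadataError("no signing X509Certificate found")
    return {"entity_id": entity_id, "sso_url": sso_url, "signing_certs": certs}


def validation_error(xml_text: str):
    """Return the error message for a bad file, or None if it validates."""
    try:
        validate_idp_metadata(xml_text)
    except MetadataError as exc:
        return str(exc)
    return None
```

Running `validate_idp_metadata(SAMPLE_METADATA)` returns the entity ID and SSO URL that the UI shows under Step 1 after upload, plus the decoded signing certificate. Encryption-only keys are skipped on purpose: only a signing certificate can verify the assertions the IdP later sends.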
3: Upload the Cloudmore Metadata to your Identity Provider
From the Organization menu, go to Organization > Security Center and navigate to the section titled Step 2.
Press Download to retrieve the Cloudmore Metadata File
- If the Broker is using a branded URL login, then any occurrence of "eu.cloudmore.com" in the metadata file must be replaced with the branded URL and the file saved on the Organization Admin computer.
- If the parent Broker is not using branded URL login, the standard metadata file is downloaded to the Organization Admin computer.
4: Set up Claims
Claims are attributes that the Identity Provider (IdP) includes in the SAML token; Cloudmore uses them to match the token to an existing user in Cloudmore.
From the Organization menu, go to Organization > Security Center and navigate to the section titled Step 3.
Claims are managed at the Identity Provider, and you need to set up claims for:
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail - This is the username and email address.
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname - This is the first name.
- http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname - This is the last name.
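How the three claims are read from the SAML token and the mail claim matched to an existing user, as an added example that is not Cloudmore's code: the assertion fragment, the user table and the names in it are constructed, and the code assumes the assertion's signature has already been verified against the IdP certificate from the metadata (this matching step runs after that). Case-insensitive comparison of the address is also an assumption; the page only says the values must match.

```python
"""Read the mail, givenname and surname claims from a SAML assertion and
match the mail claim to an existing Cloudmore user. Added example, not
Cloudmore's code; signature verification is assumed to have happened."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM_BASE = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
MAIL = CLAIM_BASE + "mail"
GIVENNAME = CLAIM_BASE + "givenname"
SURNAME = CLAIM_BASE + "surname"

# Constructed stand-in for the Cloudmore user directory: username -> where
# the user was created and with what permission (hypothetical values).
USERS = {
    "anna.lind@broker.example": {"level": "broker", "permission": "admin"},
    "omar.haddad@customer.example": {"level": "organization", "permission": "user"},
}

# Constructed assertion fragment from a hypothetical IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mail">
      <saml:AttributeValue>Anna.Lind@broker.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Anna</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lind</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml: str) -> dict:
    """Map claim URI -> first AttributeValue text for every attribute sent."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        if attr.get("Name") and value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    return claims


def authenticate(assertion_xml: str, users: dict) -> tuple:
    """Return ("ok", username) or ("rejected", reason).

    Only the mail claim decides access; givenname and surname are display
    data. Lower-casing the address before lookup is an assumption.
    """
    claims = extract_claims(assertion_xml)
    mail = claims.get(MAIL)
    if not mail:
        return ("rejected", "SAML token carries no mail claim")
    username = mail.lower()
    if username not in users:
        # No Just-In-Time provisioning: an unknown address is refused, not created.
        return ("rejected", f"no Cloudmore user with username {username!r}")
    return ("ok", username)
```

`authenticate(SAMPLE_ASSERTION, USERS)` succeeds because a user with that username already exists; the same token for an address that has not been created through the UI or the API is rejected, and a token whose IdP sends the address under a different claim name (for example an `emailaddress` claim instead of `mail`) is rejected as well, which is the most common cause of a failed first login after setup.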