This article describes how users can log in to Creative Force (CF) directly from their Identity Provider (IdP). There are two ways to do it: configure RelayState in your IdP so that an IdP-initiated sign-on lands in CF (Method 1), or create a bookmark app in the IdP that starts an SP-initiated login (Method 2). Bookmark-app instructions are provided for Okta, Microsoft Azure, OneLogin, and Duo.
Method 1: Use default federated apps in IdP Dashboard (This method uses IdP-initiated SSO)
Many IdPs (Okta, OneLogin, Duo Security, and others) provide a built-in dashboard that lists all federated apps. Users log in to the IdP and open a specific app from that dashboard.
Please ensure that the RelayState is configured in your IdP. See “RelayState” at SSO - How to setup SSO in CF.
Some IdPs (PingFederate, AD FS, and others) do not provide a built-in dashboard from which users can see and open all federated applications. There are still a few ways to give users a friendly entry point.
One option is a custom web portal that lists the federated applications, where each link points to the IdP-initiated SSO URL for that application. The portal can be a simple static web page; the two sections below show how to build those URLs for AD FS and PingFederate.
1. AD FS
Prerequisites: make sure both of the following AD FS properties return True (run in an elevated PowerShell session on the AD FS server):
(Get-AdfsProperties).RelayStateForIdpInitiatedSignOnEnabled
(Get-AdfsProperties).EnableIdpInitiatedSignonPage
If either returns False, enable it before continuing; AD FS will otherwise ignore the RelayState and the user will land on the AD FS sign-on page instead of in Creative Force.
Generate the RelayState URL by following the AD FS help document.
Fill in the following fields in AD FS:
IdP URL String: the IdP-initiated sign-on URL you generated
Relying Party Identifier: the identifier of the Creative Force relying party trust
Relay State / Target App: copy the relayState value from the Gamma SSO Setting
2. PingFederate
Follow the /idp/startSSO.ping section of the PingFederate help document.
Note: Creative Force only supports SAML 2.0, so the target must be passed in the TargetResource parameter (the TARGET parameter is for SAML 1.x and will not work).
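The following PowerShell is an added example, not code from this article or from the AD FS or PingFederate documentation. It builds both IdP-initiated sign-on URLs from the values named in the two sections above (AD FS packs the relying party identifier and the target RelayState into one doubly URL-encoded RelayState parameter; PingFederate takes PartnerSpId and TargetResource as ordinary query parameters) and, when run on an AD FS server, enables the two prerequisite properties. The host names, relying party identifier, PartnerSpId, TargetResource and RelayState values are placeholders, and the Set-AdfsProperties parameters assume AD FS on Windows Server 2016 or later.

```powershell
# Added example, not code from the article or from Microsoft/Ping.
# Placeholders: the host names, the relying party identifier, the PartnerSpId,
# the TargetResource and the RelayState value. Replace them with the values
# from your environment and from the Gamma SSO Setting page.

function Get-AdfsIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)] [string] $AdfsHost,        # AD FS service FQDN, e.g. sts.example.com
        [Parameter(Mandatory)] [string] $RelyingPartyId,  # identifier of the Creative Force relying party trust
        [Parameter(Mandatory)] [string] $RelayState       # value copied from the Gamma SSO Setting
    )
    # AD FS packs the relying party and the target RelayState into one query
    # parameter: RelayState=RPID%3D<rp>%26RelayState%3D<state>. Each inner value
    # is URL-encoded, then the packed string is URL-encoded once more.
    $inner = 'RPID=' + [System.Uri]::EscapeDataString($RelyingPartyId) +
             '&RelayState=' + [System.Uri]::EscapeDataString($RelayState)
    return "https://$AdfsHost/adfs/ls/idpinitiatedsignon.aspx?RelayState=" +
           [System.Uri]::EscapeDataString($inner)
}

function Get-PingFederateIdpInitiatedUrl {
    param(
        [Parameter(Mandatory)] [string] $PingHost,        # PingFederate host[:port], e.g. sso.example.com:9031
        [Parameter(Mandatory)] [string] $PartnerSpId,     # entity ID of the Creative Force SP connection
        [Parameter(Mandatory)] [string] $TargetResource   # target URL; SAML 2.0 uses TargetResource, not TARGET
    )
    return "https://$PingHost/idp/startSSO.ping?PartnerSpId=" +
           [System.Uri]::EscapeDataString($PartnerSpId) +
           '&TargetResource=' + [System.Uri]::EscapeDataString($TargetResource)
}

# Prerequisite check for AD FS (Windows Server 2016 or later). Runs only where
# the ADFS module is present, i.e. in an elevated session on an AD FS server.
if (Get-Command Get-AdfsProperties -ErrorAction SilentlyContinue) {
    $props = Get-AdfsProperties
    if (-not $props.EnableIdpInitiatedSignonPage -or
        -not $props.RelayStateForIdpInitiatedSignOnEnabled) {
        Set-AdfsProperties -EnableIdpInitiatedSignonPage $true `
                           -RelayStateForIdpInitiatedSignOnEnabled $true
    }
}

# Sample calls with placeholder values.
Get-AdfsIdpInitiatedUrl -AdfsHost 'sts.example.com' `
    -RelyingPartyId 'urn:example:creative-force' `
    -RelayState 'RELAYSTATE-FROM-GAMMA'

Get-PingFederateIdpInitiatedUrl -PingHost 'sso.example.com:9031' `
    -PartnerSpId 'urn:example:creative-force' `
    -TargetResource 'https://app.example.com/'
```

Paste the generated URL into the custom portal (or directly into a private browser window to test it) and confirm that it lands in Creative Force already signed in. If the AD FS URL lands on the AD FS sign-on page instead, the RelayState was dropped: re-check the two properties and make sure the RelayState value matches the Gamma SSO Setting exactly, since it is compared as an opaque string.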
Method 2: Create a Bookmark Application (This method uses SP-initiated SSO)
Users can also create a bookmark application in their Identity Provider. A bookmark app simply opens the Creative Force login URL, so the login itself is SP-initiated: Creative Force issues the SAML request and can tie the response back to it, which an IdP-initiated flow cannot do. That is why SP-initiated SSO is the recommended practice, and why we strongly recommend this method for logging in directly from the IdP.
To configure the bookmark app integration see the below section.
Step 1: Set up Single Sign-On within Creative Force by following the instructions in this article.
This step is mandatory and must be completed before moving on to the steps below.
Step 2: Get the bookmark URL and logo from Creative Force so that the Amazon Cognito app can be bookmarked in the enterprise dashboard and opened directly from the user's IdP.
Make sure SSO is running in Gamma, then copy the link and download the “App logo” from the creating bookmark app section under SSO settings.
Step 3: Create a bookmark app
Okta
1. In the Admin Console, go to Applications and click “Browse App Catalog”.
2. In the Search field, enter Bookmark App and click the Bookmark App integration.
3. Click Add to create a Bookmark App instance.
4. In the General Settings for the Bookmark App, enter the name of the external application and the URL from the creating bookmark app section under SSO settings in Creative Force. Click Done to create the Bookmark App.
5. Add the logo for the app.
6. After creating the app, open the “Assignments” tab to assign users: click Assign to People (or Assign to Groups) and select the users.
Note:
Assigned people must be activated before they can use SSO login.
To create new users, go to Directory -> People.
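The six Admin Console steps above can also be scripted. The following PowerShell is an added example, not code from this article or from Okta, that creates the same Bookmark App and assigns one user through Okta's Apps and Users APIs, refusing to assign a user who is not ACTIVE (the note above). The org URL, app label, bookmark URL and user ID are placeholders, the API token is read from an environment variable rather than written into the script, and the request bodies follow the shape Okta documents for the bookmark app type.

```powershell
# Added example, not from the article or from Okta. Placeholders: $OktaOrg, the
# label, the bookmark URL and $userId. The API token comes from the environment.

$OktaOrg  = 'https://example.okta.com'          # your Okta org URL (placeholder)
$ApiToken = $env:OKTA_API_TOKEN                 # SSWS API token created under Security > API
if (-not $ApiToken) { throw 'Set OKTA_API_TOKEN before running.' }
$Headers  = @{ Authorization = "SSWS $ApiToken"; Accept = 'application/json' }

# Steps 2-4 equivalent: a Bookmark App is signOnMode BOOKMARK with the URL from
# the creating bookmark app section under SSO settings in Creative Force.
$appBody = @{
    name       = 'bookmark'
    label      = 'Creative Force'
    signOnMode = 'BOOKMARK'
    settings   = @{
        app = @{
            requestIntegration = $false
            url = 'https://REPLACE-WITH-URL-FROM-CREATIVE-FORCE-SSO-SETTINGS'
        }
    }
} | ConvertTo-Json -Depth 5

$app = Invoke-RestMethod -Method Post -Uri "$OktaOrg/api/v1/apps" `
    -Headers $Headers -ContentType 'application/json' -Body $appBody
Write-Host "Created Bookmark App $($app.id) ($($app.label))"

# Step 6 equivalent: assign one user. The user must be ACTIVE, so look the
# account up first and stop if it is still STAGED, PROVISIONED or DEPROVISIONED.
$userId = 'REPLACE-WITH-OKTA-USER-ID'
$user = Invoke-RestMethod -Method Get -Uri "$OktaOrg/api/v1/users/$userId" -Headers $Headers
if ($user.status -ne 'ACTIVE') {
    throw "User $userId has status $($user.status); activate the user before assigning the app."
}
$assignBody = @{ id = $userId; scope = 'USER' } | ConvertTo-Json
Invoke-RestMethod -Method Put -Uri "$OktaOrg/api/v1/apps/$($app.id)/users/$userId" `
    -Headers $Headers -ContentType 'application/json' -Body $assignBody | Out-Null
Write-Host "Assigned $($user.profile.login) to $($app.label)"
```

The logo (step 5) is uploaded through a separate endpoint and is left to the Admin Console here. Run the script with a token that has only application and user administration rights, and revoke it when the rollout is done.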
Microsoft Azure
1. Log in to the Azure Portal and navigate to “Azure Active Directory” in Azure Services (create an “Azure Active Directory” resource if you don’t have one).
2. Create the new app and integrate it with Creative Force
Navigate to “Enterprise applications”.
On the “All applications” tab, select “New application”.
Click “Create your own application” and enter a unique app name. Make sure the name does not match an entry in the application gallery. Click “Create” and wait for the app to be created.
After the application is created, open “Single sign-on” in the application screen, choose the “Linked” sign-on method, and fill in the URL from the creating bookmark app section under SSO settings in Creative Force.
Add the logo: open “Properties” in the application screen, select the logo you downloaded from Gamma, then click “Save”.
3. Assign users to the new app
In the application screen, open “Users and groups” and click “Add user/group”.
Click “Users”, select the accounts you want to assign to the app, and click “Select”.
After selecting the accounts, click “Assign”.
OneLogin
1. In the Admin Console, go to Applications.
2. In the Search box, enter “Generic Connector (UC2)” and open that app.
3. In the Configuration settings, enter the name of the external application and the logo for the app, then click Save to create the Bookmark App.
4. In the Configuration settings, fill in the URL from the creating bookmark app section under SSO settings in Creative Force.
5. After creating the app, assign users to the integration app:
To add one user: go to the Users menu, choose the user, open User Info, open the “Applications” tab, and click the plus sign to add the application.
To add users by role: on the “Access” tab, select the user’s role and click Save.
Duo
Log in to the Duo Admin Panel, click Single Sign-On in the left navigation bar, then click Duo Central. Click Add tile and choose Add bookmark tile.
Enter the bookmark information and the URL from the creating bookmark app section under SSO settings in Creative Force, then click Save.
Make sure the Duo Central status is set to enabled; the tile is not shown to users until it is.
Step 4: Log in directly from the user's IdP
Log in to Okta, Microsoft Azure, OneLogin or Duo and click the app you just created. The bookmark opens the Creative Force login URL, which starts the SP-initiated SSO flow and signs the user in.