Do I need to add our outsystems app URL as a relying trusted party in our AD FS server to get the IdP plugin to work?

Thanks,

Daniel Brooks

Solution

Hi Daniel,

You need to configure the IdP connector on the ADFS server. I believe that you can upload the XML metadata of a SAML Service Provider to ADFS and it's done. There are some online tools that can generate that XML metadata, where you first enter your SP information: EntityID, Endpoints (Attribute Consume Service Endpoint, Single Logout Service Endpoint), its public X.509 cert, NameId Format, Organization info and Contact info.


Regards.
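Telmo's answer above describes importing the SP's metadata into AD FS. As an added example that is not OutSystems' or the IdP connector's own code, here is that step done with the AD FS PowerShell module, together with the claim rules that put the user's e-mail address into the SAML NameID. The trust name, the metadata path, the choice of e-mail as the user identifier and the assumption that the connector's user mapping reads it from NameID are all assumptions; the claim type URIs and rule templates are the standard AD FS ones.

```powershell
# Added example, not part of the OutSystems IdP connector. Run in an elevated
# PowerShell session on the AD FS server (the ADFS module ships with the role).
# Assumptions: the SP metadata was exported from the connector to $MetadataFile,
# and the connector is mapped to take the user identifier from NameID (e-mail).
Import-Module ADFS

$RpName       = "OutSystems IdP Connector"            # display name (assumption)
$MetadataFile = "C:\temp\outsystems-sp-metadata.xml"  # exported SP metadata (assumption)

# Claim rules in the AD FS claim rule language. Rule 1 pulls mail and displayName
# from AD for the authenticated Windows account; rule 2 turns the e-mail claim into
# the SAML NameID with the emailAddress format.
$IssuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP attributes for OutSystems"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"), query = ";mail,displayName;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "E-mail as SAML NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Authorization rule: permit every authenticated user. Tighten this to an AD group
# before going to production.
$AuthzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    throw "A relying party trust named '$RpName' already exists; use Set-AdfsRelyingPartyTrust to change it."
}

# Importing the metadata fills in the Identifier (entityID), the ACS and SLO endpoints
# and the SP signing certificate. The remaining switches harden the trust:
#  - SHA-256 signatures instead of the SHA-1 default of older AD FS versions
#  - sign both the SAML response and the assertion
#  - reject unsigned AuthnRequests (only valid if the SP metadata carries a signing cert)
Add-AdfsRelyingPartyTrust -Name $RpName `
    -MetadataFile $MetadataFile `
    -IssuanceTransformRules $IssuanceRules `
    -IssuanceAuthorizationRules $AuthzRules `
    -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" `
    -SamlResponseSignature "MessageAndAssertion" `
    -SignedSamlRequestsRequired $true

# Check what AD FS actually took from the metadata before trying a login.
$rp = Get-AdfsRelyingPartyTrust -Name $RpName
$rp | Select-Object Name, Enabled, Identifier, SignatureAlgorithm, SamlResponseSignature
$rp.SamlEndpoints | Select-Object Protocol, Binding, Location, IsDefault
$rp.RequestSigningCertificate | Select-Object Subject, Thumbprint, NotAfter
```

Two things to check in the output: the `Identifier` must equal the entityID the connector sends in its AuthnRequest, or AD FS answers with an "invalid relying party identifier" error; and the `SamlEndpoints` list must contain a `SingleLogoutService` entry if single logout from the SP side is wanted, since AD FS only knows that endpoint from the metadata. If the SP metadata has no signing certificate, drop `-SignedSamlRequestsRequired $true`, otherwise every login is rejected.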


Telmo Martins wrote:

Hi Daniel,

You need to configure the IdP connector on the ADFS server. I believe that you can upload the XML metadata of a SAML Service Provider to ADFS and it's done. There are some online tools that can generate that XML metadata, where you first enter your SP information: EntityID, Endpoints (Attribute Consume Service Endpoint, Single Logout Service Endpoint), its public X.509 cert, NameId Format, Organization info and Contact info.


Regards.

Thank you for your reply. Do you have any examples of customers setting up the Relying Party Trust in the ADFS server (manual setup or import metadata)?

Apologies if this was mentioned previously, but how does one become an IdP_Administrator so that the site property Idp_SSO_IsActive returns TRUE instead of FALSE?

Thank you for your help. 

Katerina

Katerina Perry wrote:

Apologies if this was mentioned previously, but how does one become an IdP_Administrator so that the site property Idp_SSO_IsActive returns TRUE instead of FALSE?

Thank you for your help. 

Katerina


Head to http(s)://[your server].com/Users/ to add a local user to the role you want.

Curious, what did you enter for the IdP Users Information Mappings in the IdP configuration page?

Daniel Brooks wrote:

Katerina Perry wrote:

Apologies if this was mentioned previously, but how does one become an IdP_Administrator so that the site property Idp_SSO_IsActive returns TRUE instead of FALSE?

Thank you for your help. 

Katerina


Head to http(s)://[your server].com/Users/ to add a local user to the role you want.

Curious, what did you enter for the IdP Users Information Mappings in the IdP configuration page?

Daniel, I didn't; I missed that step, and when I went back through the instructions after debugging countless times I realized there was nothing authenticating the users, hence the FALSE result. Thank you, I will try this immediately.


Katerina Perry wrote:

Daniel Brooks wrote:

Katerina Perry wrote:

Apologies if this was mentioned previously, but how does one become an IdP_Administrator so that the site property Idp_SSO_IsActive returns TRUE instead of FALSE?

Thank you for your help. 

Katerina


Head to http(s)://[your server].com/Users/ to add a local user to the role you want.

Curious, what did you enter for the IdP Users Information Mappings in the IdP configuration page?

Daniel, I didn't; I missed that step, and when I went back through the instructions after debugging countless times I realized there was nothing authenticating the users, hence the FALSE result. Thank you, I will try this immediately.


Ahh. This IdP integration is really tricky. Learning the terms is just one third of the battle!

Good luck!

Daniel Brooks wrote:

Katerina Perry wrote:

Daniel Brooks wrote:

Katerina Perry wrote:

Apologies if this was mentioned previously, but how does one become an IdP_Administrator so that the site property Idp_SSO_IsActive returns TRUE instead of FALSE?

Thank you for your help. 

Katerina


Head to http(s)://[your server].com/Users/ to add a local user to the role you want.

Curious, what did you enter for the IdP Users Information Mappings in the IdP configuration page?

Daniel, I didn't; I missed that step, and when I went back through the instructions after debugging countless times I realized there was nothing authenticating the users, hence the FALSE result. Thank you, I will try this immediately.


Ahh. This IdP integration is really tricky. Learning the terms is just one third of the battle!

Good luck!

Thank you. 


Hi All,

I am trying to use IDPConnector with OneIdentity but I am not able to generate the Metadata.xml using the link below: https://www.samltool.com/sp_metadata.php

Can anyone help me with this? Is IDPServer mandatory to install to use IDPConnector?

I will be using OneIdentity as my Identity Provider.


Thanks,

Kunal

Hi Kunal,

The current version of the component allows you to export/import the metadata XML; there is no need for third-party tools.

After you finish configuration on "SP connector settings and Claims" (and "SP connector internal settings"), you can export it.

Regards.

Daniel Brooks wrote:

Do I need to add our outsystems app URL as a relying trusted party in our AD FS server to get the IdP plugin to work?

Thanks,

Daniel Brooks


SSO using IDP connector


> Log in to the IdP configuration page using the URL below:

  https://{your outsystems environment}/IdP/

  For example: https://xyz.outsystemscloud.com/IdP/



> Select Identity Provider as Azure AD / ADFS



> Sign in to the Azure Active Directory portal and add the OutSystems Azure AD application from the gallery.

  • Navigate to Enterprise applications
  • Click New application.
  • Search for OutSystems Azure AD.
  • Select the application and click Add.



> Select SAML as the single sign-on method.

  • In the OutSystems Azure AD application dashboard click the Single sign-on entry.
  • Select SAML.

> Set up Single Sign-On with SAML.

> Alternatively, you can upload the metadata file from the IdP connector.


> You can then configure the IdP connector with the provided information on sections 3 and 4, or upload the Federation Metadata XML file downloaded in the Azure AD application.



  • In your project Change “Preparation of the NoPermission screen” to redirect the user to the URL provided by IdP_SSO_URL action.


  • Note: if the system contains multiple tenants, the tenant switch has to have been done before calling IdP_SSO_URL.


> Logout Flow

  • Change LoginInfo web block on Common Flow (Optional: Single-logout).
  • In a standard OutSystems application the Common Flow is also responsible for handling Logout operation.
  • By default, the Logout will invalidate the session on the OutSystems application server, but in an IdP SSO scenario the logout must often also be performed on the IdP server, by redirecting the browser to a specific URL on the IdP SSO server.
  • So, to achieve that, it's necessary to change the Logout default behavior.
  • If your IdP Server allows a Logout initiated by the SP (IdP Connector), configure the field IdP server Single Logout URL which should be provided by your IdP Server (the IdP Connector will generate the SAML messages to perform a Single-Logout).
  • Note: Your application shouldn't call the User_Logout or Logout system actions. The IdP connector is the one responsible for that call.
  • Change Preparation of the LoginInfo to redirect the user to the URL provided by IdP Server
  • If your IdP Server allows a Logout initiated by the SP through SAML messages: call the action IdP_SingleLogout_URL and call the Common\ExternalURL with its output.
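Both the reply to Kunal (export the SP metadata from "SP connector settings and Claims") and the how-to above (upload the Federation Metadata XML downloaded from Azure AD into the connector) involve handing a metadata file to the other side. The check a practitioner wants before doing so is to read what the file actually commits to. The script below is an added example, not part of the IdP connector, Azure AD or AD FS: it parses a SAML 2.0 metadata file of either role and prints the entityID, endpoints, NameID formats and certificates, warning on non-HTTPS endpoints and on weak or soon-expiring certificates. The file path is an assumption.

```powershell
# Added example, not part of the OutSystems IdP connector or of Azure AD / AD FS.
# Prints what a SAML 2.0 metadata file commits to (entityID, endpoints, NameID
# formats, certificates) so it can be checked before it is uploaded anywhere.
# Handles SP metadata (SPSSODescriptor) and IdP metadata (IDPSSODescriptor).
param(
    [string]$MetadataPath = "C:\temp\metadata.xml"   # assumption: exported or downloaded file
)

[xml]$doc = Get-Content -Path $MetadataPath -Raw
$ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$entity = $doc.SelectSingleNode("/md:EntityDescriptor", $ns)
if (-not $entity) { throw "Root element is not md:EntityDescriptor; this is not SAML 2.0 metadata." }
"entityID                : {0}" -f $entity.GetAttribute("entityID")

# Azure AD / AD FS federation metadata carries a ds:Signature. A file without one
# is only as trustworthy as the channel it came over, so it should at least have
# been downloaded over HTTPS from the party that owns it.
$signed = $null -ne $entity.SelectSingleNode("ds:Signature", $ns)
"signed                  : {0}" -f $signed

$role = $entity.SelectSingleNode("md:SPSSODescriptor", $ns); $roleName = "SP"
if (-not $role) { $role = $entity.SelectSingleNode("md:IDPSSODescriptor", $ns); $roleName = "IdP" }
if (-not $role) { throw "No SPSSODescriptor or IDPSSODescriptor found." }
"role                    : {0}" -f $roleName

# Flags the other side will enforce: AuthnRequestsSigned on SP metadata is what makes
# "require signed SAML requests" on the IdP workable; WantAuthnRequestsSigned on IdP
# metadata means the SP has to sign.
foreach ($attr in "AuthnRequestsSigned", "WantAssertionsSigned", "WantAuthnRequestsSigned") {
    if ($role.HasAttribute($attr)) { "{0,-24}: {1}" -f $attr, $role.GetAttribute($attr) }
}

# Endpoints: ACS (SP), SSO (IdP) and SLO (both). Anything that is not HTTPS is flagged,
# because the SAML response or logout request would travel in clear text.
foreach ($tag in "AssertionConsumerService", "SingleSignOnService", "SingleLogoutService") {
    foreach ($ep in $role.SelectNodes("md:$tag", $ns)) {
        $loc     = $ep.GetAttribute("Location")
        $binding = $ep.GetAttribute("Binding") -replace '^.*:bindings:', ''
        "{0,-24}: {1}  [{2}]" -f $tag, $loc, $binding
        if ($loc -notmatch '^https://') { Write-Warning "$tag endpoint $loc is not HTTPS" }
    }
}

foreach ($nif in $role.SelectNodes("md:NameIDFormat", $ns)) {
    "NameIDFormat            : {0}" -f $nif.InnerText
}

# Certificates: decode every KeyDescriptor and surface thumbprint, expiry and key size.
# PublicKey.Key is the classic .NET accessor; it still returns the RSA key on PowerShell 7.
foreach ($kd in $role.SelectNodes("md:KeyDescriptor", $ns)) {
    $use = if ($kd.HasAttribute("use")) { $kd.GetAttribute("use") } else { "signing+encryption" }
    $certNode = $kd.SelectSingleNode("ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
    if (-not $certNode) { Write-Warning "KeyDescriptor ($use) has no X509Certificate"; continue }
    $b64  = $certNode.InnerText -replace '\s', ''
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[Convert]::FromBase64String($b64))
    $bits = $cert.PublicKey.Key.KeySize
    "cert ({0}) subject={1} thumbprint={2} notAfter={3:yyyy-MM-dd} keySize={4}" -f $use, $cert.Subject, $cert.Thumbprint, $cert.NotAfter, $bits
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { Write-Warning "certificate $($cert.Thumbprint) expires within 30 days" }
    if ($bits -lt 2048) { Write-Warning "certificate $($cert.Thumbprint) uses a key shorter than 2048 bits" }
}
```

Run it once against the file you are about to upload and once against the file the other side gave you; the entityID and the ACS/SSO locations printed here are exactly the values that have to match what each party types into its configuration screens, and the thumbprint is what you compare against the certificate shown in the AD FS or Azure AD console.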