Versions Compared

Old Version 16

changes.mady.by.user Ridwan

Saved on

compared with

New Version Current

changes.mady.by.user Chemwatch IT

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...


The entire process is managed by IT personnel in Melbourne, AUS.Users can be imported from a list using User Data Import Tool (in Settings under User Access) or via

Self-Registration

...

Import Tool

To import using a list, go to Settings < User Access < User Data Import/Export. NOTE: This process is managed by CW AUS IT Department. The customer will need to be connected with our IT team to import their User Data.

...

To self-register, have the user login via https://jr.chemwatch.net/chemwatch.web/sso/login?domain="xxxxx". The system will connect to their identity provider and the user will have to provide login user/password. If this is the first time they have logged in a user will be created in CW using their credentials. An Administrator will need to assign them products and permissions before their account is active and ready for use.

...

The following describes what login looks like when a user logs into their Chemwatch account via SSO:

...

  1. Service provider redirects call for authentication to Identity Provider (Federation Service). Federation server does not receive any information from Chemwatch. This is just a redirect.

  2. User authenticates into Identity Provider (IDP) with generic login and password. It happens outside of Chemwatch system completely.

  3. IDP redirects call back to Chemwatch with a message containing user name, Assertion of user login, and security token to be used for future calls to IDP. Chemwatch only knows SSO users by login names. No additional information is ever sent back by IDP.

  4. Chemwatch authenticates user only if successfully validated by the IDP. Chemwatch can be configured to enable self-registration and assign a default role for self-registered users. This removes the need to import users before SSO is enabled on an account. It happens automatically on a new user login.

  5. The token will stay valid for a specific time, as configured per the IDP.

  6. If token is invalidated, the user will need to authenticate with the IDP anew.

...

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifiername" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddressgivenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail AddressGiven Name"/>

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givennameemailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given NameE-Mail Address"/>

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.xmlsoapmicrosoft.orgcom/ws/20052008/0506/identity/claims/name"windowsaccountnameNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="NameWindows account name"/>

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="http://schemas.microsoftxmlsoap.comorg/ws/20082005/0605/identity/claims/windowsaccountnamenameidentifier" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account nameName ID"/>

The For example, Chemwatch system will use one of the name claims, i.e., Name ID, Given Name, Name or Windows account name, as a first preference during SSO login, and will populate the User Login and Person Name fields (during self-registration on first user login) on the Chemwatch user record if this claim is available.

If both of Name ID, and one of the other name claims are available then Name ID maps to User Login and the other one maps to Person Name fields on the Chemwatch user record.If the Name ID claim is not available then the Given Name claim will be used to populate the User Login and Person Name fields on the Chemwatch user record.

If the Given Name claim is not available then the Name claim will be used to populate the User Login and Person Name fields on the Chemwatch user record.

One of either Name ID or , Given Name or Name or Windows account name claims must be made in order to successfully log in to Chemwatch via SSO. The E-mail Address claim will be used to populate the Email field of the Chemwatch user record if available.

...

Below is an example of from Microsoft Active Directory attribute/Outgoing Claim Type mappings that can be used for logging into Chemwatch via SSO:.

...

IMPORTANT NOTES:

If you set your IDP as above, then inside our Chemwatch application: your SAM-Account-Name will get mapped to our User Login field, your E-Mail-Adresses will get mapped to our Email and your Display-Name will get mapped to our Person Name fields respectively.Important point here to remember is that, as per above example, your Outgoing Claims: Name ID and and your E-Mail Address-Adresses will get mapped to our User Login and Email fields respectively. The 3rd Outgoing Claim: Given Name - gets mapped to our Person Name field.

In absence of the 2nd and the 3rd Outgoing Claims: E-Mail Address and Given Name as per above example, Name ID gets mapped to both Person Name and User Login fields at our end. But Email fields at our end will be left blank.

In absence of just the 3rd Outgoing Claim: Given Name as per above example, Name ID gets mapped to both Person Name and User Login fields at our end. And the E-Mail Address gets mapped to our Email field.

In this example, the Name ID is what uniquely identifies the SSO user in the system.

Sending the Outgoing Claim: Name ID is required.

You choose what your LDAP Attributes you want to map against those Outgoing Claim Types.

The metadata.xml from the Chemwatch side that will be used to configure your IDP looks like the following:

Code Block
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" ID="_b5284f77-1b41-466a-bca1-5f10169e8e64" entityID="https://jr.chemwatch.net/chemwatch.web">
<SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<KeyDescriptor use="signing">
  <KeyInfo xmlns="<http://www.w3.org/2000/09/xmldsig#">>
    <X509Data>
      <X509Certificate>"Place holder certificate"</X509Certificate>
    </X509Data>
  </KeyInfo>
</KeyDescriptor>

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
<NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

<AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<https://jr.chemwatch.net/chemwatch.web/sso/login/"xxxxx""> index="0" isDefault="true" />

<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="E-Mail Address"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Name ID"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Given Name"/>
<Attribute xmlns="urn:oasis:names:tc:SAML:2.0:assertion" Name="<http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"> NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" FriendlyName="Windows account name"/>

</SPSSODescriptor>
</EntityDescriptor>

A similar guide for MS Azure is available from SSO (Single Sign On) Guide for Microsoft Azure