Configuring SSO Authentication
The SSO service includes information (claims) that makes it possible to identify a user or a user group.
The claims
The claims are included in the SSO service.
Examples of claims: a name, a group, an email, a role.
These claims are mapped to the corresponding data in HOPEX.
To identify a person, you can, for example, map:
• the "displayname" claim to the Name attribute of the person in HOPEX.
• the "email" claim to the E-mail attribute of the person in HOPEX.
To identify a person group, your SSO service must include groups. These groups are listed under the claim "role".
To identify a person group, you can, for example, map:
• the "role" claim value "rCmp-WebAXDevRemoteRdpTier2@MEGA" to a person group in HOPEX.
Example of information included in an SSO service:
{
  "ValidateLifetime": true,
  "AccessTokenType": "Reference",
  "TokenHandle": "52c900bcfe54f2ef081b3fa704e19e11",
  "Claims": {
    "aud": "https://hopex/UAS/resources",
    "iss": "https://hopex/UAS",
    .....
    "displayname": "Lou,Watts",
    "name": "lws",
    "email": "lwatts@mega.com",
    "given_name": "",
    "family_name": "Watts",
    "groupsid": [
      "S-1-5-21-0123456789-0123456789-513",
      "S-1-1-0",
      "S-1-5-32-544",
      "S-1-5-32-545"
    ],
    "role": [
      "Domain Users@MEGA",
      "Everyone",
      "Administrators@BUILTIN",
      "Users@BUILTIN",
      "NETWORK@NT AUTHORITY",
      "Authenticated Users@NT AUTHORITY",
      "This Organization@NT AUTHORITY",
      "rCmp-WebAXDevRemoteRdpTier2@MEGA",
      "tNtfs-USTLVUCSD651DImagesRecorderModify@MEGA",
      "tSvc-WebAX8AppXtenderRetentionFilingServiceFull@MEGA"
    ],
    "lws": "1ae8ad551970e66e071536655b9542ad"
  }
}
Configuring SSO Authentication
To configure SSO authentication:
1. Define the authentication parameters.
For example: the name and e-mail of the person.
2. If you manage person groups:
• Define the authentication groups.
• Map the authentication groups to the person groups defined in HOPEX.
Modifying the claim used for mapping authentication groups
To identify a person group, your SSO service must include groups. By default, these groups are listed under the claim "role".
To modify the claim used for mapping authentication groups:
1. Access environment options.
2. In the options tree, expand the Installation folder and select User Management.
3. In the right pane, modify the "Claim to be used for mapping to authentication groups" option.
Default value: role.
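The claim mapping and the configurable group claim described above, as an added Python sketch (not HOPEX code and not part of the original page): it resolves a person and their person groups from a claims payload, reading groups from a claim that defaults to "role". The mapping tables, the "Remote Developers" and "All Staff" person groups, the exact-match comparison and the trimmed sample payload are assumptions made for illustration.

```python
import json

# Constructed sample, trimmed from the example payload on this page.
SAMPLE = json.loads("""{"Claims": {
  "displayname": "Lou,Watts",
  "email": "lwatts@mega.com",
  "role": ["Domain Users@MEGA", "Everyone", "rCmp-WebAXDevRemoteRdpTier2@MEGA"]
}}""")

# Hypothetical mapping tables (assumptions, not HOPEX defaults).
ATTRIBUTE_MAP = {"displayname": "Name", "email": "E-mail"}
GROUP_MAP = {"rCmp-WebAXDevRemoteRdpTier2@MEGA": "Remote Developers"}

# Well-known Windows groups that, by default, hold every user.
BROAD_GROUPS = {"everyone", "authenticated users", "domain users"}


def claim_values(claims, name):
    """Return a claim as a list of strings; a single value may arrive as a bare string."""
    value = claims.get(name)
    if isinstance(value, str):
        return [value]
    if isinstance(value, list):
        return [v for v in value if isinstance(v, str)]
    return []  # claim missing or of an unexpected type: no groups


def resolve_person(token, group_claim="role"):
    """Map claims to person attributes and person groups; unmapped groups are ignored."""
    claims = token.get("Claims", {})
    person = {attr: claims[c] for c, attr in ATTRIBUTE_MAP.items() if claims.get(c)}
    groups = sorted({GROUP_MAP[g] for g in claim_values(claims, group_claim) if g in GROUP_MAP})
    return person, groups


def broad_mappings(group_map):
    """List mapped authentication groups that would match every user."""
    return sorted(g for g in group_map if g.split("@")[0].lower() in BROAD_GROUPS)


if __name__ == "__main__":
    print(resolve_person(SAMPLE))                        # default claim: role
    print(resolve_person(SAMPLE, group_claim="groups"))  # claim absent: no groups
    print(broad_mappings({**GROUP_MAP, "Everyone": "All Staff"}))
```

A person group mapped to an authentication group such as "Everyone" is assigned to every user who signs in, which is what `broad_mappings` is there to catch before the mapping is saved.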