HOPEX Aquila EN

PLATFORM - Administration (Web) > Users > Authentication in HOPEX > Configuring SSO Authentication

Configuring SSO Authentication

The SSO service includes information (claims), which enables to identify a user or a user group.

The claims

The claims are included in the SSO service.

Examples of claims: a name, a group, an email, a role.

These claims are used to map this information with the data included in HOPEX.

To identify a person, you can for example map:

• the "displayname" claim with the Name attribute of the person in HOPEX.

• the "email" claim with the E-mail attribute of the person in HOPEX.

To identify a person group, your SSO service must include groups. These groups are listed under the claim "role".

To modify the claim used for mapping authentication groups, modify the ClaimForRoles of the identity provider (see Installation and Deployment > HOPEX Unified Authentication Service documentation).

To identify a person group, you can for example map:

• The claim role "rCmp-WebAXDevRemoteRdpTier2@MEGA" with a person group in HOPEX.

Example of information included in an SSO service:

{

"ValidateLifetime": true,

"AccessTokenType": "Reference",

"TokenHandle": "52c900bcfe54f2ef081b3fa704e19e11",

"Claims":{

"aud": "https://hopex/UAS/resources",

"iss": "https://hopex/UAS",

.....

"displayname": "Lou,Watts",

"name": "lws",

"email": "lwatts@mega.com",

"given_name": "",

"family_name": "Watts",

"groupsid": [

"S-1-5-21-0123456789-0123456789-513",

"S-1-1-0",

"S-1-5-32-544",

"S-1-5-32-545",

"role":[

"Domain Users@MEGA",

"Everyone",

"Administrators@BUILTIN",

"Users@BUILTIN",

"NETWORK@NT AUTHORITY",

"Authenticated Users@NT AUTHORITY",

"This Organization@NT AUTHORITY",

"rCmp-WebAXDevRemoteRdpTier2@MEGA",

"tNtfs-USTLVUCSD651DImagesRecorderModify@MEGA",

"tSvc-WebAX8AppXtenderRetentionFilingServiceFull@MEGA"

"lws": "1ae8ad551970e66e071536655b9542ad"

}

Configuring SSO Authentication

To configure SSO authentication:

1. Define the authentication parameters.

For example: the name and e-mail of the person.

See Defining an Authentication Parameter.

2. If you manage person groups:

• Define the authentication groups.

See Defining an SSO Authentication Group.

• Map the authentication groups with the person groups defined in HOPEX.

See Associating a HOPEX User Group with an Authenticated User Group.