How to log in to EBF with SSO

Okta SSO

Okta Configurations

  1. Log in to your Okta developer account.
  2. Go to Applications >> Applications >> Create App Integration.
  3. Select SAML 2.0 in the Sign-in method section and click Next.
  4. On the General Settings tab, enter any string as a name for your integration and click Next.
  5. On the Configure SAML tab, configure the following:
    i) In the Single sign-on URL enter: "https://<EBF domain name or IP address>/saml/acs"
    ii) In Audience URI (SP Entity ID) enter: "https://<EBF domain name or IP address>/saml/acs"
    iii) Click Show Advanced Settings
    iv) In the Signature Certificate field, upload app/saml/certs/sp.crt
    v) Select Enable Single Logout
    vi) In the Single Logout URL enter: "https://<EBF domain name or IP address>/saml/slo"
    vii) In the SP Issuer enter "https://<EBF domain name or IP address>/saml/acs" (same as the Audience URI (SP Entity ID))
    viii) In the Attribute Statements section, enter the attribute maps below and then click Next:
  6. In the Feedback tab, select "I'm an Okta customer adding an internal app" and click Finish.

Okta: Assign Okta Users to EBF SSO

Go to the Assignments tab and assign users to the newly created app integration.

EBF Configurations

FOR HTTPS EBF instances only:

An HTTPS EBF instance is mandatory for Okta SSO.

i) Make changes in the settings.conf file:
Go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the config variables below to match your Okta EBF integration.

  • "SAML_IDP_URL": "<SAML metadata URL>"
  • "entityId": "https://<EBF domain name or IP address>/saml/acs/"
  • "assertionConsumerService": { "url": "https://<EBF domain name or IP address>/saml/acs/" }
  • "singleLogoutService": { "url": "https://<EBF domain name or IP address>/saml/slo" }
  • "x509cert": "<formatted certificate string uploaded to Okta app integration>"
  • "privateKey": "<formatted private key string>"

ii) After making the changes, restart the EBF app by running the commands below:

$ cd /data/timesys/ebf
$ sudo docker-compose down
$ sudo docker-compose up -d

iii) Log in to EBF by clicking the Login with Okta button and entering your Okta username and password.

Microsoft Azure AD SSO

Azure AD Configurations

Registering the application in Active Directory

The EBF application is registered as a non-gallery application. From the Active Directory dashboard:

- Click “Enterprise Applications” on the sidebar
- Click “+ New Application”
- Click “Create your own application”
- Enter a name for the application
- Select “Integrate any other application you don't find in the gallery (Non-gallery)”
- Click Create

Assigning users and groups

To allow users to log in to EBF via Active Directory, they must be added to the Enterprise Application. From the application dashboard:

- Click “Users and Groups”
- Click “Add user/group”
- Select users or groups that should have access to

Users must have an email address added to their Active Directory account in order to log into EBF.

Configuring EBF SAML

Once an Enterprise application is added, you can configure the SAML settings required to log into EBF.

From the Active Directory dashboard:
- Click “App Registrations” on the sidebar
- Click the EBF application

Adding EBF as a valid redirect target
- Click “Authentication” on the sidebar
- Click “Add a platform”
- Select Web
- Enter “https://<EBF domain name Or IP address>/users/saml/acs” or “http://<EBF domain name Or IP address>/users/saml/acs” as the Redirect URI, depending on whether the EBF instance uses HTTPS or HTTP

Adding the EBF certificate
- Click “Certificates & secrets” on the sidebar
- Upload the provided certificate

Token Configuration
- Click “Token configuration” on the sidebar
- Click “+ Add Optional Claim”
- Select “SAML”
- Select “email”
- Click “Add”
- AD may prompt you to enable a Graph permission; if so, enable it

Exposing to EBF
- Click “Expose an API”
- Set the Application ID URI (the default is fine, or use any value you prefer)

Connecting EBF to Active Directory

To point EBF at your Active Directory tenant, we need you to email us two pieces of information. From the Active Directory dashboard:
- Click “App registrations”
- Click the EBF application

Federation Metadata
- Click “Endpoints”
- Copy the “Federation metadata document” link and paste it into the email

Application ID URI
- Copy the “Application ID URI” and paste it into the email

That should be it. Once we enter the provided data into the EBF instance, you should be able to log in via Active Directory.

EBF Configurations

How to log in to EBF with SSO using Microsoft Azure:

FOR HTTP:

i) Make changes in the settings.conf file:
Go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the config variables below to match your Microsoft Azure integration.

  • "SAML_IDP_URL": "<Federation metadata document URL>"
  • "entityId": "<Azure Application ID URI>"
  • "assertionConsumerService": { "url": "http://<EBF domain name Or IP address>/saml/acs/" }
  • "singleLogoutService": { "url": "http://<EBF domain name Or IP address>/saml/slo" }
  • "x509cert": "<formatted certificate string uploaded to Azure>"
  • "privateKey": "<formatted private key string>"

ii) After making the changes, restart the EBF app by running the commands below:

$ cd /data/timesys/ebf
$ sudo docker-compose down
$ sudo docker-compose up -d

FOR HTTPS:

i) Make changes in the settings.conf file:
Go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the config variables below to match your Microsoft Azure EBF integration.

  • "SAML_IDP_URL": "<Federation metadata document URL>"
  • "entityId": "<Azure Application ID URI>"
  • "assertionConsumerService": { "url": "https://<EBF domain name Or IP address>/saml/acs/" }
  • "singleLogoutService": { "url": "https://<EBF domain name Or IP address>/saml/slo" }
  • "x509cert": "<formatted certificate string uploaded to Azure>"
  • "privateKey": "<formatted private key string>"

ii) After making the changes, restart the EBF app by running the commands below:

$ cd /data/timesys/ebf
$ sudo docker-compose down
$ sudo docker-compose up -d

iii) Log in to EBF by clicking the Login with Microsoft button and entering your Microsoft Azure username and password.
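
A pre-restart sanity check for the SAML values set in the Okta and Azure settings.conf steps above, as an added example that is not part of EBF or of the original guide. It assumes the values have already been loaded into a Python dict with the key names shown in this guide; the function name, the sample host ebf.example.com and the sample cert/key strings are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample values using the key names from this guide.
SAMPLE = {
    "entityId": "https://ebf.example.com/saml/acs/",
    "assertionConsumerService": {"url": "https://ebf.example.com/saml/acs/"},
    "singleLogoutService": {"url": "https://ebf.example.com/saml/slo"},
    "x509cert": "CONSTRUCTED-CERT-STRING",
    "privateKey": "CONSTRUCTED-KEY-STRING",
}

def check_sp_settings(sp, require_https=True):
    """Return a list of problems in the SAML SP values; an empty list means OK."""
    problems = []
    hosts = set()
    endpoints = {"assertionConsumerService": "/saml/acs",
                 "singleLogoutService": "/saml/slo"}
    for key, path in endpoints.items():
        url = sp.get(key, {}).get("url", "")
        if not url or "<" in url or ">" in url:
            problems.append(f"{key}: empty or placeholder not replaced")
            continue
        parts = urlsplit(url)
        if require_https and parts.scheme != "https":
            problems.append(f"{key}: scheme is {parts.scheme!r}, expected https")
        if not parts.hostname:
            # A URL such as "https:///host/saml/slo" parses with an empty host.
            problems.append(f"{key}: no host in URL")
        if parts.path.rstrip("/") != path:
            problems.append(f"{key}: path is {parts.path!r}, expected {path}")
        hosts.add(parts.hostname)
    if len(hosts) > 1:
        problems.append("ACS and SLO URLs point at different hosts")
    for key in ("entityId", "x509cert", "privateKey"):
        value = sp.get(key, "").strip()
        if not value or "<" in value:
            problems.append(f"{key}: empty or placeholder not replaced")
    return problems

if __name__ == "__main__":
    for line in check_sp_settings(SAMPLE) or ["settings look consistent"]:
        print(line)
```

Pass require_https=False only for the Azure HTTP variant; the Okta integration requires HTTPS.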