Configure SAML or OIDC Federation for Your Organization
This section contains instructions on how to configure SAML or OIDC federation for your organization domain.
Prerequisites
Before you start establishing federated single sign-on for your organization account users, make sure that the following information is available:
For OIDC Authentication
- Discovery URI: the URI where an OpenID server publishes its metadata and which returns a JSON listing of the OpenID/OAuth endpoints, available scopes and claims, public keys used to sign the tokens, and other details.
- Authorization URL: the URL to the authorization endpoint that accepts an authentication request, which includes the parameters defined by both the OAuth 2.0 and the OIDC 1.0 specifications.
- Token URL: the URL to the token endpoint that accepts a client request with an authorization code issued to the client by the authorization endpoint.
- User Info URL: the URL to the protected resource that returns authorized information on the end user represented by the corresponding Authorization Grant when the client presents an access token.
- JWKS URL: the URL to the endpoint that returns a JWKS containing the public keys that enable clients to validate a JSON Web Token (JWT) issued by this OIDC provider.
- Logout URL: the URL to log out an end user from the OIDC provider.
- Issuer URL: the URL that identifies the OpenID provider.
SAML or OIDC authentication must be configured on both sides: in the Authorization service (Smart Trading Cloud), which fronts Smart Trading Cloud services such as Onboarding and Testing Cloud Service, and in your identity provider.
Group Mapping
While configuring the OIDC federation for your organization, you can also configure user group mapping. This lets you name the attribute (claim) in your IdP token that Smart Trading Cloud uses to update automatically the list of groups a logged-in user belongs to.
To enable mapping of attributes to the user groups, you must ensure the following:
- The name of the group in the external IdP must be the same as the name of the group in Smart Trading Cloud.
- If a user belongs to more than one group, the attribute (claim) in the IdP token must list all these groups:
  - For the attribute type string, list the group names separated by comma (,), semicolon (;), pipe (|), colon (:), or slash (/).
  - For the attribute type array of strings, list each group as an element.
Note: Group mapping is not supported for the Administrators group. You must add users manually to the Administrators group.
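The following is an added example, not Edifecs code, showing how the group-mapping rules above apply to a groups claim taken from an IdP token: a string claim is split on the five accepted separators, an array claim is taken element by element, names are matched exactly against the known Smart Trading Cloud groups, unknown names are reported rather than auto-created, and the Administrators group is never granted from the token. The claim name, the sample claims and the group list are constructed for this example; the token is assumed to have been signature-checked already, and the name comparison is assumed to be case-sensitive.

```python
"""Added example (not Edifecs code): apply the page's group-mapping rules to
the groups claim of an IdP token.

Assumptions not stated on the page: the claim name is configurable, the token
has already been signature-checked, group names compare case-sensitively, and
the set of Smart Trading Cloud group names is known to the caller."""
import re
from typing import Iterable

# Separators the page accepts for a string-typed claim.
_SEPARATORS = re.compile(r"[,;|:/]")

# The page states that Administrators is never assigned via mapping.
PROTECTED_GROUPS = frozenset({"Administrators"})


def parse_group_claim(value) -> list:
    """Return the group names carried by a claim value.

    Accepts a single string (names separated by , ; | : or /) or an array of
    strings. Empty entries and surrounding whitespace are dropped, duplicates
    are collapsed, and any other claim type is rejected rather than mapped.
    """
    if isinstance(value, str):
        parts = _SEPARATORS.split(value)
    elif isinstance(value, list) and all(isinstance(v, str) for v in value):
        parts = value
    else:
        raise TypeError(f"unsupported groups claim type: {type(value).__name__}")
    names = []
    for part in parts:
        name = part.strip()
        if name and name not in names:
            names.append(name)
    return names


def map_groups(token_claims: dict, claim_name: str, known_groups: Iterable[str]) -> dict:
    """Compute the group memberships a token should produce.

    Exact-name matching (the page requires identical names on both sides);
    unknown names are reported, not created; Administrators is never granted.
    """
    known = set(known_groups)
    raw = token_claims.get(claim_name)
    claimed = parse_group_claim(raw) if raw is not None else []
    result = {"assigned": [], "ignored_unknown": [], "ignored_protected": []}
    for name in claimed:
        if name in PROTECTED_GROUPS:
            result["ignored_protected"].append(name)
        elif name in known:
            result["assigned"].append(name)
        else:
            result["ignored_unknown"].append(name)
    return result


# Constructed sample claims (not real tokens) and a constructed group list.
SAMPLE_STRING_CLAIM = {"sub": "alice@example.com", "groups": "Analysts; Traders|Administrators"}
SAMPLE_ARRAY_CLAIM = {"sub": "bob@example.com", "groups": ["Analysts", "Auditors", "analysts"]}
KNOWN_GROUPS = ["Administrators", "Analysts", "Traders"]

if __name__ == "__main__":
    for claims in (SAMPLE_STRING_CLAIM, SAMPLE_ARRAY_CLAIM):
        print(claims["sub"], map_groups(claims, "groups", KNOWN_GROUPS))
```

Note that because slash is a separator, a group whose name itself contains one of the five characters cannot be carried in a string-typed claim; use the array form for such names.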
Configure SAML or OIDC federation for an organization domain
- Go to the Authorization service at https://auth.edifecsfedcloud.com and sign in as an account administrator.
- Go to the User Registrations page (on the left navigation bar).
- On the top right of the page, click Configure User Federation.
- Click Configure SAML Federation or Configure OIDC Federation.
Configure SAML Federation
- Review the caution message on SAML support by on-premise Edifecs products. If it is not applicable for your account users, click Continue.
- In SAML Federation Configuration, under Status, leave federation disabled for now. Enable SAML federation (for all account users or only for administrators) only after you have filled out the required fields below and registered Onboarding and Testing Cloud Service as a service provider in your identity provider; until then, the identity provider will reject authentication requests from the service.
- Provide IdP information either through:
  - IdP Metadata: Click Upload IdP Metadata to upload the XML file with your SAML identity provider metadata.
  -OR-
  - IdP SSO URL: Enter the URL of the identity provider's single sign-on endpoint. Select Use HTTP-POST binding for authentication requests and/or Use HTTP-POST binding for response if you want the SAML protocol messages to be transferred within the base64-encoded content of an HTML form control. If not selected, the HTTP Redirect binding is used.
  - IdP Logout URL: Enter the URL of the identity provider's single logout endpoint. Select Use HTTP-POST binding for logout if you want the logout messages to be transferred within the base64-encoded content of an HTML form control. If not selected, the HTTP Redirect binding is used.
  - Signature Verification Certificate: the identity provider's signing certificate, whose public key the Authorization service uses to verify the signatures on SAML responses and assertions. Take it from the identity provider's metadata rather than from an unauthenticated channel.
- In Username (Email) Source, for the Authorization service (Smart Trading Cloud) to extract the identity of the authenticated user from the SAML assertion, specify the location of the user name (email) in the assertion that the identity provider will send as a response.
- Select Assertion subject if a user name will be located in the <saml:Subject> element of the response.
- Select Assertion attribute if a user name will be located in the <saml:Attribute> element of the response. In User Email - Attribute Name, enter the value of the attribute Name (for example, urn:oid:0.9.2342.19200300.100.1.3). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- In Required Attributes, specify how the attributes are labeled in assertions. When users are logged into their personal Onboarding and Testing Cloud Service accounts, they see their first and last names in their profile information. For this, the identity provider must send this information to the Authorization service (Smart Trading Cloud) as attributes, and the Authorization service must know the attribute names under which they arrive.
- In User First Name - Attribute Name, enter the value of the attribute Name that carries the user's first name (for example, urn:oid:2.5.4.42). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- In User Last Name - Attribute Name, enter the value of the attribute Name that carries the user's last name (for example, urn:oid:2.5.4.4). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- Click Save.
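The following is an added example, not Edifecs code, showing the Username (Email) Source and Required Attributes settings at work on a SAML 2.0 assertion: the email is read either from the Subject NameID or from a named attribute, the first and last names from the attributes the page names by OID (urn:oid:2.5.4.42 and urn:oid:2.5.4.4), and each can be looked up by Name or by FriendlyName. The sample assertion is constructed and unsigned; a real service reads identity only after the response signature, Conditions and InResponseTo have been verified, and a single friendly-name flag covering all three attributes is a simplification of the per-field check boxes on the page.

```python
"""Added example (not Edifecs code): pull the user name (email) and the
first/last name out of a SAML 2.0 assertion the way the Username (Email)
Source and Required Attributes settings describe.

Assumptions not stated on the page: the assertion has already had its
signature, Conditions and InResponseTo checked (never read identity from an
unverified assertion); the sample assertion is constructed; one
'use friendly name' flag applies to all three attributes."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute Names the page uses for email, first name and last name.
OID_MAIL = "urn:oid:0.9.2342.19200300.100.1.3"
OID_GIVEN_NAME = "urn:oid:2.5.4.42"
OID_SURNAME = "urn:oid:2.5.4.4"

# Constructed, unsigned sample assertion for this example only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>Alice.Smith@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Smith</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _attribute_values(root, key, use_friendly_name):
    """Values of the <saml:Attribute> whose Name (or FriendlyName) equals key."""
    xml_attr = "FriendlyName" if use_friendly_name else "Name"
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get(xml_attr) == key:
            return [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
    return []


def _single(values, what):
    """Require exactly one non-empty value: a missing or multi-valued identity
    attribute is rejected instead of guessed at."""
    values = [v for v in values if v]
    if len(values) != 1:
        raise ValueError(f"{what}: expected exactly one value, got {values!r}")
    return values[0]


def extract_identity(assertion_xml, username_source="subject", email_attr=OID_MAIL,
                     use_friendly_name=False, first_name_attr=OID_GIVEN_NAME,
                     last_name_attr=OID_SURNAME):
    """Return {'email', 'first_name', 'last_name'} from a <saml:Assertion>.

    username_source='subject' reads <saml:Subject>/<saml:NameID>;
    username_source='attribute' reads the attribute named by email_attr.
    """
    root = ET.fromstring(assertion_xml)
    if username_source == "subject":
        name_id = root.find("saml:Subject/saml:NameID", NS)
        email = _single([(name_id.text or "").strip() if name_id is not None else ""], "Subject NameID")
    elif username_source == "attribute":
        email = _single(_attribute_values(root, email_attr, use_friendly_name), f"attribute {email_attr}")
    else:
        raise ValueError(f"unknown username source {username_source!r}")
    return {
        "email": email,
        "first_name": _single(_attribute_values(root, first_name_attr, use_friendly_name), "first name"),
        "last_name": _single(_attribute_values(root, last_name_attr, use_friendly_name), "last name"),
    }


if __name__ == "__main__":
    print(extract_identity(SAMPLE_ASSERTION))
    print(extract_identity(SAMPLE_ASSERTION, username_source="attribute"))
```

The sample deliberately carries a different address in the Subject and in the mail attribute: which one becomes the account identity depends entirely on the Username (Email) Source setting, so agree with the identity provider on which of the two it populates and protects.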
Configure OIDC Federation
- Review the caution message on OIDC support by on-premise Edifecs products. If it is not applicable for your account users, click Continue.
- In OIDC Federation Configuration, under Status, leave federation disabled for now. Enable OIDC federation (for all account users or only for administrators) only after you have filled out the required fields below and registered Onboarding and Testing Cloud Service as a client (relying party) in your identity provider. To enable it, in Status, select one of the following:
  - Enable for Administrators: Only account administrators will be able to authenticate with the identity provider. They will be able to sign in using their Smart Trading credentials as well.
  - Enable for All Users: All the account users (including administrators) will be required to authenticate with the identity provider. The administrators will be able to sign in using their Smart Trading credentials as well.
  Then click OK.
- In Client ID, enter the client identifier under which Smart Trading Cloud is registered in your OIDC provider; the value must be identical on both sides.
- In Client Secret, enter the client secret issued by your identity provider for this registration. It authenticates Smart Trading Cloud to the provider's token endpoint, so handle it like a password.
- In Client Auth Method, select POST or Basic to determine whether the client ID and client secret are sent to the OIDC provider as form parameters in the HTTP request body (client_secret_post) or in the Authorization header using the HTTP Basic scheme (client_secret_basic). Choose a method your provider lists under token_endpoint_auth_methods_supported in its discovery document.
- In Scopes, enter a space-separated list of scopes to be used in the authorization request. The list must include openid; add profile and email if your provider releases the name and email claims only for those scopes.
- Provide IdP Metadata either through:
  - Metadata URL: Enter the Discovery URI: the URI where an OpenID server publishes its metadata and which returns a JSON listing of the OpenID/OAuth endpoints, available scopes and claims, public keys used to sign the tokens, and other details.
  -OR-
  - Provided Metadata:
    - Authorization URL: Enter the URL to the authorization endpoint that accepts an authentication request, which includes the parameters defined by both the OAuth 2.0 and the OIDC 1.0 specifications.
    - Token URL: Enter the URL to the token endpoint that accepts a client request with an authorization code issued to the client by the authorization endpoint.
    - User Info URL: Enter the URL to the protected resource that returns authorized information on the end user represented by the corresponding Authorization Grant when the client presents an access token.
    - JWKS URL: Enter the URL to the endpoint that returns a JWKS containing the public keys that enable clients to validate a JSON Web Token (JWT) issued by this OIDC provider.
    - Logout URL: Enter the URL to log out an end user from the OIDC provider.
    - Issuer URL: Enter the URL that identifies the OpenID provider.
- In Required Attributes, specify how the attributes (claims) are labeled in the tokens the identity provider issues. When users are logged into their personal Onboarding and Testing Cloud Service accounts, they see their first and last names in their profile information. For this, the identity provider must send this information to the Authorization service (Smart Trading Cloud) as claims, and the Authorization service must know the claim names under which they arrive.
- In User Email - Attribute Name, the value of the attribute Email that carries the user's email address is filled in automatically.
- In User First Name - Attribute Name, enter the value of the attribute Name that carries the user's first name.
- In User Last Name - Attribute Name, enter the value of the attribute Name that carries the user's last name.
- Additionally, configure group mapping to allow Accounts Service to automatically update the user's group memberships:
- Select the check box Enable Group Mapping.
- Enter the name of the attribute (claim) in the IdP token that lists the user's groups. The group names carried in that claim must match the Smart Trading Cloud group names exactly.
- Click Save.
- Select which domains this configuration must be applied to.
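The following is an added example, not Edifecs code, showing the client-side mechanics behind the OIDC settings above: reading the discovery document that a Metadata URL points to and checking that its issuer matches the location it was fetched from and that every endpoint is HTTPS, building the authorization request from the Scopes setting (rejecting a list without openid), and building the token request for each Client Auth Method (POST puts the credentials in the form body; Basic puts them in an Authorization header, form-urlencoding each part before base64 as RFC 6749 section 2.3.1 requires). The discovery document, client ID, client secret, redirect URI, state and nonce are constructed placeholders; a real client fetches the document over HTTPS and generates fresh random state and nonce values for every login.

```python
"""Added example (not Edifecs code): discovery validation, authorization
request and token request for the OIDC settings described on the page.

Assumptions not stated on the page: the discovery document, client ID,
client secret, redirect URI, state and nonce below are constructed
placeholders; a real client fetches the document over HTTPS and generates
fresh random state and nonce values per login."""
import base64
import json
from urllib.parse import quote_plus, urlencode, urlsplit

DISCOVERY_URI = "https://idp.example.com/.well-known/openid-configuration"
SAMPLE_DISCOVERY_JSON = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/oauth2/authorize",
    "token_endpoint": "https://idp.example.com/oauth2/token",
    "userinfo_endpoint": "https://idp.example.com/oauth2/userinfo",
    "jwks_uri": "https://idp.example.com/oauth2/keys",
    "end_session_endpoint": "https://idp.example.com/oauth2/logout",
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})
REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")


def load_discovery(discovery_uri, document_json):
    """Parse the discovery document and refuse it unless the issuer matches
    where it was fetched from (the /.well-known/... suffix removed) and every
    endpoint the client will call is https. A mismatching issuer is how a
    mis-pointed Discovery URI would make the client trust another provider's
    keys and endpoints."""
    doc = json.loads(document_json)
    expected_issuer = discovery_uri.split("/.well-known/")[0].rstrip("/")
    issuer = str(doc.get("issuer", "")).rstrip("/")
    if not issuer or issuer != expected_issuer:
        raise ValueError(f"issuer {issuer!r} does not match {expected_issuer!r}")
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url or urlsplit(url).scheme != "https":
            raise ValueError(f"{key} missing or not https: {url!r}")
    return doc


def build_authorization_url(doc, client_id, redirect_uri, scopes, state, nonce):
    """Authorization request for the code flow. The Scopes setting is a
    space-separated list and must contain openid; without it the provider
    treats the request as plain OAuth 2.0 and issues no ID token."""
    scope_list = scopes.split()
    if "openid" not in scope_list:
        raise ValueError("scopes must include 'openid'")
    params = {"response_type": "code", "client_id": client_id, "redirect_uri": redirect_uri,
              "scope": " ".join(scope_list), "state": state, "nonce": nonce}
    return doc["authorization_endpoint"] + "?" + urlencode(params)


def build_token_request(doc, code, redirect_uri, client_id, client_secret, auth_method):
    """Token request for the two Client Auth Method choices. POST sends the
    credentials as form fields; Basic sends them in an Authorization header,
    each part form-urlencoded before base64 (RFC 6749 section 2.3.1)."""
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if auth_method == "POST":
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "Basic":
        cred = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode()).decode()
    else:
        raise ValueError(f"unknown client auth method {auth_method!r}")
    return {"url": doc["token_endpoint"], "headers": headers, "body": urlencode(form)}


def basic_credentials(authorization_header):
    """Inverse of the Basic encoding above, as the provider decodes it."""
    scheme, _, b64 = authorization_header.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic Authorization header")
    return base64.b64decode(b64).decode()


if __name__ == "__main__":
    doc = load_discovery(DISCOVERY_URI, SAMPLE_DISCOVERY_JSON)
    print(build_authorization_url(doc, "smart-trading-cloud", "https://sp.example.com/oidc/callback",
                                  "openid profile email", "st1", "n1"))
    for method in ("POST", "Basic"):
        print(build_token_request(doc, "code123", "https://sp.example.com/oidc/callback",
                                  "smart-trading-cloud", "s3cr3t/+x", method))
```

The placeholder secret contains a slash and a plus sign on purpose: with the Basic method they are percent-encoded before base64, and a provider that decodes the header without reversing that encoding will reject the client, which is a common cause of "invalid_client" errors when switching between POST and Basic.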
Download service provider metadata
In the Authorization service (Smart Trading Cloud), you can download the saml-conf.xml file with the service provider metadata. To do this, click Smart Trading Cloud SAML SP Metadata.
Configure SAML federation for your identity provider
- Go to your identity provider settings and add Onboarding and Testing Cloud Service as a service provider using the metadata (the saml-conf.xml file) (consult your identity provider documentation on how to set up a new trusted application).
- (As the last step of this configuration scenario) Go to the User Registrations page (on the left navigation bar).
- On the top right of the page, click Configure User Federation.
- On the SAML Federation Configuration page, under Status, select one of the following to enable SAML federation:
- Enable for Administrators: Only account administrators will be able to authenticate with the identity provider. They will be able to sign in using their Smart Trading credentials as well.
- Enable for All Users: All the account users (including administrators) will be required to authenticate with the identity provider. The administrators will be able to sign in using their Smart Trading credentials as well.
- Click OK.
Warning: Edifecs does not recommend that you enable SAML or OIDC authentication if your account users work with the Smart Trading Cloud artifacts through the following on-premise Edifecs applications:
- Edifecs Application Manager (version 9.2.3.1 or earlier)
- XEngine (version 9.2.3.1 or earlier)
- SpecBuilder (version 9.2.3 or earlier)
- XES Module for FHIR (version 9.2.3.1 or earlier)