SAML or OIDC Authentication for Your Organization
The following section contains step-by-step instructions on how to configure SAML or OIDC federation for your organization domain.
Prerequisites
Before you start establishing federated single sign-on for your organization account users, make sure that the following information is available:
For OIDC Authentication
- Discovery URI: the URI where an OpenID server publishes its metadata and which returns a JSON listing of the OpenID/OAuth endpoints, available scopes and claims, public keys used to sign the tokens, and other details.
- Authorization URL: the URL to the authorization endpoint that accepts an authentication request, which includes the parameters defined by both the OAuth 2.0 and the OIDC 1.0 specifications.
- Token URL: the URL to the token endpoint that accepts a client request with an authorization code issued to the client by the authorization endpoint.
- User Info URL: the URL to the protected resource that returns authorized information on the end user represented by the corresponding Authorization Grant when the client presents an access token.
- JWKS URL: the URL to the endpoint that returns a JWKS containing the public keys that enable clients to validate a JSON Web Token (JWT) issued by this OIDC provider.
- Logout URL: the URL to log out an end user from the OIDC provider.
- Issuer URL: the URL that identifies the OpenID provider.
Configure SAML or OIDC authentication on both sides: on the Authorization service (Smart Trading Cloud), which serves Smart Trading Cloud services such as Onboarding and Testing Cloud Service, and on the identity provider.
To configure SAML or OIDC federation for an organization domain:
- Go to the Authorization service at https://auth.edifecsfedcloud.com and sign in as an account administrator. (A video tutorial that shows how to get started with Smart Trading Cloud is also available.)
- Go to the User Registrations page (on the left navigation bar).
- On the top right of the page, click Federation Configuration.
- Click Configure SAML Federation or Configure OIDC Federation.
Configure SAML Federation
- Review the caution message on SAML support by on-premise Edifecs products. If it does not apply to your account users, click Continue.
- In SAML Federation Configuration, the Status setting is where you enable SAML federation for all account users or only for administrators. Do this only after you fill out the required fields below and register Onboarding and Testing Cloud Service as a service provider in your identity provider.
- Provide IdP information either through:
IdP Metadata: Click Upload IdP Metadata to upload XML file with your SAML identity provider metadata.
-OR-
The following:
- IdP SSO URL: Enter the identity provider's single sign-on URL. Select Use HTTP-POST binding for authentication requests and/or Use HTTP-POST binding for response if you want the SAML protocol messages to be transferred within the base64-encoded content of an HTML form control. If not selected, the HTTP Redirect binding is used.
- IdP Logout URL: Select Use HTTP-POST binding for logout if you want the logout messages to be transferred within the base64-encoded content of an HTML form control. If not selected, the HTTP Redirect binding is used.
- Signature Verification Certificate: the identity provider's certificate that the Authorization service uses to verify the signatures on SAML responses.
- In Username (Email) Source, for the Authorization service (Smart Trading Cloud) to extract the identity of the authenticated user from the SAML assertion, specify the location of the user name (email) in the assertion that the identity provider will send as a response.
- Select Assertion subject if a user name will be located in the <saml:Subject> element of the response.
- Select Assertion attribute if a user name will be located in the <saml:Attribute> element of the response. In User Email - Attribute Name, enter the value of the attribute Name (for example, urn:oid:0.9.2342.19200300.100.1.3). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- In Required Attributes, specify how the attributes are labeled in assertions. When users are logged into their personal Onboarding and Testing Cloud Service accounts, they can see their first and last names in their profile information. For this, the identity provider must send this information to the Authorization service (Smart Trading Cloud) in the form of attributes, and for the Authorization service to recognize these attributes, you must specify how they are labeled in assertions.
- In User First Name - Attribute Name, enter the value of the attribute Name that carries the user's first name (for example, urn:oid:2.5.4.42). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- In User Last Name - Attribute Name, enter the value of the attribute Name that carries the user's last name (for example, urn:oid:2.5.4.4). Select Use attribute friendly name for the Authorization service to rely on the human-readable form of the attribute.
- Click Save.
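As an added example (not Edifecs code, and not part of this documentation), the following Python shows what the Username (Email) Source and Required Attributes settings above amount to when an assertion arrives: the username is taken either from the <saml:Subject> NameID or from a <saml:Attribute> matched by its Name or, with Use attribute friendly name, by its FriendlyName. The assertion is a constructed sample; the attribute names are the OIDs quoted on this page, and the friendly names mail, givenName and sn are assumed values.

```python
# Added example (not Edifecs code): extract the username (email) and the first/last
# name from a SAML assertion the way the Username (Email) Source and Required
# Attributes settings describe. SAMPLE_ASSERTION is a constructed sample; the OIDs
# are the ones quoted in the documentation, the friendly names are assumed.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ASSERTION_TAG = "{%s}Assertion" % SAML_NS["saml"]

# Constructed sample assertion (not a real IdP response); the XML signature is omitted.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_placeholder-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.test</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
      <saml:AttributeValue>jane.doe@example.test</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="urn:oid:2.5.4.4" FriendlyName="sn">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def attribute_values(root, name, use_friendly_name=False):
    """Return the values of the <saml:Attribute> whose Name (or FriendlyName) matches."""
    key = "FriendlyName" if use_friendly_name else "Name"
    values = []
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        if attr.get(key) == name:
            values.extend(v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text)
    return values


def username_from_subject(root):
    """Assertion subject: the username is the <saml:NameID> inside <saml:Subject>."""
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion carries no Subject/NameID")
    return name_id.text.strip()


def username_from_attribute(root, attribute_name, use_friendly_name=False):
    """Assertion attribute: the username is the single value of the named attribute.

    Exactly one value is required; zero or several values make the identity ambiguous.
    """
    values = attribute_values(root, attribute_name, use_friendly_name)
    if len(values) != 1:
        raise ValueError("expected exactly one value for %r, found %d" % (attribute_name, len(values)))
    return values[0]


def extract_profile(assertion_xml, source="subject", email_attribute=None, use_friendly_name=False,
                    first_name_attribute="urn:oid:2.5.4.42", last_name_attribute="urn:oid:2.5.4.4"):
    """Map an assertion to the email / first name / last name the Authorization service needs.

    Call this only on an assertion whose signature has already been verified against the
    Signature Verification Certificate; nothing in this function checks the signature.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != ASSERTION_TAG:
        raise ValueError("root element is not a SAML 2.0 Assertion: %s" % root.tag)
    if source == "subject":
        email = username_from_subject(root)
    elif source == "attribute":
        email = username_from_attribute(root, email_attribute, use_friendly_name)
    else:
        raise ValueError("source must be 'subject' or 'attribute'")
    first = attribute_values(root, first_name_attribute, use_friendly_name)
    last = attribute_values(root, last_name_attribute, use_friendly_name)
    return {"email": email,
            "first_name": first[0] if first else None,
            "last_name": last[0] if last else None}


if __name__ == "__main__":
    print(extract_profile(SAMPLE_ASSERTION))
    print(extract_profile(SAMPLE_ASSERTION, source="attribute", email_attribute="mail",
                          use_friendly_name=True, first_name_attribute="givenName",
                          last_name_attribute="sn"))
```

The Use attribute friendly name switch changes which XML attribute is compared (FriendlyName instead of Name), so when it is enabled the configured values must be the friendly names rather than the OIDs. The single-value rule on the email attribute is deliberate: an assertion that carries two values for the username attribute should be rejected rather than silently mapped to the first one.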
Configure OIDC Federation
- Review the caution message on OIDC support by on-premise Edifecs products. If it does not apply to your account users, click Continue.
- In OIDC Federation Configuration, the Status setting is where you enable OIDC federation for all account users or only for administrators. Do this only after you fill out the required fields below and register Onboarding and Testing Cloud Service as a service provider in your identity provider.
In Status, select one of the following:
- Enable for Administrators: Only account administrators will be able to authenticate with the identity provider. They will be able to sign in using their Smart Trading credentials as well.
- Enable for All Users: All the account users (including administrators) will be required to authenticate with the identity provider. The administrators will be able to sign in using their Smart Trading credentials as well.
And then click OK.
- In Client ID, copy the Smart Trading Cloud identifier to your identity provider; this is the client identifier used when registering Smart Trading Cloud in the OIDC provider.
- In Client Secret, enter a secret key retrieved from your identity provider to protect the client identity.
- In Client Auth Method, select POST or Basic to determine whether the client ID and the client secret should be sent to the OIDC provider within the HTTP request body as a form parameter or the Authorization HTTP header with a basic scheme.
- In Scopes, enter a space-separated list of scopes to be used in an authorization request.
- Provide IdP Metadata either through:
Metadata URL: Enter the Discovery URI, that is, the URI where an OpenID server publishes its metadata and which returns a JSON listing of the OpenID/OAuth endpoints, available scopes and claims, public keys used to sign the tokens, and other details.
-OR-
Provided Metadata:
- Authorization URL: Enter the URL to the authorization endpoint that accepts an authentication request, which includes the parameters defined by both the OAuth 2.0 and the OIDC 1.0 specifications.
- Token URL: Enter the URL to the token endpoint that accepts a client request with an authorization code issued to the client by the authorization endpoint.
- User Info URL: Enter the URL to the protected resource that returns authorized information on the end user represented by the corresponding Authorization Grant when the client presents an access token.
- JWKS URL: Enter the URL to the endpoint that returns a JWKS containing the public keys that enable clients to validate a JSON Web Token (JWT) issued by this OIDC provider.
- Logout URL: Enter the URL to log out an end user from the OIDC provider.
- Issuer URL: Enter the URL that identifies the OpenID provider.
- In Required Attributes, specify how the attributes are labeled in assertions. When users are logged into their personal Onboarding and Testing Cloud Service accounts, they can see their first and last names in their profile information. For this, the identity provider must send this information to the Authorization service (Smart Trading Cloud) in the form of attributes, and for the Authorization service to recognize these attributes, you must specify how they are labeled in assertions.
- In User Email - Attribute Name, the value of the attribute Email that carries the user's email address is filled in automatically.
- In User First Name - Attribute Name, enter the value of the attribute Name that carries the user's first name.
- In User Last Name - Attribute Name, enter the value of the attribute Name that carries the user's last name.
- Click Save.
- Select which domains this configuration must be applied to.
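The OIDC prerequisites list and the Metadata URL / Provided Metadata choice above are two views of the same data: the JSON returned by the Discovery URI carries the Authorization, Token, User Info, JWKS, Logout and Issuer URLs. As an added example (not Edifecs code, and not part of this documentation), the following Python reads a constructed discovery document into those six fields, checks that its issuer matches the configured Issuer URL and that every endpoint is https, validates the space-separated Scopes value, and builds the token request for the POST and Basic client auth methods. The issuer https://idp.example.test, the client values and the redirect URI are placeholders.

```python
# Added example (not Edifecs code): turn an OIDC discovery document into the
# Metadata fields listed on this page, check the scopes, and build the token
# request for the POST or Basic client auth method. DISCOVERY_DOC is a constructed
# sample of the JSON a Discovery URI returns; all URLs and client values are placeholders.
import base64
import json
from urllib.parse import quote, urlencode, urlparse

# Constructed discovery document (what a real Discovery URI would return as JSON).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test",
    "authorization_endpoint": "https://idp.example.test/oauth2/authorize",
    "token_endpoint": "https://idp.example.test/oauth2/token",
    "userinfo_endpoint": "https://idp.example.test/oauth2/userinfo",
    "jwks_uri": "https://idp.example.test/oauth2/keys",
    "end_session_endpoint": "https://idp.example.test/oauth2/logout",
    "scopes_supported": ["openid", "profile", "email"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

# Field label on this page -> key in the discovery document.
FIELD_KEYS = {
    "Issuer URL": "issuer",
    "Authorization URL": "authorization_endpoint",
    "Token URL": "token_endpoint",
    "User Info URL": "userinfo_endpoint",
    "JWKS URL": "jwks_uri",
    "Logout URL": "end_session_endpoint",
}

# Client Auth Method choice on this page -> method name used in discovery documents.
AUTH_METHOD_NAMES = {"POST": "client_secret_post", "Basic": "client_secret_basic"}


def metadata_from_discovery(doc_json, expected_issuer):
    """Return {field label: URL}; refuse a document whose issuer or endpoints are off."""
    doc = json.loads(doc_json)
    # The issuer must equal the configured Issuer URL, otherwise tokens from one
    # provider could be accepted as if they came from another.
    if doc.get("issuer") != expected_issuer:
        raise ValueError("issuer %r does not match the configured Issuer URL %r"
                         % (doc.get("issuer"), expected_issuer))
    fields = {}
    for label, key in FIELD_KEYS.items():
        value = doc.get(key)
        if not value:
            raise ValueError("discovery document lacks %s (%s)" % (key, label))
        if urlparse(value).scheme != "https":
            raise ValueError("%s must be an https URL, got %s" % (label, value))
        fields[label] = value
    return fields


def check_scopes(doc_json, scopes):
    """Split the space-separated Scopes value and check it against scopes_supported."""
    doc = json.loads(doc_json)
    requested = scopes.split()
    if "openid" not in requested:
        raise ValueError("an OIDC authorization request must include the openid scope")
    supported = doc.get("scopes_supported")  # optional in the discovery document
    if supported is not None:
        missing = [s for s in requested if s not in supported]
        if missing:
            raise ValueError("scopes not advertised by the provider: %s" % ", ".join(missing))
    return requested


def token_request(doc_json, method, client_id, client_secret, code, redirect_uri):
    """Build the token-endpoint request for the selected Client Auth Method.

    POST sends client_id/client_secret as form parameters in the body; Basic sends
    them in an Authorization header with the basic scheme and keeps them out of the body.
    """
    doc = json.loads(doc_json)
    if method not in AUTH_METHOD_NAMES:
        raise ValueError("method must be 'POST' or 'Basic'")
    # OIDC Discovery defines client_secret_basic as the default when the key is absent.
    supported = doc.get("token_endpoint_auth_methods_supported", ["client_secret_basic"])
    if AUTH_METHOD_NAMES[method] not in supported:
        raise ValueError("provider does not support %s" % AUTH_METHOD_NAMES[method])
    params = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if method == "POST":
        params["client_id"] = client_id
        params["client_secret"] = client_secret
    else:
        # RFC 6749 2.3.1: percent-encode id and secret before joining them for Basic auth.
        credentials = "%s:%s" % (quote(client_id, safe=""), quote(client_secret, safe=""))
        headers["Authorization"] = "Basic " + base64.b64encode(credentials.encode()).decode()
    return {"url": doc["token_endpoint"], "headers": headers, "body": urlencode(params)}


if __name__ == "__main__":
    print(metadata_from_discovery(DISCOVERY_DOC, "https://idp.example.test"))
    print(check_scopes(DISCOVERY_DOC, "openid profile email"))
    print(token_request(DISCOVERY_DOC, "Basic", "placeholder-client-id", "placeholder-secret",
                        "placeholder-code", "https://sp.example.test/callback"))
```

The issuer comparison is the check to keep when adapting this: a discovery document fetched from the Metadata URL should name the same issuer you enter in Issuer URL, and that value is the one later compared against the iss claim of every ID token. Whichever Client Auth Method you select, the provider must advertise it (or default to client_secret_basic), otherwise the token request fails at the identity provider.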
Service provider metadata
In the Authorization service (Smart Trading Cloud), you can download the saml-conf.xml file with the service provider metadata. To do this, click Smart Trading Cloud SAML SP Metadata.
To configure SAML federation for your identity provider:
- Go to your identity provider settings and add Onboarding and Testing Cloud Service as a service provider using the service provider metadata (the saml-conf.xml file); consult your identity provider documentation on how to set up a new trusted application.
- As the last step of this configuration scenario, go back to SAML Federation Configuration in the Authorization service. To enable SAML federation, in Status, select one of the following:
- Enable for Administrators: Only account administrators will be able to authenticate with the identity provider. They will be able to sign in using their Smart Trading credentials as well.
- Enable for All Users: All the account users (including administrators) will be required to authenticate with the identity provider. The administrators will be able to sign in using their Smart Trading credentials as well.
And then click OK.
Single Sign-on (SSO)
The following workflow occurs when single sign-on is enabled.
Single sign-on enabled
- A user goes to any Smart Trading Cloud service, for example, Onboarding and Testing Cloud Service, using a web browser. The user is redirected to the Identity Provider’s sign-in screen.
- The user enters credentials.
- The Identity Provider authenticates the user's credentials and redirects the user to the Onboarding and Testing Cloud Service home page.
The following workflow occurs when single sign-on is disabled.
Single sign-on disabled
- A user goes to any Smart Trading Cloud service, for example, Onboarding and Testing Cloud Service, using a web browser. The user is redirected to Onboarding and Testing Cloud Service sign-in screen where they are prompted to enter their email address.
- The user is redirected to the next page to enter the password.
- After successful authentication, the user can use Onboarding and Testing Cloud Service.
Warning: Edifecs does not recommend that you enable SAML or OIDC authentication if your account users work with the Smart Trading Cloud artifacts through the following on-premise Edifecs applications:
- Edifecs Application Manager (version 9.2.3.1 or earlier)
- XEngine (version 9.2.3.1 or earlier)
- SpecBuilder (version 9.2.3 or earlier)
- XES Module for FHIR (version 9.2.3.1 or earlier)