SSO (SAML2)

SSO authentication provided by FacilityOS allows users to be authenticated via the customer's identity provider in order to access the software.

Client Responsibilities

  • Provide metadata and other documentation for configuring the SP (Service Provider). Documentation should include:
    • Required metadata information such as the Entity ID and, if not using a SAML federation such as InCommon, any single-sign-on URLs.
    • List of available attributes with descriptions and sample values.
      • It is not recommended to limit attributes to a single unique identifier (e.g. EPPN). In many cases, this may not match the unique identifier used in other areas of the application.
    • Log Off – Include the recommended Log Off procedure (including URLs).
  • Default user group for all new SSO users
    • Typically, general SSO users are given access to search by tracking number and to create new shipping requests
  • If applicable, provide a list of the Desktop and Mobile clients to which SSO should be applied
    • This setting can be applied to all licenses, or on a per client basis.
    • Network access is required on all devices that will use SSO authentication.
  • Decide whether the CSP should drive directly to SSO authentication.
    • Note: This should only be employed when local application credentials will not be used by any users.

FacilityOS Responsibilities

  • Supply client with Entity ID, ACS URL and Return URL.
  • Provide X.509 Certificate, if required by the client.
  • Submit metadata through InCommon, if the Identity Provider wishes to use an identity management federation.
  • Ensure that the authentication response handler correctly consumes the SAML-specific attributes.
  • Ensure Log Off requests are handled per the instructions provided by the Client.

Service Provider Setup Process

  1. Client provides FacilityOS with documentation including the entire metadata file, or, if using an identity management federation such as InCommon, the client's Entity ID.
  2. Upon receipt of the documentation, FacilityOS will review it and configure the software to consume the provided metadata.
  3. FacilityOS will configure the default user group to which all users will be assigned.
  4. Once the configuration is complete, FacilityOS will send its metadata to the client if they are not using an identity management federation.
  5. Client receives FacilityOS metadata and updates their IdP.
    1. At this point, direct interaction via phone is often helpful to resolve any setup issues.
  6. FacilityOS informs the client that SSO login is available for testing. The easiest process is generally a quick call to ensure the client can access as expected and troubleshoot if needed.
  7. Client acceptance testing occurs.
  8. FacilityOS provides the client with the application URL to publish.
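As an added example (not FacilityOS code), the script below shows the two technical pieces behind this process: what the SP pulls out of the client's IdP metadata in steps 1 and 2 (Entity ID, single-sign-on and Log Off endpoints per binding, signing certificate), and how the attribute statement from a SAML assertion is mapped onto local user fields, with a check for the attribute-release problem noted under Client Responsibilities (only a single identifier such as EPPN released). The metadata, attribute statement, hostnames and certificate string are constructed samples; the attribute OIDs are the standard eduPerson and LDAP ones, but which attributes the SP requires is an assumption for the example. Signature validation of the response and of the metadata is left to the SP library and is not shown; for XML from an untrusted source, a hardened parser such as defusedxml should replace the stdlib parser used here.

```python
"""Extract SP configuration from SAML 2.0 IdP metadata and map released attributes.

Added example with constructed sample data; function and field names are assumptions,
not FacilityOS code.
"""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample IdP metadata; host and certificate are placeholders.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.edu/idp/shibboleth">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-PLACEHOLDER-CERT-BASE64</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SLO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.edu/idp/profile/SAML2/Redirect/SSO"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.edu/idp/profile/SAML2/POST/SSO"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed sample AttributeStatement as it would appear inside a (signed) assertion.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:0.9.2342.19200300.100.1.3" FriendlyName="mail">
    <saml:AttributeValue>jane.doe@example.edu</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:oid:2.5.4.42" FriendlyName="givenName">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
"""

# Standard attribute OIDs -> local field names. Which attributes the SP needs is an
# assumption for this example; in practice it comes from the client's attribute list.
ATTRIBUTE_MAP = {
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.6": "eppn",
    "urn:oid:0.9.2342.19200300.100.1.3": "mail",
    "urn:oid:2.5.4.42": "given_name",
    "urn:oid:2.5.4.4": "surname",
}


def parse_idp_metadata(xml_text):
    """Return what the SP needs from IdP metadata: entityID, SSO/SLO endpoints per binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append("".join(cert.text.split()))  # strip base64 line wrapping
    return {
        "entity_id": root.get("entityID"),
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "slo": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)},
        "signing_certs": certs,
    }


def parse_attribute_statement(xml_text):
    """Map released SAML attributes onto local user fields; attributes not in the map are ignored."""
    root = ET.fromstring(xml_text)
    user = {}
    for attr in root.findall("saml:Attribute", NS):
        field = ATTRIBUTE_MAP.get(attr.get("Name"))
        if field is None:
            continue
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            user[field] = values if len(values) > 1 else values[0]
    return user


def attribute_release_issues(user, required=("eppn", "mail", "given_name", "surname")):
    """List problems with the release: missing required fields, or only a single identifier."""
    issues = [f"missing attribute: {f}" for f in required if f not in user]
    if set(user) == {"eppn"}:
        issues.append("only eppn released; it may not match the identifier used elsewhere in the application")
    return issues


if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print(cfg["entity_id"], cfg["sso"]["urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"])
    user = parse_attribute_statement(SAMPLE_ATTRIBUTE_STATEMENT)
    print(user, attribute_release_issues(user))
```

The SLO entry is the URL the Log Off procedure under Client Responsibilities refers to, and the certificate list is what the SP pins for verifying assertion signatures; if the client later rotates IdP keys, the metadata must be re-consumed or logins will fail signature validation.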