The SAML ACS requires a registered Identity Provider ID, which can only be created in an Enterprise-level subscription of a TraceGains product.
What Kind of SSO Does TraceGains Support?
TraceGains provides support for Single Sign-On (SSO) using the Security Assertion Markup Language (SAML) V2.0 OASIS specification. This article covers general guidelines for creating a custom SSO configuration with TraceGains as the Service Provider.
Key Terms
- Service Provider (Sp) - in all supported SAML workflows, TraceGains acts as the Service Provider.
- Assertion Consumer Service (ACS) - a component of the SSO architecture that receives and processes authentication assertions sent by the Identity Provider.
- Identity Provider (IdP) - the component of the SSO architecture that manages user identities and authenticates users before sending an authentication assertion to the Service Provider.
- Single Logout (SLO) - allows users to log out of all applications in the SSO session with a single action.
- Digest Algorithm - cryptographic algorithm used to convert data into a fixed-length, unique sequence of characters (hash value) that can be used for data integrity verification and secure data storage.
- X.509 Certificate - a digital certificate that uses the widely accepted X.509 public key infrastructure (PKI) standard to verify the identity of a user, device, or entity.
Disclaimers
- User accounts can only be assigned to a single IdP configuration per TraceGains instance.
- User accounts with access to multiple TraceGains instances can be assigned a different IdP configuration per instance, allowing a user account to be authenticated by any configured IdP for that user account.
- Once SSO has been enabled for a TraceGains Network user account, TraceGains can no longer authenticate that user account. Authentication must be done through the IdP.
- Any account assigned at least one SSO IdP configuration from any TraceGains instance is no longer allowed to request password resets or request account confirmations until all SSO assignments for the account have been removed.
- If the user account can no longer be authenticated by any of the account’s registered IdP configurations, the account will no longer be able to authenticate to any TraceGains instance.
TraceGains recommends maintaining at least one admin account with no SSO assignment to manage user roles and to retain access in case of widespread SSO issues.
Getting Started
To set up SSO in TraceGains, you must enable the SSO permission for an access role. By default, this permission is not granted to any access roles in a TraceGains instance.
How to enable SSO permission:
Step 1: Log in to your TraceGains account with a System Admin role.
Step 2: Navigate to the Configuration>Access>Roles page and select the access role that you want to enable SSO for.
Step 3: In the access role settings, enable the Single Sign-On permission.
Configure New Custom Identity Provider
IdP-Initiated SSO
The screenshot below shows the information TraceGains will need from your Identity Provider to create a SAML configuration in TraceGains.
If your IdP does not support IdP-Initiated SLO, leave the SLO Endpoint (HTTP) empty.
Digest Algorithm: TraceGains supports the most common Digest Algorithm methods from the OASIS standard, but we recommend the default SHA256 or SHA512 algorithms.
X.509 Certificate: The field supports the generally accepted Base-64 encoded string format, with or without the certificate BEGIN/END prefix and suffix.
TraceGains SSO ACS (Consumer) URL and Single Logout URL formats both contain the ID of the configuration you are creating. Registered commercial identity providers may require this ID, commonly known as the Identity ID. If your IdP configuration requires you to provide an Audience and/or a Recipient restriction, we suggest using the full TraceGains SSO ACS (Consumer) URL for both.
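The Audience and Recipient values matter because the Service Provider compares them, together with the Response Destination, against its own ACS URL before it accepts an assertion. The following is an added example, not TraceGains code, of those checks run over a constructed, unsigned IdP-initiated Response. The ACS and IdP URLs are placeholders, and signature verification with the IdP's X.509 certificate is assumed to have already passed before this function is called.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Placeholder for the TraceGains SSO ACS (Consumer) URL of one configuration;
# the real URL embeds the configuration ID and comes from the TraceGains UI.
ACS_URL = "https://tracegains.example.invalid/sso/acs/CONFIG-ID-PLACEHOLDER"

# Constructed, unsigned IdP-initiated Response (no InResponseTo). Destination,
# Recipient and Audience all carry the ACS URL, as the article suggests.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Assertion ID="_assert-1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.invalid</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z" Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{ACS_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Constructed clock values: one inside the assertion's validity window, one after it.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 1, tzinfo=timezone.utc)
EXPIRED_NOW = datetime(2024, 1, 1, 12, 6, tzinfo=timezone.utc)


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_response(xml_text: str, expected_acs: str, now: datetime,
                   pending_request_ids: frozenset = frozenset()) -> list:
    """Return the problems found in an already signature-verified Response.
    An empty list means Destination, Recipient, Audience and the validity
    window all matched this ACS."""
    problems = []
    resp = ET.fromstring(xml_text)
    if resp.get("Destination") != expected_acs:
        problems.append(f"Destination {resp.get('Destination')!r} is not this ACS")
    # An IdP-initiated Response is unsolicited; if InResponseTo is present it
    # must refer to an AuthnRequest this SP actually issued (Sp-initiated flow).
    in_response_to = resp.get("InResponseTo")
    if in_response_to is not None and in_response_to not in pending_request_ids:
        problems.append("InResponseTo does not match an outstanding AuthnRequest")
    assertions = resp.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return problems + [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion = assertions[0]
    # Recipient: the bearer confirmation must be addressed to this ACS URL.
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData Recipient is missing or is not this ACS")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    # Audience: the assertion must name this SP; the article suggests the ACS URL.
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_acs not in audiences:
        problems.append(f"Audience {audiences!r} does not include this ACS")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired (NotOnOrAfter)")
    return problems


if __name__ == "__main__":
    print("valid window:", check_response(SAMPLE_RESPONSE, ACS_URL, SAMPLE_NOW))
    print("after expiry:", check_response(SAMPLE_RESPONSE, ACS_URL, EXPIRED_NOW))
```

Using the full ACS URL for both Audience and Recipient means a single misconfigured or replayed assertion fails all three comparisons at once, which is why the article's suggestion is the simplest safe choice.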
Sp-Initiated SSO
In most cases, this Sp-Initiated SSO tab can be left blank.
If an SSO-enabled user account attempts to log in to TraceGains directly, TraceGains will initiate the Sp-Initiated SSO workflow. The screenshot above contains the most common defaults for the Sp-Initiated workflow.
TraceGains recommends that you enable Sign Authn Request if your IdP supports the configuration.
TraceGains uses the most common NameID Format by default; all OASIS specification formats are supported.
If you enable signed assertions or signed responses, your IdP configuration will require the TraceGains SSL certificate information, either as a certificate fingerprint computed with a specified hash algorithm or as the certificate itself in Base-64 encoded string form.
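As an added illustration, not TraceGains code, the snippet below shows how a Service Provider can accept the X.509 certificate field in either form described above, with or without the BEGIN/END armor, and how the fingerprint an IdP console may ask for is derived from the same DER bytes with a chosen hash algorithm. The certificate bytes are a constructed stand-in (an ASN.1 SEQUENCE header plus filler), not a real certificate.

```python
import base64
import binascii
import hashlib
import re
import textwrap

# Constructed stand-in for a DER-encoded certificate: an ASN.1 SEQUENCE tag
# with a long-form length of 266, followed by filler bytes. It is not a real
# certificate; it only lets the example run offline.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x0A]) + bytes(range(256)) + b"\x00" * 10

# The same bytes as a PEM block, the form most IdP consoles export.
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + "\n".join(textwrap.wrap(base64.b64encode(SAMPLE_DER).decode("ascii"), 64))
    + "\n-----END CERTIFICATE-----\n"
)

_ARMOR = re.compile(r"-----(?:BEGIN|END)[^-]*-----")


def normalize_certificate(text: str) -> bytes:
    """Accept a certificate pasted with or without the BEGIN/END armor and
    return its DER bytes; raise ValueError if the input is not a well-formed
    Base-64 certificate."""
    body = re.sub(r"\s+", "", _ARMOR.sub("", text))
    if not body:
        raise ValueError("no certificate data found")
    try:
        der = base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"certificate is not valid Base-64: {exc}") from exc
    # Every DER certificate starts with an ASN.1 SEQUENCE tag; anything else
    # (a PKCS#12 blob, a private key, stray text) is rejected up front.
    if not der or der[0] != 0x30:
        raise ValueError("decoded data is not a DER SEQUENCE (not a certificate)")
    return der


def is_valid_certificate_text(text: str) -> bool:
    """Boolean wrapper around normalize_certificate for form validation."""
    try:
        normalize_certificate(text)
    except ValueError:
        return False
    return True


def fingerprint(der: bytes, algorithm: str = "sha256") -> str:
    """Colon-separated upper-case hex fingerprint of the DER bytes, the form
    IdP consoles usually expect. `algorithm` is any hashlib name; SHA-256 is
    the default, SHA-512 is the other common choice."""
    digest = hashlib.new(algorithm, der).digest()
    return ":".join(f"{b:02X}" for b in digest)


if __name__ == "__main__":
    der = normalize_certificate(SAMPLE_PEM)
    print("DER length:", len(der))
    print("SHA-256:", fingerprint(der))
    print("SHA-512:", fingerprint(der, "sha512"))
```

Because the fingerprint is computed over the decoded DER bytes rather than the pasted text, the same value results whether the certificate was supplied with or without the armor lines.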
Just-in-Time Provisioning
TraceGains supports the System for Cross-domain Identity Management (SCIM) for use in Just-in-Time (JIT) account provisioning. Enable Just-in-Time Provisioning to allow TraceGains to automatically create unknown accounts when users are authenticating from an IdP-Initiated SAML workflow request.
When TraceGains receives a successfully verified IdP-Initiated SAML payload for an SSO configuration that has JIT provisioning enabled, TraceGains will create a new account for the user if one does not exist and the SAML payload includes the required SCIM attributes.
To reduce the amount of maintenance required in assigning users to SSO configurations, TraceGains suggests enabling the Enable Identity Provider Sync option in an SSO configuration. If enabled, user accounts that successfully authenticate using SSO will automatically be assigned to the SSO configuration as their registered IdP.
This option is particularly useful when JIT provisioning has been enabled, or when user accounts need to be transitioned from one IdP configuration to another. This option can safely be left enabled, but TraceGains recommends that it be disabled once its use is out of scope.
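To make the interplay of Just-in-Time Provisioning and Identity Provider Sync concrete, here is an added example, not TraceGains code, that applies the rules above to the attributes of a verified IdP-initiated assertion and a small in-memory account directory for one instance. The SCIM attribute names it treats as required are an assumption (the article does not list them), and its handling of an account registered to a different configuration while sync is disabled is also an assumption, marked in the code.

```python
from dataclasses import dataclass, field
from typing import Optional
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed required attributes, in SCIM core-schema URI form; the article does
# not state which attributes TraceGains actually requires for JIT.
REQUIRED_SCIM_ATTRS = (
    "urn:ietf:params:scim:schemas:core:2.0:User:userName",
    "urn:ietf:params:scim:schemas:core:2.0:User:emails",
)

# Constructed AttributeStatement as an IdP might include it in an assertion.
SAMPLE_ATTRIBUTE_STATEMENT = f"""<saml:AttributeStatement xmlns:saml="{SAML_NS['saml']}">
  <saml:Attribute Name="urn:ietf:params:scim:schemas:core:2.0:User:userName">
    <saml:AttributeValue>jdoe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:ietf:params:scim:schemas:core:2.0:User:emails">
    <saml:AttributeValue>jdoe@example.invalid</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:ietf:params:scim:schemas:core:2.0:User:name.givenName">
    <saml:AttributeValue>Jane</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(xml_text: str) -> dict:
    """Map each SAML Attribute Name to its list of AttributeValue texts."""
    root = ET.fromstring(xml_text)
    return {
        attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        for attr in root.findall("saml:Attribute", SAML_NS)
    }


@dataclass
class Account:
    username: str
    roles: list = field(default_factory=list)
    idp_config: Optional[str] = None   # at most one IdP configuration per instance


@dataclass
class SsoConfig:
    config_id: str
    jit_provisioning: bool
    identity_provider_sync: bool


def resolve_login(attrs: dict, config: SsoConfig, directory: dict) -> str:
    """Apply the JIT and IdP Sync rules to a verified IdP-initiated login.

    `directory` maps username -> Account for one TraceGains instance and is
    updated in place. Returns "created", "assigned", "authenticated" or
    "rejected"."""
    username = (attrs.get(REQUIRED_SCIM_ATTRS[0]) or [None])[0]
    if username is None:
        return "rejected"                      # subject cannot be identified
    account = directory.get(username)
    if account is None:
        # JIT creates an account only when enabled and every required
        # attribute is present in the payload.
        if not config.jit_provisioning:
            return "rejected"
        if any(not attrs.get(name) for name in REQUIRED_SCIM_ATTRS):
            return "rejected"
        # The FAQ says JIT can create users and assign roles but never updates
        # existing users' roles; how initial roles are chosen is not described
        # here, so the new account starts with none.
        directory[username] = Account(username=username, roles=[], idp_config=config.config_id)
        return "created"
    # Existing account: JIT never touches it, so roles stay exactly as they are.
    if account.idp_config == config.config_id:
        return "authenticated"
    if config.identity_provider_sync:
        # IdP Sync: a successful SSO login registers this configuration as the
        # account's IdP for this instance, replacing any previous assignment.
        account.idp_config = config.config_id
        return "assigned"
    # Assumption: with sync disabled, an account registered to a different (or
    # no) IdP configuration is not authenticated by this configuration.
    return "rejected"
```

Run against the constructed statement, a first login with JIT enabled creates the account under that configuration; a later login through a second configuration is only accepted if Identity Provider Sync is on, which is the migration case the article describes, and the account's roles are never modified by either path.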
Frequently Asked Questions
Q: Does IdP-initiated SSO only work for Enterprise users?
A: When a user creates an account in TraceGains, their single account is global and can be used to access one or more Enterprise sites and TraceGains Gather® supplier groups. The user then gains role-based access to their TraceGains account after authenticating their discrete account through the IdP.
Q: Can I use JIT provisioning to update roles for employees already in the system?
A: No. JIT provisioning cannot update roles for existing users; it can only create new users and assign them to roles. Therefore, it is advantageous to start this process early, before you have an overwhelming number of roles and/or users in the system.
Q: Can I edit TG user roles through my IdP?
A: Updating a user’s TraceGains role through an IdP after provisioning is not supported. Role updates must be performed manually in a TraceGains enterprise instance by an authorized user.
Troubleshooting
- Error: "SAML 2.0 login to TraceGains" when logging in
- This error occurs when a user is assigned an SSO, but old login credentials are saved in the web browser.
- Solution: Clear saved TraceGains credentials from your browser and reattempt SSO login.
Further Reading
To learn how to configure Okta SSO within TraceGains, read this article.