Single Sign-On Configuration

Overview

This article guides you through configuring Single Sign-On (SSO) for your Ondexx instance. Ondexx supports integration with multiple Identity Providers (IdPs), allowing users to authenticate using their preferred domain, a secondary domain for disaster recovery, and a deployment domain for UAT and major updates.

Single Sign-On can be configured by Super Admins under Configuration > Single Sign-On

Configuring Your Primary Domain

1. Signing Certificate: Select the appropriate certificate for your domain. Note that certificates have expiry dates; choose one that is valid. The current options are:
   • Ondexx Digital Signature 1 (Not Valid After Wednesday, Feb 28, 2024 Eastern Standard Time)
   • Ondexx Digital Signature 2 (Not Valid After Saturday, Nov 14, 2026 Eastern Standard Time)
2. Download Metadata: Click on “Federation Metadata” to download the metadata XML file that corresponds to your chosen signing certificate.
3. Service Provider Details: Using both the Metadata file and the EntityID and ACS (Assertion Consumer Service) URL specific to your Ondexx service, configure your Identity Provider.

Setting Up Identity Provider Details

1. Primary Claim/Assertion Field: Choose the primary email address or the relevant field as the claim.
2. Federation Service Entity ID and Endpoint URL: Enter the details provided by your IdP, which will be unique to your organization’s ADFS accounts or other IdPs.
3. Federation Service Token-Signing Certificate: Paste the certificate provided by your IdP.
4. Additional Trust Settings: Check this box if your IdP requires Ondexx to sign SAML Assertions
5. Enable SSO: Check “Enable Single Sign-On” for your primary domain.

Required Identity Provider User Attributes & Claims

• NameID:
  • Format must always be “urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”.
  • Use the field that corresponds to the Primary Claim field you selected within Ondexx (i.e. Email or EmployeeID)
• email (or emailaddress)
• firstname (or givenname)
• lastname (or surname)

Note: Users of the Microsoft identity platform may wish to refer to the following article on the Microsoft Entra help site, Customize SAML token claims.

Optional Identity Provider User Attributes & Claims

• title or (jobtitle)
• department
• division
• company (or companyname)
• city
• region
• country
• groups

Configuring Secondary and Deployment Domains

• Secondary Domain: This domain is hosted by Red Wolf and is used for disaster recovery. It’s typically formatted as {customer_name}.ondexx.net.
• Deployment Domain: Used for Customer UAT and major updates, managed by Red Wolf, usually in the form of deployment-{customer_name}.ondexx.net.

For each domain, you can enable SSO separately and configure it with the relevant IdP details. The metadata download for each domain will reflect the domain’s respective signing certificate.

Finalizing Configurations

• Ensure that all configurations are correct for each domain.
• Remember, changes are not committed until you click the “SAVE” button at the bottom of the page.

Troubleshooting and Support

• If your domain’s DNS experiences issues, switch to the secondary domain to ensure continuous access.
• Always ensure that your signing certificates are up to date to avoid service interruptions.
• For further assistance, contact Ondexx support or refer to the detailed documentation provided within the Ondexx help center.