Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the identity provider (IdP) CyberArk for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with CyberArk.
Prerequisites
- Admin access to CyberArk
CyberArk Configuration
Add a Web App
1. Log into CyberArk (Identity Administration)
2. Go to Apps & Widgets → Web Apps
3. Click on the “Add Web Apps” button
4. Click on the ‘Custom’ tab, then click on the “Add” button next to the “SAML” option
5. Select the applicable option in the ‘Organization’ drop-down, then click on the “Yes” button
6. Click on the “Close” button (or X icon)
Settings
1. Enter a (unique) name for the app + check the “Show in user app list” option, then click on the “Save” button
Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.
Trust
1. Click on the ‘Trust’ menu item
2. Under the ‘Identity Provider Configuration’ section, expand all of the rows, then action the following (below):
- Copy the ‘IdP Entity ID / Issuer’ value
- Copy the ‘Single Sign On URL’ value
- Under the ‘Signing Certificate’ field, click on the “Download” button
Important: Keep this information handy, as it will be required in later steps.
3. Under the ‘’ section, select the “Manual Configuration” option, then complete the following details (below), then click on the “Save” button:
- SP Entity ID / Issuer / Audience
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/cyberark
- ACS (Consumer) URL Validator
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/cyberark
- NameID Format
  - In the drop-down field, select the “persistent” option
SAML Response
1. Click on the ‘SAML Response’ menu item
2. Action the following (below) to create attributes (aka fields):
- Email
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: email
  - In the ‘Attribute Value’ field, enter: LoginUser.Email
  Important: You can only use a valid email address as the identifier value.
- First Name
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: firstName
  - In the ‘Attribute Value’ field, enter: LoginUser.FirstName
- Last Name
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: lastName
  - In the ‘Attribute Value’ field, enter: LoginUser.LastName
- Click on the “Save” button
Important: To ensure correct functionality, all attribute names must be entered exactly as specified.
Permissions
1. Click on the ‘Permissions’ menu item
2. Click on the “Add” button
3. In the text field, enter everybody, then press ENTER
4. In the results that appear, check the “Everybody” option, then click on the “Add” button
5. For the “Everybody” row, check the option under the ‘Grant’ column, then click on the “Save” button
Important: For the purposes of this article, we have selected the “Everybody” group so that all users can utilise this SAML SSO app/functionality. However, you do not have to grant permission to the “Everybody” group and can instead pick and choose who to allow (by role, group and/or user).
Create User Attributes
1. Go to Settings → Customization
2. Click on the ‘Additional Attributes’ menu item
3. Action the following (below) to create attributes (aka fields):
- Group UUIDs
  - Click on the “Add” button
  - In the ‘Name’ field, enter: Group_UUIDs
  - In the ‘Type’ drop-down, select the “Text” option
  - Click on the “Add” button
- Country UUIDs
  - Click on the “New User Field” button
  - In the ‘Name’ field, enter: Country_UUIDs
  - In the ‘Type’ drop-down, select the “Text” option
  - Click on the “Add” button
- Area UUIDs
  - Click on the “New User Field” button
  - In the ‘Name’ field, enter: Area_UUIDs
  - In the ‘Type’ drop-down, select the “Text” option
  - Click on the “Add” button
- Store UUIDs
  - Click on the “Save and Add Another” button
  - In the ‘Name’ field, enter: Store_UUIDs
  - In the ‘Type’ drop-down, select the “Text” option
  - Click on the “Add” button
Add User Attributes to App
1. Go (back) to Apps & Widgets → Web Apps
2. Click on the name of the app you created (to edit)
3. Click on the ‘SAML Response’ tab
4. Action the following (below) to create (additional) attributes (aka fields):
- Group UUIDs
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: groupUuids
  - In the ‘Attribute Value’ field, enter: LoginUser.Get('Group_UUIDs')
- Country UUIDs
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: countryUuids
  - In the ‘Attribute Value’ field, enter: LoginUser.Get('Country_UUIDs')
- Area UUIDs
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: areaUuids
  - In the ‘Attribute Value’ field, enter: LoginUser.Get('Area_UUIDs')
- Store UUIDs
  - Click on the “Add” button
  - In the ‘Attribute Name’ field, enter: storeUuids
  - In the ‘Attribute Value’ field, enter: LoginUser.Get('Store_UUIDs')
- Click on the “Save” button
Assign UUID Values
1. Go to Core Services → Users
2. Find + open the properties of a user you wish to configure UUID data for
3. Click on the ‘Additional Attributes’ menu item, then action the following (below):
- Group UUIDs
  - Click on the ‘pencil’ (edit) icon
  - In the text field, enter a valid Group UUID value
  Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.
- Country UUIDs
  - Click on the ‘pencil’ (edit) icon
  - In the text field, enter a valid Country UUID value (or values)
- Area UUIDs
  - Click on the ‘pencil’ (edit) icon
  - In the text field, enter a valid Area UUID value (or values)
- Store UUIDs
  - Click on the ‘pencil’ (edit) icon
  - In the text field, enter a valid Store UUID value (or values)
4. Click on the “Save” button
5. Repeat steps 2 through 4 to assign UUID values for all applicable accounts
UUID Data Requirement
To successfully authenticate a user via SSO, a minimum set of UUID data must be provided. This minimum depends on the role that the user's account group belongs to. The table below outlines the data required per role:
Role(s) | Group UUID | Country UUID | Area UUID | Store UUID |
---|---|---|---|---|
World Manager | ✅ | | | |
National Manager | ✅ | ✅ | | |
Area Manager | ✅ | ✅ | | |
General Manager, Store Manager, Employee | ✅ | | | ✅ |
To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.
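A pre-flight check for the attribute names and per-role UUID requirements described above, as an added example (not World Manager or CyberArk code). It assumes you have captured and base64-decoded the assertion from your own test login; the role is supplied by the caller, and wm.example.com and the sample values are constructed placeholders. It inspects configuration only and does not verify the assertion's signature.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
BASE = {"email", "firstName", "lastName"}
# Required UUID attributes per role, transcribed from the table on this page.
G, C, S = "groupUuids", "countryUuids", "storeUuids"
REQUIRED = {"World Manager": {G}, "National Manager": {G, C}, "Area Manager": {G, C},
            "General Manager": {G, S}, "Store Manager": {G, S}, "Employee": {G, S}}
KNOWN = BASE | {G, C, S, "areaUuids"}

def check_assertion(xml_text, role, sp_entity_id):
    """Return a list of configuration problems in a decoded SAML assertion."""
    root, problems = ET.fromstring(xml_text), []
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    if sp_entity_id not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        problems.append("Audience does not match SP Entity ID")
    attrs = {}
    for a in root.iterfind(".//saml:Attribute", NS):
        v = a.find("saml:AttributeValue", NS)
        attrs[a.get("Name")] = (v.text or "").strip() if v is not None else ""
    for name in sorted(BASE | REQUIRED[role]):  # names are case-sensitive
        if not attrs.get(name):
            problems.append(f"missing or empty attribute: {name}")
    canonical = {k.lower(): k for k in KNOWN}
    for name in attrs:  # flag near-misses such as 'GroupUuids'
        if name not in KNOWN and name.lower() in canonical:
            problems.append(f"attribute '{name}' should be '{canonical[name.lower()]}'")
    email = attrs.get("email", "")
    if email and not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("email is not a valid address")
    return problems

# Constructed sample: a Store Manager whose group attribute name was mis-typed in CyberArk.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1001</saml:NameID></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://wm.example.com/login/saml/metadata/cyberark</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>pat@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstName"><saml:AttributeValue>Pat</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastName"><saml:AttributeValue>Lee</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="GroupUuids"><saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="storeUuids"><saml:AttributeValue>00000000-0000-4000-8000-000000000002</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
print(check_assertion(SAMPLE, "Store Manager", "https://wm.example.com/login/saml/metadata/cyberark"))
```

Run it against a test user for each role before sending the IdP details to Support, so attribute-name typos and missing UUID values surface on your side first.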
World Manager Configuration
Contact Support
All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:
- ‘IdP Entity ID / Issuer’ value
- ‘Single Sign On URL’ value
- Signing Certificate file
Note: These values are from the 'Trust' section that you were previously instructed to download/copy.