SSO Configuration: CyberArk

Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the identity provider (IdP) CyberArk for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with CyberArk.

Prerequisites

  • Admin access to CyberArk

CyberArk Configuration

Add a Web App

1. Log into CyberArk (Identity Administration)

2. Go to Apps & Widgets → Web Apps

3. Click on the “Add Web Apps” button

4. Click on the ‘Custom’ tab, then click on the “Add” button next to the “SAML” option

5. Select the applicable option in the ‘Organization’ drop-down, then click on the “Yes” button

6. Click on the “Close” button (or X icon)

Settings

1. Enter a (unique) name for the app + check the “Show in user app list” option, then click on the “Save” button

Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.

Trust

1. Click on the ‘Trust’ menu item

2. Under the ‘Identity Provider Configuration’ section, expand all of the rows, then action the following (below):

  • Copy the ‘IdP Entity ID / Issuer’ value
  • Copy the ‘Single Sign On URL’ value
  • Under the ‘Signing Certificate’ field, click on the “Download” button

Important: Keep this information handy, as it will be required in later steps.

3. Under the ‘’ section, select the “Manual Configuration” option, then complete the following details (below), then click on the “Save” button:

  • SP Entity ID / Issuer / Audience
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/cyberark
  • ACS (Consumer) URL Validator
    • In the text field, enter: https://<YourPlatformUrl>/login/saml/cyberark
  • NameID Format
    • In the drop-down field, select the “persistent” option

SAML Response

1. Click on the ‘SAML Response’ menu item

2. Action the following (below) to create attributes (aka fields):

  • Email
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter email
    • In the ‘Attribute Value’ field, enter LoginUser.Email

Important: You can only use a valid email address as the identifier value.

  • First Name
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter firstName
    • In the ‘Attribute Value’ field, enter LoginUser.FirstName
  • Last Name
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter lastName
    • In the ‘Attribute Value’ field, enter LoginUser.LastName
    • Click on the “Save” button

Once finished, you should be left with something like this:

Important: To ensure correct functionality, all attribute names must be entered exactly as specified.

Permissions

1. Click on the ‘Permissions’ menu item

2. Click on the “Add” button

3. In the text field, enter everybody, then press ENTER

4. In the results that appear, check the “Everybody” option, then click on the “Add” button

5. For the “Everybody” row, check the option under the ‘Grant’ column, then click on the “Save” button

Important: For the purposes of this article, we have selected the “Everybody" group so that all users can utilise this SAML SSO app/functionality. However, you do not have to provide permission to the “Everybody” group and can instead pick-and-choose who to allow (by role, group and/or user).

Create User Attributes

1. Go to Settings → Customization

2. Click on the ‘Additional Attributes’ menu item

3. Action the following (below) to create attributes (aka fields):

  • Group UUIDs
    • Click on the “Add” button
    • In the ‘Name’ field, enter Group_UUIDs
    • In the ‘Type’ drop-down, select the “Text” option
    • Click on the “Add” button
  • Country UUIDs
    • Click on the “New User Field” button
    • In the ‘Name’ field, enter Country_UUIDs
    • In the ‘Type’ drop-down, select the “Text” option
    • Click on the “Add” button
  • Area UUIDs
    • Click on the “New User Field” button
    • In the ‘Name’ field, enter Area_UUIDs
    • In the ‘Type’ drop-down, select the “Text” option
    • Click on the “Add” button
  • Store UUIDs
    • Click on the “Save and Add Another” button
    • In the ‘Name’ field, enter Store_UUIDs
    • In the ‘Type’ drop-down, select the “Text” option
    • Click on the “Add” button

Once finished, you should be left with something like this:

Add User Attributes to App

1. Go (back) to Apps & Widgets → Web Apps

2. Click on the name of the app you created (to edit)

3. Click on the ‘SAML Response’ tab

4. Action the following (below) to create (additional) attributes (aka fields):

  • Group UUIDs
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter groupUuids
    • In the ‘Attribute Value’ field, enter LoginUser.Get('Group_UUIDs')
  • Country UUIDs
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter countryUuids
    • In the ‘Attribute Value’ field, enter LoginUser.Get('Country_UUIDs')
  • Area UUIDs
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter areaUuids
    • In the ‘Attribute Value’ field, enter LoginUser.Get('Area_UUIDs')
  • Store UUIDs
    • Click on the “Add” button
    • In the ‘Attribute Name’ field, enter storeUuids
    • In the ‘Attribute Value’ field, enter LoginUser.Get('Store_UUIDs')
    • Click on the “Save” button

Once finished, you should be left with something like this:

Assign UUID Values

1. Go to Core Services → Users

2. Find + open the properties of a user you wish to configure UUID data for

3. Click on the ‘Additional Attributes’ menu item, then action the following (below):

  • Group UUIDs
    • Click on the ‘pencil’ (edit) icon
    • In the text field, enter a valid Group UUID value

Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.

  • Country UUIDs
    • Click on the ‘pencil’ (edit) icon
    • In the text field, enter a valid Country UUID value (or values)
  • Area UUIDs
    • Click on the ‘pencil’ (edit) icon
    • In the text field, enter a valid Area UUID value (or values)
  • Store UUIDs
    • Click on the ‘pencil’ (edit) icon
    • In the text field, enter a valid Store UUID value (or values)

4. Click on the “Save” button

5. Repeat steps 2 through 4 to assign UUID values for all applicable accounts

UUID Data Requirement

To successfully authenticate a user via SSO, there is a bare minimum requirement of UUID data that needs to be provided, which is dependent on the role the user's account group belongs to. See table below that outlines the data required per role:

Role(s) Group UUID Country UUID Area UUID Store UUID
World Manager      
National Manager    
Area Manager    
General Manager, Store Manager, Employee    

To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.

World Manager Configuration

Contact Support

All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:

  • ‘IdP Entity ID / Issuer’ value
  • ‘Single Sign On URL’ value
  • Signing Certificate file

Note: These values are from the 'Trust' section that you were previously instructed to download/copy.

Was this article helpful?
0 out of 0 found this helpful