Integrating your company's Single Sign-On (SSO) solution with the World Manager platform offers a convenient and secure way for all employees to access the platform. By integrating with the popular identity provider (IdP) OneLogin for SSO, you can enable employees to authenticate into your World Manager platform using their existing company credentials. Follow these instructions to configure the integration with OneLogin.
Prerequisites
- Admin access to JumpCloud
OneLogin Configuration
Add an Application
1. Log into JumpCloud: https://console.jumpcloud.com
2. Go to USER AUTHENTICATION → SSO
3. Click on the “+ Add New Application” button
Note: If you do not have any existing SSO applications in JumpCloud, then you will see a "Get Started" button instead.
4. In the (search) text field, enter SAML
5. Click on the “Configure” button next to the “Custom SAML App” result that appears (to add)
General Info
1. Enter a (unique) name for the app + enable the “Show this application in User Portal” option, then click on the “activate” button
Tip: For the purposes of this article, we have used ‘WM Platform SSO’ as the name. However, we recommend using a name that is unique/specific to your World Manager platform.
SSO
1. Click on the ‘SSO’ tab
2. Under the ‘Service Provider Metadata’ section, complete the following details (below):
- IdP Entity ID
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/onelogin
- SP Entity ID
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/metadata/onelogin
- ACS (Consumer) URL Validator
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/onelogin
- ACS URLs
  - In the text field, enter: https://<YourPlatformUrl>/login/saml/onelogin
Important: The ‘ACS (Consumer) URL’ field requires a REGEX version of the ‘ACS (Consumer) URL Validator’ value.
- SAMLSubject NameID
  - In the drop-down field, select the “Email” option
- SAMLSubject NameID Format
  - In the drop-down field, select the “urn:oasis:names:tc:SAML:2.0:nameid-format:persistent” option
3. Under the ‘Attributes’ section, action the following (below) to create attributes (aka fields):
- Email
  - Click on the “add attribute” button
  - In the ‘Field name’ field, enter email
  - In the ‘Value’ drop-down, select the email option
Important: You can only use a valid email address as the identifier value.
- First Name
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter firstName
  - In the ‘JumpCloud Attribute Name’ drop-down, select the firstname option
- Last Name
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter lastName
  - In the ‘JumpCloud Attribute Name’ drop-down, select the lastname option
- Group UUIDs
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter groupUuids
  - In the ‘JumpCloud Attribute Name’ drop-down, select the Custom User or Group Attribute option
  - In the ‘JumpCloud Attribute Name’ field, enter groupUuids
- Country UUIDs
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter countryUuids
  - In the ‘JumpCloud Attribute Name’ drop-down, select the Custom User or Group Attribute option
  - In the ‘JumpCloud Attribute Name’ field, enter countryUuids
- Area UUIDs
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter areaUuids
  - In the ‘JumpCloud Attribute Name’ drop-down, select the Custom User or Group Attribute option
  - In the ‘JumpCloud Attribute Name’ field, enter areaUuids
- Store UUIDs
  - Click on the “add attribute” button
  - In the ‘Service Provider Attribute Name’ field, enter storeUuids
  - In the ‘JumpCloud Attribute Name’ drop-down, select the Custom User or Group Attribute option
  - In the ‘JumpCloud Attribute Name’ field, enter storeUuids
Once finished, you should be left with something like this:
Important: To ensure correct functionality, all attribute names must be entered exactly as specified.
4. Click on the “activate” button
5. In the confirmation prompt that appears, click on the “continue” button
Get IDP Details
1. Go to USER AUTHENTICATION → SSO
2. Click on the name of the app you created (to open)
3. Click on the ‘SSO’ tab
4. Under the ‘Enable SAML2.0’ section, action the following (below):
- Copy the ‘Issuer URL’ value
- Copy the ‘SAML 2.0 Endpoint (HTTP)’ value
- Under the ‘X.509 Certificate’ field, click on the “View Details” link
Important: Keep this information handy, as it will be required in later steps.
Assign UUID Values
1. Go to USER MANAGEMENT → Users
2. Find + open the properties of a user you wish to configure UUID data for
3. Click on the ‘Details’ tab, then click on the ‘Custom Attributes’ section (to expand)
4. Under the ‘Custom Attributes’ section, action the following (below):
- Group UUIDs
  - Click on the “add new custom attribute” button
  - In the first text field, enter groupUuids
  - In the second text field, enter a valid Group UUID value
Tip: Currently, it is not possible to obtain Group UUID data from within the platform. Please either contact our Support Team, or use our SOAP API.
- Country UUIDs
  - Click on the “add new custom attribute” button
  - In the first text field, enter countryUuids
  - In the second text field, enter a valid Country UUID value (or values)
- Area UUIDs
  - Click on the “add new custom attribute” button
  - In the first text field, enter areaUuids
  - In the second text field, enter a valid Area UUID value (or values)
- Store UUIDs
  - Click on the “add new custom attribute” button
  - In the first text field, enter storeUuids
  - In the second text field, enter a valid Store UUID value (or values)
Note: In order to assign multiple UUIDs, separate the values with a semicolon (;), e.g. value1;value2
Important: Not all attributes can be assigned multiple UUID values, as it is dependent on the role the user's account group belongs to. See table below that outlines the data allowed per role:
Role(s) | Group UUIDs | Country UUIDs | Area UUIDs | Store UUIDs |
---|---|---|---|---|
World Manager | 1x | | | |
National Manager (multi-country) | 1x | Multiple | | |
Area Manager (multi-area) | 1x | | Multiple | |
General Manager, Store Manager, Employee (multi-store) | 1x | | | Multiple |
5. Click on the “save user” button
6. Repeat steps 2 through 5 to assign UUID values for all applicable accounts
UUID Data Requirement
To successfully authenticate a user via SSO, there is a bare minimum requirement of UUID data that needs to be provided, which is dependent on the role the user's account group belongs to. See table below that outlines the data required per role:
Role(s) | Group UUID | Country UUID | Area UUID | Store UUID |
---|---|---|---|---|
World Manager | ✅ | | | |
National Manager | ✅ | ✅ | | |
Area Manager | ✅ | | ✅ | |
General Manager, Store Manager, Employee | ✅ | | | ✅ |
To elaborate on the above, if you were creating a ‘Store Manager’ account, you would only need to provide valid ‘Group UUID’ and ‘Store UUID’ values. The ‘Country UUID’ and ‘Area UUID’ values are not required.
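A pre-flight check of a user's custom attribute values against the two role tables above, written as an added example (it is not World Manager or JumpCloud code). It assumes UUIDs use the canonical 8-4-4-4-12 form and that only the attribute marked ‘Multiple’ for a role may hold several values; the function names, role keys and sample UUIDs are constructed for illustration.

```python
import uuid

# Role -> the attribute that is required besides groupUuids and may hold
# several values (taken from the two tables above); None for World Manager.
SCOPE_ATTR = {
    "World Manager": None, "National Manager": "countryUuids",
    "Area Manager": "areaUuids", "General Manager": "storeUuids",
    "Store Manager": "storeUuids", "Employee": "storeUuids",
}
UUID_ATTRS = ("groupUuids", "countryUuids", "areaUuids", "storeUuids")

# Constructed sample values, not real World Manager UUIDs.
GROUP = "3f2b8c1e-5a4d-4e6f-9b7a-1c2d3e4f5a6b"
STORE_A = "7a1b2c3d-4e5f-4a6b-8c7d-9e0f1a2b3c4d"
STORE_B = "0d9c8b7a-6f5e-4d4c-b3a2-1f0e9d8c7b6a"


def is_uuid(value):
    # Assumption: values use the canonical 8-4-4-4-12 hexadecimal form.
    try:
        return str(uuid.UUID(value)) == value.lower()
    except ValueError:
        return False


def check_user(role, attrs):
    """Return a list of problems found in one user's custom attributes."""
    problems = []
    scope = SCOPE_ATTR[role]
    exact = {name.lower(): name for name in UUID_ATTRS}
    for name in attrs:
        # Names must match exactly as specified; catch slips such as GroupUuids.
        if name not in UUID_ATTRS and name.lower() in exact:
            problems.append(f"{name}: must be spelled {exact[name.lower()]}")
    for name in UUID_ATTRS:
        values = [v.strip() for v in attrs.get(name, "").split(";") if v.strip()]
        if not values and name in ("groupUuids", scope):
            problems.append(f"{name}: required for {role}")
        if len(values) > 1 and name != scope:
            problems.append(f"{name}: only one value allowed for {role}")
        problems += [f"{name}: not a UUID: {v}" for v in values if not is_uuid(v)]
    return problems


if __name__ == "__main__":
    user = {"groupUuids": GROUP, "storeUuids": f"{STORE_A};{STORE_B}"}
    print(check_user("Store Manager", user))
    print(check_user("World Manager", {"groupUuids": f"{GROUP};{STORE_A}"}))
```

Running it over an export of user attributes before asking Support to enable SSO surfaces accounts that would fail to authenticate for missing or malformed UUID data.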
World Manager Configuration
Contact Support
All SSO-related configuration on the World Manager end is handled by the Support Team and is not visible within the platform. So, whenever you are ready to enable this authentication method, please send an email to wmsupport@franconnect.com with the following details:
- ‘IDP URL’ value
- ‘SAML 2.0 Endpoint (HTTP)’ value
- IDP Certificate file
Note: These values are from the 'SSO' section that you were previously instructed to download/copy.