Configuring SSO with the FrankieOne portal

Single sign-on is an authentication scheme that allows a user to log in with a single ID and password to any of several related, yet independent, software systems. True single sign-on allows the user to log in once and access services without re-entering authentication factors. Currently, Frankie One’s portal only supports SAML-based integration.

📘

SAML Definition

SAML (Security Assertion Mark-up Language) is an umbrella standard that covers federation, identity management and single sign-on (SSO).

Getting Started with SAML

The portal admin pages for configuring SSO are currently under development, so email communication is required to finish the setup. This guide uses Okta, a popular IdP service, to illustrate each step, but any other service compliant with the SAML standard will integrate successfully.

Concepts

  • SP - Service Provider; in our context, this is always Frankie One’s portal
  • IdP - Identity Provider; Okta, Azure AD, Google, OneLogin and any other identity service
  • Metadata - XML files containing the details needed to integrate with both the SP and the IdP

The configuration needs to be done both on the SP side and on the IdP side. We will take care of configuring the SP and will generate the SP XML metadata, which is sent over to you by email or any other preferred means of communication.

🚧

IDP Initiated Authentication Only

The FrankieOne Portal only supports IdP-initiated SSO authentication at the moment. Please keep that in mind while following this guide and setting up your SAML-based SSO.

With the SP XML metadata file in hand, you’ll need to configure the IdP service. Depending on your IdP, there are two ways to do that: by file upload (1) or by manually entering the details (2). Okta uses the latter.

  1. Upload the SP metadata file; all required information will be extracted from it automatically
  2. Manually enter the following details, which can be found in the SP XML metadata file (see image below):
  • Assertion Consumer Service (ACS), sometimes also called Login URL
  • SingleLogoutService, sometimes also called Logout URL
  • Entity ID/Audience URL
  • Name ID format; always use “Email Address” for Frankie One
  • X.509 certificate

For both methods above, you will also be required to add extra attributes when configuring your IdP. The following attributes are strictly required in your IdP configuration:

  1. email: User’s unique email (must not be shared by different users of the portal within the same environment: uat, demo, production…)
  2. fullName: User’s complete name, as it is to be displayed in the portal
  3. roles: List of role names, exactly as displayed on the Portal’s User configuration page. Depending on your IdP, it may be a list of string values or a single comma-separated string value (no spaces); Okta accepts both formats. Role names are case sensitive, so make sure they are spelled exactly. As of 27 Oct 2021 the system roles defined are:
    a. App-FrankieFinancial-Role-UpdateRecords
    b. App-FrankieFinancial-Role-Admin
    c. App-FrankieFinancial-Role-ITOps
    d. App-FrankieFinancial-Role-ViewAsChild
    e. App-FrankieFinancial-Role-CustomerService
    f. App-FrankieFinancial-Role-ReadOnly
    g. App-FrankieFinancial-Role-Compliance

Missing any of the required attributes (a unique email, fullName and a list of existing roles) will result in a failed integration, so make sure they are present, valid and correct.
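The attribute rules above, as an added example that is not FrankieOne’s code: a small Python check, run here on a constructed assertion fragment, that reads email, fullName and roles from a SAML AttributeStatement, accepts roles either as several values or as one comma-separated string, and flags missing attributes and unknown or wrongly cased role names against the role list above. The attribute names and role names come from this page; the sample user data is made up.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Role names as listed on this page (as of 27 Oct 2021); matching is case sensitive.
KNOWN_ROLES = {
    "App-FrankieFinancial-Role-UpdateRecords",
    "App-FrankieFinancial-Role-Admin",
    "App-FrankieFinancial-Role-ITOps",
    "App-FrankieFinancial-Role-ViewAsChild",
    "App-FrankieFinancial-Role-CustomerService",
    "App-FrankieFinancial-Role-ReadOnly",
    "App-FrankieFinancial-Role-Compliance",
}
# Constructed sample assertion fragment (not real data); the second role has a
# lower-case "c", the kind of spelling mistake this page warns about.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="fullName"><saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="roles">
      <saml:AttributeValue>App-FrankieFinancial-Role-ReadOnly,App-FrankieFinancial-Role-compliance</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def read_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_required_attributes(attrs):
    """Apply the page's attribute rules; return a list of problems (empty means OK)."""
    problems = []
    for name in ("email", "fullName"):
        if not attrs.get(name) or not attrs[name][0]:
            problems.append(f"missing attribute: {name}")
    # roles may arrive as several AttributeValue elements or as one comma-separated string
    roles = [r for v in attrs.get("roles", []) for r in v.split(",") if r]
    if not roles:
        problems.append("missing attribute: roles")
    for role in roles:
        if role not in KNOWN_ROLES:
            hint = next((k for k in KNOWN_ROLES if k.lower() == role.lower()), None)
            problems.append(f"unknown role: {role!r}" + (f" (did you mean {hint!r}?)" if hint else ""))
    return problems
```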

👍

After configuring your IdP, it will provide you with the IdP XML metadata. Please download it and email it to [email protected].

Please ensure you mention which domain SAML is being configured for and which environment you’d like it provisioned in.
