Enable Single Sign-On using SAML on EZOfficeInventory

SAML Integration

EZOfficeInventory supports multiple login options. These include Google Account, Microsoft Account, LDAP and SAML providers. You can configure which login options to give to users from Settings → Company Settings → Authentication. In this post, we’ll discuss SAML.

Users in your organization can access EZOfficeInventory through SAML. No need for your users to remember separate credentials for EZOfficeInventory. To start, enable SAML Integration from Settings → Add Ons.

What is SAML?

Security Assertion Markup Language (SAML) is an XML standard that enables a user to log on once to affiliated but separate websites. SAML creates end points that give an organization’s users a single URL to sign in and select the applications they are authorized to use. This provides an additional level of security and simplifies user authentication. One of the main components of SAML include assertions which are :
– Authentication assertion validates the user’s identity.
– Attribute assertion contains specific information about the user.
– Authorization assertion identifies what the user is authorized to do.

Why implement SAML?

Reasons include usability, directory integration and security. A user can access applications with a single click and allows to launch apps from SSO portals. In terms of security, SAML eliminates the use of passwords, centralizes access control and prevents illegal or unnecessary access from former employees.

How SAML works?

SAML SSO works by authenticating a user against the company’s identity provider, say OneLogin or Okta. It transfers the user’s data from one destination to another i.e. from identity provider to the service provider. In this case, EZOfficeInventory is your service provider.

Your identity provider authenticates the user by creating an XML document containing user’s credentials and email address. It then signs it using the certificate and sends back the information to EZOfficeInventory.
Some of the Identity Providers supported by EZOfficeInventory are:
– OneLogin
– Okta
– Centrify
– Simplify
– Auth0

Configuring an identity provider for EZOfficeInventory

Here, we will be using OneLogin as an example, which provides SSO and identity management for cloud based applications. With OneLogin, users can enable enterprise-grade SSO over the cloud, allowing all end-users to connect with included SaaS services. For other providers, the steps are similar.

1. Adding the App
Find ‘EZOfficeInventory’ from the OneLogin page, go to Apps → Add Apps → Find Applications.

adding service provider

Click ‘Save’ and your OneLogin account is ready to be integrated with EZOfficeInventory app. From the Company Apps, you can view all saved applications in your OneLogin account.

2. Making sure users have the correct attributes
Your SAML users should have the attributes for Last Name and Email Address, which are required by EZOfficeInventory to retrieve and validate users.

Configure Users' data

These attributes can be mapped to Last Name and Email addresses of members in EZOfficeInventory settings.

Configuring EZOfficeInventory for SAML

Once you have set up an EZOfficeInventory app on your preferred SAML identity provider, configure the settings in EZOfficeInventory from Settings → Add Ons → SAML Integration. Again, we have used OneLogin as an example.

inventory control software

A. Whitelisting the IPs on SAML
Some identity providers require IPs to be whitelisted. Make sure that the following two IPs are whitelisted in your SAML settings:
1. 54.221.243.145
2. 50.16.201.234

B. Add EZOfficeInventory consumer service URL to your SAML Settings
The EZOfficeInventory consumer service url can be obtained from Settings → Add Ons → SAML Integration:
https://<Your Company Subdomain>.ezofficeinventory.com/users/auth/saml/callback

C. Fill in the configuration settings
The following information needs to be configured in your EZOfficeInventory’s account (see image to identify the fields):

Configure SAML on EZOfficeInventory

1. Unique Identity Provider URL: Find and copy your Identity Provider URL from Apps → Company Apps → EZOfficeInventory → SSO tab → SAML 2.0 Endpoint (HTTP) (see the image below). You will be required to paste this link in ‘Identity Provider URL’ field while configuring EZOfficeInventory for SAML Integration.

OneLogin

2. Identity Provider X.509 Certificate: Unique for every account owner, this certificate is provided by the identity provider. In OneLogin, find and copy your X.509 certificate from Apps → Company Apps → EZOfficeInventory → SSO tab → X.509 Certificate (see image above). EZOfficeInventory will use the certificate to validate the response from your identity provider letting the user to login in using SAML.

Note: Make sure to follow the below format for the certificate when pasting it in the certificate field so EZOfficeInventory validates your Identity provider’s certificate without any error. It’s as follows:
—–BEGIN CERTIFICATE—–
your certificate details here
—–END CERTIFICATE—–

3. Adding new users to the User Listing: This is only available if you have User Listings enabled from Company Settings → Visibility. If you don’t use User Listings, skip to the next field. Your users who do not exist as members in EZOfficeInventory but access the system using SAML will be auto created in EZOfficeInventory, and will be assigned to User Listing. ‘No User Listing’ gives staff users visibility only into the items checked out to them. Users get full visibility in ‘Default User Listing’ selection

4. Label Login Button Text: By default it’s labeled as ‘Access through SAML SSO’. You can rename it to any text preferable to you e.g. Access using Acme Corp Login.

5. Attributes required for SAML configuration: Last Name and Email attributes need to be present for EZOfficeInventory. These attributes/parameters should be sent over to EZOfficeInventory from your identity provider. In OneLogin, they can be viewed from Apps → Company Apps → EZOfficeInventory → Parameters. Also, map these parameters in EZOfficeInventory. If your Last Name attribute in SAML is last_name, then fill in ‘last_name’ against the Last Name field. Same goes for the Email.

6. Scroll down to the end of the Add Ons page in EZOfficeInventory settings, and click ‘Update’. You now have a SAML enabled EZOfficeInventory account.

Login Experience

The following takes place when a user tries to login to a SAML enabled EZOfficeInventory account:
– When the user goes to your EZOfficeInventory portal, they see the SAML access option. See image below.EZOfficeInventory
– Clicking Access through SAML takes a user to SAML Provider’s page for authentication.
– If the user is already signed in to your SAML Provider’s account (e.g. OneLogin) they’ll directly land into the EZOfficeInventory portal.
– The email address of the user determines which EZOfficeInventory member they are.
– A user who isn’t added to an EZOfficeInventory’s account under Members tab, but accesses that EZOfficeInventory account for the first time via SAML, is added as a new staff user.

Note: In a scenario, where users might want to use SAML as the only authentication option in EZOfficeInventory, you can disable other options from Company Settings -> Authentication. See image below how the login page looks later.SAML on EZOfficeInventory
For LDAP integration with EZOfficeInventory, click here.

Share your Queries

Log into your account to try this out and let us know what you think at info@ezofficeinventory.com. You can log in your feedback on our User Community Forum or join in the conversation on Twitter @EZOfficeInventory.

FAQs

Q. How to verify the information while setting up SAML Integration for EZOfficeInventory?
A. Following are some of the URLs that you may require during the configuration process:
Sign On URL: https://<Your Company’s Subdomain>.ezofficeinventory.com/users/sign_in
Identifier/Issuer: https://www.ezofficeinventory.com (Note: Do not enter your subdomain with it)
Assertion Consumer Service URL: https://<Your Company’s Subdomain>.com/users/auth/saml/callback

Q. What if the Identity Provider asks for 4 attributes e.g. First Name, Last Name, Email and Principle Name? Will it matter as EZOfficeInventory only looks for First Name, Last Name and Email?

A. The extra attribute will not be an issue. However, while configuring, you’d most probably have to map the exact attribute names of the first name, last name and email fields that are provided by the Identity provider in the Settings -> Add Ons page.

Q. Sensitive information exchanged in the SAML assertion?
A. No, only the email address is sent.

Q. How to paste your SAML SSO Certificate?
A. During the EZOfficeInventory’s configuration process, paste the certificate in the field in between the following marks:
—–BEGIN CERTIFICATE—–
Paste certificate details here
—–END CERTIFICATE—–

Q. Someone at your organization tried accessing your EZOfficeInventory portal through SAML, but could not log in. To fix this, verify that your integration has been set up correctly.
A. A common issue is not having Last Name and Email attributes configured in your SAML Set Up. To diagnose this:
1) Make sure EZOfficeInventory is getting the Last Name and Email for members. The relevant options are available under Settings → Add Ons → SAML
2) Look for typos in SAML Attribute Names added in EZOfficeInventory Settings. For example, if your SAML Attribute for Last Name is last_name, it should be entered as such.
3) In most cases, the parameters/attributes are mapped in your preferred identity provider configuration settings, otherwise your service provide will ask you to map them.