System Administrators can log in to Project Insight using your normal Project Insight Credentials. To Configure SSO go to System Configuration under the Administration Panel and select the Security Tab.
Three SSO Configurations are provided which allow you to utilize up to three custom Identity Providers (IdP) for Single Sign-On Authentication. The first SSO Configuration is shown below.
Display Name is a reference name for this particular SSO which can be anything you choose. It is intended as a user-friendly label for reference and may also be seen on the login page for all users as the SSO login link.
Alias will be automatically generated from the display name, but can be manually entered. Alias allows you to call out a specific sso to sign in to from the login screen using the url parameter https://[mydomain].projectinsight.net/l.aspx?ssoAutoLogin=myalias
Identitiy Provider (IdP) In most cases this is the url to your Identity Provider when performing Service Provider Initiated single sign-on. However when using Identity Provider Initiated SSO this must be the exact same value as what appears in the Issuer field of the Response.
Is IdP Initiated flag indicates that this configuration is triggered by the Identity Provider . You cannot use the same configuration for both Service Provider Initiated and Identity Provider Initiated single sign-on.
SSO Protocol selects what type of protocol to use for the single sign on. Currently you can choose to authenticate only with SAML 2.0 [http://saml.xml.org/saml-specifications] Protocol which is widely supported by many platforms including Active Directory Federation Services (ADFS).
Identity Claim Type specifies the type of claim used to indicate a users identity. In claims based authentication (Single Sign-On), once authenticated, the Identity Provider returns a collection of claims that verifies the user’s identity. Currently Project Insight only verifies one claim which can be the users UPN, NameID, Email Address, or a Custom Claim which should uniquely identify a user from your organization.
First Name Claim when using auto-registeration this claim is sent from your IdP to be the new user's first name. This is an optional field and can be completed during the sign-up process. Your ADFS server administrator must configure this claim to be sent along with the identity claim.
Last Name Claim when using auto-registeration this claim is sent from your IdP to be the new user's last name. This is an optional field and can be completed during the sign-up process. Your ADFS server administrator must configure this claim to be sent along with the identity claim.
Email Claim when using auto-registeration this claim is sent from your IdP to be the new user's email address. This is an optional field and can be completed during the sign-up process. Your ADFS server administrator must configure this claim to be sent along with the identity claim.
Auto Register Claim when using auto-registeration this claim is sent as a flag indicating that the user has successfully authenticated with your ADFS and is allowed to take part in auto-registration. This is an optional field and may be any custom claim of your choosing that returns "true" as the value to register a user. Your ADFS server administrator must configure this claim using a transformation.
User Permissions to Copy this should be an inactive user with very minimum permissions for your organization. An existing PI Administrator will still need to make updates for anyone who should have different permission levels, but this will at least get most people through the door.
IdP Signing Certificate is the X509 Certificate used to sign tokens sent from your Identity Provider. This certificate is completely optional for extra security. If it is not provided then we extract this certificate and vaildate the signature from the response.
Enable Auto Registration indicates that this single-sign-on configuration is allowed to accept auto-registration users when checked.
Is Primary Login flag indicates that this Single Sign-On Configuration will be your primary login method, meaning that the normal Project Insight Login Screen will be bypassed and it will go straight to your Identity Provider. You can only have one Primary Login Configuration and should your authentication fail you will see the normal PI Login Screen. In the event that your IdP goes down or you misconfigure this configuration you can stop the autologin feature at the login page by supplying an additional URL parameter https://[mydomain].projectinsight.net/l.aspx?disablePrimarySSO=true
Delete this Configuration removes this SSO configuration upon clicking the save button.
Troubleshooting If you are having trouble setting up sso you can enable sso debugging at any time by using the url parameter https://[mydomain].projectinsight.net/l.aspx?enableDebugSSO=true which will give you an wealth of information about any error you may be recieving on the Project Insight side of the authentication. Some errors may occur on your Identity Provider, an easy way to tell if the configuration is a Project Insight misconfiguration or your Identity Provider (such as ADFS) is if you see the project insight login screen than there is most likely an issue on the PI configuration side.
Once at least one SSO configuration has been completed and saved, users and administrators will be able to set corresponding user names in the SSO configuration with the user profiles using the Single Sign-On tab.