SAML SSO

Eliona app for SAML single-sign-on

The SAML SSO (Security Assertion Markup Language Single Sign-On) app allows users to log into Eliona using various SAML 2.0 SSO providers, including Microsoft ADFS. This setup streamlines authentication by using a single set of credentials.

Migration from ADFS to SAML SSO

Note: This section is relevant only if you previously used the ADFS app and are upgrading to Eliona v13.2 or later. If you're installing Eliona for the first time, you can skip this section.

Before Eliona v13.2, the "ADFS" app provided Single Sign-On (SSO) for Azure Active Directory only. Starting with v13.2, Eliona ships a full SAML 2.0 Service Provider implementation and therefore supports a broader range of Identity Providers. As a result, the "ADFS" app has been replaced by the new "SAML SSO" app.

Important: ADFS login will stop working after upgrading to Eliona v13.2. To restore SSO functionality, follow these steps:

  1. Install the SAML SSO app.

  2. Verify the configuration of the SAML SSO app. It should automatically detect and apply the previous ADFS configuration. (The configurations of both apps should appear similar.)

  3. In your Azure configuration, update the Reply URL to: https://{your-eliona-domain.com}/apps-public/saml-sso/saml/acs

  4. Ensure that the Entity ID in your Azure configuration matches the one specified in the SAML SSO app.

Once these steps are complete, test the login process to confirm that SSO is working as expected. Do the test in a separate browser session while an administrator stays logged in with a local account, so that a broken SSO configuration cannot lock you out. After successful verification, you can safely remove the ADFS app.

Configuration

The SAML 2.0 Service Provider is configured with a single configuration object that has the following attributes:

Attribute: Description

id: Configuration Id. Only the value 1 is supported, i.e. there is exactly one configuration.

enable: Whether the configuration is enabled or not.

serviceProviderCertificate: The X.509 certificate of this SAML Service Provider (SP). A self-signed certificate is acceptable. The IdP uses it to verify requests signed by the SP (see signedRequest).

serviceProviderPrivateKey: The private key matching the SP certificate. DO NOT use an RSA key shorter than 2048 bits. Treat this value as a secret: anyone holding it can sign requests in the name of this SP.

idpMetadataUrl: The metadata URL of the Identity Provider (IdP), if available. Use an https URL, since the metadata carries the IdP signing certificate that all assertions are verified against. If the URL is not reachable from Eliona, leave this null and provide the metadata via idpMetadataXml instead.

idpMetadataXml: The IdP metadata XML itself, for the case where idpMetadataUrl is not accessible.

ownUrl: The public URL of this Eliona instance (for example https://customer.eliona.cloud).

userToArchive: If enabled, a newly created user is archived and cannot log in until an admin has activated it. Enable this if a successful IdP login alone should not grant access to Eliona.

allowInitializationByIdp: Allow IdP-initiated assertions (unsolicited SAML responses). Leave this disabled unless your IdP requires it: an unsolicited response cannot be matched to an AuthnRequest issued by Eliona, so it cannot be protected against replay in the same way as the SP-initiated flow.

signedRequest: Whether the SP sends a signed SAML AuthnRequest or not.

forceAuthn: Normally false for an SP. If set to true, the user has to re-authenticate (log in at the IdP) even if they have a valid session with the IdP.

entityId: Service Provider Entity ID. A unique identifier URI, typically based on the tenant's domain. The default value can normally be left as it is; it must match the Identifier (Entity ID) configured at the IdP character for character.

loginFailedUrl: The URL to redirect to if the login failed. If this value is null, the default page /noLogin is shown.

The configuration is submitted as a JSON structure. The following example defines a configuration that loads the IdP metadata from a URL and sends signed AuthnRequests (the certificate and key are abbreviated with ***):

{
  "id": 1,
  "enable": true,
  "serviceProviderCertificate": "-----BEGIN CERTIFICATE-----***-----END CERTIFICATE-----",
  "serviceProviderPrivateKey": "-----BEGIN PRIVATE KEY-----***-----END PRIVATE KEY-----",
  "idpMetadataUrl": "https://login.thirdparty-idp.example/federationmetadata/metadata.xml",
  "idpMetadataXml": null,
  "ownUrl": "https://customer.eliona.cloud",
  "userToArchive": false,
  "allowInitializationByIdp": false,
  "signedRequest": true,
  "forceAuthn": false,
  "entityId": "{ownUrl}/saml/metadata",
  "loginFailedUrl": "{ownUrl}/noLogin"
}

Configurations can be created using this structure in Eliona under Settings > Apps > System > SAML SSO App. To do this, select the /configuration endpoint with the POST method.

Refer to your SSO provider's documentation for configuration on provider's side.
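The constraints in the table above (a single configuration, exactly one metadata source, RSA keys of at least 2048 bits, signed requests needing a key pair) are easy to get wrong when the JSON is assembled by hand. The following Python script is an added example, not code from Eliona or the SAML SSO app: it checks a /configuration payload against those constraints before you POST it, and derives the values you have to enter on the IdP side (Entity ID and Reply URL). The key-size check reads the RSA modulus straight out of the PEM with a minimal DER reader, so it runs offline with the standard library only. It assumes that "{ownUrl}" in entityId and loginFailedUrl is a placeholder for ownUrl, as in the page's example; the page does not say whether Eliona expands it, so the script expands it itself. The key used in the sample is constructed to have the right shape and size and is not a usable key.

```python
import base64

RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1 (rsaEncryption)
ACS_PATH = "/apps-public/saml-sso/saml/acs"          # Reply URL path of the SAML SSO app
MIN_RSA_BITS = 2048

def _read_tlv(buf, pos):
    """Read one DER tag-length-value triple, returning (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(pem):
    """Bit length of the RSA modulus in a PEM key: PKCS#8 ('BEGIN PRIVATE KEY') or
    PKCS#1 ('BEGIN RSA PRIVATE KEY'). Raises ValueError for anything else."""
    body64 = "".join(l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----"))
    tag, body, _ = _read_tlv(base64.b64decode(body64), 0)
    if tag != 0x30:
        raise ValueError("key is not a DER SEQUENCE")
    if "BEGIN RSA PRIVATE KEY" not in pem:           # PKCS#8: unwrap PrivateKeyInfo first
        _, _, p = _read_tlv(body, 0)                 # version
        _, alg, p = _read_tlv(body, p)               # AlgorithmIdentifier
        if _read_tlv(alg, 0)[1] != RSA_OID:
            raise ValueError("private key is not an RSA key")
        _, octets, _ = _read_tlv(body, p)            # OCTET STRING wrapping RSAPrivateKey
        _, body, _ = _read_tlv(octets, 0)
    _, _, p = _read_tlv(body, 0)                     # RSAPrivateKey.version
    _, modulus, _ = _read_tlv(body, p)               # RSAPrivateKey.modulus
    return int.from_bytes(modulus, "big").bit_length()

def validate_config(cfg):
    """Return a list of findings for a /configuration payload; an empty list means it passes."""
    f = []
    if cfg.get("id") != 1:
        f.append("id must be 1: only a single configuration is supported")
    url, xml = cfg.get("idpMetadataUrl"), cfg.get("idpMetadataXml")
    if bool(url) == bool(xml):
        f.append("set exactly one of idpMetadataUrl and idpMetadataXml")
    if url and not url.startswith("https://"):
        f.append("idpMetadataUrl should be https: plain-http metadata (incl. the IdP signing cert) can be tampered with")
    own = cfg.get("ownUrl") or ""
    if not own.startswith("https://") or own.endswith("/"):
        f.append("ownUrl must be https without a trailing slash (it is prefixed to the ACS and metadata paths)")
    key, cert = cfg.get("serviceProviderPrivateKey"), cfg.get("serviceProviderCertificate")
    if key:
        try:
            bits = rsa_modulus_bits(key)
            if bits < MIN_RSA_BITS:
                f.append(f"serviceProviderPrivateKey is {bits}-bit RSA; use at least {MIN_RSA_BITS}")
        except ValueError as e:
            f.append(f"serviceProviderPrivateKey: {e}")
    if cfg.get("signedRequest") and not (key and cert):
        f.append("signedRequest=true needs both serviceProviderCertificate and serviceProviderPrivateKey")
    if cfg.get("allowInitializationByIdp"):
        f.append("allowInitializationByIdp=true: unsolicited responses cannot be tied to an SP request; keep off unless required")
    return f

def sp_endpoints(cfg):
    """Values to enter at the IdP (Identifier / Reply URL). Assumes '{ownUrl}' in entityId and
    loginFailedUrl is a placeholder for ownUrl, as in the page's example (expanded here, not by Eliona)."""
    own = cfg["ownUrl"]
    def expand(v, default):
        return (v or default).replace("{ownUrl}", own)
    return {"entityId": expand(cfg.get("entityId"), "{ownUrl}/saml/metadata"),
            "acs": own + ACS_PATH,
            "loginFailedUrl": expand(cfg.get("loginFailedUrl"), "{ownUrl}/noLogin")}

def _der(tag, content):                      # DER TLV encoder, used only to build the constructed key
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content

def _der_int(v):
    raw = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, (b"\x00" if raw[0] & 0x80 else b"") + raw)   # keep INTEGER positive

def constructed_pkcs8_rsa_pem(bits):
    """Structurally valid PKCS#8 RSA key whose modulus has exactly `bits` bits. The numbers are
    constructed and NOT a usable key; it exists only so the size check can run offline."""
    rsa_key = _der(0x30, _der_int(0) + _der_int((1 << (bits - 1)) | 1) + _der_int(65537) + _der_int(1) * 6)
    alg_id = _der(0x30, _der(0x06, RSA_OID) + _der(0x05, b""))
    pki = _der(0x30, _der_int(0) + alg_id + _der(0x04, rsa_key))
    return "-----BEGIN PRIVATE KEY-----\n" + base64.encodebytes(pki).decode() + "-----END PRIVATE KEY-----\n"

def sample_config(key_bits=2048):
    """The page's example configuration, with a constructed key of the given size."""
    return {"id": 1, "enable": True, "signedRequest": True, "forceAuthn": False,
            "userToArchive": False, "allowInitializationByIdp": False,
            "serviceProviderCertificate": "-----BEGIN CERTIFICATE-----***-----END CERTIFICATE-----",
            "serviceProviderPrivateKey": constructed_pkcs8_rsa_pem(key_bits),
            "idpMetadataUrl": "https://login.thirdparty-idp.example/federationmetadata/metadata.xml",
            "idpMetadataXml": None, "ownUrl": "https://customer.eliona.cloud",
            "entityId": "{ownUrl}/saml/metadata", "loginFailedUrl": "{ownUrl}/noLogin"}
```

Run validate_config on the dictionary you are about to POST and only continue when it returns an empty list; sp_endpoints gives you the Entity ID and Reply URL to paste into the IdP, which avoids the classic mismatch where the IdP has a trailing slash or a different scheme than Eliona.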

Attribute mapping

The default attribute mapping (suited for Azure AD) can be altered using the /configuration/attribute-mapping endpoint.

{
  "uuid": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
  "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
  "phone": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phoneNumber"
}

If you want to use the e-mail address as the identifier (recommended), leave the uuid field empty. If you want to use a different unique user ID (for example the UPN), set uuid to the name of that SAML attribute. Whichever attribute you choose, the IdP must send it for every user and it must be stable: a user whose identifier value changes at the IdP will not be matched to their existing Eliona user.

Permission mapping

To apply access control, the SAML SSO app can assign Eliona roles to a user when the user is created, based on a SAML attribute sent by the IdP.

Example for setting up project roles:

First, create the project roles "Project user" and "Project guest" in the Eliona Engineering module, then configure the /configuration/permission-mapping endpoint with the following configuration:

{
  "defaultSystemRole": "System user",
  "defaultProjRole": "Project user",
  "defaultLanguage": "en",
  "projRoleSamlAttribute": "MemberOf",
  "projRoleMap": [
    {
      "elionaRole": "Project user",
      "samlValue": "Manager"
    },
    {
      "elionaRole": "Project guest",
      "samlValue": "Guest"
    }
  ]
}

projRoleSamlAttribute is the name of the SAML attribute that carries the role value (here the group membership sent by the IdP). A user whose attribute contains one of the samlValue entries gets the corresponding elionaRole; defaultProjRole and defaultSystemRole apply otherwise. JSON does not allow comments, so keep the payload free of // annotations when posting it.
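To make the two mappings above concrete, here is an added Python example (not code from Eliona or the SAML SSO app) that applies the attribute mapping and the permission mapping to the AttributeStatement of a SAML assertion and produces the user record the app would have to create. The assertion fragment is constructed for this example; the mapping dictionaries are the ones shown on this page. Two points the page leaves open are handled as this example's own choices and labelled as such: when the role attribute carries several values that match, the first entry in projRoleMap wins, and an e-mail identifier is lower-cased so that case differences at the IdP do not produce duplicate users. The parser must only ever be fed an assertion whose signature has already been verified; mapping attributes from an unverified assertion would let anyone choose their own role.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mappings as on the page: default (Azure AD) attribute mapping and the permission-mapping example.
ATTRIBUTE_MAPPING = {
    "uuid": None,   # empty: identify users by e-mail address (recommended)
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "firstName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "lastName": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
    "phone": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/phoneNumber",
}
PERMISSION_MAPPING = {
    "defaultSystemRole": "System user",
    "defaultProjRole": "Project user",
    "defaultLanguage": "en",
    "projRoleSamlAttribute": "MemberOf",
    "projRoleMap": [
        {"elionaRole": "Project user", "samlValue": "Manager"},
        {"elionaRole": "Project guest", "samlValue": "Guest"},
    ],
}

# Constructed assertion fragment (not a real IdP response); only the AttributeStatement is used.
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee" Version="2.0">
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}upn"><saml:AttributeValue>alice@customer.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>Alice.Muster@customer.example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Muster</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="MemberOf">
      <saml:AttributeValue>Facility-Readers</saml:AttributeValue>
      <saml:AttributeValue>Guest</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def attribute_values(assertion_xml):
    """Map each SAML attribute Name to its list of values (exact, case-sensitive Name match).
    Only call this on an assertion whose signature has already been verified."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def resolve_identity(attrs, mapping):
    """Pick the user identifier: the uuid attribute when one is mapped, otherwise the e-mail."""
    def first(key):
        name = mapping.get(key)
        return (attrs.get(name) or [None])[0] if name else None
    uuid, email = first("uuid"), first("email")
    if mapping.get("uuid") and not uuid:
        raise ValueError(f"IdP did not send the uuid attribute {mapping['uuid']!r}")
    if not (uuid or email):
        raise ValueError("assertion carries neither a uuid nor an e-mail attribute")
    return {
        "identifier": uuid or email.lower(),   # lower-casing e-mail is this example's choice
        "identifiedBy": "uuid" if uuid else "email",
        "email": email,
        "firstName": first("firstName"),
        "lastName": first("lastName"),
        "phone": first("phone"),
    }

def resolve_project_role(attrs, perm):
    """First projRoleMap entry whose samlValue is present wins (example's precedence); else the default."""
    sent = set(attrs.get(perm["projRoleSamlAttribute"], []))
    for entry in perm["projRoleMap"]:
        if entry["samlValue"] in sent:
            return entry["elionaRole"]
    return perm["defaultProjRole"]

def build_user(assertion_xml, mapping=ATTRIBUTE_MAPPING, perm=PERMISSION_MAPPING):
    """The Eliona user record derived from a verified assertion and the two mappings."""
    attrs = attribute_values(assertion_xml)
    user = resolve_identity(attrs, mapping)
    user["systemRole"] = perm["defaultSystemRole"]
    user["projectRole"] = resolve_project_role(attrs, perm)
    user["language"] = perm["defaultLanguage"]
    return user
```

With the page's default mapping, build_user(SAMPLE_ASSERTION) identifies Alice by e-mail and, because her MemberOf values contain "Guest", assigns "Project guest"; switching the uuid field to the UPN claim makes the UPN the identifier instead, and a user with no matching group value falls back to defaultProjRole.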

Azure AD as a SAML SSO Identity Provider

To configure Azure Active Directory (Azure AD) specifically for SAML-based Single Sign-On (SSO), follow these steps:

  1. Create an Enterprise Application in Azure AD

    • Navigate to Azure Active Directory > Enterprise applications. (Note that App registrations are for OAuth/OIDC workflow, while Enterprise applications are for SAML.)

    • Click New application, then choose "Create your own application".

    • Enter your application name and select "Integrate any other application you don't find in the gallery".

    • Click Create.

  2. Configure Single Sign-On (SAML)

    • In your enterprise application, under Manage, select Single sign-on.

    • Choose SAML as the single sign-on method.

  3. Set Up Basic SAML Configuration

    • Click Edit on the Basic SAML Configuration panel.

      • Identifier (Entity ID): Set this to a unique URI, typically based on your tenant's domain or another verified domain, for example yourtenant.onmicrosoft.com/your-app-id. It does not have to correspond to the actual Eliona instance domain, but it must be identical to the entityId in the SAML SSO app configuration. It can also be set via the manifest field "identifierUris".

      • Reply URL (Assertion Consumer Service URL): Enter the URL where Azure AD will send SAML responses, for example: https://customer.eliona.cloud/apps-public/saml-sso/saml/acs.

  4. Download Azure AD Metadata

    • Under the SAML Signing Certificate section, download the Federation Metadata XML file or copy the metadata URL provided:

    https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml
    • Replace {tenant-id} with your actual Azure AD tenant ID.

  5. Assign Users and Groups

    • Under Users and groups, assign users or groups permitted to authenticate via SAML to Eliona.

  6. Configure SAML SSO Settings in Eliona

    • MS Log-in: Activate the log-in button "via Microsoft" by setting the configuration as "Enabled".

    • Metadata URL: Enter the metadata URL copied from Azure AD (see step 4).

    • Own URL: Enter your Eliona instance URL (e.g., https://customer.eliona.cloud).

    • Entity ID: Set the entity ID from step 3.

    • Certificate: Optionally use a self-generated (self-signed) certificate and matching private key as the SP key pair. It is used to sign AuthnRequests when signedRequest is enabled; in that case Azure AD needs the certificate to verify the signatures.
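Step 4 hands the IdP metadata to Eliona, and the whole trust relationship rests on that document: it names the tenant (entityID) and carries the certificate that every assertion signature is checked against. The following Python example is added here and is not code from Eliona or Microsoft; it parses a federation metadata document, extracts the IdP entityID, the SingleSignOnService endpoints and the signing certificates, refuses metadata that carries no signing certificate, and checks that the tenant ID in the metadata matches the tenant in the idpMetadataUrl you entered in step 6. The metadata sample is constructed in the shape Azure AD publishes (SAML parts only, a placeholder certificate, a made-up tenant ID); the assumption that Azure AD's IdP entityID has the form https://sts.windows.net/{tenant-id}/ is the example's, not something stated on this page.

```python
import re
import xml.etree.ElementTree as ET

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
GUID = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Constructed metadata, trimmed to the SAML parts of what Azure AD serves at
# https://login.microsoftonline.com/{tenant-id}/federationmetadata/2007-06/federationmetadata.xml
TENANT = "11111111-2222-3333-4444-555555555555"          # made-up tenant ID
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://sts.windows.net/{TENANT}/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/{TENANT}/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints and signing certificates from SAML IdP metadata."""
    root = ET.fromstring(xml_text)
    if root.tag != "{urn:oasis:names:tc:SAML:2.0:metadata}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", MD_NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")
    certs = []
    for kd in idp.iterfind("md:KeyDescriptor", MD_NS):
        if kd.get("use", "signing") == "signing":       # a KeyDescriptor without 'use' serves both purposes
            for c in kd.iterfind("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD_NS):
                certs.append("".join(c.text.split()))
    if not certs:
        raise ValueError("no signing certificate in metadata: assertions could not be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.iterfind("md:SingleSignOnService", MD_NS)}
    if REDIRECT not in sso and POST not in sso:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService endpoint")
    return {"entityId": root.get("entityID"), "signingCertificates": certs,
            "ssoRedirect": sso.get(REDIRECT), "ssoPost": sso.get(POST)}

def azure_tenant_id(text):
    """Tenant GUID embedded in an Azure metadata URL or in the IdP entityID (None if absent)."""
    m = GUID.search(text or "")
    return m.group(0).lower() if m else None

def check_metadata_matches_config(metadata_xml, idp_metadata_url):
    """Findings if the metadata does not belong to the tenant named in idpMetadataUrl
    or points the browser at non-https SSO endpoints; empty list means consistent."""
    info = parse_idp_metadata(metadata_xml)
    findings = []
    expected, actual = azure_tenant_id(idp_metadata_url), azure_tenant_id(info["entityId"])
    if expected and actual != expected:
        findings.append(f"metadata entityID tenant {actual} does not match tenant {expected} in idpMetadataUrl")
    for loc in (info["ssoRedirect"], info["ssoPost"]):
        if loc and not loc.startswith("https://"):
            findings.append(f"SingleSignOnService location is not https: {loc}")
    return findings
```

Running check_metadata_matches_config on the downloaded Federation Metadata XML together with the metadata URL from step 4 catches the two mistakes that show up most often in practice: metadata copied from the wrong tenant, and metadata with no usable signing certificate (for example after a certificate rollover that left only an encryption key).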

Go to the Azure portal.

For more detailed guidance, refer to the official Microsoft Azure SAML documentation.

See also: Eliona Single-Sign-On.