Single Sign-On (SSO) for Organizations using the Herrmann Platform

Dorothy Roche

Brief Introduction:

Many organizations run a variety of software applications, each of which requires its own login. To reduce that burden, and to keep authentication policy (password rules, multi-factor authentication, deprovisioning) in one place, organizations set up Single Sign-On (SSO).

Because the Herrmann Platform requires a login, it now supports SSO for organizations that already have an identity provider using the SAML protocol or OpenID Connect.

SSO can be added to the Herrmann Platform for a client organization after the requirements have been discussed between the organization's IT staff and contract representative, a Herrmann Representative, and Herrmann Technical Support.

If your organization is interested in SSO, please review this article and contact your Herrmann Representative.

This article is divided into 2 sections:

General Overview

Detailed Implementation Steps


SSO is available on the Herrmann Platform as of October 2021 

General Overview

WHAT is SSO?

SSO integration with the Herrmann Platform lets our customers retain control of security and access for their employees: users are authenticated by the organization's own identity provider, and the Herrmann Platform accepts that authentication instead of keeping a separate password. It also makes it easier for individuals to sign in to our platform, because they use the login credentials they already have.

WHO is impacted by SSO?

Users logging in to the Herrmann Platform benefit from SSO because they log in once and then reach all of the web applications their organization has connected to its identity provider. The organization benefits because access is managed centrally: when a person's account is disabled at the identity provider, their SSO login to the Herrmann Platform stops working as well.
Organizations should designate at least one person as the Herrmann Platform administrator to set up single sign-on for the organization. Herrmann will train and support the administrator in setting up SSO. The administrator does not need specific technical credentials, but should have a working relationship with the organization's IT department, since the identity-provider side of the setup is done there.

WHY is SSO Important?

SSO lets Herrmann Platform users log in securely through their organization's existing single sign-on setup. There is no separate Herrmann password to create, remember or reset, and the organization's own login protections (such as multi-factor authentication) apply to the Herrmann Platform as well.

HOW:

SSO within the Herrmann Platform currently works with the SAML protocol or OpenID Connect. To enable SSO with the Herrmann Platform:

  • Herrmann first enables the SSO feature for the organization
  • The Organization Administrator logs in to the Herrmann Platform and uses the self-service administration tools to enter the required identity-provider details (see the specific steps and screenshots below)

--------------------------------------------------------------------------------------------------------------------

Detailed Implementation Steps

  • Herrmann enables the SSO feature
  • The Herrmann client's Organization Administrator:
    1. Logs in to the Herrmann Platform and opens the Organization Administrator Tools
       [Screenshot: SSO_1_Acct_settings.PNG]
    2. Enables SSO by selecting the checkbox
    3. Selects the Sign On Method that matches the organization's identity provider:
          • SAML
          • OpenID Connect

For SAML

4. Enter SSO URL - the Identity Provider Single Sign-On URL from the SAML application in the organization's Okta account (Okta shows it in the app's Sign On settings)
   [Screenshot: SSO_2_Okta_Settings.PNG]

5. Enter Identity Provider Issuer URL/Identity - the Identity Provider Issuer value from the same Okta Sign On settings

   [Screenshot: SSO_SAML_3.PNG]

6. Enter Public certificate fingerprint

    • The X.509 public certificate that Okta provides must be converted to a SHA-256 fingerprint (the SHA-256 digest of the certificate's DER encoding). One way is the free conversion tool at https://www.samlcomponent.net/tools/fingerprint.aspx:
      • Copy and paste the X.509 certificate provided by Okta into the text area.
      • In the algorithm drop-down select 'SHA256' and then select 'Calculate Fingerprint'.
      • Copy the generated 'Formatted FingerPrint' into the Public Certificate FingerPrint field on the SSO setup screen in the Herrmann Platform admin tools.
    • The certificate is public, so pasting it into a third-party tool exposes no secret; if your IT policy prefers, the same value can be computed locally with OpenSSL or any SHA-256 tool. Whichever method is used, the fingerprint must be recalculated and updated in the Herrmann Platform whenever Okta's SAML signing certificate is rotated, otherwise SSO logins will fail.
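The same SHA-256 fingerprint can be produced without any web tool. The following Python script is an added example, not part of this article or of Herrmann's or Okta's software; it uses only the standard library, because a certificate fingerprint is nothing more than the hash of the certificate's DER bytes. It accepts the PEM file Okta provides, or the bare base64 body as it appears inside SAML metadata, tolerates copy-paste artefacts (CRLF line endings, indentation, stray blanks), and refuses a pasted chain of several certificates. The sample input is a constructed placeholder body (the base64 of the bytes "abc"), not a real certificate, chosen so the result is a known SHA-256 test vector; the colon-separated upper-case output format is assumed to match the tool's 'Formatted FingerPrint'.

```python
"""Compute the SHA-256 fingerprint of an X.509 certificate locally.

Added example (not Herrmann or Okta code). A certificate fingerprint is the
hash of the certificate's DER encoding, so the standard library is enough:
no X.509 parsing is needed.
"""
import base64
import binascii
import hashlib
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.DOTALL
)

# Constructed placeholder, NOT a real certificate: its "body" is just the
# base64 of the bytes b"abc", chosen so the expected fingerprint is a known
# SHA-256 test vector. Replace it with the certificate downloaded from Okta.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(text: str) -> bytes:
    """Return the DER bytes of the single certificate contained in `text`.

    Accepts the PEM file Okta provides or the bare base64 body (as found
    inside <ds:X509Certificate> in SAML metadata). CRLF line endings,
    indentation and stray blanks from copy-paste are ignored. More than one
    certificate is rejected so a whole chain is never hashed by mistake.
    """
    blocks = PEM_BLOCK.findall(text)
    if len(blocks) > 1:
        raise ValueError(
            f"{len(blocks)} certificates found; paste only the IdP signing certificate"
        )
    body = re.sub(r"\s+", "", blocks[0] if blocks else text)
    if not body:
        raise ValueError("no certificate data found")
    try:
        return base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError("certificate body is not valid base64") from exc


def sha256_fingerprint(text: str) -> str:
    """Colon-separated upper-case hex, as printed by `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(pem_to_der(text)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print(sha256_fingerprint(SAMPLE_PEM))
```

To cross-check the value against an independent implementation, run `openssl x509 -noout -fingerprint -sha256 -in okta.cert` on the certificate downloaded from Okta; both should print the same 95-character string.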

 

 

For OpenID

[Screenshot: SSO_Open_ID_view_2.PNG]

  1. Select the Sign-On Method 'Open ID Connect'
  2. Client ID - the identifier Okta generates when you create the app in Okta (see the Okta preparation steps below)
  3. Client Secret - the credential Okta generates when the app is created; treat it like a password
  4. Authorization URL - the value labeled 'Okta Domain' in the 'General Settings' of the Okta app you created

Your Organization’s OKTA Preparations

 

IT/Admin Technical Setup

The client's IT/Okta admin creates the Okta app and assigns it to the users who will be accessing Herrmann services.

  • Go to Applications and select 'Add Application'
    [Screenshot: SSO_Okta_2.PNG]

Select Create New App. In the window that opens, select Web for the platform and OpenID Connect for the Sign on method.

[Screenshot: SSO_Okta_Add_application.PNG]

[Screenshot: SSO_OKTA_Create_new.PNG]

After selecting Create, you are taken to a new screen where you need to change the name of the application to Herrmann Platform and add the Login redirect URI provided by Herrmann. Enter it exactly as provided, with your organization's UUID in place of the placeholder: Okta requires the redirect URI sent at login to match a registered one exactly.

    • Login Redirect URI for the Herrmann Platform: https://journey.herrmannsolutions.net/account/auth/oktaoauth/callback?org_id={YOUR ORG UUID}
      [Screenshot: SSO_Open_ID_Connect_ID.PNG]

After you have saved the application you will be on the General page for it. Edit the General Settings and, under Allowed grant types, select 'Implicit (Hybrid)', which shows additional options; select 'Allow ID Token with implicit grant type' and then Save. Enable only the grant types and token options Herrmann asks for; each additional one widens the ways the app can be used.

Note: the Login redirect URLs is: https://journey.herrmannsolutions.net/?????????????

[Screenshot: SSO_General_Settings.PNG]

Update the Initiate login URI (below) and select 'Either Okta or App' in the Login initiated by field. Also make sure that 'Redirect to app to initiate login (OIDC Compliant)' is selected for the Login flow.

Initiate login URI for the Herrmann Platform: journey.herrmannsolutions.net/account/okta/{YOUR ORG UUID}

[Screenshot: SSO_Okta_Login.PNG]

After saving the settings, provide Herrmann with the Client ID, Client Secret and Okta Domain shown on the General page of the application. The Client Secret is a credential: send it through the secure channel agreed with your Herrmann Representative rather than in a plain email or an unredacted screenshot, and rotate it in Okta if it is ever exposed.

[Screenshot: SSO_Demo_App.PNG]
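Okta, like any OAuth 2.0 / OpenID Connect provider, compares the redirect_uri in a login request with the registered Login redirect URIs as exact strings, so an http:// scheme, a trailing slash, a mistyped org UUID or an unreplaced {YOUR ORG UUID} placeholder each produce a redirect-URI error at login time. The following Python script is an added example, not Herrmann or Okta code: it builds the Login redirect URI from this article for a given organization UUID (the UUID used here is a constructed sample) and reports, component by component, why a registered value would not match. It does not reproduce Okta's exact error text.

```python
"""Check an Okta Login redirect URI against the one Herrmann expects.

Added example (not Herrmann or Okta code). OAuth 2.0 / OIDC redirect URIs are
compared by exact string match, so any drift between the value registered in
Okta and the value Herrmann's callback expects breaks every SSO login.
"""
import uuid
from urllib.parse import parse_qsl, urlsplit

HERRMANN_HOST = "journey.herrmannsolutions.net"
REDIRECT_PATH = "/account/auth/oktaoauth/callback"

# Constructed sample UUID; Herrmann issues the real org UUID.
SAMPLE_ORG_ID = "123e4567-e89b-12d3-a456-426614174000"


def expected_redirect_uri(org_id: str) -> str:
    """Build the Login redirect URI from the article for one organization.

    The org UUID comes from Herrmann; it is only checked to be well formed so a
    truncated or mistyped value is caught before it is registered in Okta.
    """
    try:
        uuid.UUID(org_id)
    except ValueError as exc:
        raise ValueError(f"org_id {org_id!r} is not a UUID") from exc
    return f"https://{HERRMANN_HOST}{REDIRECT_PATH}?org_id={org_id}"


def diagnose_redirect_uri(registered: str, expected: str) -> list:
    """Explain why `registered` would fail an exact-match comparison.

    Returns an empty list when the URIs are identical, otherwise one finding
    per differing component (placeholder, scheme, host, path, query, fragment).
    """
    if registered == expected:
        return []
    findings = []
    if "{" in registered or "}" in registered:
        findings.append("placeholder such as {YOUR ORG UUID} was not replaced")
    reg, exp = urlsplit(registered), urlsplit(expected)
    if reg.scheme != exp.scheme:
        findings.append(f"scheme is {reg.scheme!r}, expected {exp.scheme!r}")
    if reg.netloc.lower() != exp.netloc.lower():
        findings.append(f"host is {reg.netloc!r}, expected {exp.netloc!r}")
    if reg.path != exp.path:
        hint = " (trailing slash?)" if reg.path.rstrip("/") == exp.path.rstrip("/") else ""
        findings.append(f"path is {reg.path!r}, expected {exp.path!r}{hint}")
    reg_q = dict(parse_qsl(reg.query, keep_blank_values=True))
    exp_q = dict(parse_qsl(exp.query, keep_blank_values=True))
    for key in sorted(set(reg_q) | set(exp_q)):
        if reg_q.get(key) != exp_q.get(key):
            findings.append(
                f"query parameter {key!r} is {reg_q.get(key)!r}, expected {exp_q.get(key)!r}"
            )
    if reg.fragment:
        findings.append("fragment is not allowed in a redirect URI")
    if not findings:
        findings.append("URIs differ only in case or encoding; register the exact string")
    return findings


if __name__ == "__main__":
    expected = expected_redirect_uri(SAMPLE_ORG_ID)
    for candidate in (
        expected,
        expected.replace("https://", "http://"),
        expected.replace("callback?", "callback/?"),
    ):
        print(candidate, "->", diagnose_redirect_uri(candidate, expected) or "OK")
```

Run it with the UUID Herrmann gave you and paste the value actually saved in Okta as `registered`; an empty result means the two strings are identical, which is the only outcome Okta accepts.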

NOTE: A person who does not yet have a User account in the Herrmann Platform must first sign on through SSO by accepting an invitation link created in the Herrmann Platform; this creates their user record.

If they click the Herrmann icon in Okta before accepting the invitation, they will receive an error message because they have no record in the Herrmann Platform.

For more general information on how to create an OpenID Connect application in Okta see the below link:

https://help.okta.com/en/prod/Content/Topics/Apps/Apps_App_Integration_Wizard_OIDC.htm
