Configurations
SAML Based Configurations
Register AE as SP with IDP
- AssistEdge uses the SAML Service Provider (SP) initiated sign-in flow.
- Use AE SP metadata to register AssistEdge in the Identity Provider (IDP). Following is the SP metadata URL:
http(s)://AssistEdgehost:port/api/saml/sp/descriptor
Configure AE server-side
Update the following parameters in the auth.yml file, available in the <<AssistEdge Build Folder>>\scripts\ folder:
| Name of the property | Description |
| --- | --- |
| Scheme | Set the value as SAML. |
| roboScheme | Set the value as SAML (or AD for mixed authentication). |
| ssoAutoRoleAssignment | Set the value as true to assign a role automatically to the user. If this parameter is set to true you must also edit the ssoRoleMap parameter; otherwise you can ignore mapping the organization role to the specified AE role. |
| ssoRoleMap | Update this parameter only if ssoAutoRoleAssignment is set to true. It maps your organization role to the specified AE role. For example, if the IDP wants to map its Manager role to the AE Super_Admin role, the required configuration is Manager: "Super_Admin". You must restart ControlTower after updating this parameter. |
| entryPoint | Specify the IDP entry point. Refer to the IDP metadata file for details. |
| Issuer | The unique entity identifier of the service provider. |
| identifierFormat | Specify the name identifier format for the request. By default, it is set to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. |
| logoutUrl | Specify the base address to call with logout requests (default: entryPoint). Refer to the IDP metadata file for details. |
| acceptedClockSkewMs | Specify the clock skew (in milliseconds) that is acceptable between client and server when checking the NotBefore and NotOnOrAfter assertion condition validity timestamps. Setting this value to -1 disables checking these conditions. By default it is set to 0. |
| Cert | Specify the IDP's public signing certificate, used to validate the signatures of incoming SAML Responses. Refer to the IDP metadata file for details. |
| requestIdExpirationPeriodMs | Defines how long a Request ID generated for a SAML request remains valid when it is seen in the InResponseTo field of a SAML response. Default is 8 hours. |
| failureRedirect | Specify a page to redirect to on SAML authentication failure, or leave it empty. Default is empty. |
| Validation Section | Note: You can leave the attributes below commented out if you do not want server-side validation of the credentials entered on Control Tower. |
| browserPath | Specify the path of the installed Chrome executable. For Windows OS, check your Program Files directory and set the path as C:\\Program Files (x86)\\Google\\Chrome\\Application\\chrome.exe. For Linux OS, install the Chrome package and provide the path of chrome, for example /opt/google/chrome/chrome. |
| usernameSelector | Specify the username selector value of the IDP login page. For example, if the selector chosen is id and its value is username, set the value as #username. The # symbol denotes the id selector to be used. |
| passwordSelector | Specify the password selector value of the IDP login page. For example, set the value as #password. The # symbol denotes the id selector to be used. |
| loginSelector | Specify the login selector value of the IDP login page. For example, set the value as #kc-login. The # symbol denotes the id selector to be used. |
| headless | Set this value as true if you need a headless browser to perform the authentication. |
For more information about the SAML configuration, see https://www.npmjs.com/package/passport-saml. The supported version of passport-saml is 3.2.0.
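As an added example (not part of the AssistEdge documentation or product), the following Python script reads a flat auth.yml and flags the settings from the table above that weaken SAML validation: a missing Cert, acceptedClockSkewMs set to -1, and ssoAutoRoleAssignment enabled without a ssoRoleMap or with a mapping to Super_Admin. It assumes a flat key: value layout with the property names as documented; the sample configuration and its Cert value are constructed placeholders.

```python
# Added example (not AssistEdge's own code): lint the SAML settings of auth.yml.
# Assumes a flat "key: value" file using the property names documented above.

def load_flat_yaml(text):
    """Tiny loader for 'key: value' lines; '#' comments and blanks are skipped.
    Two-space-indented lines are collected under the preceding mapping key."""
    cfg, current_map = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        key, _, value = line.strip().partition(":")
        value = value.strip().strip('"')
        if raw.startswith("  ") and current_map is not None:
            current_map[key] = value  # entry of a mapping such as ssoRoleMap
        elif value == "":
            cfg[key] = current_map = {}  # key with no value starts a mapping
        else:
            cfg[key], current_map = value, None
    return cfg

def lint_saml_config(cfg):
    """Return a list of findings; an empty list means the checks passed."""
    findings = []
    if not cfg.get("Cert"):
        findings.append("Cert missing: IDP response signatures cannot be verified")
    if int(cfg.get("acceptedClockSkewMs", 0)) == -1:
        findings.append("acceptedClockSkewMs=-1 disables NotBefore/NotOnOrAfter checks")
    auto = str(cfg.get("ssoAutoRoleAssignment", "false")).lower() == "true"
    role_map = cfg.get("ssoRoleMap") if isinstance(cfg.get("ssoRoleMap"), dict) else {}
    if auto and not role_map:
        findings.append("ssoAutoRoleAssignment=true but ssoRoleMap is empty")
    for org_role, ae_role in (role_map.items() if auto else []):
        if ae_role == "Super_Admin":  # privileged mapping: worth a deliberate review
            findings.append(f"IDP role '{org_role}' maps to Super_Admin; confirm intent")
    return findings

SAMPLE_AUTH_YML = """\
ssoAutoRoleAssignment: true
ssoRoleMap:
  Manager: "Super_Admin"
entryPoint: https://idp.example.com/saml/sso
acceptedClockSkewMs: -1
Cert: PLACEHOLDER_IDP_SIGNING_CERT
"""  # constructed sample; Cert is a placeholder, not a real certificate

if __name__ == "__main__":
    for finding in lint_saml_config(load_flat_yaml(SAMPLE_AUTH_YML)):
        print("WARN:", finding)
```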
Configure Robot SE
The RoboSE.exe.config file needs to be updated. It is available at <<AssistEdge Build Folder>>\client-tools\AutomationRuntime\Robot\RobotAgent\RobotSE.
- Update the UserNameElement, UserNameElementSelector, PasswordElement, PasswordElementSelector, SubmitButtonElement and SubmitButtonElementSelector parameters to match the IDP login page so that the user sign-in can be automated.
- Increase the SSoLoginWaitTime to specify the wait time if the IDP login page loads slowly; otherwise keep the default configuration.
- Set the AutomateBrowser value as Chrome or IE.
NOTE: Once the above configuration is done, no further setup is required for thick clients such as Automation Studio or Engage.