Registering SAML Apps

EmpowerID supports SAML-based identity transactions, allowing you to federate EmpowerID with third-party applications that use SAML to exchange identity data. In this arrangement EmpowerID acts as the identity provider, issuing signed SAML assertions to the application (the service provider). So, if your organization has a corporate account with a service provider application that uses SAML, you can register that application in EmpowerID and give your users the ability to access any accounts they have in that application from EmpowerID.

This topic describes the general steps for registering a third-party SAML application in EmpowerID and is divided into the following activities:

  • To register a SAML application in EmpowerID
  • To claim an SSO application account

To register a SAML application in EmpowerID

  1. From the Navigation Sidebar, navigate to the Application Management page by expanding Applications and clicking Manage Applications.
  2. From the Actions pane of the Application Management page, click the Create Application action.
  3. This opens the Application Details form for the new application. This form contains various tabs and fields for registering the SAML application.

    In the following image, the Navigation Sidebar has been collapsed to conserve screen real estate.

  4. From the General tab of the Application Details form, do the following:
    1. Type an appropriate name, display name and description for the application in the Name, Display Name and Description fields, respectively.
    2. Allow Access Requests - Specify whether to allow access requests. When this option is selected, the application appears in the IT Shop, allowing users to request or claim an account in the application.
    3. Allow Request Account - Specify whether to allow users to request an account in the application. When this option is selected and Allow Access Requests is selected, users can request an account in the application.
    4. Allow Claim Account - Specify whether to give users the ability to claim an account they have in the application. When this option is selected, users can claim their accounts and gain instant access after passing the requisite identity proofs.
    5. Login Is Email Address - Specify whether the login for the application is an email address. EmpowerID uses this setting to decide what to send as the user's identity in the assertion it passes to the application at login, so it must match what the service provider expects as the user identifier.
    6. Make me the Application Owner - Specify whether you are the owner of the application. Application owners have the ability to manage the application and approve or deny access requests.
    7. Configure Advanced Claim and Request Account Options - Select this option, then provide the advanced configuration information, if you have custom pages and workflows in EmpowerID for processing access requests and for managing the accounts linked to the application's account directory (the directory internal to EmpowerID).
  5. Click the Single Sign-On tab.
  6. Select SAML from the Single Sign-On Connection Type drop-down.
  7. Tick Create a New SAML Connection.
  8. In the SAML Connection Information section that appears, do the following:
    1. Select the template for your particular application from the SAML Application Template drop-down. For example, if you are creating a SAML application that configures your corporate Salesforce account for SSO with EmpowerID, you select Salesforce SSO Connection Settings. Doing so populates the SAML Connection Information section with the base information necessary for federating Salesforce with EmpowerID.
    2. If you are configuring an application for SSO with EmpowerID and the application does not appear in the SAML Application Template drop-down, select Default SSO Connection Settings.
    3. Type a display name for the SAML Connection in the Display Name field.
    4. Select the certificate EmpowerID will use to sign the SAML assertions sent to the application from the Certificate drop-down. The service provider must be configured to trust this certificate (its public key); otherwise it cannot validate the signatures and will reject logins. Plan for renewal before the certificate expires, since logins stop when it does.
    5. Edit the Assertion Consumer URL field as needed. This value is supplied by the service provider and is the endpoint to which EmpowerID posts the assertion, so it must match the service provider's metadata exactly and should be an HTTPS URL.
  9. Click the Users tab and choose whether to create a new account directory for the application or to select an existing account directory from which to add accounts for the application. If you choose to create a new account directory, EmpowerID creates a special type of account store internal to EmpowerID, known as a "tracking-only" account store. A tracking-only account store is a container within EmpowerID for storing user and group records for SSO or attestation without making a connection to the external directory associated with the application. Creating a new account store when registering an application is advantageous in that it gives a one-to-one correlation between the account store, the application, and the application's SSO connection. In the following example, we are choosing to create a new account directory.
  10. Optionally, add a group to the application by doing the following:
    1. Click the Groups tab and then click the Add Button (+) in the Groups grid.
    2. In the Group Information dialog that appears, search for the group you want to add to the application and then click the tile for that group.
    3. Click Add and repeat step 2 for any other groups.
  11. Optionally, you can define the IP addresses that are allowed to access the application. This gives you the ability to restrict access to the application based on the network location of the user trying to access it. For example, you can deny access to users logging in from home but allow it for users logging in from the internal network. Note that the check is made against the source address of the connection, so users coming through a corporate VPN or proxy appear with that network's address rather than their own.
    • To add IP Address Ranges
      1. Click the IP Address Ranges tab and then click the Add Button (+) in the Assigned IP Ranges grid.
      2. In the Basic Information dialog that appears, tick Create a New IP Address Range and fill in the information for the IP Address Range if you need to create one or type the name of an existing IP Address Range in the Select Existing IP Address Range field and then click the tile for that range.
        See the discussion on IP Address Ranges in the Overview of Application Settings topic for more details on adding IP Address Ranges to an application.
      3. Click Add and repeat step 2 for any other IP Address Ranges.
  12. Click the Add to Cart button.
  13. Click the My Cart link located at the top of the page and, in the Cart dialog that appears, type a reason for creating the application and then click Submit.
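As an added illustration (not EmpowerID's code, and not a description of its internals), the following Python shows what the choices made in steps 8 and 11 mean on the wire: the Assertion Consumer URL becomes the Recipient of the assertion, the service provider's identifier its Audience, Login Is Email Address the NameID format, and the assigned IP ranges a gate applied before any assertion is issued. The names, URLs, the 5-minute validity window and the policy dictionary are assumptions for the example. Signing with the certificate chosen in step 8 (XML-DSig) is not reproduced here; a real service provider must verify that signature before making the checks shown in sp_accepts.

```python
import ipaddress
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPEC = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"
ET.register_namespace("saml", SAML_NS)

# Constructed registration record (assumed values), i.e. what steps 8 and 11 capture.
APP = {
    "issuer": "https://idp.example.com/saml",          # assumed EmpowerID entity ID
    "acs_url": "https://sp.example.com/saml/acs",      # Assertion Consumer URL from the SP
    "audience": "https://sp.example.com",              # assumed SP entity ID
    "login_is_email": True,                            # "Login Is Email Address"
    "allowed_ranges": ["10.0.0.0/8", "192.0.2.0/24"],  # assigned IP ranges (office only)
}
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo

def q(tag):
    return "{%s}%s" % (SAML_NS, tag)

def fmt_time(t):
    return t.strftime(TIME_FMT)

def parse_time(s):
    return datetime.strptime(s, TIME_FMT).replace(tzinfo=timezone.utc)

def client_allowed(client_ip, allowed_ranges):
    """IP range gate (step 11): no ranges means unrestricted; unparseable input is denied."""
    if not allowed_ranges:
        return True
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return any(ip in ipaddress.ip_network(r, strict=False) for r in allowed_ranges)

def build_assertion(app, login, now):
    """Unsigned assertion; the real IdP signs it (XML-DSig) with the certificate from step 8."""
    a = ET.Element(q("Assertion"), ID="_" + uuid.uuid4().hex, Version="2.0",
                   IssueInstant=fmt_time(now))
    ET.SubElement(a, q("Issuer")).text = app["issuer"]
    subject = ET.SubElement(a, q("Subject"))
    name_format = NAMEID_EMAIL if app["login_is_email"] else NAMEID_UNSPEC
    ET.SubElement(subject, q("NameID"), Format=name_format).text = login
    conf = ET.SubElement(subject, q("SubjectConfirmation"),
                         Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(conf, q("SubjectConfirmationData"), Recipient=app["acs_url"],
                  NotOnOrAfter=fmt_time(now + timedelta(minutes=5)))
    # One minute of NotBefore slack absorbs clock skew between IdP and SP.
    cond = ET.SubElement(a, q("Conditions"), NotBefore=fmt_time(now - timedelta(minutes=1)),
                         NotOnOrAfter=fmt_time(now + timedelta(minutes=5)))
    restriction = ET.SubElement(cond, q("AudienceRestriction"))
    ET.SubElement(restriction, q("Audience")).text = app["audience"]
    return ET.tostring(a, encoding="unicode")

def issue(app, client_ip, login, now):
    """IdP side: apply the IP range policy first; None means the login was refused."""
    if not client_allowed(client_ip, app["allowed_ranges"]):
        return None
    return build_assertion(app, login, now)

def sp_accepts(xml, expected_acs, expected_audience, now, require_email=True):
    """SP side, after signature verification (not shown): checks that keep an assertion
    meant for one URL or SP from being replayed against another. Use defusedxml in real code."""
    a = ET.fromstring(xml)
    data = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if data is None or data.get("Recipient") != expected_acs:
        return False, "recipient mismatch"
    cond = a.find("saml:Conditions", NS)
    if not (parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))):
        return False, "outside validity window"
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "audience mismatch"
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if require_email and name_id.get("Format") != NAMEID_EMAIL:
        return False, "nameid format not emailAddress"
    return True, name_id.text

def demo():
    """Worked scenario on the constructed registration above."""
    xml = issue(APP, "10.1.2.3", "alice@example.com", NOW)
    return {
        "denied_from_internet": issue(APP, "203.0.113.9", "alice@example.com", NOW),
        "accepted": sp_accepts(xml, APP["acs_url"], APP["audience"], NOW),
        "wrong_acs": sp_accepts(xml, "https://attacker.example/saml/acs", APP["audience"], NOW),
        "expired": sp_accepts(xml, APP["acs_url"], APP["audience"], NOW + timedelta(minutes=10)),
    }
```

The Recipient and Audience checks are why the Assertion Consumer URL in step 8 must be exact: an assertion accepted at any URL or by any service provider could be captured from one application and replayed to another. Calling demo() shows the office client getting an assertion that the correct SP accepts, the internet client being refused by the IP gate, and the same assertion being rejected when presented at a different URL or after its window has passed.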

To claim an SSO application account

  1. Log in to the EmpowerID Web application as a person with an account in the SSO application you just created.
  2. From the Navigation Sidebar, navigate to the Request Access page for applications by expanding Applications and clicking Request Access.
  3. From the Request Access page, search for the SSO application and then click the Request Access link for that application.
  4. Click Claim Existing Account.
  5. In the Register SSO Application Account form that appears, type the username for the application account in the SSO Application Login field and then click Submit.
  6. Retrieve the one-time password (OTP) that EmpowerID sends to your email address, paste it in the Password field of the One-Time Password Validation form and then click Submit. The OTP is sent only to the email address EmpowerID has on record for you, so EmpowerID uses it to verify that the claim request originated from you and not merely from someone who knows your application username.
  7. From the Navigation Sidebar, navigate to your personal applications by expanding Applications and clicking Login.
  8. You should see a button for the application. In the image below, we requested access to the Salesforce application, so we see a button for the Salesforce application.

  9. Click the button for the application.
  10. EmpowerID logs you in to the application, which in this case is Salesforce.
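As an added example (not EmpowerID's implementation, whose OTP handling this page does not describe), the following Python shows the properties an emailed one-time password needs in order to serve as the proof in step 6: generated from a CSPRNG, bound to one person and one application, time-limited, attempt-limited, compared in constant time, and invalidated on first successful use. The TTL, the attempt limit and the injectable clock are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 600   # assumed: the code expires 10 minutes after it is emailed
MAX_ATTEMPTS = 5        # assumed: guesses allowed before the code is revoked


class OtpStore:
    """One pending code per (person, application) claim.  Only a hash of the code
    is kept; a 6-digit space is not a real secret, so the attempt limit, not the
    hash, is what defeats online guessing."""

    def __init__(self, clock=time.time):
        self._pending = {}
        self._clock = clock   # injectable so expiry can be tested without sleeping

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).hexdigest()

    def issue(self, person, app):
        """Generate a fresh code and return it; the caller emails it to the person's
        address of record, which is what a later successful verify proves control of."""
        code = "%06d" % secrets.randbelow(10 ** 6)   # uniform over 000000..999999
        self._pending[(person, app)] = {
            "digest": self._digest(code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def verify(self, person, app, submitted):
        """True exactly once, for the right code, within the TTL and attempt budget."""
        key = (person, app)
        record = self._pending.get(key)
        if record is None:
            return False
        if self._clock() > record["expires"]:
            del self._pending[key]
            return False
        record["attempts"] += 1
        if record["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]          # too many guesses: a new code must be issued
            return False
        ok = hmac.compare_digest(record["digest"], self._digest(submitted))
        if ok:
            del self._pending[key]          # single use: a replayed code fails
        return ok


def wrong_code(code):
    """A guess guaranteed not to match the issued code (used by the demo)."""
    return "000000" if code != "000000" else "000001"
```

The key on (person, application) matters: a code issued for one claim must not validate a claim against a different application, and a code that has succeeded once must not be accepted again, which is why verify deletes the record on success.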