Single sign-on solution

OVERVIEW

Rapid Global can integrate its products and services with third-party vendor applications. One of the many integration solutions we can provide is a Single Sign-On (SSO) using SAML 2.0 based products such as Active Directory Federation Services (ADFS).

WHAT IS AN SSO?

An SSO is a solution which allows you to use your company’s local domain login credentials to log in to your Rapid Global suite of products, meaning you no longer have to remember multiple account login details.

BENEFITS OF USING AN SSO

  • Enhanced user experience: Your employees will no longer be required to use separate login credentials to access your Rapid Global products. Instead they will be able to easily access your system, safely and securely.
  • Enhanced security: By using SAML 2.0, no user login credentials are sent from your company to Rapid Global, which increases security by reducing the possibility of phishing-based and other attacks.
  • Automated services: We can configure your SSO to automatically create new administrators and inductees in Rapid Induct when new users are added to your Active Directory.

WHAT IS ACTIVE DIRECTORY FEDERATION SERVICES?

ADFS is a feature in Windows Server which allows an SSO to be implemented for use outside of your organisation. The core principle that ADFS is built on is trust. With ADFS, each party manages their own identities and permissions within a Federated environment for the Single Sign-On.

This means that you have the ability to manage and control who will have access to your Rapid Global products via the Single Sign-On, and what level of permissions they will have, by creating your own Federated identities.

TECHNICAL REQUIREMENTS

To implement this solution, you must have a Federation Server which is WS-* or SAML 2.0 compatible, such as PingFederate or Microsoft ADFS.

ADFS REQUIREMENTS

To create your SSO, you need to provide us with the following information:

  • The address of your Federated Server XML metadata
  • Your company’s email address domain
  • Details of who will be using the SSO (e.g. Rapid Induct administrators and/or trainees)
  • Advice on whether you want users automatically added into Rapid Induct when new users are added into your ADFS Group(s). If you do, we also require:
    • Permissions for each AD Group, including specific access to Rapid Global functionality
    • The default location for each group in Rapid Global (i.e. assignment to either a state or a specific site within Rapid Induct)

ADDITIONAL REQUIREMENTS

In addition to the above, the following is also required:

  • You must add our Federation Server as a Relying Party Trust in your Federation Server
  • Rapid Global’s ADFS server’s metadata updates itself on a periodic basis. For this reason, we strongly encourage you to enable Monitoring Federation Metadata

CLAIM CERTIFICATE REQUIREMENTS

At minimum, the claims certificate must include the user’s Given Name, Last Name and Email:

  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

If automatic creation of users in Rapid Induct is required, a group must be created:

  • http://schemas.xmlsoap.org/claims/Group

By default, all SSO users will be affiliated with a default location within Rapid Induct based on their group unless overridden by using one or both of the following values:

  • The below must match the State in Rapid Induct you want to affiliate the user with
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/locality
  • The below must match the Site Name in Rapid Induct you want to affiliate the user with
    • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/streeta

ADFS FEDERATION METADATA URL

Rapid Global’s Federation Metadata URL is https://idf.adfs.logon.rapidglobal.com/FederationMetadata/2007-06/FederationMetadata.xml
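
The Relying Party Trust, metadata monitoring and claim requirements described above can be set up on a Microsoft ADFS server as sketched below. This is an added example, not Rapid Global's own configuration script. The trust name, the AD group name, the placeholder group SID, the AD attributes queried (givenName, sn, mail) and the decision to enable automatic updates alongside monitoring are assumptions; the metadata URL and claim type URIs are the ones listed on this page.

```powershell
# Added example. Run in an elevated session on the primary AD FS server.
# From this page: the metadata URL and the claim type URIs.
# Assumptions: trust name, group name, placeholder SID, AD attributes queried.
$metadataUrl = 'https://idf.adfs.logon.rapidglobal.com/FederationMetadata/2007-06/FederationMetadata.xml'
$trustName   = 'Rapid Global SSO'

# Issuance transform rules, written in AD FS claim rule language.
# Rule 1 reads givenName, sn and mail from AD for the signed-in account.
# Rule 2 emits a Group claim only for members of one named AD group,
# rather than releasing every group membership to the relying party.
# Replace the placeholder SID with the SID of your own group.
$rules = @'
@RuleName = "Rapid Global - name and email"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
    types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
    query = ";givenName,sn,mail;{0}", param = c.Value);

@RuleName = "Rapid Global - induct administrators group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-PLACEHOLDER-GROUP-SID", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.xmlsoap.org/claims/Group", Value = "RapidInduct-Administrators",
    Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
'@

# Create the trust from the published metadata. MonitoringEnabled makes AD FS
# poll the metadata URL; AutoUpdateEnabled (an assumption beyond what this page
# asks for) applies changes such as rolled-over certificates automatically.
$trust = @{
    Name                   = $trustName
    MetadataUrl            = $metadataUrl
    MonitoringEnabled      = $true
    AutoUpdateEnabled      = $true
    IssuanceTransformRules = $rules
}
Add-AdfsRelyingPartyTrust @trust

# Confirm the trust exists and that monitoring is switched on.
Get-AdfsRelyingPartyTrust -Name $trustName |
    Format-List Name, Identifier, MonitoringEnabled, AutoUpdateEnabled, LastMonitoredTime
```

Who is permitted to obtain a token for this trust (issuance authorization rules or an access control policy, depending on the ADFS version) is configured separately and is not shown here.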