This introductory article helps Administrators set up SSO authentication in an installed (locally hosted) environment using the TDAdmin interface. The user must have TDAdmin access with admin permission to 'Modify Authentication Settings'.
Overview
Single Sign On (SSO) can be configured for locally installed environments in the same way as for a hosted SaaS environment. The steps in this article guide an Administrator through finding and configuring SSO for their environment.
Where to Find This
This feature appears in the TDAdmin interface.
Navigate to SSO configuration settings following this path:
- TDAdmin landing page > Security tab > Configure SSO.
Using SSO in Installed Environments
For TeamDynamix to detect the SSO settings, a domain must be configured for the BE from TDAdmin. Typically, this will just match the hostname your users use to access the software and looks something like "projects.my-university.edu". TeamDynamix will use the URL to detect the BE and the SSO settings based on this domain setting.
When SSO is enabled and a user who is not already authenticated accesses one of these applications, the software redirects the user to the URL specified in the SsoLoginUrl setting, with the Entity ID (configured in Admin) appended to the URL. The Shibboleth SP software takes over from there and passes the user to your Identity Provider, which negotiates authentication and sends the user back to Shibboleth SP. Shibboleth SP then redirects the user back to the web application with the appropriate identity information attached.
Your Identity Provider's metadata needs to be configured within the Shibboleth SP. This can be done by adding a MetadataProvider element to the Shibboleth SP configuration, as documented here: https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPMetadataProvider. The Entity ID configured in the SSO settings in TeamDynamix TDAdmin for the BE MUST MATCH EXACTLY the entity ID in the Identity Provider metadata configured in the Shibboleth SP.
Installing the Shibboleth SP
Install the Shibboleth SP in IIS. Instructions and downloads are all on the Shibboleth site at the following URL:
https://wiki.shibboleth.net/confluence/display/SHIB2/Installation.
Set the requireSession attribute to "false" in either the <Host> or <Path> elements in the Shibboleth Service Provider configuration file (shibboleth2.xml).
Configuring the Web Application
There are also a handful of configurations which must be edited within TeamDynamix web applications installed on the server. These configurations exist in the web.config files of the applications, and should be changed as follows:
The SsoLoginUrl setting must be set to the Shibboleth SP's login URL. Typically this is set to "/Shibboleth.sso/Login". The web.config setting would look like this:
<add key="SsoLoginUrl" value="/Shibboleth.sso/Login"/>
This setting needs to be changed in the web.config files of the following web applications:
- TDAdmin
- TDNext
- TDClient
- TDMobile
- TDWebApi
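The three settings described above (the SsoLoginUrl key in web.config, requireSession in shibboleth2.xml, and the exact Entity ID match against the Identity Provider metadata) can be checked together before testing a login. The following is an added example, not TeamDynamix or Shibboleth code: the function names are hypothetical, the sample XML, host names and entity ID are constructed, and it assumes the file contents are passed in as text.

```python
import xml.etree.ElementTree as ET

# Constructed sample inputs; host names and the entity ID are placeholders.
WEB_CONFIG = """<configuration><appSettings>
  <add key="SsoLoginUrl" value="/Shibboleth.sso/Login"/>
</appSettings></configuration>"""
SHIBBOLETH2 = """<SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config">
  <RequestMapper type="Native"><RequestMap>
    <Host name="projects.my-university.edu" requireSession="false"/>
  </RequestMap></RequestMapper>
</SPConfig>"""
IDP_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.my-university.edu/idp/shibboleth"/>"""

def local(tag):
    """Drop the '{namespace}' prefix so elements match by local name."""
    return tag.rsplit("}", 1)[-1]

def check_sso_config(web_config, shibboleth2, idp_metadata, tdadmin_entity_id):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    # 1. web.config needs a non-empty SsoLoginUrl appSetting.
    adds = [e for e in ET.fromstring(web_config).iter("add")
            if e.get("key") == "SsoLoginUrl"]
    if not adds or not adds[0].get("value"):
        findings.append("web.config: SsoLoginUrl is missing or empty")
    # 2. A <Host> or <Path> in shibboleth2.xml must set requireSession="false".
    rules = [e for e in ET.fromstring(shibboleth2).iter()
             if local(e.tag) in ("Host", "Path")]
    if not any(e.get("requireSession") == "false" for e in rules):
        findings.append('shibboleth2.xml: no <Host> or <Path> sets requireSession="false"')
    # 3. The Entity ID typed into TDAdmin must equal an IdP entityID exactly.
    ids = [e.get("entityID") for e in ET.fromstring(idp_metadata).iter()
           if local(e.tag) == "EntityDescriptor" and e.get("entityID")]
    if tdadmin_entity_id not in ids:
        norm = lambda s: s.strip().rstrip("/").lower()
        near = [i for i in ids if norm(i) == norm(tdadmin_entity_id)]
        hint = f"; near miss: {near[0]!r}" if near else ""
        findings.append(f"Entity ID {tdadmin_entity_id!r} not in IdP metadata{hint}")
    return findings

if __name__ == "__main__":
    # Trailing slash and upper-case host: looks right, but is not an exact match.
    for f in check_sso_config(WEB_CONFIG, SHIBBOLETH2, IDP_METADATA,
                              "https://IDP.my-university.edu/idp/shibboleth/"):
        print(f)
```

Run the check against the web.config of each of the five applications listed above, since the setting is per application.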
Gotchas & Pitfalls
If you're having trouble getting everything working together, the following troubleshooting questions will help. Please walk through each one and answer it before contacting TeamDynamix support.
- Is TeamDynamix redirecting the user to the Shibboleth Service Provider when the TeamDynamix login page is accessed?
- Is the Shibboleth Service Provider redirecting to the Identity Provider during login?
- Is the Identity Provider allowing the user to enter credentials and authenticate? If not, what error is the Identity Provider displaying?
- After authentication, is the Identity Provider redirecting the user back to the Shibboleth Service Provider?
- Is the Shibboleth Service Provider redirecting the user back to the TeamDynamix login page?
- If you are able to authenticate with your Identity Provider, once you authenticate, are you stuck in an infinite redirect loop?
- What is the URL used to access the TeamDynamix login page?
- What is the URL TeamDynamix uses to redirect the user to the Shibboleth Service Provider?
If you're still having trouble, please include the answers to the above questions and a copy of the Shibboleth Service Provider shibboleth2.xml file (typically located in C:\opt\shibboleth-sp\etc\shibboleth) in any support request.