Administrator users and partners can configure SAML 2.0 single sign on in the Administration > More > SSO option in IT Expert. Any identity provider (IdP) that supports the SAML protocol is supported.
Once you configure SSO, all users with an email address on one of the domains you specify must use your identity provider to log in to IT Expert.
You can still use the IT Expert Administration > Users option to invite and manage users whose email domains are not among the domains you specify for SSO.
IMPORTANT: It is strongly recommended that at least one Administrator user who does not require SSO to log in is configured in IT Expert Administration > Users.
Configure your identity provider
Azure users: see also Configure Azure AD for IT Expert SAML SSO.
Before you configure SSO in IT Expert, use the Identity Provider details on the Administration > More > SSO page to configure the integration with IT Expert in your identity provider's user interface.
Refer to your identity provider's documentation for more information.
- Log in to IT Expert and go to Administration > More > SSO.
- Copy and paste the SAML Assertion Consumer Service (ACS) URL and the SP Entity ID into the appropriate fields in your identity provider. These values are specific to your account.
  Note: The SP Metadata URL is displayed in step 2 of the IT Expert configuration. Some identity providers require it.
- Configure your identity provider to send these three SAML attributes, which IT Expert requires:
  - "name": How user names are displayed
  - "email": User email address
  - "groups": The groups your IT Expert users are members of
  Note: Groups configuration is not applicable for partners. If your identity provider does not support adding the SAML attributes above, see the full list of supported SAML attributes below to use as alternatives.
You can create groups in both your identity provider and IT Expert; group names must match exactly in both. You can assign access permissions for each group on the IT Expert Administration > Groups tab. See IT Expert permissions.
Note: IT Expert contains two groups by default, Administrators and Users.
Users you want to have Administrator rights in ITE must have a group SAML attribute with the value "Administrators." Users who should have regular user rights in ITE must have a group SAML attribute with the value "Users." Users without a group SAML attribute will not have access to ITE.
Consult the documentation for your identity provider to learn about adding SAML attributes.
Note: Every time a user logs in using SSO, the identity provider sends EcoStruxure IT a list of the groups the user belongs to. If any changes to group assignments are needed, you make the changes in your identity provider, not in IT Expert.
Supported SAML attributes
If your identity provider only supports InCommon Federation attributes or other standard attribute names, EcoStruxure IT also accepts the following attributes as alternatives:
| SAML attribute | Description | Accepted alternative attribute names |
| --- | --- | --- |
| name | Display name of the user | displayname; urn:oid:2.16.840.1.113730.3.1.241; http://schemas.microsoft.com/identity/claims/displayname; http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name |
| email | E-mail address of the user | urn:oid:0.9.2342.19200300.100.1.3; http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| phone | Phone number of the user | phoneNumber; telephoneNumber; urn:oid:2.5.4.20; urn:oid:0.9.2342.19200300.100.1.20; urn:oid:0.9.2342.19200300.100.1.41; http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone |
| group | List of groups the user is a member of | groups; urn:oid:2.16.840.1.113719.1.1.4.1.25; http://schemas.xmlsoap.org/claims/Group |
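As an added example (not IT Expert's own code, and not a description of how IT Expert processes assertions), the following Python resolves the three required attributes from a SAML assertion using the attribute names accepted in the table above, then applies the exact-match rule for the Administrators and Users groups described earlier. The assertion it parses is constructed for the example; the `attributes`, `resolve`, `ite_role` and `check` helpers are hypothetical names.

```python
import xml.etree.ElementTree as ET
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names accepted for each required field, from the table above; first one present wins.
ACCEPTED = {
    "name": ["name", "displayname", "urn:oid:2.16.840.1.113730.3.1.241",
             "http://schemas.microsoft.com/identity/claims/displayname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"],
    "email": ["email", "urn:oid:0.9.2342.19200300.100.1.3",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"],
    "groups": ["groups", "group", "urn:oid:2.16.840.1.113719.1.1.4.1.25",
               "http://schemas.xmlsoap.org/claims/Group"],
}
# Constructed sample assertion (AttributeStatement only) using the xmlsoap-style claim names.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
<saml:AttributeStatement>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<saml:AttributeValue>Jane Doe</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
<saml:AttributeValue>jane@mydomain.com</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">
<saml:AttributeValue>Users</saml:AttributeValue>
<saml:AttributeValue>Finance</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
def attributes(assertion_xml):
    """Return {attribute Name: [values]} for every Attribute in the assertion."""
    out = {}
    for attr in ET.fromstring(assertion_xml).iterfind(".//saml:Attribute", NS):
        vals = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        out.setdefault(attr.get("Name"), []).extend(vals)
    return out

def resolve(attrs):
    """Map raw attributes onto name/email/groups using the first accepted name present."""
    found = {}
    for field, names in ACCEPTED.items():
        hit = next((n for n in names if attrs.get(n)), None)
        if hit:
            found[field] = attrs[hit]
    return found

def ite_role(groups):
    """Exact, case-sensitive match on the two default IT Expert groups."""
    if "Administrators" in groups:
        return "administrator"
    return "user" if "Users" in groups else None  # no matching group means no access

def check(assertion_xml):
    """Resolve the required fields; report what is missing and the resulting role."""
    found = resolve(attributes(assertion_xml))
    missing = [f for f in ACCEPTED if f not in found]
    return found, missing, None if missing else ite_role(found["groups"])
```

Running `check(SAMPLE)` yields the user's display name, e-mail and group list with the role "user"; renaming the group claim to a name outside the table reports "groups" as missing, and a group value such as "users" (wrong case) grants no role.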
Configure SSO in IT Expert
Your identity provider will provide the information needed to configure SSO in IT Expert.
Return to IT Expert Administration > More > SSO.
Enter SAML details
- Copy the SAML Single Sign-On URL from your identity provider into the SAML SSO sign-in URL field.
- Upload your SAML SSO certificate or paste it into the text field. The certificate must be in *.PEM or *.CER format.
- Specify your Sign-in email domain(s). For example, if user email addresses are user@mydomain.com, enter mydomain.com in the field. Separate multiple domains with a comma.
  Note: All users with an email address on one of the domains you specify must use your identity provider to log in to IT Expert.
Test SAML configuration
Verify that your SAML connection is configured properly.
- Open a different browser or an incognito window.
- Go to https://ecostruxureit.com and click Log in. Choose Customer.
- Enter the test email address shown in ITE.
  The password field disappears, and the login page for your identity provider is displayed.
- Log in to EcoStruxure IT as Administrator.
- Return to the SSO configuration in ITE. If the test login was successful, click Continue.
  If the test login was not successful, the SAML configuration is incorrect. Click Not working? Start again.
IMPORTANT: You must successfully test your connection to enable SSO for your email domains.
Verify domain ownership
You must verify that you own the domains you specified in the SAML details. There are three ways to verify ownership: DNS TXT, HTML file, or HTML META. The verification method you choose depends on your domain's web host.
Contact your Customer Success Manager for help verifying your domain ownership if needed.
DNS
- Go to your domain's DNS management page and create a DNS TXT record.
- Copy the TXT content displayed in ITE, which starts with ecostruxure-it-verification=, into the record.
- Return to ITE and click Verify.
HTML file
- Create the file ecostruxure-it-verification.html using the contents displayed in ITE, and upload it to your domain's website.
  Your website must be publicly available at the naked domain, with no www or any other subdomain prefix in its URL. Example: https://randomdomain.dk/ecostruxure-it-verification.html
- Return to ITE and click Verify.
HTML META
- Add the meta tag displayed in ITE to the <head> section of your website's home page.
  Your website must be publicly available at the naked domain, with no www or any other subdomain prefix in its URL. Example: https://randomdomain.dk/ecostruxure-it-verification.html
- Return to ITE and click Verify.
Repeat step 3 to verify all the domains you specified.
Once you have verified all your domains, your SSO configuration is complete. You can return to the SSO page to add and verify additional domains as necessary.
Enable Identity Provider (IdP) Initiated SSO login
Check to allow users to log in to IT Expert from the login page for your organization's identity provider.
Note: IT Expert uses OIDC as a response protocol.
See Identity Provider (IdP) initiated SSO risks and considerations.
Reset SSO configuration
Resetting your SSO configuration completely removes all SSO settings in IT Expert.
You must start again at step 1 to reconfigure SSO. The URLs and verification files from any previous ITE SSO configuration cannot be reused.
When you reset your SSO configuration, users who are required to use SSO to log in to ITE will no longer have access unless they also have IT Expert user accounts listed in Administration > Users.