Enabling IdP initiated SSO

These settings are required for enabling IdP initiated SSO.

To enable IdP initiated SSO:

  1. Modify the /system/customer/SIGN_ON_VARIABLE registry parameter by setting it to:
    com.workbrain.server.signoninterface.saml.SamlResponseWebSignOn

    This existing registry parameter specifies the Java class that handles user login.

  2. Set the /system/customer/CUSTOM_LOGIN_PAGE registry parameter to:
    /loginRedirect.jsp

    This is a new WFM page that is designed to redirect any user that is not logged in to the IdP login page.

  3. Set the /system/WORKBRAIN_PARAMETERS/CUSTOM_LOGOUT_PAGE registry parameter to:
    /logoutRedirect.jsp

    This is a new WFM page that is designed to redirect any user that is logging out from Workforce Management.

  4. Set the /system/customer/SSOFAILURE_REDIRECT_PAGE registry parameter to:
    /logoutRedirect.jsp

    This redirects the user to the logout page if any error occurs in SamlResponseWebSignOn.

  5. Set the /system/security/SAML/HTTP_PARAM registry parameter to the name of the parameter in the HTTP header that contains the SAML token, for example:
    SAMLResponse

  6. You can configure an extension point for validating and parsing the SAML token in Mobility, WFM and ETM for IdP initiated SSO. This allows you to unify how the SAML response is handled by Mobility, WFM and ETM. The parser is specified in the /system/security/SAML/TOKEN_PARSER registry parameter. For example, you can specify the fully qualified Java class name of the SAML token parser like this:
    com.server.sso.MySamlTokenParser

    If you need an example of a SAML token parser, see Examples of a custom SAML token parser for more information.

  7. Set the /system/security/SAML/NAMESPACE registry parameter to the namespace prefix that is assigned to the SAML assertion namespace, for example:
    saml2

  8. Set the /system/security/LOGIN_REDIRECT_URL registry parameter to the absolute URL of the IdP login page for the WFM service provider, for example:
    https://localhost:9443/samlsso?spEntityID=workbrain

    The identity provider on the localhost uses this URL for the users of the WFM service provider.

    This URL format might change based on the identity provider that is used. This parameter is used by the loginRedirect.jsp to direct users to the IdP login page.

  9. Set the /system/security/LOGOUT_REDIRECT_URL registry parameter to the absolute URL of the redirect, for example:
    http://www.infor.com

    This parameter is used by logoutRedirect.jsp. Set this parameter to the URL that the user goes to after logging out.

  10. If you use Mobility, set the /system/security/SAML/mobility/MOB_LOGIN_REDIRECT_URL registry parameter to the identity provider URL to redirect to when the user is not authenticated, for example:
    https://hostname:9443/samlsso?spEntityID=mobnew

  11. Set vs_max_pvalue to 10000 for all records in the WFM VALIDATOR_SETTING table, because the SAML token increases the size of each HTTP request.
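The checks that a token parser configured in step 6 has to apply to the SAMLResponse parameter (step 5) are illustrated below as an added, stand-alone example; it is not Infor's TOKEN_PARSER interface or WFM code. It assumes the saml2 namespace prefix from step 7, the spEntityID value workbrain from step 8 as the expected audience, and a constructed, unsigned sample response; XML signature verification against the IdP certificate is assumed to happen before these checks.

```python
import base64
import xml.etree.ElementTree as ET  # on untrusted input, defusedxml is the safer drop-in
from datetime import datetime, timezone
# Prefix-to-URI map; "saml2" is the prefix configured in /system/security/SAML/NAMESPACE.
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol", "saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the sample below

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # SAML times are UTC, "Z"-suffixed

def parse_saml_response(saml_response_b64, expected_audience, now=None):
    """Decode the SAMLResponse HTTP parameter and return the asserted NameID; raise ValueError
    when it must not be used for login. XML-DSig verification is assumed to run before this."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    code = root.find("saml2p:Status/saml2p:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("response status is not Success")
    assertion = root.find("saml2:Assertion", NS)
    cond = assertion.find("saml2:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise ValueError("response carries no assertion with Conditions")
    nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if na is None or now >= _ts(na) or (nb and now < _ts(nb)):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion audience does not include this service provider")
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    return name_id.text.strip()

def rejection_reason(saml_response_b64, expected_audience, now=None):
    """Return the rejection message, or None when the response is accepted."""
    try:
        parse_saml_response(saml_response_b64, expected_audience, now)
        return None
    except ValueError as exc:
        return str(exc)

def build_sample_response(not_before, not_on_or_after, audience="workbrain"):
    """Constructed, unsigned sample response for offline testing only."""
    xml = (f'<saml2p:Response xmlns:saml2p="{NS["saml2p"]}" xmlns:saml2="{NS["saml2"]}">'
           f'<saml2p:Status><saml2p:StatusCode Value="{SUCCESS}"/></saml2p:Status>'
           '<saml2:Assertion><saml2:Subject><saml2:NameID>jsmith</saml2:NameID></saml2:Subject>'
           f'<saml2:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
           f'<saml2:AudienceRestriction><saml2:Audience>{audience}</saml2:Audience>'
           '</saml2:AudienceRestriction></saml2:Conditions></saml2:Assertion></saml2p:Response>')
    return base64.b64encode(xml.encode()).decode()
```

An expired window or an audience other than the configured spEntityID is rejected before any user name is returned, which is the behaviour that keeps a replayed or cross-application assertion from logging a user in.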