Authentication With Identity Providers (SSO)

Integration With Identity Providers

See also Automatic Allocation of Requestor Licenses to New or Suspended Users via SSO Login

This page is intended for Clarizen Admin users integrating Clarizen with identity provider applications.

 

About Clarizen SAML Integration Infrastructure

Clarizen provides out-of-the-box Single sign-on (SSO) solutions utilizing an infrastructure that enables integration with any SAML and SAML2 compliant identity provider.

 

Integrating an SAML-based SSO

Integrating SSO capabilities requires actions on both the Clarizen side and the IDP side, as detailed below.

Clarizen Side

  1. Go to Settings⇒Global Settings
    Under Federated Authentication click edit
  2. Enable the 'Use Federated Authentication' checkbox


  3. Upload the Certificate:
    • Should be exported for the specific Identity Provider solution
    • .pem and .cer certification formats are supported


  4. Set the SAML end point in the Sign-in URL field:
    • Should be provided by specific Identity Provider solution
  5. [Optional] Set the Sign-out URL, which is the URL to which you will automatically be redirected when signing out of Clarizen
  6. [Optional] Change the Relaying Party Identifier (Issuer/Entity ID) from the default "Clarizen"
  7. Define who can access Clarizen with a user name and password instead of via SSO only.
    From the Enable Password Authentication menu select:
    1. No one (except Administrators)
    2. External users
    3. Internal users
    4. Everyone - both External and Internal users (default)
  8. [Optional] Define whether to allow API access to Clarizen using SSO. To enable, select the Enable API access checkbox
  9. [Optional] Define whether to skip the login page, allowing direct access to unauthenticated users when accessing specific pages in Clarizen (for example: by clicking a link received in an email which contains the Organization ID). To enable, select the Unauthenticated User URL redirect checkbox
  10. There are several advanced options available as detailed below
  11. Access to Clarizen via an SSO is achieved via a special link and not via the Clarizen login page:
    • Once the Federated Authentication settings are defined within Clarizen, this link will be added to the Clarizen login page under the login section.
    • The link is presented in the following format and depends on your environment as detailed above:
      https://eu1.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlRequest.aspx?EntityId=999999
      Where 999999 is the internal ID of your Clarizen account.

 

IDP Side

Configure your identity provider.

Note: Each identity provider may use different terms for the parameters.

Alternatively, utilize the metadata download to import all of your settings to your IDP

  1. Configure your Clarizen SAML end point (ACS - Assertion Consumer Service) based on the environment you are associated with:
    • EU – https://eu1.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx
    • SV – https://app2.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx
    • TB – https://app.clarizentb.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx
  2. Ensure that the Clarizen SAML ID for all of your identity provider's relevant users matches that user's Clarizen user name field
    Usually the Identity Provider enables you to configure this through some type of rule (for example, the user's email)
  3. The Relaying Party Identifier (Issuer/Entity ID) should match the value set above on the Clarizen side; by default it is set to 'Clarizen'

 

Advanced options

There are several advanced options available; the more commonly used options are explained below.

Note:

When utilizing the metadata download to import all of your settings to your IDP, be sure to first complete all of your Clarizen side setup, and only then import the entire settings to your IDP.

 

SAML Assertion Encryption

Clarizen supports SAML assertion encryption.

To support SAML assertion encryption, you need to either upload your own private key certificate or use an internally generated encryption certificate; either one allows Clarizen to decrypt the assertion.

To activate the encryption in Clarizen:
  1. Complete Steps 1 and 2 detailed in the Integrating an SAML-Based SSO section above
  2. Open the SSO advanced options
  3. Choose the encryption certificate to be used, select the Encrypted via internal certificate option from the menu, or:
    1. Upload your own Private Key certificate

      Once uploaded, a confirmation password message will appear.


    2. Type the certificate's password and click 
    3. Confirm that the Encrypted via uploaded certificate option is selected
  4. Click 

 

Add encryption in your IDP: 
  1. Open the Clarizen Properties screen
  2. Click the encryption tab
  3. Browse and upload the public certificate 
  4. Apply the changes and close the Properties window

See Configuring ADFS for Clarizen single sign-on (SSO) for an example

 

Automatic Provisioning

Please note that the SSO solutions explained above do not solve the issue of User Provisioning.
You need to handle user synchronization between your identity provider and Clarizen separately.

This can be done manually, automatically using the Clarizen SOAP & REST web service APIs, or using Clarizen’s Active Directory User Sync tool.

 

Signed Request

The SAML request can be signed. Signed requests need to be enabled in Clarizen's federated authentication settings. After the setting is enabled, the authentication request certificate can be downloaded from the settings screen.

To enable signed requests:
  1. Go to Settings⇒Global Settings
  2. Under Federated Authentication click edit
    The Federated Authentication setup window opens
  3. Open the SSO advanced options
  4. Select the Use HTTP Post Binding option
  5. Select the Enable additional request features option

    Once enabled the Download Certificate button is activated
  6. Click the Download Certificate button to download the authentication request certificate
  7. Click 
  8. Upload the certificate in your IDP
    See Configuring ADFS for Clarizen single sign-on as an example

 

Download Metadata

Once you have completed your setup, defining all of the relevant steps in Clarizen above, download the entire configuration as a Metadata file by clicking the Download Metadata button.

This file can then be uploaded to the Single Sign On Identity Provider to expedite the Clarizen Single Sign On process.

Please see Configuring ADFS for Clarizen single sign-on for an example of the upload process.

 

Configuring ADFS for Clarizen single sign-on (SSO)


Clarizen has the ability to integrate with an identity provider. This integration allows your organization to provision users, provide single sign on solutions and integrate with the Microsoft Active Directory Federation Services (ADFS) 2.0 and 3.0 identity provider.

 


 

General ADFS Setup

This procedure uses samportal.example.com as the ADFS Web site.
Replace this with your ADFS Web site address.

  1. Log into the ADFS server and open the management console
  2. Right-click Service and choose Edit Federation Service Properties....
  3. Confirm that the General settings match your DNS entries and certificate names
    Take note of the Federation Service Identifier, since that is used in the Clarizen SAML 2.0 configuration settings
  4. Browse to the certificates and export the Token-Signing certificate

    1. Right-click the certificate and select View Certificate
    2. Select the Details tab
    3. Click Copy to File….
      The Certificate Export Wizard launches
      Click Next
    4. Ensure that No, do not export the private key is selected, and then click Next
    5. Select Base-64 encoded X.509 (.cer)

      Click Next
    6. Select where you want to save the file and give it a name.
      Click Next.
    7. Select Finish
  5. Log into Clarizen and follow the SSO setup instructions to activate SSO in Clarizen and upload the certificate 
  6. Set the Sign-in URL in Clarizen based on your preferred ADFS configuration:
    1. For IDP initiated SSO:
      https://somesite/adfs/ls/idpinitiatedsignon.aspx?logintorp=Clarizen (where 'somesite' should be your ADFS external server address and 'Clarizen' represents the defined identifier)
    2. For SP initiated SSO:
      https://somesite/adfs/ls/ (where 'somesite' should be your ADFS external server address)
  7. Click Save.

 

Automatic Configuration

To configure ADFS Automatically:

  1. Open the ADFS Management console and select Relying Party Trusts.
  2. Right-click the ‘Relying Party Trusts’
  3. Select ‘Add Relying Party Trust..’ menu item

    A wizard will open
  4. Click the ‘Start’ button
  5. Select the 'Import data about the relying party from a file' option
  6. Click 'Browse...' to locate the Metadata file downloaded from Clarizen
    Click 'Next'
  7. In the ‘Display name’ type ‘Clarizen’

    Click ‘Next’
  8. Ensure that the Permit all users to access this relying party option is selected

    Click ‘Next’
  9. In the ‘Ready to Add Trust’ step click ‘Next’ without making any changes
  10. Ensure that the checkbox is selected and click ‘Close’ to open the ‘Edit Claim Rules’ dialog
  11. Add claim rules as detailed below

 

Manual Configuration

To manually configure ADFS, follow the instructions below.

Configuration summary

The ADFS should be configured with the following parameters:

Relying Party Identifier
  • Identifier: Clarizen (default) 
  • Advanced: Select a hash algorithm. SHA-1 and SHA-2 are supported.
  • Endpoint: POST with relevant URL

 

Claim Rules should only contain a simple Claims rule:
  • Send LDAP as Claims
  • Claims Rule Name: Name ID
  • Attributes store: Active Directory
  • LDAP Attributes: Email Addresses
  • Outgoing Claim Type: Name ID

 

ADFS Relying Party Configuration

At this point, manually configure the relying party:
Open the ADFS Management console and select Relying Party Trusts.

  1. Right-click the 'Relying Party Trusts'
  2. Select 'Add Relying Party Trust..' menu item

    A wizard will open
  3. Click the 'Start' button
  4. Select the 'Enter data about the relying party manually' option

    Click 'Next'
  5. In the 'Display name' type 'Clarizen'

    Click 'Next'
  6. In the 'Choose Profile' step, select the 'ADFS 2.0 profile' option

    Click 'Next'
  7. Skip the 'Configure Certificate' step by clicking the 'Next' button
  8. In the 'Configure URL' step, enter the relevant API endpoint URL
  9. In the 'Configure Identifiers' step, for the 'Relying party trust identifier' enter 'Clarizen' and click on the 'Add' button to the right, so it will be added to the 'Relying party trust identifiers' list

    Click 'Next' to move to the next step
  10. Ensure that the Permit all users to access this relying party option is selected

    Click 'Next'
  11. In the 'Ready to Add Trust' step click 'Next' without making any changes
  12. Ensure that the checkbox is selected and click 'Close' to open the 'Edit Claim Rules' dialog
  13. Add claim rules as detailed below

 

Enable SAML Assertion Encryption

To enable authentication encryption, activate the authentication in Clarizen as explained here, then complete the following steps:

  1. From the main window, select Clarizen and click on the 'Properties' link on the right side
  2. Click the 'Encryption' tab
  3. Click Browse and select the Public certificate file (cer file)
  4. Click 'Apply' to confirm your selection and 'OK' to close the dialog

 

Enable Signed Request

The SAML request can be signed. Signed requests need to be enabled in Clarizen's Federated Authentication settings. After the setting is enabled, the authentication request certificate can be downloaded from the settings screen.

To enable signed requests:

  1. Open Clarizen's relying party identifier in ADFS
  2. Click the 'Signature' tab
  3. Click 'Add...' to upload the signature certificate downloaded from Clarizen
  4. Click 'Apply' to confirm your selection and 'OK' to close the dialog

 

Add Claim rules

Define the relevant Claim rules. For the default claim rule settings, please see the claim rules configuration summary.

  1. In the 'Edit Claim Rules' dialog, click on the 'Add Rule...' button
  2. Ensure that the 'Send LDAP Attributes as Claims' is selected from the options in the 'Claim rule template' list

    Click 'Next'
  3. In the 'Claim rule name' input, enter 'NameID'
  4. From the 'Attribute store' select the 'Active Directory' option
  5. For the 'LDAP Attribute' select the attribute you would like to use for authentication ('E-Mail-Address' for instance) and for the 'Outgoing Claim Type' select the 'Name ID' value
  6. Click 'Finish' and 'OK' to close this dialog
  7. From the main window, select the new claim and click on the 'Properties' link on the right side
  8. Click the 'Advanced' tab
  9. Select a hash algorithm from the list. SHA-1 and SHA-2 are supported.
  10. Click 'Apply' to confirm your selection and 'OK' to close the dialog
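
The relying party settings above (endpoint, identifier, Name ID claim, hash algorithm, encryption) can be checked against a response captured from your own test login. This is an added example, not Clarizen or Microsoft code: `lint_response` and the sample response are hypothetical, and the function only compares fields with the configured values; it does not validate the signature.

```python
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PAGE = "/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx"
# ACS endpoints per environment, as listed in the IDP Side section.
ACS = {"EU": "https://eu1.clarizen.com" + PAGE,
       "SV": "https://app2.clarizen.com" + PAGE,
       "TB": "https://app.clarizentb.com" + PAGE}

def lint_response(xml_text, env, username, entity_id="Clarizen"):
    """Compare a decoded SAML response with the configured values.
    Hypothetical helper: no signature verification, not an auth decision.
    """
    root = ET.fromstring(xml_text)
    findings = []
    if root.get("Destination") != ACS[env]:
        findings.append("destination-mismatch")
    if root.find("saml:EncryptedAssertion", NS) is not None:
        # NameID, Audience and the assertion signature are inside the
        # ciphertext and cannot be inspected here.
        return findings + ["assertion-encrypted-not-inspected"]
    algs = [m.get("Algorithm", "") for m in root.iterfind(".//ds:SignatureMethod", NS)]
    if not algs:
        findings.append("unsigned")
    elif any(a.endswith("sha1") for a in algs):
        # SHA-1 is accepted by the settings; SHA-2 is the stronger choice.
        findings.append("sha1-signature")
    name_id = root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS)
    if name_id.strip() != username:
        findings.append("nameid-mismatch")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if entity_id not in audiences:
        findings.append("audience-mismatch")
    return findings

# Constructed sample: a response for the EU environment signed with SHA-1
# whose NameID does not carry the user's Clarizen user name.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Destination="{acs}">
 <saml:Assertion>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo></ds:Signature>
  <saml:Subject><saml:NameID>jane@corp.example.local</saml:NameID></saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
   <saml:Audience>Clarizen</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
 </saml:Assertion>
</samlp:Response>""".format(acs=ACS["EU"])

print(lint_response(SAMPLE, "EU", "jane@example.com"))
```

A nameid-mismatch finding usually means the LDAP attribute chosen in the claim rule is not the one that holds the Clarizen user name.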

 

Configuring OneLogin

User Management Configuration via OneLogin (LDAP Integration)

This page is intended for Clarizen Admin users setting up SSO capabilities.

 

About Automatic User Management Option

The Automatic User Management option is configured in the OneLogin solution.
OneLogin uses Clarizen's API to provision, update, suspend and delete users according to the changes in its users' repository
and the configuration set by the administrator.

Figure 1: Automatic User Management Diagram

Configuration

 

The following steps are used to automatically configure OneLogin to provision users to Clarizen:

 

Configuration Steps

  1. To begin the process, you are required to have a OneLogin account in place. It is recommended to add and configure your
    organization's LDAP connector to OneLogin in order to create the users identities repository in OneLogin automatically, and
    to use the corp-net authentication as the single-sign-on authentication.
    To learn more about creating a OneLogin account and configuring your LDAP connector, please visit the OneLogin web site.
  2. Create a new role that defines the OneLogin users who need to be connected to Clarizen through the Clarizen agent in OneLogin.
    You can create this role by navigating to People → Roles → New Role.
  3. Navigate to Apps → Find app tab in OneLogin and search for the 'Clarizen' application.
  4. Click the Add link in order to add it to your list of applications in OneLogin.
  5. Click continue to be able to edit the application data.
  6. The authentication tab should appear as follows:

Figure 2: Authentication Tab

You do not need to change any of the basic default settings apart from one exception; you might want to change the
'Send Invitation Email' setting.

This checkbox defines whether or not Clarizen users receive an invitation email from Clarizen when automatically provisioned
by OneLogin.

Note: Two additional fields might appear here. Apply the following field values:
  • Customer URL: https://app2.clarizen.com/Clarizen/Pages/Integrations/SAML/SamlResponse.aspx
  • WSDL Document URL: https://api2.clarizen.com/v1.0/Clarizen.svc
  7. Click the API tab and set your organization's administrator credentials (Clarizen Admin credentials used for provisioning
    operations). These credentials are used to identify the Clarizen organization to which you provision your users.

    The Clarizen agent provisioning process can be connected or disconnected on the same tab.

    After clicking Connect, the Provisioning tab becomes available.

Figure 3: API Tab

  8. Click the Provisioning tab to configure the provisioning preferences.

Figure 4: Provisioning Tab

The Manually approve setting defines which management actions require the administrator's approval and which occur
automatically. Actions are approved or revoked by navigating to People → Provisioning → Provisioning Tasks within
OneLogin.

The setting Deprovisioning action defines what action to take within Clarizen on de-provisioning events.

A de-provisioning event may happen when a user is deleted from OneLogin, removed from a Clarizen-assigned role, or if Clarizen
is removed from OneLogin altogether.

Action options when a de-provisioning event occurs are to either change the user's state to 'Deleted' within Clarizen, change the user's
state to 'Suspended' within Clarizen, or to do nothing.

  9. Click the Access Control tab, and select the role that you created in Step 2 of the Configuration steps.

Figure 5: Access Control Tab

Seeing it Work

Navigate to People → Users and manually add people to your Clarizen role, or create a mapping via People → Mappings that sets
this role automatically for your users according to filters set by you.


Users that have the Clarizen role are automatically added to the Login tab in the Clarizen application configuration.
They are processed automatically or pending authorization, depending on your OneLogin 'Manual Approve' settings.

You can view and authorize provisioning processes via People → Provisioning and see the results in the People module in Clarizen.

Figure 6: Logins Tab

Configuring Azure Active Directory

To see a guide on configuring Azure Active Directory, click here.

Configuring OKTA

To see a guide on configuring OKTA, click here.
