How to set up Single Sign-On to Targetprocess with other SAML 2.0 Identity providers | Targetprocess - Visual management software

Besides the main Identity Providers that are recommended and covered in dedicated guides, Targetprocess SAML 2.0 SSO is compatible with most other SAML 2.0 providers. This guide provides additional information on this topic and some examples.

Detailed HOW-TOs for specific providers

Single Sign-On settings in Targetprocess

General note: Targetprocess SSO does not support SAML Metadata file export, so configuration always has to be done manually. The typical parameters and their possible values are listed below.

Assertion Consumer URL

This is the embedded Targetprocess endpoint that "listens" for requests from identity providers; it cannot be changed. In identity provider application settings it's typically called "Assertion Consumer URL" or "Assertion Consumer Service (ACS)".

Sign-On URL

This is the identity provider URL endpoint that processes an authentication request from a user's browser and returns an authentication response to verify the user. This URL is typically application-specific, so make sure you're using the correct URL provided by your identity provider. For some identity providers, such as PingOne, you'll have to download the SAML Metadata file to get this URL. Look for the "SingleSignOnService Binding" element; you need its "Location" value.
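Reading the "Location" value out of a downloaded metadata file can be scripted. The following is an added example, not Targetprocess or PingOne code: the sample metadata and the idp.example.com host are constructed, the function names are hypothetical, and the default binding and the https check are assumptions, since this guide does not say which binding Targetprocess uses.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample metadata; idp.example.com is a placeholder host.
SAMPLE_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.com/constructed">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sso_locations(metadata: bytes) -> dict:
    """Map each SingleSignOnService Binding to its Location value."""
    # Metadata files need no DTD; refusing one avoids entity-expansion tricks.
    if b"<!DOCTYPE" in metadata or b"<!ENTITY" in metadata:
        raise ValueError("DTD/entity declarations are not expected in SAML metadata")
    root = ET.fromstring(metadata)
    found = {}
    for el in root.iter(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = el.get("Binding"), el.get("Location")
        if binding and location:
            found.setdefault(binding, location)
    return found


def sign_on_url(metadata: bytes, binding: str = REDIRECT) -> str:
    """Return the Location to paste into the Sign-On URL field."""
    # Assumption: HTTP-Redirect by default; pass POST if your IdP requires it.
    locations = sso_locations(metadata)
    if binding not in locations:
        raise ValueError(f"no SingleSignOnService with binding {binding}")
    # Defensive check added here, not a documented Targetprocess requirement.
    url = urlsplit(locations[binding])
    if url.scheme != "https" or not url.hostname:
        raise ValueError("Sign-On URL must be an absolute https:// URL")
    return locations[binding]
```

The SingleLogoutService entry in the sample is skipped on purpose: only SingleSignOnService elements carry the Sign-On URL.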

Enabled JIT Provisioning

This option affects only Targetprocess behavior. Currently Targetprocess SSO does not provide additional JIT provisioning/deprovisioning features, e.g. using SCIM (System for Cross-domain Identity Management).

Disable login form

This option disables the native Targetprocess login form completely, and users are automatically redirected to SSO login. It also affects only Targetprocess behavior.

Exceptions list

Users on this list may access the native Targetprocess login form by adding the special “?login=form” parameter to the Targetprocess URL, e.g. https://your_account.tpondemand.com/login.aspx?login=form
It’s always a good idea to add at least one Targetprocess administrator to this list, so that someone can still access Targetprocess settings if the identity provider goes offline, or if incorrect SSO settings were saved and users cannot log in to Targetprocess using SSO due to a configuration error.

Single Sign-On application settings on the Identity provider side

Most identity providers use the same set of parameters; only the names might be slightly different, and sometimes there are additional fields. Some of them are listed below.

Protocol Version

Must be SAML 2.0

Assertion Consumer Service / ACS URL

In Targetprocess this is the "Assertion Consumer URL", as mentioned above.

EntityId

Your account URL without the HTTPS:// prefix, e.g. "account.tpondemand.com"

SSO attributes mapping

Currently Targetprocess SSO supports and uses only the user's e-mail address for authentication. The attribute is typically called 'email' or 'Email'.

Single Logout Endpoint / Single Logout Response Endpoint

Not used in Targetprocess SSO, must be left blank.

Examples of configuration for various Identity Providers

PingIdentity / PingOne

Centrify
