Besides the main identity providers that are recommended and covered in dedicated guides, Targetprocess SAML 2.0 SSO is compatible with most other SAML 2.0 providers. This guide provides additional information on this topic and some examples.
Detailed HOW-TOs for specific providers
- How to setup Single Sign-On with Okta
- How to setup Single Sign-On with OneLogin
- How to setup Single Sign-On with ADFS
- How to setup Single Sign-On with Google Apps
Single Sign-On settings in Targetprocess
General note: Targetprocess SSO does not support SAML Metadata file export, so configuration always has to be done manually. The typical parameters and their possible values are listed below.
Assertion Consumer URL
This is the embedded Targetprocess endpoint that "listens" for requests from identity providers; it cannot be changed. In identity provider application settings it's typically called "Assertion Consumer URL" or "Assertion Consumer Service (ACS)".
It’s an identity provider URL endpoint which processes an authentication request from a user's browser and returns an authentication response to verify the user. This URL is typically application-specific, so you need to make sure that you’re using the correct URL provided by your identity provider. For some identity providers, such as PingOne, you'll have to download the SAML Metadata file to get this URL. It's in the "SingleSignOnService Binding" element, and you need the "Location" value.
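As an added illustration (not part of the Targetprocess or PingOne documentation), this Python sketch reads an IdP metadata document and returns the "Location" of each SingleSignOnService element, refusing values that are not HTTPS. The sample metadata and the idp.example.com host are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"

# Constructed sample metadata; idp.example.com is a placeholder host.
SAMPLE_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/slo"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

def sso_locations(metadata_xml):
    """Return {binding URI: Location} for every IdP SingleSignOnService element."""
    # Metadata never needs a DTD; reject it rather than let the parser expand entities.
    if "<!DOCTYPE" in metadata_xml or "<!ENTITY" in metadata_xml:
        raise ValueError("metadata must not contain a DTD or entity declarations")
    root = ET.fromstring(metadata_xml)
    found = {}
    path = f".//{{{MD_NS}}}IDPSSODescriptor/{{{MD_NS}}}SingleSignOnService"
    for el in root.findall(path):
        binding, location = el.get("Binding"), el.get("Location")
        if not binding or not location:
            continue  # incomplete element, nothing to copy from it
        url = urlsplit(location)
        if url.scheme != "https" or not url.hostname:
            raise ValueError(f"refusing non-HTTPS sign-on URL: {location!r}")
        found[binding] = location
    return found

if __name__ == "__main__":
    for binding, location in sso_locations(SAMPLE_METADATA).items():
        print(binding.rsplit(":", 1)[-1], location)
```

The SingleLogoutService element is deliberately ignored, since only the sign-on endpoint is needed here.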
Enabled JIT Provisioning
This option only affects Targetprocess behavior. Currently Targetprocess SSO does not provide additional JIT provisioning/deprovisioning features, e.g. using SCIM (System for Cross-domain Identity Management).
Disable login form
This option disables the native Targetprocess login form completely, and users are automatically redirected to SSO login. It also only affects Targetprocess behavior.
Users in this list may access the native Targetprocess login form by adding the special “?login=form” parameter to the Targetprocess URL, e.g. https://your_account.tpondemand.com/login.aspx?login=form
It’s always a good idea to add at least one Targetprocess administrator to this list to ensure that someone will be able to access Targetprocess settings if the identity provider goes offline, or if incorrect SSO settings were saved and users cannot log in to Targetprocess using SSO due to a configuration error.
Single Sign-On application settings on the identity provider side
Most identity providers use the same set of parameters; only the names may differ slightly, and sometimes there are additional fields. Some of them are listed below.
Must be SAML 2.0
Assertion Consumer Service / ACS URL
In Targetprocess this is the "Assertion Consumer URL", as mentioned above.
Your account URL without the HTTPS:// prefix, e.g. "account.tpondemand.com"
SSO attributes mapping
Currently Targetprocess SSO only supports and uses the user's e-mail address for authentication; the attribute is typically called 'email' or 'Email'.
Single Logout Endpoint / Single Logout Response Endpoint
Not used in Targetprocess SSO, must be left blank.
Examples of configuration for various Identity Providers
PingIdentity / PingOne