How to login to EBF with SSO

Okta SSO

Okta Configurations

1 Login into Okta developer account

2 Go to Applications >> Applications >> Create App Integration

3 Select SAML 2.0 in the Sign-in method section and click on Next.

4 On the General Settings tab Enter any string as a name for your integration and click on Next button

5 On the Configure SAML tab, configure

i In the Single sign-on URL enter: “https://<EBF domain name or IP address>/saml/acs”

ii In Audience URI (SP Entity ID) enter: “https://<EBF domain name or IP address>/saml/acs”

iii Click on Show Advanced Settings

iv In the Signature Certificate upload app/saml/certs/sp.crt

v Select Enable Single Logout

vi In the Single Logout URL enter: “https://<EBF domain name or IP address>/saml/slo”

vii In the SP Issuer enter “https://<EBF domain name or IP address>/saml/acs” - same as Audience URI (SP Entity ID)

viii In the Attribute Statements section, enter below Attribute maps and than click Next button:

6 In the Feedback tab, select I’m an Okta customer adding an internal app and click Finish.

Okta: Assign Okta Users to EBF SSO

Go to the Assignments tab and Assign users to the newly created App integration.

EBF Configurations

NOTE: HTTPS EBF instance is mandatory for Okta SSO

1 Make changes in the settings.conf file: Now, go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the below config variables as per your Okta EBF integration.

  • SAML_IDP_URL”: “<SAML metadata URL>”

  • entityId”: “https://<EBF domain name or IP address>/saml/acs/”

  • assertionConsumerService”: {“url”: “https://<EBF domain name or IP address>/saml/acs/”

  • singleLogoutService”: {“url”: “https:///<EBF domain name or IP address>/saml/slo”

  • x509cert”: “<formatted certificate string uploaded to Okta app integration>”

  • privateKey”:”<formatted private key string>”

2 After making the changes, restart EBF app by running below commands

cd /data/timesys/ebf
sudo docker-compose down
sudo docker-compose up -d

3 Login into the EBF by entering the Okta Username and Password by clicking on the Login with Okta button.

Microsoft Azure AD SSO

Azure AD Configurations

Registering the application in Active Directory

The EBF application is registered as a non-gallery application. From the Active Directory dashboard:

  • Click “Enterprise Applications” on the sidebar

  • Click “+ New Application”

  • “Create your own application”

  • Enter a name for the application

  • Select “Integrate any other application you don’t find in the gallery (Non-gallery)”

  • Click Create

Assigning users and groups

To allow users to login to EBF via Active Directory, they must be added to the Enterprise Application. From the application dashboard:

  • Click “Users and Groups”

  • Click “Add user/group”

  • Select users or groups that should have access to

Users must have an email address added to their Active Directory account in order to log into EBF.

Configuring EBF SAML

Once an Enterprise application is added, you can configure the SAML settings required to log into EBF.

From the Active Directory dashboard:

  • Click “App Registrations” on the sidebar

  • Click the EBF application

Adding EBF as a valid redirect target

  • Click “Authentication” on the sidebar

  • Click “Add a platform”

  • Select Web

  • Enter “https://<EBF domain name Or IP address>/users/saml/acs” or “http://<EBF domain name Or IP address>/users/saml/acs” as the Redirect URI depending on EBF instance is HTTPS or HTTP

Adding the EBF certificate

  • Click “Certificates & secrets” on the sidebar

  • Upload the provided certificate

Token Configuration

  • Click “Token configuration” on the sidebar

  • Click “+ Add Optional Claim”

  • Select “SAML”

  • Select “email”

  • Click “Add”

  • AD may prompt you to enable a Graph permission, do so

Exposing to EBF

  • Click “Expose an API”

  • Set Application ID URI (Default is fine, whatever you want)

Connecting EBF to Active Directory

To point EBF at your Active Directory tenant, we need you to email us two pieces of information. From the Active Directory dashboard:

  • Click “App registrations”

  • Click the EBF application

Federation Metadata

  • Click “Endpoints”

  • Copy the “Federation metadata document” link and paste it into the email

Application ID URI

  • Copy the “Application ID URI” and paste it into the email

That should be it. Once we enter the provided data into the EBF instance, you should be able to log in via Active Directory.

EBF Configurations

FOR HTTP

1 Make changes in the settings.conf file: Now, go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the below config variables as per your Microsoft Azure integration.

  • “SAML_IDP_URL”: “<Federation metadata document URL>”

  • “entityId”: “<Azure Application ID URI>”

  • “assertionConsumerService”: { “url”: “http://<EBF domain name Or IP address>/saml/acs/”

  • “singleLogoutService”: { “url”: “http://<EBF domain name Or IP address>/saml/slo”

  • “x509cert”: “<formatted certificate string uploaded to Azure>”

  • “privateKey”:”<formatted private key string>”

2 After making the changes, restart EBF app by running below commands

cd /data/timesys/ebf
sudo docker-compose down
sudo docker-compose up -d

FOR HTTPS

1 Make changes in the settings.conf file: Now, go to the directory /data/timesys/ebf/setup. Edit settings.conf and set the below config variables as per your Microsoft Azure EBF integration.

  • “SAML_IDP_URL”: “<Federation metadata document URL>”

  • “entityId”: “<Azure Application ID URI>”

  • “assertionConsumerService”: { “url”: “https://<EBF domain name Or IP address>/saml/acs/”

  • “singleLogoutService”: { “url”: “https://<EBF domain name Or IP address>/saml/slo”

  • “x509cert”: “<formatted certificate string uploaded to Azure>”

  • “privateKey”:”<formatted private key string>”

2 After making the changes, restart EBF app by running below commands

cd /data/timesys/ebf
sudo docker-compose down
sudo docker-compose up -d

3 Login into the EBF by entering the Microsoft Azure Username and Password. Click on the Login with Microsoft button.