Hello team,

 

We have enabled Azure AD SSO for our customer. One issue we face is that every time the customer hits the login page, they are required to click on the "Login with Single Sign On" link. Is it possible to auto redirect to SSO (assuming that users are signed in)?



Could you also please let us know if there are any config related changes we need to enable to auto login via SSO?

Like 2

Like

3 comments

We're also facing this same requirement for our client and haven't seen an option for this - would be great to hear if it's possible and if not if it could be added to Creatio.

Harvey Adcock, Shivani,



It is possible. Do you use cloud or on-premise?



BR,

Bhoobalan Palanivelu.

Hi Bhoobalan, it is possible on cloud instances by contacting Creatio to enable it. The implementation isn’t great unless all your users (including dev/admins) use SSO though, as the auto-redirect will be cached meaning you cannot log in using Creatio username and password without using a fresh incognito window every time - it’s quite frustrating. They need to add a link that can always be used to log in via non-SSO means. 

Show all comments

Hi Community,

 

When a new user is provisioned through SSO, we want restrict the user creation or restrict the user from 1st time login, so that we can implement an addition approval layer.

 

Is there a way to achieve the above task?

 

Thanks

Like 0

Like

1 comments

Sourav, 



Hope that I understand your question well. 



User creation during the 1st login occurs only if JIT is enabled. 

Unfortunately, there is no OOB tools or examples of implementations of  this functionality we can provide you with. 



I will create an idea for the responsible team to consider the possibility of adding such  functionality in future.  



Thank you. 

Show all comments

Hi Community,

 

I am trying to implement JIT when a user is not present. But by default it is creating a user as "Company Employee". Any suggestions how I can identify and create either Company Employee or Portal user based on the response that has been received in the SAML token.

I have followed the following two articles:

  1. Single Sign-On via ADFS
  2. Just-In-Time User Provisioning

 

Thanks,

Sourav Kumar Samal

Like 2

Like

3 comments

Hi All,

 

Can anyone answer on this?

 

Thanks,

Sourav

Dear Sourav, 



I would suggest you to carefully check the web.config file located in the root folder of Creatio. 

In this file you can find the list of login providers (the place where you enabling JIT by the guide):



        <provider name="SsoAuthProvider" type="Terrasoft.WebApp.Loader.Authentication.SSO.SsoAuthProvider, Terrasoft.WebApp.Loader">

          <parameters>

            <add name="UserType" value="General" />

            <add name="UseJit" value="false" />

          </parameters>

        </provider>

        <provider name="SSPSsoAuthProvider" type="Terrasoft.WebApp.Loader.Authentication.SSO.SsoAuthProvider, Terrasoft.WebApp.Loader">

          <parameters>

            <add name="UserType" value="SSP" />

          </parameters>



If you want to enable JIT for portal user you need to make sure that key <add name="UseJit" value="false" /> is added to the block related to the "SSPSsoAuthProvider"

so it looks like:

    <provider name="SSPSsoAuthProvider" type="Terrasoft.WebApp.Loader.Authentication.SSO.SsoAuthProvider, Terrasoft.WebApp.Loader">

          <parameters>

            <add name="UserType" value="SSP" />

            <add name="UseJit" value="true" />

          </parameters>



After that please make sure that SspLogin.aspx is specified in all keys instead of NuiLogin.aspx to make sure that user will get a proper portal cookie in case if you want to use a Service Provider initiated SSO flow to create portal users. 

Also please note that in this case ordinary company employees will have to login via direct link only or use the link to NuiLogin.aspx module if they want to use SSO as well. 



Kind regards,

Roman

Roman Brown,

Does this mean we can only use Jit either for Portal User or for Company Employee user?

 

Regards,

Sourav

Show all comments

Hi All,

 

We have a requirement to enable SSO with OKTA. Please suggest whether is it possible? If yes, how we can do that?

 

Thanks & Regards,

Sourav Kumar Samal

Like 0

Like

5 comments

Hello,

 

Yes, it is possible to set up SSO through OKTA. Unfortunately, we do not have specific instructions for this product, but you can use the Single Sign-On via ADFS Academy article for your reference. 

 

Best regards,

Bogdan

 

 

Bogdan,

 

We are also trying to configure from OKTA's side as well. But there are certain ask that we are unsure about. Could you please suggest on the following questions from Creatio perspective?

Thanks,

Sourav

Bogdan,

Is there any information on this?

 

Thanks

Sourav, 



This application is in "Upcoming" state meaning that it will be available in Future. 

As for your first question, you need to insert following values:

 



Kind regards,

Roman

 

Roman Brown,

 

What is the LocalCertificateFile and where to get this for onsite applications?

 

Thanks,

Sourav

Show all comments

From the /ServiceModel/AuthService.svc/Login authorization API respond with 4 Set-Cookie headers in the response. But according to the spec [https://datatracker.ietf.org/doc/html/rfc6265#section-4.1] , "Servers SHOULD NOT include more than one Set-Cookie header field in the same response with the same cookie-name."  From the client application, it can't get the all 4 header values, only first one retrievable. Could you please give a fix or suitable workaround for this.

Like 0

Like

2 comments
Best reply

Hi Anusha, 

 

it's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies: 

 

8.1.2.5.  Compressing the Cookie Header Field
 
   The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
   cookie-pairs (or "crumbs").  This header field doesn't follow the
   list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
   prevents cookie-pairs from being separated into different name-value
   pairs.  This can significantly reduce compression efficiency as
   individual cookie-pairs are updated.
 
   To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.
 
   Therefore, the following two lists of Cookie header fields are
   semantically equivalent.
 
     cookie: a=b; c=d; e=f
 
     cookie: a=b
     cookie: c=d
     cookie: e=f

Please also check out this article:

 

https://datatracker.ietf.org/doc/html/rfc6265#page-7

 

Best Regards, 

 

Bogdan L.

 

Hi Anusha, 

 

it's now allowed in HTTP/2 (https://datatracker.ietf.org/doc/html/rfc7540#section-8.1.2.5), which specifies: 

 

8.1.2.5.  Compressing the Cookie Header Field
 
   The Cookie header field [COOKIE] uses a semi-colon (";") to delimit
   cookie-pairs (or "crumbs").  This header field doesn't follow the
   list construction rules in HTTP (see [RFC7230], Section 3.2.2), which
   prevents cookie-pairs from being separated into different name-value
   pairs.  This can significantly reduce compression efficiency as
   individual cookie-pairs are updated.
 
   To allow for better compression efficiency, the Cookie header field
   MAY be split into separate header fields, each with one or more
   cookie-pairs.  If there are multiple Cookie header fields after
   decompression, these MUST be concatenated into a single octet string
   using the two-octet delimiter of 0x3B, 0x20 (the ASCII string "; ")
   before being passed into a non-HTTP/2 context, such as an HTTP/1.1
   connection, or a generic HTTP server application.
 
   Therefore, the following two lists of Cookie header fields are
   semantically equivalent.
 
     cookie: a=b; c=d; e=f
 
     cookie: a=b
     cookie: c=d
     cookie: e=f

Please also check out this article:

 

https://datatracker.ietf.org/doc/html/rfc6265#page-7

 

Best Regards, 

 

Bogdan L.

 

Bogdan Lesyk,

Thanks Bogdan. It was really helpfull, will check alternative way to process from the client API side.

Show all comments