FSSO - Federated Single Sign-On
Federated Single Sign-On (FSSO) is a feature that allows organizations to decide how users are authenticated when accessing ARGUS Cloud.
Using FSSO, organizations can ensure that user access to ARGUS Cloud, and other non-ARGUS products, is controlled by a single identity provider (IDP). Users do not have to manage multiple account usernames and passwords for different online services.
An organization’s FSSO setup is typically managed by IT security teams. As part of the configuration process, IT teams within ARGUS will collaborate with the organization and validate the implementation.
Recommendation: For a smooth and successful configuration, take time to familiarize yourself with FSSO before beginning the configuration process.
How FSSO works
FSSO Setup
Requirements
Before you begin:
- Set up your identity provider to work with ARGUS Cloud. You'll find instructions for our supported IDPs during the configuration process.
- Go to your identity provider for the required metadata to enter into ARGUS Cloud. Metadata can be downloaded from your identity provider either as an .xml file or retrieved manually.
The following metadata must be entered into ARGUS Cloud for federated single sign-on setup:
- Issuer URL
- Single Sign-On URL (SSO URL)
- Logout URL
- Sign-In Certificate
The FSSO setup procedure
Click Setup FSSO to begin setting up federated single sign-on.
Select your identity provider from the dropdown list.
Option: If your identity provider is not in this list, then select Other and enter the name of your identity provider.
Set up your IDP to support the federated sign-on. The IDP-dependent instructions are in the application's online guide.
Navigate to your identity provider and follow the steps within the guide to set up your identity provider to work with Argus Cloud.
Click the checkbox: Click this to confirm you have configured your IDP.
If you have an .xml file downloaded from your identity provider, then complete Step 5.
If you do not have the .xml file then skip to Step 6.
Click the check box: I have the federation metadata file.
Upload your .xml file.
Skip Step 6 and Step 7.
Go to Step 8.
Uncheck the check box: I have the federation metadata file.
Enter the necessary data:
Issuer URL: The unique identifier of the identity provider is formatted as a URL. This is used by ARGUS Cloud to validate that the authentication requests are coming from the correct identity provider.
Single Sign-On (SSO URL): Used by ARGUS Cloud to determine where users are sent to be authenticated.
Sign-In certificate: Download this certificate from your identity provider and upload it in ARGUS Cloud so that authentication requests can be verified.
Next Step: If you have a secondary identity provider to be used if the first identity provider fails, also known as high availability, then complete Step 8. If you do not have high availability, then skip to step 9.
If you have high availability, then click: I have high availability. Upload your secondary sign-in certificate.
Option: Your domain is listed under DOMAIN NAME. To add another domain, click Add Other Domains and enter the domain name.
Enter the contact details for the identity provider expert in your organization.
Enter:
Contact name
Contact email
Contact phone number
Click Submit.
Logging in once FSSO is enabled
Using information provided during your FSSO setup (see the above flowchart), ARGUS Cloud redirects users to the relevant identity provider to authenticate the user.
User initiates an ARGUS application (See below, Support for FSSO). This can be via a web application, or client desktop application.
User enters their username.
Result: ARGUS validates the domain name provided in the username. If the username belongs to a federated domain, ARGUS redirects the user to the login process associated with that identity provider.
The identity provider (IDP) takes control of the process from this step forward.
The IDP will either authenticate the user or request the user to authenticate (typically with username and password).
Result: The IDP redirects the user back to ARGUS with a valid access token. ARGUS accepts the IDP authentication and the user is connected to the originally requested application.
Support for FSSO
FSSO is offered and supported for ARGUS Cloud:
- ARGUS Enterprise versions 13.0 and later (earlier versions are not supported)
- ARGUS Developer
- ARGUS Voyanta
- ARGUS Taliance
NOTE: We currently offer Service provider-initiated SAML.
FSSO FAQs
Q: Can FSSO be enabled on a Sandbox environment prior to a Production environment?
A: FSSO cannot be enabled to a single environment (such as UAT) as it is a universal login to the Altus Cloud Platform.
Q: Will FSSO require downtime?
A: Enabling FSSO will not require downtime. If a user has logged into ARGUS Cloud prior to FSSO being enabled, the user will retain their login token while FSSO is being enabled.
Q: Can we return to the default login option at any time during or after deployment?
A: FSSO can be disabled at any time should the user wish to return to the default login option.
Q: Is SAML Authentication required?
A: SAML authentication is used when using FSSO with ARGUS Cloud on a supported product (i.e., ADFS, Azure AD, Okta).
Q: Will Altus require Token Encryption?
A: Token encryption is used for FSSO; however, it is not required.
Q: Will Altus require SCIM Provisioning for Lifecycle Management?
A: Altus Group does not manage access. The client manages access from the Active Directory and sets up user authorization through the ARGUS Portal.
Q: Will Altus require the use of the Application Proxy?
A: Application Proxy is not required, but FSSO can work with proxies.
Q: Do you require any special conditional access policies outside of the default standard?
A: FSSO does not require special conditional access policies.
Q: Which identity providers are supported?
A: ARGUS Software currently supports Okta, Microsoft Azure Active Directory, and Active Directory Federation Services.
Q: My identity provider is unsupported. What does this mean?
A: If you use an identity provider that is not listed under supported identity providers, it will still work with ARGUS Cloud however it is not fully supported by us, and we may not be able to fix all issues in the future.
Q: What federation metadata do I need to submit?
A: You must submit the following:
- Issuer URL - The unique identifier of the identity provider and will be formatted as a URL. This is used by ARGUS Cloud to validate that the authentication requests are coming from the correct identity provider.
- Single Sign-On URL (SSO URL) - Used by Argus Cloud to determine where users need to be sent to be authenticated.
- Logout URL – Used by Argus Cloud so that the application knows where to redirect users to logout.
- Sign-In Certificate – Allows authentication requests to be verified by Argus Cloud.
This can be entered manually or submitted in the form of an .xml file.
Q: Where can I find the federation metadata that I need to submit?
A: You need to get your federation metadata from your identity provider. Please refer to your identity provider’s help documentation.
Q: What configurations do I have to make to my identity provider?
A: If you use one of supported identity providers (Okta, Microsoft Azure Active Directory, and Active Directory Federation Services), there are help documents provided when you are setting up Federated Single Sign-On. Please refer to these documents for help with the steps you need to take to configure your identity provider. Please note, Argus software is not responsible for setting up your identity provider.
Q: I am asked to provide contact details when setting up Federated Single Sign-On. Whose contact details should I provide?
A: You should provide the contact details for the identity provider expert in your organization. This will be the person who makes changes to the identity provider and has a high degree of knowledge of it.
Q: I have submitted my data, now what?
A: Once you have submitted all the relevant data, our internal team will configure Federated Single Sign-On for your organization.
