Single sign-on with SAML can be used with applications running in a browser.
SAML is a standard for exchanging authentication data between security domains. It is an XML-based protocol in which security tokens containing assertions carry information about a user from an identity provider to a service provider, enabling web-based authentication scenarios, including single sign-on across all ARIS runnables.
Please contact your LDAP administrator before you change any configuration.
Prerequisite
Server
Users who want to use SSO must have a valid Microsoft® Active Directory Domain Services user login.
This user is available in ARIS Administration.
ARIS Administration authenticates against LDAP.
The SAML identity provider supports the HTTP POST binding as specified by the SAML 2.0 specification.
Client
Your web browser supports JavaScript.
The following steps must be taken to use SSO:
Procedure
The single sign-on configuration options must be set in the ARIS Administration.
ARIS must be registered as a trusted service provider at the SAML identity provider.
You configured SSO.
Configuration options in ARIS Administration
Enable SSO for the servers (SAML)
Prerequisite
You have the Technical configuration administrator function privilege.
If you use multiple LDAP systems, the user names must be unambiguous through all LDAP systems. Otherwise, no SSO is possible.
Procedure
Start ARIS.
Click Application launcher > Administration. The Administration opens with the Configuration view.
Click the arrow next to SAML.
Click General.
Click Edit.
Enable Use SAML.
Enter the ID of the identity provider in the Identity provider ID field.
Enter the ID of the service provider in the Service provider ID field.
Enter the end point of the identity provider that is used for single sign-on in the Single sign-on URL field.
Enter the end point of the identity provider that is used for single log-out in the Single logout URL field.
You have configured SSO using SAML in ARIS Administration. If you use multiple LDAP systems, the user names must be unambiguous through all LDAP systems. Otherwise, no SSO is possible.
Please note that SSO (single sign-on) using SAML does not work if there are multiple LDAP servers and the same login name exists (even for different entities) in different LDAP systems.
Register ARIS as a trusted service provider
Establish a circle of trust between the identity provider and the service provider.
Procedure
Open a browser.
Enter the following URL into the address bar:
https://<SERVERNAME>/umc/rest/saml/metadata.xml?tenant=<TENANTID>
You get a metadata file. Save this file as an XML file.
Send the metadata file to your SAML identity provider so that the metadata can be uploaded there.
Your system is configured to be used with single sign-on and SAML.
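The four values entered in the SAML > General fields (identity provider ID, service provider ID, single sign-on URL, single logout URL) normally come from the identity provider's metadata, and the metadata file you download from ARIS and send to the identity provider should be checked before it leaves your hands. The following script is an added example that is not part of this documentation or of ARIS: it extracts the field values from an identity-provider metadata document, insisting on the HTTP POST binding named in the prerequisites, and checks that the service-provider metadata declares the expected entity ID and an HTTPS HTTP-POST assertion consumer service. Both metadata documents are constructed samples with placeholder entity IDs and URLs, and the WantAssertionsSigned check is a general SAML hardening check, not a step from the procedure above.

```python
"""Derive the ARIS 'SAML > General' field values from identity-provider
metadata and sanity-check the service-provider metadata served by
.../umc/rest/saml/metadata.xml before it is sent to the identity provider.

Both metadata documents below are constructed samples, not real ARIS or
identity-provider output; entity IDs and URLs are placeholders."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed identity-provider metadata (placeholder values).
IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo-redirect"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso-redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed service-provider metadata in the general shape a SAML SP
# publishes (placeholder values; not the real ARIS output).
SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="aris-sp-example">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://aris.example.test/umc/rest/saml/acs?tenant=default" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def _endpoint(descriptor, tag, binding):
    """Location of the first <md:tag> in descriptor that uses `binding`, or None."""
    for element in descriptor.findall(f"md:{tag}", NS):
        if element.get("Binding") == binding:
            return element.get("Location")
    return None


def idp_settings(metadata_xml):
    """Values for the Identity provider ID, Single sign-on URL and Single logout URL fields.

    Only HTTP-POST endpoints are accepted, matching the stated prerequisite.
    For metadata received from outside, parse it with a hardened XML parser
    (for example defusedxml) instead of the standard library parser used here."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    sso = _endpoint(idp, "SingleSignOnService", HTTP_POST)
    if sso is None:
        raise ValueError("identity provider declares no HTTP-POST SingleSignOnService")
    return {
        "identity_provider_id": root.get("entityID"),
        "single_sign_on_url": sso,
        "single_logout_url": _endpoint(idp, "SingleLogoutService", HTTP_POST),
    }


def check_sp_metadata(metadata_xml, expected_sp_id):
    """Problems found in service-provider metadata; an empty list means it is ready to send."""
    root = ET.fromstring(metadata_xml)
    problems = []
    if root.get("entityID") != expected_sp_id:
        problems.append(
            f"entityID {root.get('entityID')!r} does not match the configured "
            f"Service provider ID {expected_sp_id!r}"
        )
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        return problems + ["metadata contains no SPSSODescriptor"]
    acs = _endpoint(sp, "AssertionConsumerService", HTTP_POST)
    if acs is None:
        problems.append("no HTTP-POST AssertionConsumerService declared")
    elif not acs.startswith("https://"):
        problems.append("AssertionConsumerService location is not HTTPS")
    # Hardening check beyond the procedure: the IdP should be told to sign assertions.
    if sp.get("WantAssertionsSigned") != "true":
        problems.append("WantAssertionsSigned is not true")
    return problems


if __name__ == "__main__":
    print(idp_settings(IDP_METADATA))
    print(check_sp_metadata(SP_METADATA, "aris-sp-example") or "SP metadata OK")
```

Run it against the metadata file saved from the URL above (replacing the constructed SP_METADATA) and against the metadata your identity provider publishes; a mismatch between the entityID in the file and the Service provider ID field is the most common reason the identity provider rejects the registration.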
Troubleshooting
You can find detailed information on SAML authentication issues in the log files of ARIS Administration located in
<Your installation folder>\ARIS10.0\server\bin\work\work_umcadmin_<size>\base\logs
Example
C:\SoftwareAG\ARIS10.0\server\bin\work\work_umcadmin_m\base\logs