SAML 2.0 Authentication


SAML 2.0 allows you to use single sign-on (SSO) with any SAML 2.0 compliant identity provider.


The first step to implementing SSO with Pacific Timesheet is to create a SAML 2.0 application in your identity provider. You will need to configure the URL in the Pacific Timesheet application that the identity provider sends the user to. This setting is often called the Single Sign On URL, the Recipient URL or the Destination URL. Enter your Pacific Timesheet URL in its full format, e.g.


https://xyz.pacifictimesheet.com/timesheet/home.do


Replace the 'xyz' portion above with the subdomain you use.


Troubleshooting Note: Make sure compression is turned on for any SAML 2.0 configuration. Pacific Timesheet expects the SAML data to be compressed.
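The compression the note refers to is the HTTP-Redirect binding's DEFLATE encoding: the SAML XML is deflated (no zlib header), base64-encoded, then URL-encoded. The following is an added example, not code from Pacific Timesheet or any identity provider; it builds a constructed AuthnRequest using the URLs from this page as sample values, encodes it both correctly and without compression, and decodes a parameter while reporting which form the sender used, so a misconfigured identity provider can be spotted quickly.

```python
import base64
import urllib.parse
import zlib
from xml.etree import ElementTree as ET

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def build_authn_request(request_id, issuer, destination, acs_url):
    """Build a minimal SAML 2.0 AuthnRequest (constructed sample message)."""
    ET.register_namespace("samlp", SAMLP_NS)
    ET.register_namespace("saml", SAML_NS)
    root = ET.Element(f"{{{SAMLP_NS}}}AuthnRequest", {
        "ID": request_id,
        "Version": "2.0",
        "IssueInstant": "2024-01-01T00:00:00Z",
        "Destination": destination,
        "AssertionConsumerServiceURL": acs_url,
        "ProtocolBinding": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    })
    ET.SubElement(root, f"{{{SAML_NS}}}Issuer").text = issuer
    return ET.tostring(root, encoding="unicode")


def encode_redirect_param(xml_text, compress=True):
    """Encode a SAML message as an HTTP-Redirect binding query parameter:
    raw DEFLATE (no zlib header, wbits=-15), then base64, then URL-encode.
    compress=False reproduces the misconfiguration the note above warns about."""
    raw = xml_text.encode("utf-8")
    if compress:
        deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
        raw = deflater.compress(raw) + deflater.flush()
    return urllib.parse.quote(base64.b64encode(raw).decode("ascii"), safe="")


def decode_redirect_param(param):
    """Decode a SAMLRequest/SAMLResponse parameter and report whether the
    sender actually compressed it. Returns (xml_text, was_compressed)."""
    data = base64.b64decode(urllib.parse.unquote(param))
    try:
        return zlib.decompress(data, -15).decode("utf-8"), True
    except (zlib.error, UnicodeDecodeError):
        # Not a DEFLATE stream: the sender skipped compression, which is
        # the case the troubleshooting note says Pacific Timesheet rejects.
        return data.decode("utf-8"), False
```

When a login fails with SAML logging enabled, decoding the captured parameter this way tells you immediately whether the identity provider sent compressed data at all.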


Once you have created the Pacific Timesheet application in your identity provider you must then configure the security settings in Pacific Timesheet. First, find the values you need to enter into Pacific Timesheet by going to your identity provider's Admin dashboard and locating the SSO settings for the application created above. Enter the following information into Pacific Timesheet on the System > Security page:


Property / Description

Name: This is the name used in the login button on the Pacific Timesheet login page.

Issuer URL: The value from the identity provider, for example: https://app.onelogin.com/saml/metadata/439734

SAML 2.0 Endpoint (HTTP): The value from the identity provider, for example: https://app.onelogin.com/trust/saml2/http-post/sso/439734

Certificate: The identity provider's X.509 security certificate. You can specify a primary certificate and, optionally, a secondary certificate. When a login request is authenticated the primary certificate is tried first, and if that fails the secondary certificate is used. You would typically provide a secondary certificate a few days or weeks before the primary one expires so that there is no loss of access to the application when the primary certificate expires. Once the primary certificate has expired, replace it with the secondary certificate at your earliest convenience, then clear the secondary certificate field.

Note that the X.509 certificate must be in PEM format, meaning it starts with the header line -----BEGIN CERTIFICATE----- and ends with the footer line -----END CERTIFICATE-----

Logging: Check this option to help troubleshoot authentication failures. Errors are logged to the System Event Log and can be viewed with the Reports > System Event Log report. For self-hosted systems you can also view detailed information in the log files located in the <PacificTimesheet>/tomcat/logs directory.


When you use an identity provider to log in to Pacific Timesheet, you will need a corresponding employee account in Pacific Timesheet. The identity provider's account identifier (be it email address, login, etc.) is used to find the corresponding Pacific Timesheet account. The match is made against the Pacific Timesheet account's login name, employee ID or email address, in that order.


Note: Even if SSO is enabled you can allow some employees to log in using Pacific Timesheet's standard authentication (user name and password). On the login page the employee can choose either to log in with the standard user name and password, or to use the configured identity provider's SSO option. This allows Pacific Timesheet accounts that do not use the configured identity provider, such as the 'admin' account or client approver accounts, to continue logging in with a user name and password.