ARC Facilities supports Single Sign-On (SSO), a process that allows users to authenticate themselves against an external Identity Provider (IDP) rather than using the internal ARC Facilities username and password.
The benefit of this workflow is that companies only need to manage a single user database. Connected applications grant users access based on this single database, which means that when an employee joins or departs the company, their access is automatically enabled or disabled for all connected systems.
To accomplish this, ARC Facilities, acting as a Service Provider (SP), communicates with an Identity Provider (IDP) using an industry-standard protocol, SAML 2.0 (Security Assertion Markup Language), to validate user credentials and grant access to ARC Facilities.
The basic workflow is as follows:
- A user opens the ARC Facilities application through a web browser.
- Upon reaching the Sign In screen, the user navigates to the Sign In with SSO screen and enters their email ID.
- ARC Facilities detects that the account is set up for SSO and redirects the user to the correct IDP.
- The user enters their credentials with the IDP.
- The IDP validates the user, then redirects the user back to ARC Facilities, providing the user's information and groups to ARC Facilities.
- ARC Facilities, using the information provided by the IDP, signs the user in to their account and sets permissions as defined for the user's group.
Both ARC Facilities and the Identity Provider need to be properly configured for Single Sign-On.
Steps to Configure the Identity Provider (IDP)
To configure the Identity Provider for use with ARC Facilities, you will need to enter some information into the IDP and extract some information for ARC Facilities.
- Note the Sign-In URL that is provided by the IDP.
- Note the Sign-Out URL that is provided by the IDP.
- Download a copy of the X.509 Certificate from the IDP.
- Enter the following URL into the IDP field called SAML Post URL.
- Provide the assertion attributes (case sensitive) in the IDP:
  - Firstname: FirstName
  - Lastname: LastName
  - Email: Email
  - Group: group_name
  Note: These mappings are case sensitive and must be entered exactly.
  Please send a SAML response to us so that we can verify the attribute mapping. The SAML response must be Base64 encoded.
- Download the IDP Metadata file and send this to us, along with the SAML response above.
Steps to Configure ARC Facilities (By Admin user)
The admin user will first have to create a new standard account in ARC Facilities and then sign in to ARC Facilities as a standard user. After signing in, the admin user will proceed to create the SSO user group, then enable and configure the SSO settings.
Enabling SSO in ARC Facilities
- Sign in to ARC Facilities using the administrator account.
- Navigate to Settings > Account Settings.
- Click the Single Sign On (SSO) tab.
- Upload the IDP Metadata to ARC Facilities.
- Enter the Domain name (the user's company domain name).
- Verify or select the attribute mappings in ARC Facilities.
- Enter the Identity Provider sign-in URL.
- Enter the Identity Provider sign-out URL (optional).
- Upload a copy of the X.509 security certificate.
- Save your settings.
Setting up Groups
Access to ARC Facilities is enabled by creating Groups.
Group names are CASE SENSITIVE and must EXACTLY match the groups used in the Identity Provider (IdP).
To set up Groups in ARC Facilities, add them one at a time using the provided field.
Once created, Groups will display in the Contacts listing for ARC Facilities. Each group name must match the group's AD name at the user's company.
Permissions in ARC Facilities
For ARC Facilities, permissions are assigned based on Account Teams. As with Groups above, an Account Team must exist that exactly matches the Groups provided by the Identity Provider.
Note: When creating groups using the tool above, an Account Team is automatically created in ARC Facilities.
You can then add Account Teams to campuses during campus creation.
If the campus already exists, you may associate them using the Account Teams settings menu.
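The attribute mapping and group-name requirements above can be checked before go-live. The script below is an added example, not ARC Facilities or IDP code: it decodes a constructed, unsigned Base64 SAML response (the kind the article asks the IDP administrator to send), reports attribute names that are missing or differ only in case, and flags group values that have no exact, case-sensitive match against the Groups configured in ARC Facilities. Signature validation is left to the SP's SAML library and is not attempted here.

```python
import base64
import xml.etree.ElementTree as ET

# Standard SAML 2.0 namespaces (not ARC-specific).
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Attribute names ARC Facilities expects from the IDP; the article says these are case-sensitive.
REQUIRED_ATTRIBUTES = ("FirstName", "LastName", "Email", "group_name")

def extract_attributes(b64_response: str) -> dict:
    """Decode the Base64 SAML response the IDP posts and return {attribute name: [values]}."""
    root = ET.fromstring(base64.b64decode(b64_response))
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    return attrs

def check_mapping(attrs: dict, configured_groups: set) -> list:
    """List mapping problems: missing or wrongly cased attribute names, groups with no exact match."""
    problems = []
    for required in REQUIRED_ATTRIBUTES:
        if required in attrs:
            continue
        # A name that differs only in case (e.g. "email") is the most common misconfiguration.
        miscased = [n for n in attrs if n.lower() == required.lower()]
        if miscased:
            problems.append(f"attribute {miscased[0]!r} must be named {required!r} (case-sensitive)")
        else:
            problems.append(f"attribute {required!r} is missing")
    for group in attrs.get("group_name", []):
        if group not in configured_groups:  # exact match only; "facilities" != "Facilities"
            problems.append(f"group {group!r} has no exactly matching ARC Facilities group")
    return problems

# Constructed sample response (not a real IDP capture, unsigned): "email" is wrongly cased.
SAMPLE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="group_name"><saml:AttributeValue>Facilities</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML).decode()

def sample_problems() -> list:
    # The configured group deliberately differs from the IDP value only in case.
    return check_mapping(extract_attributes(SAMPLE_B64), {"facilities"})
```

Running `sample_problems()` reports both the miscased `email` attribute and the `Facilities` group that has no exact match, which are the two mistakes the article warns about.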
Signing in to ARC Facilities through SSO login (by employee user)
An employee user of the client company can access ARC Facilities through the SSO login screen once the admin user has completed all the configuration necessary to enable SSO login for ARC Facilities.
When an employee user accesses ARC Facilities for the first time the following workflow will occur:
1. Go to the ARC Facilities Sign In screen.
2. Click the "Sign in with SSO" link.
3. Provide the email ID and click the [Next] button. The user is redirected to the IDP's login screen (an Okta example is shown in the screenshot below).
4. Enter the username and password and click the [Sign in] button.
After authentication, the IDP redirects the user to the SP URL (the ARC Facilities URL) that is already configured in the IDP. ARC Facilities validates the response, creates the user account if it does not exist, and takes the user to the ARC Facilities Home screen, as shown below.