Configuring Single Sign-on (SSO)
Note: if you are using Azure Active Directory, see Configure Single Sign-on (SSO) using Azure Active Directory.
Single Sign-on (SSO) enables you to configure your tenancy so that Advance automatically signs in users.
Configuring Single Sign-on requires that you both configure your tenancy to use Single Sign-on and register Advance with your Single Sign-on provider.
Prerequisites
- Create a tenancy – Advance must have at least one tenancy before you can configure Single Sign-on.
- Single Sign-on provider – you must have a Single Sign-on provider with which you can register HotDocs Advance.
To configure Single Sign-on
The process of configuring SSO for Advance depends on the SSO provider you use. Generally, you will need to complete the following steps:
- Register Advance as a new application with your SSO provider
- Add the appropriate request claims to the application registration
- Set a new client secret for the application.
- Configure Advance; you will need the following information from your SSO provider:
  - Metadata Endpoint – the URL from which to download the OpenID Connect metadata document provided by your identity service
  - Client Identifier – the ID of the client with permissions to access the metadata endpoint
  - Client Secret – the secret for the client
1. Register Advance with your single sign-on provider
Each Single Sign-on provider will require different steps to register Advance. However, all SSO providers will need an appropriate redirect URI for Advance.
The redirect URI is the URI for the Advance auth application for your tenancy, with the suffix /.oidc/callback. For example: https://yourtenancy.yourorganization.com/hdaauth/.oidc/callback
The URI is case sensitive and must be lower case.
2. Add request claims
You must also configure the request claims for your SSO provider.
2.1 ID Token Claims
The ID Token must have the following claims:
- given_name
- family_name
2.2 ID Token Implicit Flow
You must enable the Implicit Flow for the ID token.
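The redirect URI rule from step 1 (exact match with the tenancy auth application, lower case, `/.oidc/callback` suffix) and the step 2 requirements (given_name and family_name in the ID token, implicit flow enabled) are easy to get subtly wrong and only fail at first login. The following pre-flight checker is an added example, not HotDocs code: it validates those inputs offline against a constructed OpenID Connect discovery document (the kind served at the Metadata Endpoint) and a decoded ID token payload. The provider hostname `idp.example.com` and the sample document are constructed for illustration.

```python
"""Pre-flight checks for the SSO values this page asks you to gather.

Added example, not part of HotDocs Advance. The discovery document and the
decoded ID token below are constructed sample data; in practice the document
is downloaded from the provider's Metadata Endpoint.
"""
import json
from urllib.parse import urlsplit

REDIRECT_SUFFIX = "/.oidc/callback"
REQUIRED_ID_TOKEN_CLAIMS = {"given_name", "family_name"}
# Standard OpenID Connect discovery fields a relying party needs.
REQUIRED_METADATA_KEYS = {"issuer", "authorization_endpoint", "token_endpoint", "jwks_uri"}


def validate_redirect_uri(uri: str, tenancy_base: str) -> list[str]:
    """Return problems with a redirect URI (empty list means it is acceptable).

    tenancy_base is the Advance auth application URL for the tenancy,
    e.g. https://yourtenancy.yourorganization.com/hdaauth
    """
    problems = []
    if urlsplit(uri).scheme != "https":
        problems.append("redirect URI must use https")
    if uri != uri.lower():
        problems.append("redirect URI is case sensitive and must be lower case")
    if not uri.endswith(REDIRECT_SUFFIX):
        problems.append(f"redirect URI must end with {REDIRECT_SUFFIX}")
    # The URI must be exactly the auth application URI plus the suffix.
    expected = tenancy_base.rstrip("/").lower() + REDIRECT_SUFFIX
    if uri.lower() != expected:
        problems.append(f"redirect URI does not match the tenancy auth application ({expected})")
    return problems


def validate_metadata(metadata_json: str) -> list[str]:
    """Check an OpenID Connect discovery document for what Advance needs."""
    try:
        doc = json.loads(metadata_json)
    except json.JSONDecodeError as exc:
        return [f"metadata document is not valid JSON: {exc}"]
    problems = []
    missing = REQUIRED_METADATA_KEYS - set(doc)
    if missing:
        problems.append("metadata document missing keys: " + ", ".join(sorted(missing)))
    for key in sorted(REQUIRED_METADATA_KEYS & set(doc)):
        if urlsplit(doc[key]).scheme != "https":
            problems.append(f"{key} must be an https URL")
    # Implicit flow for the ID token: the provider must be able to return an
    # id_token directly from the authorization endpoint ("id_token" or "code id_token").
    response_types = doc.get("response_types_supported", [])
    if not any("id_token" in rt.split() for rt in response_types):
        problems.append("provider does not advertise an id_token response type (implicit flow)")
    # claims_supported is optional in discovery, so only check it when present.
    if "claims_supported" in doc:
        missing_claims = REQUIRED_ID_TOKEN_CLAIMS - set(doc["claims_supported"])
        if missing_claims:
            problems.append("provider does not advertise claims: " + ", ".join(sorted(missing_claims)))
    return problems


def validate_id_token_claims(claims: dict) -> list[str]:
    """Check a decoded ID token payload for the claims Advance requires."""
    return [f"ID token missing claim: {c}" for c in sorted(REQUIRED_ID_TOKEN_CLAIMS - set(claims))]


def preflight(redirect_uri: str, tenancy_base: str, metadata_json: str) -> list[str]:
    """Run every check and return the combined list of problems."""
    return validate_redirect_uri(redirect_uri, tenancy_base) + validate_metadata(metadata_json)


# Constructed sample discovery document (hostname idp.example.com is fictitious).
SAMPLE_METADATA = json.dumps({
    "issuer": "https://idp.example.com",
    "authorization_endpoint": "https://idp.example.com/authorize",
    "token_endpoint": "https://idp.example.com/token",
    "jwks_uri": "https://idp.example.com/keys",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "claims_supported": ["sub", "given_name", "family_name", "email"],
})

if __name__ == "__main__":
    base = "https://yourtenancy.yourorganization.com/hdaauth"
    for uri in (base + "/.oidc/callback", base + "/.OIDC/Callback"):
        print(uri, "->", preflight(uri, base, SAMPLE_METADATA) or "OK")
    print(validate_id_token_claims({"sub": "abc", "given_name": "Ada"}))
```

Run it before entering the values into the SSO Configuration page; a non-empty list tells you which registration setting to revisit at the provider. The mixed-case URI in the sample deliberately fails two checks, which is what you would see if the provider silently normalised what you typed.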
4. Set your client secret
You must create a new client secret for the new app registration in your SSO provider. This is used by Advance to authenticate with the provider. Once you create the client secret, make a copy of it; you will need the secret when configuring your Advance tenancy to use SSO.
5. Update your tenancy SSO configuration
Once Advance is registered with your SSO provider, you should now have the following information:
- Metadata endpoint
- Client identifier
- Client secret
To configure SSO for your tenancy
- Log in to the Advance Auth Application
- Click the SSO Configuration link in the page header.
- Click the Create button.
- Enter the following information into the fields:
  - Metadata Endpoint – the URL from which to download the OpenID Connect metadata document provided by your identity service
  - Client Identifier – the ID of the client with permissions to access the metadata endpoint
  - Client Secret – the secret for the client
  - IsActive – select the IsActive checkbox to immediately activate SSO on your tenancy; if you leave the checkbox empty, you can still activate SSO later
- Click the Save button; Advance redirects you to the SSO Configuration page.
- On the SSO Configuration page, there is a highlighted URI next to the text The value to provide is. For example, https://yourtenancy.yourorganization.com/hdaauth/.oidc/callback. Check that this matches the Redirect URI you set when registering Advance with Azure AD.
Your tenancy is now configured to use Single Sign-on.