Single Sign On (SSO)

This page describes the configuration needed to establish a connection between your Active Directory (AD) and Expoints.
There are several references to "yourcustomername[number]". For acceptance use "acceptatie-yourcustomername[number]".
Two examples are given: one for Azure and one for AD FS on Windows Server 2012 R2. Details may differ for your version.
The examples use a basic configuration. Feel free to contact us if you would like to discuss additional options.

You can find Microsoft documentation on AD FS setup for Azure here and for on-premises here. Naturally, this does not contain the Expoints examples.

What should be supplied

After configuration, either the URL of the federation metadata or the federation metadata file itself should be provided. Please supply this address or file to your technical contact person, or mail it to expoints@dataleaf.nl.

For configuration with Azure we recommend following the instructions on this page.
Your configuration should look like the image below.

My Apps

To make the application work in My Apps, configure the "Sign on URL" as follows:

What needs to be configured

Relying Party Trusts

The following Relying Party Trust (RPT) should be created:
  • https://yourcustomername[number].expoints.nl/
The following steps should be repeated for every RPT.
This example shows the setup wizard for the https://yourcustomername[number].expoints.nl/ RPT.

  1. Press Start
  2. Select Enter data about the relying party manually
  3. Enter a Display Name and optional notes.
  4. Select the AD FS profile
  5. We do not use an optional certificate for token encryption; press Next.
  6. Select Enable support for the WS-Federation Passive protocol and enter the address in the format https://yourcustomername[number].expoints.nl/.
     Select Enable support for the SAML 2.0 Web SSO protocol and enter the address in the same format, https://yourcustomername[number].expoints.nl/.
  7. Enter a Relying party trust identifier, if it has not been added already, in the format https://yourcustomername[number].expoints.nl/
  8. (Optional) Configure multi-factor authentication.
  9. Configure authorizations for users (this is company dependent).
    We will configure Permit all users to access this relying party.
  10. Here you can check your configuration.
  11. The following is selected by default and we will leave it selected: Open the Edit Claim Rules dialog for this relying party trust when the wizard closes.
  12. Click Close to create the RPT. The Edit Claim Rules screen will open; the next chapter discusses it.
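As an added example (not from the Expoints documentation), the same RPT created with the AD FS PowerShell cmdlets instead of the wizard; the customer name is the page's placeholder and the display name and notes are assumptions.

```powershell
# Added example (not from the Expoints documentation): wizard steps 1-12 as AD FS cmdlets.
# Run in an elevated PowerShell session on the AD FS server.
Import-Module ADFS

$customer = 'yourcustomername[number]'            # placeholder, see the note at the top of the page
$rptUrl   = "https://${customer}.expoints.nl/"   # identifier, WS-Fed endpoint and SAML endpoint alike

# Step 9: "Permit all users to access this relying party", written in the claim rule language.
$permitAll = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 6, SAML 2.0 Web SSO: the assertion consumer endpoint with POST binding.
$samlSso = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
    -Uri $rptUrl -Index 0 -IsDefault $true

# Step 7: the identifier must be unique per trust, so stop if it is already in use.
if (Get-AdfsRelyingPartyTrust -Identifier $rptUrl) {
    throw "A relying party trust with identifier $rptUrl already exists."
}

# Steps 2-7 in one call: display name and notes, no token encryption certificate,
# WS-Federation passive endpoint, SAML endpoint and identifier all set to $rptUrl.
Add-AdfsRelyingPartyTrust -Name "Expoints ($customer)" `
    -Identifier $rptUrl `
    -WSFedEndpoint $rptUrl `
    -SamlEndpoint $samlSso `
    -IssuanceAuthorizationRules $permitAll `
    -Notes 'Expoints SSO relying party trust, created by script'

# Step 10: review the result before continuing with the claim rules.
Get-AdfsRelyingPartyTrust -Identifier $rptUrl |
    Select-Object Name, Identifier, WSFedEndpoint, IssuanceAuthorizationRules,
        @{ n = 'SamlEndpoints'; e = { $_.SamlEndpoints.Location } } |
    Format-List
```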

Edit Claim Rules

For a successful connection with Expoints, the following claims are expected:
  • name (username)
  • e-mail (not mandatory, but omitting it affects some functionality in the dashboard)
  • name id (only mandatory for SAML connection)
To create claims, go to the Relying party trusts:
  1. Click Add Rule...
  2. Select Send LDAP Attributes as Claims
  3. Enter a rule name and select Active Directory as the Attribute store
  4. Select an LDAP attribute for the Name claim. In this example we will use the email address.*
  5. Select Name at Outgoing Claim Type.
  6. Repeat steps 4 and 5 for additional claims
  7. Click Finish
* Note: It is important that the Outgoing Claim Type Name contains the Expoints username.

(optional) Roles

Expoints supports the assignment of one or more roles based on the "Role" claim. The role claim can be provided multiple times.
This must be enabled in Expoints before use.
* Note: the name of the role in the claim must match with a role configured in Expoints.
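The claim rules from the Edit Claim Rules steps and the optional Role claim, applied with AD FS cmdlets, as an added example that is not from the Expoints documentation. The customer name is the page's placeholder; the AD group names and the Expoints role names they map to are assumptions.

```powershell
# Added example (not from the Expoints documentation): "Edit Claim Rules" steps 1-7 plus the
# optional Role claim, applied with AD FS cmdlets. Customer name, AD group names and the
# Expoints role names are placeholders.
Import-Module ADFS

$customer = 'yourcustomername[number]'
$rptUrl   = "https://${customer}.expoints.nl/"

# Steps 2-6 as one "Send LDAP Attributes as Claims" rule: the mail attribute is issued as Name
# (must equal the Expoints username), E-Mail Address and Name ID (mandatory for SAML).
$ldapRule = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Expoints: name, e-mail and name id from mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"), query = ";mail,mail,mail;{0}", param = c.Value);
'@

# (optional) Roles: one Role claim per AD group. Each value must be spelled exactly like a role
# configured in Expoints; a user in two groups receives two separate Role claims.
$groupToRole = @{                                  # placeholders
    'CONTOSO\Expoints-Analysts' = 'ExpointsRoleA'
    'CONTOSO\Expoints-Admins'   = 'ExpointsRoleB'
}
$roleRules = foreach ($group in $groupToRole.Keys) {
    $role = $groupToRole[$group]
    # Group claims from AD carry SIDs, not names, so resolve the group to its SID first.
    $sid = (New-Object System.Security.Principal.NTAccount($group)).Translate([System.Security.Principal.SecurityIdentifier]).Value
@"
@RuleTemplate = "EmitGroupClaims"
@RuleName = "Expoints role: $role"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid", Issuer == "AD AUTHORITY"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value = "$role", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@
}

# -IssuanceTransformRules replaces the whole rule set, so apply LDAP and role rules together.
$allRules = @($ldapRule) + @($roleRules)
Set-AdfsRelyingPartyTrust -TargetIdentifier $rptUrl -IssuanceTransformRules ($allRules -join "`n")

# Check: the rule names now attached to the trust.
(Get-AdfsRelyingPartyTrust -Identifier $rptUrl).IssuanceTransformRules -split "`n" |
    Select-String '@RuleName'
```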

Additional steps for the SAML protocol

Configure SAML Logout Endpoint

For the SAML protocol a Logout Endpoint needs to be configured.
  1. Right-click your connection in the Relying Party Trusts list and select Properties.
  2. Go to the Endpoints tab and click the Add SAML... button at the bottom.
  3. Select SAML Logout as the Endpoint type.
  4. Select POST in the Binding drop-down.
  5. For the Trusted URL, use the same URL as for the Relying party; in our example https://yourcustomername[number].expoints.nl/.
  6. As the Response URL, enter the URL to which AD FS should redirect after the logout.
If you redirect to the Expoints application, Expoints will redirect back to the login screen. At this point users can choose to log in again, which takes them back to the application.
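The logout endpoint steps above done with AD FS cmdlets, as an added example that is not from the Expoints documentation; it assumes the RPT already exists and, as described above, redirects back to Expoints after logout.

```powershell
# Added example (not from the Expoints documentation): steps 1-6 above as AD FS cmdlets.
# Existing SAML endpoints are kept; only the SAML Logout endpoint is added.
Import-Module ADFS

$customer    = 'yourcustomername[number]'       # placeholder
$rptUrl      = "https://${customer}.expoints.nl/"
$afterLogout = $rptUrl   # step 6: redirecting to Expoints lands the user on its login screen

$rpt = Get-AdfsRelyingPartyTrust -Identifier $rptUrl
if (-not $rpt) { throw "No relying party trust with identifier $rptUrl" }

# Steps 3-6: endpoint type SAML Logout, binding POST, trusted URL = relying party URL,
# response URL = where AD FS redirects after logout.
$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $rptUrl -ResponseUri $afterLogout

# -SamlEndpoint replaces the endpoint list, so re-supply the existing (non-logout) endpoints too.
$existing = @($rpt.SamlEndpoints | Where-Object { $_.Protocol -ne 'SAMLLogout' })
Set-AdfsRelyingPartyTrust -TargetIdentifier $rptUrl -SamlEndpoint ($existing + $logout)

# Check: the endpoints now configured on the trust.
(Get-AdfsRelyingPartyTrust -Identifier $rptUrl).SamlEndpoints |
    Format-Table Protocol, Binding, Location, ResponseLocation -AutoSize
```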

What is JIT?

JIT provisioning is a method of automating user account management for web applications. Information about the user is passed from the identity provider to the web application. When a user logs in, they trigger the flow of information from the identity provider to the app that’s needed to create or update their account.

In Expoints the identity can be supplemented with roles, removing the need to assign them manually. This requires:

  • Configuration in Expoints
  • Sending the role claim in the login request
Expoints supports two variants:
  • Default role for all new users
  • Roles from claims

Default role for all new users

The SSO connection is configured to assign a predetermined role to new users.

Roles from claims

Every time the user signs in, the role claims in the sign-in request are used to grant access to Expoints. Note:
  • Every role should be provided in a separate role claim
  • The value of the role claims needs to match a role name configured in Expoints
  • If one of the supplied roles is unknown in the application, access will be denied
  • A sign-in request without a role claim results in access being denied

Contact

For questions you can either contact us at expoints@dataleaf.nl or your Expoints experience manager. If you have none, mail to service@expoints.nl.