WXP Collaboration SSO Integration


Introduction

WXP Collaboration provides Single Sign-On (SSO) through the Security Assertion Markup Language (SAML) 2.0 standard. This allows organizations to use their Identity Provider (IdP) of choice to provide authorization credentials to WXP Collaboration’s Technology Insights application, which acts as the Service Provider (SP) in the SAML process. Customers must use IdP software that supports the SAML 2.0 standard. Examples include Microsoft Azure, Microsoft ADFS 2.1 or later, Okta, Oracle Identity Federation, SailPoint IdentityNow, SecureAuth, and the free option OpenTPS. Because SAML 2.0 is widely accepted, most IdP platforms are supported.

Requirements

  • SAML 2.0 IdP provider

  • Specific IdP assertions

  • Group membership for role assignment

Specific IdP Assertions Requirement

The IdP software your organization uses must provide the following assertions for SSO integration to work.

| Attribute | Required/Optional | Description |
|---|---|---|
| email | Required | User email (used as ID). |
| memberOf | Required | Comma-separated list of WXP Collaboration application groups. |
| name | Required | User display name. |

Group Membership for Role Assignment

The memberOf attribute is used to assign specific permissions within WXP Collaboration. Users should only be assigned to one role at a time. The following groups are currently supported:

| Group Name | UI Display Name | Role | Description |
|---|---|---|---|
| vyopta_admin | Admin Group Mapping | Administrator - WXP Collaboration application | Users with this role have administrator access to the WXP Collaboration. |
| vyopta_vandbvwr | Read-Only Group Mapping | Viewer - Strict Dashboard Viewer | Users with this role only have access to dashboards. |
| vyopta_vanrptrdr | Dashboard Group Mapping | viewer/reader-only - WXP Collaboration | Users with this role only have access to dashboards and datasets. |
| vyopta_vanrptvwr | User Group Mapping | Viewer or reader-only viewer | This is the default role for the WXP Collaboration. |

Note: Users should be assigned one role at a time.

Group names can be customized to follow your organizational standards. However, they must be mapped to the corresponding WXP Collaboration group name during SSO configuration. For details about each group’s permissions, see User Permissions.

Note: By default, memberOf sends all AD groups a user belongs to. SSO administrators must configure the IdP to send only the relevant WXP Collaboration groups.
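The following check is an added example, not WXP Collaboration code: it inspects the attributes of a test assertion captured during IdP setup and reports missing required attributes, groups outside the supported set, and role counts other than one. It assumes the attributes arrive with the literal Name values email, memberOf and name; the function names and the sample assertion are constructed for illustration, and the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED = ("email", "memberOf", "name")
# Group names from the table on this page.
WXP_GROUPS = {"vyopta_admin", "vyopta_vandbvwr", "vyopta_vanrptrdr", "vyopta_vanrptvwr"}


def check_assertion(xml_text, group_map=None):
    """Return a list of problems in the attributes of a captured test assertion."""
    group_map = group_map or {}  # custom IdP group name -> WXP Collaboration group name
    attrs = {}
    for attr in ET.fromstring(xml_text).iterfind(".//saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    problems = [f"missing required attribute: {n}" for n in REQUIRED if not any(attrs.get(n, []))]
    # memberOf is a comma-separated list; split every value and apply the mapping.
    groups = [group_map.get(g.strip(), g.strip())
              for v in attrs.get("memberOf", []) for g in v.split(",") if g.strip()]
    extra = sorted({g for g in groups if g not in WXP_GROUPS})
    roles = sorted({g for g in groups if g in WXP_GROUPS})
    if extra:
        problems.append("groups that should not be released: " + ", ".join(extra))
    if len(roles) != 1:
        problems.append(f"expected exactly one WXP Collaboration role, found {len(roles)}")
    return problems


def sample_assertion(member_of):
    """Build a constructed (not captured) unsigned assertion for the demo."""
    def attr(name, value):
        return (f'<saml:Attribute Name="{name}">'
                f"<saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>")
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:AttributeStatement>"
            + attr("email", "alex@example.com") + attr("name", "Alex Example")
            + attr("memberOf", member_of)
            + "</saml:AttributeStatement></saml:Assertion>")


if __name__ == "__main__":
    # Default IdP behaviour described above: every AD group is sent.
    print(check_assertion(sample_assertion("vyopta_admin,Domain Users,VPN-Users")))
    # Filtered release with a custom group name mapped to vyopta_admin.
    print(check_assertion(sample_assertion("Collab-Admins"), {"Collab-Admins": "vyopta_admin"}))
```

An empty result means the assertion carries the three required attributes and exactly one supported group after mapping.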

Configuring SSO

Part 1 - Provide your IdP team with the required data

  1. From the Admin Portal of the WXP Collaboration application, click Account Settings > Single Sign-On.

  2. Provide your IdP team with the URLs of the Service Provider Entity ID and the Assertion Consumer Service.

Part 2 - Configure SSO in the Admin Portal of WXP Collaboration

  1. After you provide the information to your IdP team, they must supply you with:

  • Single Sign-On URL

  • Single Sign-Out URL (optional)

  • Issuer (IdP Entity ID)

  • NameID policy format

  • Whether the IdP allows HTTP-POST or HTTP-Redirect

  • A verification/validation token

  2. Input the information provided by your IdP team.

    When supplying the certificate, remove the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

  3. If your organization uses custom group naming, map the custom names to the appropriate WXP Collaboration group names.

  4. (Optional) To sign SAML requests, select the Sign SAML Request checkbox and download the metadata to supply to your IdP team to upload. If the Download SAML Metadata link is not active, click SAVE and refresh the page.

  5. Click Save.

  6. Test your SSO configuration using another browser or incognito mode.

    1. Once verified, you may continue using the WXP Collaboration application.

    2. If login fails, remain logged in and open a ticket with WXP Collaboration Support.

Contact Us

For any assistance, create a support case or email us at support@wxp.hp.com.