Service Provider Single Sign-On Realm Setup
In Service Provider Initiated SSO (SP-Initiated SSO), the authentication process begins when a user attempts to access CGI Advantage directly. If they are not already authenticated, the system redirects them to the designated Identity Provider (IdP) for login. Once authenticated, the IdP sends a security assertion back to CGI Advantage, granting the user access.
In Identity Provider Initiated SSO (IdP-Initiated SSO), the authentication process starts at the IdP. Users first log in to the IdP and then select CGI Advantage from a dashboard or portal. The IdP generates a security assertion and redirects the user into the application.
SP-Initiated SSO provides several advantages, including eliminating the need to maintain a separate application SSO portal, which is required for IdP-Initiated SSO. Additionally, users can continue using their existing CGI Advantage browser bookmarks, making the transition to SP-Initiated SSO smoother and easier to roll out.
The Service Provider Single Sign-On Realm Setup (SSOREALM) page is used to create and manage records for Keycloak realms on Advantage. The realms allow Advantage to support SP-Initiated SSO against multiple authentication directories. For example, half of the Advantage users could authenticate against one directory while the other half authenticate against another directory. This is a common scenario, where a site may have multiple directories – either by design or while they are in the process of migrating or consolidating to a single directory.
Field Information
Please enter a Support Ticket for assistance with setting up this configuration.
| Field | Default Value | Description |
| --- | --- | --- |
| Realm Name | | The realm created in Keycloak for this integration (found in the Keycloak Admin console under "Realm Settings" or "Realms"). Refer to CGI_Advantage_4_Keycloak_Setup_Guide.pdf for how to set up a new realm in Keycloak. |
| Base URL | | The URL of the Keycloak container. |
| User Name Attribute | employee_id | The attribute used to obtain the user name from Active Directory. For example, with employee_id as the User Name Attribute from Azure Active Directory, the employee ID value in the directory and the Advantage External Directory information must match for the user to be verified and authenticated. |
| Client Id | | The client created under the realm for an Advantage site. The Keycloak client credentials, including the Client ID, are used for the token exchange with the Keycloak server that obtains the authentication token. |
| Client Secret | | The Keycloak client credentials, including the Client Secret, are used for the token exchange with the Keycloak server that obtains the authentication token. |
| Grant Type | authorization_code | Setting the Grant Type to authorization_code is required for securely implementing the OpenID Connect authentication flow. With the authorization_code Grant Type, the Advantage application obtains an access token by first receiving an authorization code from the authorization server and then exchanging that code for the token. |
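The SP-Initiated sequence described above (redirect to the IdP, callback carrying an authorization code, token exchange using the Client Id and Client Secret under the authorization_code Grant Type, then matching the configured User Name Attribute) is shown below as an added Python example. It is not CGI Advantage or Keycloak code. It assumes Keycloak's standard realm endpoint layout (`/realms/{realm}/protocol/openid-connect/auth` and `/token`, with any path prefix such as the older `/auth` folded into the Base URL), a constructed SSOREALM record with placeholder values, and that the ID token's signature has already been verified before its claims reach `resolve_user_name`. Nothing is sent over the network; the functions build the messages so each step's inputs and outputs can be inspected.

```python
"""Added example of the SP-initiated OpenID Connect authorization_code flow that
the SSOREALM fields configure against Keycloak. Not product code."""
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical SSOREALM record, constructed for this example (placeholder values).
REALM = {
    "realm_name": "advantage-hr",
    "base_url": "https://keycloak.example.internal",  # placeholder host
    "user_name_attribute": "employee_id",
    "client_id": "advantage-site",
    "client_secret": "PLACEHOLDER-CLIENT-SECRET",  # never embed a real secret in code
    "grant_type": "authorization_code",
}


def oidc_endpoints(base_url, realm_name):
    """Realm endpoints in Keycloak's standard layout. Assumes base_url already
    carries any path prefix the deployment uses (older releases served /auth)."""
    root = f"{base_url.rstrip('/')}/realms/{realm_name}/protocol/openid-connect"
    return {"authorize": f"{root}/auth", "token": f"{root}/token"}


def build_authorize_url(realm, redirect_uri, state):
    """Step 1: the SP redirects the unauthenticated browser to the IdP.
    'state' is a random per-login value kept in the SP session so the callback
    can be tied back to the request that started it."""
    params = {
        "client_id": realm["client_id"],
        "response_type": "code",
        "scope": "openid",
        "redirect_uri": redirect_uri,
        "state": state,
    }
    authorize = oidc_endpoints(realm["base_url"], realm["realm_name"])["authorize"]
    return f"{authorize}?{urlencode(params)}"


def parse_callback(callback_url, expected_state):
    """Step 2: the IdP returns the browser with ?code=...&state=...
    The callback is rejected unless state matches the value issued for this session."""
    qs = parse_qs(urlparse(callback_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback is not tied to this login request")
    code = qs.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no authorization code")
    return code


def build_token_request(realm, code, redirect_uri):
    """Step 3: the SP (server side, not the browser) exchanges the code for tokens
    using the Client Id and Client Secret. Returns (token_endpoint, form_body)."""
    body = {
        "grant_type": realm["grant_type"],
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": realm["client_id"],
        "client_secret": realm["client_secret"],
    }
    return oidc_endpoints(realm["base_url"], realm["realm_name"])["token"], body


def resolve_user_name(id_token_claims, user_name_attribute):
    """Step 4: read the configured User Name Attribute from the (already
    signature-verified) ID token claims; this value is matched against the
    Advantage External Directory record."""
    value = id_token_claims.get(user_name_attribute)
    if not value:
        raise ValueError(f"ID token has no '{user_name_attribute}' claim")
    return str(value)


if __name__ == "__main__":
    login_state = secrets.token_urlsafe(16)
    redirect = "https://advantage.example.internal/sso/callback"  # placeholder
    print(build_authorize_url(REALM, redirect, login_state))
    auth_code = parse_callback(f"{redirect}?code=abc123&state={login_state}", login_state)
    endpoint, form = build_token_request(REALM, auth_code, redirect)
    print(endpoint, form["grant_type"])
    # Constructed claims standing in for a decoded, verified ID token.
    claims = {"sub": "1e2f", "employee_id": "E04567"}
    print(resolve_user_name(claims, REALM["user_name_attribute"]))
```

The state check in `parse_callback` is the piece most often dropped in hand-written SP integrations; without it a callback can complete a login that the SP session never started. The Client Secret only appears in `build_token_request`, which runs on the Advantage server, never in the browser redirect.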