Configure a Third-Party Identity Provider

Single sign-on (SSO) is a technology that allows one system that acts as an identity provider (IDP) to authenticate the users of another system that acts as a service provider (SP). Users must have accounts in the IDP system but do not need to have accounts in the SP system. Examples of IDPs are: Google, Microsoft, and Facebook. Examples of SPs are any applications that allow you to log on to them after you first log on to an IDP that they support. For more information about SAML, see What is SAML, what is it used for and how does it work?

Meridian Cloud supports one configurable, third-party IDP in addition to its standard unconfigurable IDPs: Google, Microsoft, and Azure Active Directory. Meridian Cloud is compatible with any IDP that supports the Security Assertion Markup Language version 2 (SAML2) protocol.

After the configurable IDP has been set up in Portal, that IDP will appear in the list of available IDPs that is presented to users when they log on to Portal as described in Signing in. To register one or more identity providers for the same user account, see Managing user accounts.

Configuring a SAML IDP requires:

• SP initiated (Meridian Cloud outbound) authentication. Meridian Cloud does not support IDP initiated (Meridian Cloud inbound) authentication.
• You must be assigned to the Tenant Administrator role to perform this task

This task also requires that information from both systems (IDP and SP) be entered into each other in order to establish a secure trust relationship between the two systems. Configuring only one of the providers is not enough to make it work. Therefore, both systems should be configured at approximately the same time.

Some of the information that you need to configure in Meridian Cloud is automatically generated by the IDP when you configure the IDP for Meridian Cloud and is unique to the trust between the two systems. Other information that needs to be configured is common definitions for the user name and email address attributes that uniquely identify users in both systems. These attributes are passed back and forth between the systems during the authentication process and so they need to agree on the format of the attributes.

The exact procedure for configuring an IDP is different for each IDP but the names of the configuration settings are typically similar. Therefore, these instructions should work in general for any IDP. For more detailed help with configuring your chosen IDP, refer to the their documentation and support. Accruent does not provide further support for how to configure the IDP.

The following instructions begin this task in Meridian Portal but the task can also be started in the IDP. The order in which the information is entered into the two systems is not critical, only that it is done correctly.

To enable a standard identity provider:

1. On the Meridian Portal Landing page, in the navigation bar, click the Account Settings icon . The Account Settings page appears.
2. In the menu, click Authentication. The Authentication page appears and lists the current status of all IDPs.
3. Click the toggle icon of the provider that you want to use to switch it to its enabled state .

To configure email verification:

1. On the Meridian Portal Landing page, in the navigation bar, click the Account Settings icon . The Account Settings page appears.
2. In the menu, click Authentication. The Authentication page appears and lists the current status of all IDPs.
3. In the Email Verification group, select an option for which email addresses you will allow users to register with. If you select the Deny tenant user to register with other email address than invitation address option and a user attempts register with a different email address, they will prompted to provide additional information before they can complete registration.

To configure a custom third-party identity provider in Meridian Portal:

1. On the Meridian PortalLanding page, in the navigation bar, click the Account Settings icon . The Account Settings page appears.
2. In the menu, click Authentication. The Authentication page appears and lists the current status of all IDPs.
3. In the SAML Settings group, hover the mouse pointer over the URL that is shown for Audience and then click the Copy icon to copy the URL to the clipboard.
4. Log on to administration tool of the IDP and navigate to the list of applications that are registered to use that IDP.
5. Open the application registration that represents Meridian Cloud or create a new application registration entry.
6. Find the SAML configuration area of the application registration. For example, in Okta, the settings look similar to this. The settings that you will configure in this task are outlined.

   

7. Paste the clipboard contents into the audience setting. For example, Audience URI in the preceding picture.
8. Return to the Meridian PortalAuthentication page and copy the URL in Single Sign-On URL to the clipboard like you did in step 4.
9. Return to the IDP configuration page and paste the contents of the clipboard into the corresponding setting. For example, Single sign on URL in the preceding picture.
10. In the IDP configuration page, find the attribute definition settings. For example, ATTRIBUTE STATEMENTS in the preceding picture.

11. Ensure that the following attributes are defined correctly. Create them if necessary. They define the name and email address that will be used for each user in Meridian Cloud since they do not have accounts there.

    Users who attempt to log on to Meridian Cloud when these attributes are not properly configured will cause error messages like: We don't have an account for...

    Attribute options

    Value	Name
    user.name	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
    user.emailaddress	http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

12. In the IDP configuration page, find and click the download button or link (Download certificate in the following picture. To avoid an error, the certificate must be signed with the stronger SHA256 encryption, not SHA1A). The certificate file downloads to your PC. You will upload this file to the Meridian Portal Authentication page in step 20.

    

     

13. Find the single sign-on URL text (not the setting in step 10) and copy it to the clipboard. For example, Identity Provider Single Sign-On URL in the preceding picture.
14. Return to the Meridian PortalAuthentication page and in the SAML Settings group, click the toggle icon to enable and configure SAML authentication. The SAML Authentication dialog box appears.
15. Type a descriptive name  in Name as you want it to appear to users on the logon page described in Signing in.
16. Paste the contents of the clipboard into Single Sign-On URL.
17. Return to the IDP configuration page and find the issuer text and copy it to the clipboard. For example, Identity Provider Issuer in the preceding picture.
18. Return to the Meridian PortalSAML Authentication dialog box and paste the contents of the clipboard into Issuer (Entity ID).
19. Click Upload next to X.509 Certificate and select the certificate file that you downloaded in step 13.
20. Next to SO Request Binding Type, select the option that best meets your organization's standard. If you are unsure, select POST.
21. Click Save. The SAML Authentication dialog box disappears.
22. In the SAML toolbar, click Test to test the current settings. You must resolve any discrepancies before the single sign-on will work.