Configuration changes needed to configure SSO (Single sign-on)

1099 Pro has been configured successfully with SSO identity providers such as Okta and OpenAM.


Web.config changes:

Note: These should be copied from the Admin/default.config file in the application folder.


  1. Add the following keys to the web.config file right after the line <add key="AppMode" value="0"/>
    1. Note: See Appendix 1 at the bottom of this page for comments on what each key does.

      <!--
      0: Standard 1099Pro.NET login with UserID/ password;
      1: SSO (single sign-on) using Identity Provider
      -->
      <add key="AppLogin" value="1"/>
      <!-- SSO-related keys: necessary when AppLogin=1 -->
      <add key="entityId" value="ServiceProviderEntityID"/>
      <add key="idpID" value="IdentityProviderEntityID"/>
      <add key="nameIDFormat" value="0" />
      <add key="SingleSignonIdProviderUrl" value="https://IdentityProviderURL" />
      <add key="metadatafilename" value="SSO\Docs\IdentityProviderMetadata.xml"/>
      <add key="usemetadata" value="false"/>
      <add key="idp-certificate" value="SSO\Docs\IdentityProviderCertificate Name.crt"/>
      <add key="sp-certificate" value="SSO\Docs\ServiceProviderCertificate Name.crt"/>
      <add key="SingleSignOnServiceBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
      <add key="httpPostEndPoint" value="https://IdentityProviderEndPoint/HttpPost" />
      <add key="httpRedirectEndPoint" value="https://IdentityProviderEndPoint//HttpRedirect" />
      <!-- End of SSO-related keys -->


  2. Change the login URL in the authentication section of the web.config file from loginUrl="Security/Login.aspx" to loginUrl="SSO/LoginSSO.aspx".
    1. See the following example:

      <authentication mode="Forms">
      <forms loginUrl="SSO/LoginSSO.aspx" defaultUrl="default.aspx" slidingExpiration="true" timeout="30" protection="All"/>
      </authentication>
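The two web.config steps above are easy to get half right (a key left out, the login URL not switched, an IdP endpoint pasted as plain http). The following script is an added example, not 1099 Pro's own code: it parses a web.config and, when AppLogin=1, checks that the keys listed on this page are present, that loginUrl points at SSO/LoginSSO.aspx, that the SAML binding is a known URN, that the IdP endpoints use https, and, if an application folder is supplied, that the certificate or metadata files referenced under SSO\Docs actually exist. The sample web.config embedded in it is constructed for the example (host names, file names and the two mistakes it contains are assumptions).

```python
"""Consistency check for the SSO keys in a 1099 Pro web.config.

Added example, not 1099 Pro's own code. With AppLogin=1 it verifies the keys
listed on this page, the loginUrl, the SAML binding URN, https on the IdP
endpoints and (when app_dir is given) the presence of the referenced files.
"""
import os
import xml.etree.ElementTree as ET

# Keys this page says must be present when AppLogin=1.
SSO_KEYS = (
    "entityId", "idpID", "nameIDFormat", "SingleSignonIdProviderUrl",
    "metadatafilename", "usemetadata", "idp-certificate", "sp-certificate",
    "SingleSignOnServiceBinding", "httpPostEndPoint", "httpRedirectEndPoint",
)
# SAML 2.0 front-channel binding URNs.
KNOWN_BINDINGS = {
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
}
IDP_URL_KEYS = ("SingleSignonIdProviderUrl", "httpPostEndPoint", "httpRedirectEndPoint")


def app_settings(root):
    """Collect <appSettings><add key=.. value=../> into a dict."""
    section = root.find("appSettings")
    if section is None:
        return {}
    return {el.get("key"): el.get("value", "") for el in section.findall("add") if el.get("key")}


def check_sso_config(xml_text, app_dir=None):
    """Return a list of problems; an empty list means the SSO settings look consistent."""
    root = ET.fromstring(xml_text)
    settings = app_settings(root)
    problems = []
    if settings.get("AppLogin") != "1":
        return problems  # standard UserID/password login: SSO keys are not required

    problems += [f"missing key {k}" for k in SSO_KEYS if k not in settings]

    # Step 2 of the page: the forms login page must be the SSO page, otherwise
    # users still get the UserID/password form.
    forms = next(root.iter("forms"), None)
    login = forms.get("loginUrl", "") if forms is not None else ""
    if login != "SSO/LoginSSO.aspx":
        problems.append(f"loginUrl is {login!r}, expected 'SSO/LoginSSO.aspx'")

    binding = settings.get("SingleSignOnServiceBinding", "")
    if binding and binding not in KNOWN_BINDINGS:
        problems.append(f"unknown SAML binding {binding!r}")

    # The SAML messages carry the user's identity: IdP endpoints must be https.
    for key in IDP_URL_KEYS:
        value = settings.get(key, "")
        if value and not value.lower().startswith("https://"):
            problems.append(f"{key} is not https: {value!r}")

    # usemetadata decides which file supplies the IdP certificate (see Appendix 1).
    use_metadata = settings.get("usemetadata", "").lower() == "true"
    for key in ("metadatafilename" if use_metadata else "idp-certificate", "sp-certificate"):
        rel = settings.get(key, "")
        if not rel:
            problems.append(f"{key} is empty but required with usemetadata={use_metadata}")
        elif app_dir is not None:
            path = os.path.join(app_dir, *rel.split("\\"))  # SSO\Docs\... is relative to the app folder
            if not os.path.isfile(path):
                problems.append(f"{key} file not found: {path}")
    return problems


# Constructed sample web.config with two deliberate mistakes: step 2 was not
# applied (loginUrl unchanged) and the redirect endpoint is plain http.
SAMPLE_WEB_CONFIG = """<configuration>
  <appSettings>
    <add key="AppMode" value="0"/>
    <add key="AppLogin" value="1"/>
    <add key="entityId" value="ServiceProviderEntityID"/>
    <add key="idpID" value="IdentityProviderEntityID"/>
    <add key="nameIDFormat" value="0"/>
    <add key="SingleSignonIdProviderUrl" value="https://idp.example.test"/>
    <add key="metadatafilename" value="SSO\\Docs\\IdentityProviderMetadata.xml"/>
    <add key="usemetadata" value="false"/>
    <add key="idp-certificate" value="SSO\\Docs\\idp.crt"/>
    <add key="sp-certificate" value="SSO\\Docs\\sp.crt"/>
    <add key="SingleSignOnServiceBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>
    <add key="httpPostEndPoint" value="https://idp.example.test/HttpPost"/>
    <add key="httpRedirectEndPoint" value="http://idp.example.test/HttpRedirect"/>
  </appSettings>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="Security/Login.aspx" defaultUrl="default.aspx" timeout="30"/>
    </authentication>
  </system.web>
</configuration>
"""

if __name__ == "__main__":
    for problem in check_sso_config(SAMPLE_WEB_CONFIG):
        print("PROBLEM:", problem)
```

Run it against the real file with `check_sso_config(open("web.config").read(), app_dir=r"C:\path\to\application")` after applying the changes; the file-existence check only runs when `app_dir` is given, and which file it looks for follows the `usemetadata` setting exactly as Appendix 1 describes.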


Database changes:

  1. Set pro1099.SecPrefs.LoginType = 3 (the SSO login type) on the row with RecID = 14 (the ASP preferences record).



Appendix 1

The following are comments on what each key added to the web.config file does.


<add key="AppLogin" value="1"/>

<!-- SSO-related keys: necessary when AppLogin=1 -->

<!-- Specifies the Service Provider ID as it is identified to the IdP -->
<add key="entityId" value="ServiceProviderEntityID"/>


<!-- Specifies the Identity Provider ID -->
<add key="idpID" value="IdentityProviderEntityID"/>


<!-- Specifies the UserID format: 0 - UserName/No domain; 1 - Domain\UserName; etc. -->
<add key="nameIDFormat" value="0" />


<!-- Specifies the Identity Provider URL -->
<add key="SingleSignonIdProviderUrl" value="https://IdentityProviderURL" />


<!-- Specifies the metadata XML downloaded from the Identity Provider App Configuration -->
<!-- This file must be in the Application directory\SSO\Docs folder -->
<add key="metadatafilename" value="SSO\Docs\IdentityProviderMetadata.xml"/>
<!-- If "true", the application uses the metadata file specified in "metadatafilename" above to extract the certificate; otherwise the certificate file name specified in the "idp-certificate" setting is used -->
<add key="usemetadata" value="false"/>


<!-- Specifies the IdP certificate used to sign the SAML response. If the "usemetadata" setting is "true", this property is not used. -->
<!-- This file must be in the Application directory\SSO\Docs folder -->
<add key="idp-certificate" value="SSO\Docs\IdentityProviderCertificate Name.crt"/>


<!-- Specifies the SP certificate used to sign the SAML response. If the "usemetadata" setting is "true", this property is not used. -->
<!-- This file must be in the Application directory\SSO\Docs folder -->
<add key="sp-certificate" value="SSO\Docs\ServiceProviderCertificate Name.crt"/>


<!-- HTTP binding type -->
<add key="SingleSignOnServiceBinding" value="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"/>


<!-- Specifies the SP-initiated POST endpoint. If the "usemetadata" setting is "true", this property is not used. -->
<add key="httpPostEndPoint" value="https://IdentityProviderEndPoint/HttpPost" />


<!-- Specifies the SP-initiated Redirect endpoint. If the "usemetadata" setting is "true", this property is not used. -->
<add key="httpRedirectEndPoint" value="https://IdentityProviderEndPoint//HttpRedirect" />

<!-- End of SSO-related keys -->
