The SSO (Single Sign On) profile for Shibboleth enables you to configure RecTrac to utilize your organization's single sign-on process, receive confirmation of a valid authentication, and bypass the RecTrac Login prompt. This saves users from logging in twice, once to your network and again into RecTrac, with potentially different usernames and passwords.
Enabling Shibboleth SSO (Single Sign On) integration requires the following steps to be completed:
- Prerequisite: Your organization must have installed Shibboleth on the RecTrac server. See https://www.shibboleth.net.
- In Profile Assignments, create an SSO profile and select a Subtype of Shibboleth. Configure the Logout Destination and HTTP Header Name fields as appropriate for your organization.
- In Profile Assignments, assign the SSO Shibboleth profile to the Default Level.
- In User Management, assign the Single Sign On Cross Reference for each user (this could be, for example, an Employee ID that ties a RecTrac user with a single sign on user on your network).
When IT installs Shibboleth for your organization, the HTTP Header Name and Logout Destination will become apparent.
See Also: Topic Doc - Single Sign On.
Making changes to a profile is an Audited Event. Linking, Removing, Purging, and Cloning profiles are also Audited Events.
See Also: Topic Doc - RecTrac Profile Assignments Screen, Hierarchy Guide, and Profile Listing.
See Also: Video - Profile Review
HTTP Header Name (SAProfileDetails_SSOShibbolethHeader)
Identify the attribute shared between RecTrac and Shibboleth that uniquely identifies this user on your organization's network. This value usually starts with HTTP_ and is the attribute sent from the Identity Provider. For instance, if the Identity Provider sends the Employee Id through the SSO process as an attribute named employeeId, the HTTP header will be called HTTP_EMPLOYEEID. RecTrac's OpenEdge/Progress environment is not case sensitive (either uppercase or lowercase will work).
Note: After configuring your SSO Shibboleth profile you must:
- In Profile Assignments, assign the SSO Shibboleth profile to the Default Level.
- In User Management, assign the Single Sign On Cross Reference for each user (could be an Employee ID that ties a RecTrac user with a single sign on user on your network).
Successful Login Interface (SAProfileDetails_SSOShibbolethRedirectDestination)
Enables you to redirect to a different Interface Parameter (and domain) after successfully validating credentials in Shibboleth. A token is passed from the validating server to the second server. This keeps sessions alive within RecTrac, even when the validating server goes offline.
Without Successful Login Interface: The Shibboleth session is stored in memory on the server that initiated the request. If that validating server goes down, then the connection to RecTrac is immediately lost. This might occur during server maintenance or a crash.
With Successful Login Interface set: You can have a single login location that then offloads users to another domain after authentication is successfully completed. In the event the validating server goes down, the sessions stay alive within RecTrac. This enables IT to take down the validating server for maintenance without losing any RecTrac sessions.
Logout Destination (SAProfileDetails_SSOShibbolethLogoutDestination)
This field may be one of three (3) different values.
- The first option leaves this field blank/empty. When left blank, the RecTrac session is logged out but the Shibboleth session is left open. The user is automatically redirected to a RecTrac screen with the message "You have successfully logged out of RecTrac. It is strongly advised that you close your browser to ensure that you complete the logout process."
- The second option uses the SSO Logout URL for this field. For Shibboleth this is usually the domain URL with /Shibboleth.sso/Logout at the end of the URL. This URL logs the user out of both RecTrac and the Shibboleth session, and the user lands on a logout page set up in the Shibboleth configuration. For example, the user might be redirected to the following URL: https://rectrac.myparks.org/Shibboleth.sso/Logout.
- The third option begins with the URL from option 2 and ends with an additional value return=<RecTracLogoutURL>. As in option 1, the user returns to the same message, but the URL is different. For Example: https://rectrac.myparks.org/Shibboleth.sso/Logout?return= .
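The three Logout Destination options above can be told apart mechanically before a value is saved. The following Python sketch is an added example, not RecTrac or Shibboleth code: it builds the option 3 URL with the return value percent-encoded and classifies a field value as option 1, 2 or 3. The https requirement, the allowed_return_hosts allow-list and the return URL used in the demo are assumptions of this example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode

SHIB_LOGOUT_PATH = "/Shibboleth.sso/Logout"  # handler path named on this page

def build_return_logout(sso_logout_url, rectrac_logout_url):
    """Option 3: the SSO logout URL plus a percent-encoded return= parameter."""
    return sso_logout_url + "?" + urlencode({"return": rectrac_logout_url})

def classify_logout_destination(value, allowed_return_hosts=()):
    """Map a Logout Destination value to option 1, 2 or 3; ValueError if malformed.

    allowed_return_hosts is a hypothetical allow-list (an assumption of this
    example): a return= target on any other host is rejected.
    """
    value = value.strip()
    if not value:
        return 1  # RecTrac session ends, Shibboleth session stays open
    url = urlsplit(value)
    if url.scheme != "https" or not url.hostname:
        raise ValueError("Logout Destination must be an absolute https URL")
    if url.path != SHIB_LOGOUT_PATH:
        raise ValueError("path is not " + SHIB_LOGOUT_PATH)
    # keep_blank_values so that a bare "return=" is reported, not ignored
    query = parse_qs(url.query, keep_blank_values=True)
    if "return" not in query:
        return 2  # both sessions end, Shibboleth's logout page is shown
    target = urlsplit(query["return"][0])
    if target.scheme != "https" or target.hostname not in allowed_return_hosts:
        raise ValueError("return= must be an https URL on an allowed host")
    return 3  # Shibboleth logout, then back to the RecTrac logout URL

if __name__ == "__main__":
    sso = "https://rectrac.myparks.org/Shibboleth.sso/Logout"  # from this page
    back = "https://rectrac.myparks.org/example-logged-out"    # constructed value
    for v in ("", sso, build_return_logout(sso, back)):
        option = classify_logout_destination(v, {"rectrac.myparks.org"})
        print(repr(v), "-> option", option)
```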