Guided Configuration - SSO

The Guided Configuration screen allows an Administrator to configure LiveCompare for its first use, and to maintain an essential set of LiveCompare resources. LiveCompare displays the screen when an Administrator signs in to LiveCompare. Administrators can also access it using the Guided Configuration tool button in the Dashboard screen, or the Guided Configuration tool button in the LiveCompare studio.

The SSO tab allows you to use your chosen internal identity provider for user access management, and provides support for single sign-on.

Prerequisites

Before you configure LiveCompare for single sign-on, check the following:

Set up single sign-on

After you have met the prerequisites above, follow these steps to set up single sign-on.

Allocate LiveCompare roles

You must allocate a role to each LiveCompare user in your identity provider. To do so, create a group for each role, and assign users to each group. The instructions for doing this will vary depending on your identity provider.

LiveCompare recognizes the following groups:

| Group | Description |
|---|---|
| LIVECOMPARE_EDITOR | Users in this group can create and edit workflows, and import workflow templates into workspaces. They can also run workflows, and manage RFC Destinations, Test Repositories and other LiveCompare resources in the LiveCompare studio. |
| LIVECOMPARE_CONSUMER | Users in this group can access apps from the Apps screen. They can create and run app variants, monitor their execution, and view their results. However, they can’t access the LiveCompare studio. |

Create user information attributes in your identity provider

A SAML assertion is an XML document that an identity provider sends to a service provider to confirm a user's authentication and authorization status. You must create the following attributes in your identity provider:

| Attribute | SAML assertion value |
|---|---|
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | The SSO user’s username. |
| http://schemas.microsoft.com/ws/2008/06/identity/claims/role | The SSO user’s role, either LIVECOMPARE_EDITOR or LIVECOMPARE_CONSUMER. |
| http://schemas.microsoft.com/identity/claims/displayname | The SSO user’s full name or display name. |

The SAML assertion created during single sign-on uses these attributes.
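
A pre-flight check for the three attributes above, as an added example (not LiveCompare code): it reads a decoded SAML assertion and reports missing claims or an unrecognized role value. The sample assertions, the function names and the strict one-role rule are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
ROLE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
DISPLAY_NAME = "http://schemas.microsoft.com/identity/claims/displayname"
ROLES = {"LIVECOMPARE_EDITOR", "LIVECOMPARE_CONSUMER"}

def read_attributes(assertion_xml):
    """Map each Attribute Name in the assertion to its non-empty values."""
    attrs = {}
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
        attrs.setdefault(attr.get("Name"), []).extend(v for v in values if v)
    return attrs

def check_assertion(assertion_xml):
    """Return a list of problems; an empty list means the attributes look right.
    Content check only: it does not verify the assertion's signature."""
    attrs = read_attributes(assertion_xml)
    problems = [f"missing or empty attribute: {uri}"
                for uri in (NAME, ROLE, DISPLAY_NAME) if not attrs.get(uri)]
    roles = attrs.get(ROLE, [])
    # Assumption: a strict reading of "either ... or". The page does not say how
    # LiveCompare treats several role values or other group names, so flag both.
    if roles and (len(roles) != 1 or roles[0] not in ROLES):
        problems.append(f"role must be exactly one of {sorted(ROLES)}, got {roles}")
    return problems

def sample_assertion(pairs):
    """Build a constructed, unsigned assertion from (Name, value) pairs."""
    body = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in pairs)
    return (f'<saml:Assertion xmlns:saml="{NS["saml"]}"><saml:AttributeStatement>'
            f'{body}</saml:AttributeStatement></saml:Assertion>')

# Constructed samples: one correct, one with a group display name as the role
# and no displayname claim.
GOOD = sample_assertion([(NAME, "jdoe"), (ROLE, "LIVECOMPARE_EDITOR"), (DISPLAY_NAME, "Jane Doe")])
BAD = sample_assertion([(NAME, "jdoe"), (ROLE, "LiveCompare Editors")])

if __name__ == "__main__":
    for label, xml in (("good", GOOD), ("bad", BAD)):
        print(label, check_assertion(xml) or "OK")
```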

Complete the fields in the SSO tab

After you have assigned users to LiveCompare groups, sign in to LiveCompare as an Administrator. Select the SSO tab, and complete the screen fields as follows:

| Field | What to do |
|---|---|
| Enable SSO | Switch this on. |
| Client ID | Enter the client ID for your application. You can get this from your identity provider. |
| SignIn Url | Enter the URL that points to the sign-in page for your application. You can get this from your identity provider. |
| SignOut Url | Enter the URL that LiveCompare redirects users to after they sign out. You can get this from your identity provider. |
| IdP Issuer | Enter your identity provider’s issuer URL, for example, https://sts.windows.net/<your tenant ID>. |
| IdP Signing Certificate | Paste your identity provider’s X.509 signing certificate here. |

Callback Url is a read-only field, set to https://<server name>/livecompare/apps/auth/sso. Your network administrator may request this value to configure LiveCompare’s identity in your identity provider.

Find SSO field values

Your identity provider may name the SSO fields differently, as described below.

| Field | Also known as |
|---|---|
| Client ID | Application ID, Entity ID, Audience URI |
| SignIn Url | Login URL, SSO URL, Identity Provider Login URL |
| SignOut Url | Logout URL, SLO Endpoint |
| IdP Issuer | Identity Provider Entity ID |
| IdP Signing Certificate | X.509 Certificate |

This table shows where to find the field values in Azure AD and Okta.

Field Location
Client ID
  • Azure AD: App registrations > Your app > Application (client) ID
  • Okta: Applications > Your App > General > SAML Settings > Audience URI (SP Entity ID)

SignIn Url
  • Azure AD: Enterprise applications > Your app > Single sign-on > Login URL
  • Okta: Applications > Your app > Sign On > Identity Provider metadata (find under <SingleSignOnService>)

SignOut Url
  • Azure AD: Enterprise applications > Your app > SSO > Logout URL
  • Okta: Applications > Your app > Sign On > Single Logout URL (or in the metadata XML under <SingleLogoutService>)

IdP Issuer
  • Azure AD: Enterprise applications > SSO > Identifier (Entity ID)
  • Okta: Identity Provider Metadata > <EntityDescriptor entityID="...">

IdP Signing Certificate
  • Azure AD: Enterprise Applications > Your app > SSO > Federation Metadata XML (download). Inside <ds:X509Certificate>.
  • Okta: Application > Sign On > Identity Provider metadata. Inside <ds:X509Certificate>.

You should also check with your company's identity provider administrator.
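
Several of the values above sit in the identity provider's metadata XML. The following added example (not LiveCompare code) pulls them from a downloaded metadata file and prints a SHA-256 fingerprint of each signing certificate to confirm with your identity provider administrator. The sample metadata, its URLs and its certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BIND = "urn:oasis:names:tc:SAML:2.0:bindings:"

def sso_fields_from_metadata(metadata_xml):
    """Return the SSO tab values found in one IdP's SAML metadata document."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != "{%s}EntityDescriptor" % NS["md"] or idp is None:
        raise ValueError("expected an EntityDescriptor with an IDPSSODescriptor")

    def locations(tag):
        # Metadata lists one endpoint per binding; return each distinct Location.
        return sorted({e.get("Location") for e in idp.findall("md:" + tag, NS)
                       if e.get("Location")})

    certs = []
    for key in idp.findall("md:KeyDescriptor", NS):
        if key.get("use", "signing") != "signing":
            continue  # skip encryption-only keys; no "use" means both purposes
        for node in key.iterfind(".//ds:X509Certificate", NS):
            body = "".join((node.text or "").split())
            der = base64.b64decode(body, validate=True)
            certs.append({"base64": body, "sha256": hashlib.sha256(der).hexdigest()})
    return {"IdP Issuer": root.get("entityID"),
            "SignIn Url": locations("SingleSignOnService"),
            "SignOut Url": locations("SingleLogoutService"),
            "IdP Signing Certificate": certs}

# Constructed sample: placeholder URLs and bytes, not a real certificate.
SAMPLE_DER = b"constructed bytes, not a real certificate"
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="https://idp.example.test/entity">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="{BIND}HTTP-Redirect" Location="https://idp.example.test/slo"/>
    <md:SingleSignOnService Binding="{BIND}HTTP-Redirect" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="{BIND}HTTP-POST" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for field, value in sso_fields_from_metadata(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

Download the metadata over HTTPS from your own identity provider's admin console, and compare the printed fingerprint with the one shown there before pasting the certificate.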

Sign in to LiveCompare

To sign in to LiveCompare using single sign-on, navigate to the LiveCompare URL and select SSO.

  • If you don’t have an account on the LiveCompare server, LiveCompare creates an SSO account for you.

  • If you have a standard account on the LiveCompare server, LiveCompare converts it to an SSO account.

To sign in to LiveCompare using a standard account, navigate to the LiveCompare URL, enter your username and password, and select Login.