HomeEAMVSMSMPProduct UpdatesProduct Roadmap
Website

Single sign-on (SSO)

Here we describe how to set-up single sign-on with LeanIX

Suggest Edits

πŸ‘

Request an SSO setup

Follow this link to directly request an SSO setup for your workspace(s): https://leanix.zendesk.com/hc/en-us/requests/new?ticket_form_id=5897099761948

Overview

LeanIX implements single sign-on (SSO) using the SAML protocol. LeanIX can be configured to work with two kinds of Identity Providers (IDPs).

  • internal IDP: the one you see when log in to eu.leanix.net
  • external IDP: Companies provide their own IDP

πŸ“˜

Transient users with SSO

A great benefit of SSO integration with your (external) Identity Provider is the ability to enable Transient user roles. This allows users within your organisation to access a lightweight version of LeanIX via our Self-service Portals or Catalogs.

You can then embed these portals in your existing intranet, wiki or any other system sitting behind your SSO. You now have a great way to showcase data from within LeanIX directly, all without having to invite or create specific user accounts in LeanIX.

For more details, and to enable the Transient User setting, please reach out to your Customer Success Manager!

Basic Authentication Flow

When the user tries to access the LeanIX application in the browser, the Service Provider (SP) checks if the user if already authenticated. If not, then the user is redirected to the Identify Provider, which initiates the authentication (e.g. via username and password). After successful authentication, the user is redirected back to the Service Provider which grants access to the LeanIX application. The IDP provides attributes, e.g. email address, to the Service Provider which are used to properly identify the user within LeanIX.

2016

SSO Authentication Flow

Supported IDPs

LeanIX is tested and works with IDPs which support the SAML 2.0 protocol, e.g.

IDP NameIDP Documentation
Shibboleth IDPhttps://wiki.shibboleth.net/confluence/display/SHIB2/
Microsoft Active Directory Federation Services (AD FS)https://msdn.microsoft.com/en-us/library/bb897402.aspx
Microsoft Azure ADhttps://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp
CA Single Sign Onhttp://www.ca.com/de/securecenter/ca-single-sign-on.aspx
Google IDPhttps://support.google.com/a/answer/6087519?hl=en
Oktahttps://www.okta.com/topic/saml/
LemonLDAP::NGhttps://lemonldap-ng.org/documentation/latest/idpsaml.html

Checklist external IDP

Prerequisites:

  • IDP must support SAML 2.0
  • client browser needs network access to IDP

Required decision:
Is the role of a user maintained in LeanIX or IDP? (most customers choose LeanIX here)

  • Managed by LeanIX: Roles can be set during invite of a new user and can later be changed in the user administration. A default role (e.g. VIEWER) can be configured to be assigned to new users automatically on first access of a workspace. This means users can be provided with the link to LeanIX and they will be able to successfully login and be assigned the default role, for example VIEWER. All of this without having to "Invite" them to the workspace. In addition, the default role may be left blank. This means that ALL users would need to be "Invited" to the workspace via User Administration. In short authentication is done by the IDP and LeanIX handles authorization.

  • Externally managed: The IDP determines the role of a user and transfers it to LeanIX during the login process. Most customers map the membership in a Active Directory Security Group to one of the LeanIX roles. In short authentication and authorization is managed by the IDP.

Setup steps

  1. Customer provides metadata-idp.xml (exported from their IDP)

πŸ“˜

Guideline

Please make sure to send either a link to the metadata, or the XML in a Zip (in order to avoid problems with spam filter.

Please make sure to send the entire metadata, not only the certificate.

  1. LeanIX sets up a domain and configures it to use the customer's IDP. Once setup, the metadata of LeanIX is available at https://.leanix.net/Shibboleth.sso/Metadata
  2. Customer imports the LeanIX metadata and configures SAML attributes that LeanIX SP requires (see below).

πŸ“˜

Guideline

Please ensure that the name of every SAML 2.0 attribute exactly matches the name LeanIX SP expects.

  1. Customer tests the access to https://.leanix.net/

🚧

Troubleshooting

Make sure to test access only via https://.leanix.net/, not e.g. via https://app.leanix.net/; or https://us.leanix.net/; . We support login via SSO and username / password in parallel for the implementation stage. This will be deactivated in step 5.

We provide you a link with information on the current SAML session here: https://.leanix.net/Shibboleth.sso/Session . Please send us the result of this page in case something does not work.

Access via Internet Explorer can have problems, if the customer's IDP and LeanIX are in different zones, i.e. the IDP is in the zone "Intranet" while LeanIX is in the zone "Internet". It is then required to put the URL to your LeanIX instance, e.g. https://app.leanix.net into the list of trusted addresses in your Internet Explorer. In enterprises this is often controlled centrally, so please approach the team who define and manage the client configurations.

  1. Once successful, the login via LeanIX will be disabled (default IDP). For example prior to setting up SSO, you might be logging into LeanIX via us-2.leanix.net. Once SSO is successfully configured, login via the default IDP will be disabled. At which point login will only be possible via https://.leanix.net/

πŸ“˜

Hint

The uid needs to be unique within the LeanIX user base. Typically, it is possible that the IDP sends a uid that contains a customer suffix, e.g. [email protected] If this is not possible, we can also set this to "Managed By LeanIX". In this case, uids like uid=123456 are ok as well. Please inform us during configuration.

For Microsoft ADFS we provide a sample custom rule mappings, see https://dev.leanix.net/docs/sso-with-adfs.

Attribute Mapping

Please ensure that the name of every SAML 2.0 attribute exactly matches the name LeanIX SP expects.

NameFormatExampleComment
firstnameurn:oasis:names:tc:SAML:2.0:attrname-format:uriPeter
lastnameurn:oasis:names:tc:SAML:2.0:attrname-format:uriSchmidt
uidurn:oasis:names:tc:SAML:2.0:attrname-format:uri[email protected]Unique ID of user, stays stable even if Name is changed. Must be in e-mail format
mailurn:oasis:names:tc:SAML:2.0:attrname-format:uri[email protected]
roleurn:oasis:names:tc:SAML:2.0:attrname-format:uriMEMBEROne of ADMIN, MEMBER, VIEWER. In case multiple roles are submitted comma-separated, then the highest role is taken. This attribute can be omitted if the role of a user is managed by LeanIX.
For the SMP make sure to check the SMP user role mapping.
customerRolesurn:oasis:names:tc:SAML:2.0:attrname-format:uriMANAGERThis attribute is only relevant for customers who have designed and implemented their own custom roles. Please omit, if custom roles are not being utilized.
For the SMP make sure to check the SMP user role mapping.

As Admin, you can view and interact with workspaces under assumed user roles with Switch user roles feature.
entryACIurn:oasis:names:tc:SAML:2.0:attrname-format:urimember-orgunit1The passed value must match the configured ACE in the workspace.

This attribute is only relevant for Virtual Workspace and can be omitted otherwise.

Example SAML Message

<saml2:AttributeStatement>
   <saml2:Attribute FriendlyName="firstname" Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      Peter
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="lastname" Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      Schmidt
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="uid" Name="uid" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      [email protected]
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="mail" Name="mail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      [email protected]
      </saml2:AttributeValue>
   </saml2:Attribute>
   <saml2:Attribute FriendlyName="role" Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
      MEMBER
      </saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>

SMP user role mapping

Note that ADMIN, MEMBER, and VIEWER roles will be mapped to different roles in the SMP.
In the SMP, the roles will be interpreted as the following mapping table shows:

Role in EAM/VSMRole in SMP
ADMINadmin
MEMBERuser
VIEWERuser
ANY CUSTOM ROLEuser

This applies for both cases when user roles are managed by LeanIX or when user roles are externally managed.

πŸ“˜

Information

SMP currently doesn’t support customer roles with external role management.
The β€œcustomerRoles” attribute will be ignored.

Updated 22 days ago