SAML_Wikispaces


8/16/2019 SAML_Wikispaces

Chapter 85

Wikispaces

Wikispaces offers SP-initiated SAML SSO (for SSO access directly through the Wikispaces web application). The following is an overview of the steps required to configure the Wikispaces web application for single sign-on (SSO) via SAML.

1 Prepare Wikispaces for single sign-on (see Wikispaces requirements for SSO).

2 In the Centrify Cloud Manager, add the application and configure application settings.

Once the application settings are configured, complete the user account mapping and assign the application to one or more roles. For details, see Configuring Wikispaces in Cloud Manager.

3 Configure the Wikispaces application for single sign-on.

To configure Wikispaces for SSO, contact a Wikispaces customer support representative and give them the Identity Provider SAML Metadata file downloaded from the Cloud Manager Application Settings page. For details, see Contacting Wikispaces to enable SSO.

After you are done configuring the application settings in the Cloud Manager and the Wikispaces application, users are ready to authenticate using the Centrify cloud directory.

Preparing for Wikispaces Configuration

Wikispaces requirements for SSO

Before you configure the Wikispaces web application for SSO, you need the following:

• Identity Provider SAML Metadata downloaded from the Cloud Manager.

• A signed certificate. You can either download one from Cloud Manager or use your organization’s trusted certificate.

Setting up the certificates for SSO

To establish a trusted connection between the web application and the cloud service, you need to have the same signing certificate in both the application and the application settings in Cloud Manager: the cloud service signs SAML assertions with the certificate’s private key, and Wikispaces verifies those signatures with the matching public certificate.

If you use your own certificate, you upload the signing certificate and its private key in a .pfx or .p12 file to the application settings in Cloud Manager. You upload only the public key certificate, in a .cer or .pem file, to the web application. The private key stays in Cloud Manager; never send the .pfx or .p12 file to Wikispaces.

What you need to know about Wikispaces

Each SAML application is different. The following table lists features and functionality specific to Wikispaces.

Capability                                          Supported?   Support details
Web browser client                                  Yes
Mobile client                                       No
SAML 2.0                                            Yes
SP-initiated SSO                                    Yes          Users may go directly to a supplied Wikispaces URL and then use the Centrify identity platform SSO to authenticate.
IdP-initiated SSO                                   No
Force user login via SSO only                       No           Administrators and users can still log in with a user name and password after SSO is enabled.
Separate administrator login after SSO is enabled   No
User or Administrator account lockout risk          No           User name and password login is always available.
Automatic user provisioning                         No
Self-service password                               N/A
Access restriction using a corporate IP range       Yes          You can specify an IP Range in the Cloud Manager Policy page to restrict access to the application.

Because Wikispaces cannot force login via SSO only, the controls you set on the Policy page (corporate IP range, strong authentication) govern only launches through the Centrify SSO path. A user who signs in to Wikispaces directly with a user name and password is not subject to them, so Wikispaces password hygiene still matters after SSO is enabled.

Configuring Wikispaces in Cloud Manager

To add and configure the Wikispaces application in Cloud Manager:

1 In Cloud Manager, click Apps.

2 Click Add Web Apps.

The Add Web Apps screen appears.

3 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

4 Next to the application, click Add.

5 In the Add Web App screen, click Yes to confirm.

Cloud Manager adds the application.

6 Click Close to exit the Application Catalog.

The application that you just added opens to the Application Settings page.

7 Configure the following:

Identity Provider Entity ID
  Required or optional: Required
  Set it to: The cloud service automatically generates the content for this field.
  What you do: This content is automatically included in the Identity Provider SAML Metadata.

Your Wikispaces Service Provider Entity ID
  Required or optional: Required
  Set it to: https://session.wikispaces.net/[number]/
  What you do: Enter the Wikispaces Service Provider (SP) Entity ID you received from Wikispaces. The ID is part of the Wikispaces Service Provider metadata URL. The URL format is https://session.wikispaces.net/[number]/, where [number] represents the entity ID. For example, https://session.wikispaces.net/1234/

Download Identity Provider SAML Metadata
  Required or optional: Required
  Set it to: The cloud service automatically generates the content for this field.
  What you do: Click the link to download the metadata file. Send the metadata file to [email protected] and give Wikispaces the following attribute mapping information:
  • SAML Attribute Username = Display Name
  • SAML Attribute Email Address = Email Address
  • SAML Attribute GUID = Email Address
  Because the GUID is derived from the email address rather than from an immutable directory attribute, changing a user’s email address changes the identity presented to Wikispaces; keep email addresses stable for SSO users.

Download Signing Certificate
  Required or optional: Required
  Set it to: The cloud service automatically generates the content.
  What you do: If necessary, click the link to download the default Signing Certificate. The certificate content is automatically included as part of the Identity Provider SAML Metadata. To use a certificate with a private key (.pfx file) from your local storage, see the Security Certificate option in step 8. If you replace the certificate, download the Identity Provider Metadata again and give the new file to Wikispaces; until Wikispaces has loaded the new metadata it still verifies signatures against the old certificate, and SSO fails.

8 On the Application Settings page, expand the Additional Options section and specify the following settings:

Application ID
  Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. The cloud service uses the Application ID to provide single sign-on to mobile applications. Note the following:
  • The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.
  • There can only be one SAML application deployed with the name used by the mobile application.
  The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

Show in User app list
  Select Show in User app list to display this web application in the user portal. (This option is selected by default for most applications; see the note below for Wikispaces.) If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won’t display for users in the user portal.

Security Certificate
  These settings specify the signing certificate used for secure SSO authentication between the cloud service and the web application. Be sure to use a matching certificate both in the application settings in Cloud Manager and in the application itself. Select an option to change the signing certificate.
  • Use existing certificate: When selected, the certificate currently in use is displayed. It’s not necessary to select this option; it’s present to display the current certificate in use.
  • Use the default tenant signing certificate: Select this option to use the cloud service standard certificate. This is the default setting.
  • Use a certificate with a private key (pfx file) from your local storage: Select this option to use your organization’s own certificate. Click Browse to upload an archive file (.p12 or .pfx extension) that contains the certificate along with its private key. If the file has a password, you must enter it when prompted. Upload the certificate from your local storage before downloading the IdP metadata or the Signing Certificate from the Application Settings page, so that the metadata you send to Wikispaces embeds the certificate that will actually sign assertions. If the IdP metadata is available from a URL, be sure to upload the certificate prior to providing the URL to your service provider.

Note: Show in user app list is not set by default for the Wikispaces application.

9 (Optional) On the Description page, you can change the name, description, and logo for the application. For some applications, the name cannot be modified.

The Category field specifies the default grouping for the application in the user portal. Users have the option to create a tag that overrides the default grouping in the user portal.

10 On the User Access page, select the role(s) that represent the users and groups that have access to the application.

When assigning an application to a role, select either Automatic Install or Optional Install:

Select Automatic Install for applications that you want to appear automatically for users.

If you select Optional Install, the application doesn’t automatically appear in the user portal and users have the option to add the application.


11 (Optional) On the Policy page, specify additional authentication control for this application. You can select one or both of the following settings:

Restrict app to clients within the Corporate IP Range: Select this option to prevent users outside the company intranet from launching this application. To use this option, you must also specify which IP addresses are considered as your intranet by specifying the Corporate IP range in Settings > Corporate IP Range.

Require Strong Authentication: Select this option to force users to authenticate using additional, stronger authentication mechanisms when launching an application. Specify these mechanisms in Policy > Add Policy Set > Account Security Policies > Authentication.

You can also include JavaScript code to identify specific circumstances when you want to block an application or you want to require additional authentication methods. For details, see Application access policies with JavaScript.

12 On the Account Mapping page, configure how the login information is mapped to the application’s user accounts. The options are as follows:

Use the following Directory Service field to supply the user name: Use this option if the user accounts are based on user attributes. For example, specify an Active Directory field such as mail or userPrincipalName or a similar field from the Centrify cloud directory.

Everybody shares a single user name: Use this option if you want to share access to an account but not share the user name and password. For example, some people share an application developer account.

Use Account Mapping Script: You can customize the user account mapping here by supplying a custom JavaScript script. For example, you could use the following line as a script:

    LoginUser.Username = LoginUser.Get('mail')+'.ad';

The above script instructs the cloud service to set the login user name to the user’s mail attribute value in Active Directory and add ‘.ad’ to the end. So, if the user’s mail attribute value is [email protected], the cloud service sets the login user name to that value with ‘.ad’ appended. For more information about writing a script to map user accounts, see the SAML application scripting.

13 (Optional) On the Advanced page, you can edit the script that generates the SAML assertion, if needed. In most cases, you don’t need to edit this script. For more information, see the SAML application scripting.

14 (Optional) On the Changelog page, you can see recent changes that have been made to the application settings, by date, user, and the type of change that was made.

15 (Optional) Click Workflow to set up a request and approval work flow for this application.



The Workflow feature is a premium feature and is available only in the Centrify Identity Service App+ Edition. See Configuring Workflow for more information.

16 Click Save.

After configuring the application settings (including the role assignment) and the application’s web site, you’re ready for users to launch the application from the user portal.
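Before the metadata file goes to Wikispaces, and again after any certificate change (both the Download Signing Certificate row in step 7 and the Security Certificate option in step 8 require re-sending the metadata), it is worth confirming that the file really is IdP metadata and that the public certificate Wikispaces holds matches the signing certificate the metadata advertises. The following script is an added example, not Centrify or Wikispaces code; it uses only the Python standard library. The entityID, SSO endpoint URL and certificate bytes in it are constructed placeholders (the DER blobs are not real certificates), so it runs offline; with the real metadata file and .cer/.pem export the same functions apply unchanged.

```python
"""Pre-flight check for the IdP metadata handed to Wikispaces.

Added example, not Centrify or Wikispaces code. Parses a SAML 2.0 IdP
metadata document with the standard library only, extracts the entityID,
the SingleSignOnService endpoints and every signing certificate, and
compares SHA-256 fingerprints with the public certificate (.cer/.pem)
that the service provider holds. Sample inputs below are constructed.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def parse_idp_metadata(xml_text: str) -> dict:
    """Return entityID, SSO endpoints (by binding) and signing certs (DER)."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A file carrying only an SPSSODescriptor is SP metadata, i.e. the
        # wrong file to send to Wikispaces.
        raise ValueError("no IDPSSODescriptor: this is not IdP metadata")
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # Per the SAML metadata spec, a KeyDescriptor without a 'use'
        # attribute is valid for both signing and encryption, so keep it.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            signing_certs.append(base64.b64decode("".join(cert.text.split())))
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    return {"entity_id": root.get("entityID"),
            "sso": sso,
            "signing_certs": signing_certs}


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def pem_to_der(pem_text: str) -> bytes:
    """Extract the first CERTIFICATE block from a .cer/.pem file."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sp_cert_matches_idp(metadata_xml: str, sp_cert_pem: str) -> bool:
    """True if the cert the SP holds is one of the IdP's signing certs."""
    meta = parse_idp_metadata(metadata_xml)
    if not meta["signing_certs"]:
        raise ValueError("metadata advertises no signing certificate")
    want = fingerprint(pem_to_der(sp_cert_pem))
    return any(fingerprint(c) == want for c in meta["signing_certs"])


# --- constructed sample input (placeholders, not real certificates) -----
_DER_CURRENT = b"constructed placeholder, not a real certificate: current key"
_DER_PREVIOUS = b"constructed placeholder, not a real certificate: previous key"

SAMPLE_IDP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/saml/wikispaces">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
""" % base64.b64encode(_DER_CURRENT).decode()


def to_pem(der: bytes) -> str:
    """Wrap DER bytes the way a .cer/.pem export would."""
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body


# What Wikispaces should hold once the current metadata has been sent ...
SP_CERT_CURRENT = to_pem(_DER_CURRENT)
# ... and what it still holds if the certificate was replaced in Cloud
# Manager but the re-downloaded metadata was never sent.
SP_CERT_STALE = to_pem(_DER_PREVIOUS)

if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("IdP entityID:", meta["entity_id"])
    for binding, location in meta["sso"].items():
        print("SSO endpoint:", binding.rsplit(":", 1)[-1], location)
    print("current cert matches:", sp_cert_matches_idp(SAMPLE_IDP_METADATA, SP_CERT_CURRENT))
    print("stale cert matches:", sp_cert_matches_idp(SAMPLE_IDP_METADATA, SP_CERT_STALE))
```

Run it against the downloaded metadata and the certificate you exported for Wikispaces; a False result on the real files means Wikispaces is (or will be) verifying assertions against the wrong certificate, which is exactly the state the "download the Identity Provider Metadata again" instruction exists to prevent.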

Contacting Wikispaces to enable SSO

To configure Wikispaces for SSO:

1 Email Wikispaces at the following address: [email protected] and include:

• The Identity Provider SAML Metadata you downloaded in Step 7 of Configuring Wikispaces in Cloud Manager. The metadata file contains only public information (entity ID, endpoint URLs and the public signing certificate); do not attach the .pfx or .p12 file that holds the private key.

• The attribute mapping information:
  SAML Attribute Username = Display Name
  SAML Attribute Email Address = Email Address
  SAML Attribute GUID = Email Address

2 If you haven’t done so already, get the Service Provider Entity ID from Wikispaces and enter it into the Wikispaces Service Provider Entity ID field in the Cloud Manager Application Settings page.

For more information about Wikispaces

For more information about configuring Wikispaces for SSO, contact Wikispaces support.
