SSO integration
  • 27 Feb 2024

Article summary

Gfacility supports multiple protocols for authenticating users, including OpenID Connect and SAML 2.0. The supported identity providers are OneLogin and Azure Active Directory (AD), which provide a secure and standardized way to manage user access. This ensures that only authorized users can access the application.

Configure SSO

There are two ways to configure SSO:

  • Via OpenID Connect

  • Via SAML 2.0

OpenID Connect:

OpenID Connect is an authentication protocol that lets users authenticate with a third-party identity provider, the OpenID Provider (OP), through a standard set of APIs. To integrate with Gfacility's authentication system via OpenID Connect, you will need the following information:

  1. Application (Client) ID - This is a unique identifier for your application, which you can obtain by registering your application in the Azure portal.

  2. OAuth 2.0 authorization endpoint - This is the URL where the user is directed to authenticate to the identity provider.

  3. Directory (tenant) ID - This is the ID of the Azure AD tenant where your application is registered.

  4. Client credentials - These are the client ID and client secret that are used to authenticate your application to the OpenID provider (OP).

  5. Redirect URI - This is the URL where the OP will send users after authentication. For Gfacility, this should be set to "https://app.gfacility.com/login/sso".

After the above has been set up, users must be assigned to the application so that they can use SSO.
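The five values above fit together in one authorization code flow request. The example below is added here and is not Gfacility's or Microsoft's code: it builds the request to the tenant's authorization endpoint, keeps the registered redirect URI on an exact-match allowlist, and checks the state on the callback before accepting an authorization code. The tenant ID, client ID, state and nonce are constructed placeholders; the endpoint pattern follows the Azure AD v2.0 convention (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize).

```python
"""Assemble an OpenID Connect authorization request from the values listed
above and validate the callback that comes back to the redirect URI.

Added example, not Gfacility's or Microsoft's code. Tenant ID, client ID,
state and nonce are constructed placeholders.
"""
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholders; a real tenant and application have their own GUIDs.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"

# The redirect URI stated on the page. Registered redirect URIs are compared
# by exact string match, so the allowlist holds the full URI, not a prefix.
REDIRECT_URI = "https://app.gfacility.com/login/sso"
REGISTERED_REDIRECT_URIS = {REDIRECT_URI}


def authorization_endpoint(tenant_id: str) -> str:
    """OAuth 2.0 authorization endpoint for the given Azure AD tenant (v2.0 pattern)."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/authorize"


def redirect_uri_allowed(uri: str) -> bool:
    """Exact match only: no wildcards, no prefix matching, no trailing-slash tolerance."""
    return uri in REGISTERED_REDIRECT_URIS


def new_state_and_nonce() -> tuple:
    """Fresh unguessable values: state ties the callback to this browser
    session, nonce ties the ID token to this request."""
    return secrets.token_urlsafe(32), secrets.token_urlsafe(32)


def build_authorization_url(tenant_id, client_id, redirect_uri, state, nonce):
    """Authorization code flow request the user's browser is sent to."""
    if not redirect_uri_allowed(redirect_uri):
        raise ValueError(f"redirect_uri is not registered: {redirect_uri}")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": "openid profile email",
        "state": state,
        "nonce": nonce,
    }
    return f"{authorization_endpoint(tenant_id)}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Check where the callback landed and its state, then return the code."""
    parts = urlsplit(callback_url)
    base = f"{parts.scheme}://{parts.netloc}{parts.path}"
    if not redirect_uri_allowed(base):
        raise ValueError(f"callback arrived at an unregistered URI: {base}")
    query = parse_qs(parts.query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback is not tied to this session")
    if "error" in query:
        raise ValueError(f"provider returned an error: {query['error'][0]}")
    code = query.get("code", [None])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return code


if __name__ == "__main__":
    state, nonce = new_state_and_nonce()
    print(build_authorization_url(TENANT_ID, CLIENT_ID, REDIRECT_URI, state, nonce))
```

The client ID and client secret from item 4 are used later, when the code returned by `parse_callback` is exchanged at the token endpoint; they never appear in the browser-visible authorization URL.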

SAML 2.0:

SAML 2.0 is another authentication protocol that allows users to authenticate with a third-party identity provider through XML-based messages. To integrate with Gfacility's authentication system via SAML 2.0, follow the steps below.

  1. Go to Home > Applications > Enterprise applications | Overview.

  2. Open the Azure AD SAML Toolkit. If not present, click + New Application and add it.

  3. Click Single sign-on.

  4. Click Edit on Basic SAML Configuration. Add the information below and replace {company name} with the name of your organization.

    1. ID (entity ID) - This is a unique identifier for your application, which should be set to "https://app.gfacility.com/api/sso/{company name}/metadata".

    2. Response URL (URL for Assertion Consumer Service) - This is the URL where the identity provider will send the SAML response after authentication. For Gfacility, this should be set to "https://app.gfacility.com/api/sso/{company name}/acs".

    3. Sign-in URL - This is the URL where the user is sent to start the SAML authentication process. For Gfacility, this should be set to "https://app.gfacility.com/api/sso/{company name}/acs".

  5. To complete the SSO configuration, provide the following information to your Gfacility contact:

    1. From step 3, SAML Certificates: the app federation metadata URL.

    2. From step 4, Azure AD SAML Toolkit: the Login URL, Microsoft Entra Identifier, and Logout URL.

Once you have provided the data to us, we can configure SAML authentication for your application. This SAML deployment enables Gfacility to establish a secure connection to your Azure AD tenant and authenticate your users.
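The three values entered under Basic SAML Configuration are what the service provider later checks a SAML response against. The example below is added here and is not Gfacility's or Microsoft's code: it derives the entity ID, ACS URL and sign-in URL for a company name and then checks a response's Destination, Audience and validity window against them. The response XML is constructed for illustration and is unsigned; a real response also carries an XML signature that must be verified with the IdP certificate before any of these fields are trusted. URL-encoding the company name in the path is an assumption of this example.

```python
"""Derive the service-provider values Gfacility expects for a company and
check a SAML response's Destination, Audience and validity window against them.

Added example, not Gfacility's or Microsoft's code. The sample response is
constructed and unsigned; signature verification is out of scope here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import quote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


def sp_settings(company_name: str) -> dict:
    """The three values entered under Basic SAML Configuration.
    URL-encoding the company name is an assumption of this example."""
    base = f"https://app.gfacility.com/api/sso/{quote(company_name, safe='')}"
    return {
        "entity_id": f"{base}/metadata",
        "acs_url": f"{base}/acs",
        "sign_in_url": f"{base}/acs",
    }


def _utc(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sample_now() -> datetime:
    """A fixed clock inside the sample assertion's validity window."""
    return _utc("2024-02-27T10:00:00Z")


def check_response(xml_text: str, settings: dict, now: datetime) -> list:
    """Return a list of problems; an empty list means the checks passed."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["not a SAML 2.0 Response"]
    problems = []
    # Destination must be this company's ACS URL, not another tenant's.
    if root.get("Destination") != settings["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not {settings['acs_url']!r}")
    conditions = root.find(".//saml:Assertion/saml:Conditions", NS)
    if conditions is None:
        return problems + ["assertion has no Conditions element"]
    # Audience must name this company's entity ID, so an assertion issued for
    # another service provider is rejected.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if settings["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} does not include {settings['entity_id']!r}")
    not_before = conditions.get("NotBefore")
    not_on_or_after = conditions.get("NotOnOrAfter")
    if not_before and now < _utc(not_before):
        problems.append("assertion not yet valid")
    if not_on_or_after and now >= _utc(not_on_or_after):
        problems.append("assertion expired")
    return problems


# Constructed sample response for the company "acme"; unsigned, illustration only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-02-27T10:00:00Z"
    Destination="https://app.gfacility.com/api/sso/acme/acs">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-02-27T10:00:00Z">
    <saml:Conditions NotBefore="2024-02-27T09:55:00Z" NotOnOrAfter="2024-02-27T11:00:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://app.gfacility.com/api/sso/acme/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE, sp_settings("acme"), sample_now()))
```

Run against the settings for "acme" the sample passes; run against another company's settings it fails on both Destination and Audience, which is the check that keeps an assertion issued for one tenant's ACS URL from being accepted at another's.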

Need more information? This Microsoft article describes the procedure for obtaining the above-mentioned items.

Log in with SSO

Once SSO is configured, users can log in with SSO by clicking on "Login with SSO" on the login screen. It is also possible to redirect users to a URL that automatically logs them in. You can choose between two URLs:

  • https://app.gfacility.com/login/sso?email=auto

  • https://app.gfacility.com/login/sso?email=mailadres@gebruiker.com

The =auto URL asks the user once to enter their email address. The value is stored in a cookie, so the user is logged in automatically when using this link in the future.

The URL with the email address filled in passes the user's address directly in the query string. The user does not have to enter an e-mail address, and clearing cookies has no effect.
