{"id":7254,"date":"2022-10-20T23:18:06","date_gmt":"2022-10-20T21:18:06","guid":{"rendered":"https:\/\/center.iobeya.com\/preparing-sso-on-an-iobeya-platform-step-by-step\/"},"modified":"2024-12-16T17:19:37","modified_gmt":"2024-12-16T16:19:37","slug":"preparing-sso-on-an-iobeya-platform-step-by-step","status":"publish","type":"page","link":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/","title":{"rendered":"Preparing SSO on an iObeya platform &#8211; Step by step"},"content":{"rendered":"<div class=\"vce-row-container\" id=\"header-single\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-901eb356\" data-vce-do-apply=\"all el-901eb356\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last 
vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first\" id=\"el-63227f84\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-63227f84\"><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-63227f84\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-490b0803\" data-vce-do-apply=\"all el-490b0803\"><h1 style=\"text-align: center;\">Preparing SSO on an iObeya platform - Step by step<\/h1><\/div><\/div><div class=\"vce-text-block text-single-training\"><div class=\"vce-text-block-wrapper vce\" id=\"el-7155e8b4\" data-vce-do-apply=\"all el-7155e8b4\"><p><span style=\"font-weight: 400;\">This document describes the streamlined procedure to prepare the SSO configuration on an iObeya platform so the SAML authentication can be performed<\/span><\/p><\/div><\/div><div class=\"vce-single-image-container training-thumbnail vce-single-image--align-center\"><div class=\"vce vce-single-image-wrapper\" id=\"el-d5071872\" data-vce-do-apply=\"all el-d5071872\"><figure><div class=\"vce-single-image-figure-inner\" style=\"width: 1024px;\"><div class=\"vce-single-image-inner vce-single-image--absolute\" style=\"width: 100%; padding-bottom: 64.3555%;\"><img loading=\"lazy\" decoding=\"async\" class=\"vce-single-image\"  width=\"1024\" height=\"659\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25-1024x659.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25-320x206.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25-480x309.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25-800x515.png 800w\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25-1024x659.png\" data-img-src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h57_25.png\" 
data-attachment-id=\"7113\"  alt=\"SSO - Intro\" title=\"SSO - Intro\" \/><\/div><\/div><figcaption hidden=\"\"><\/figcaption><\/figure><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div><div class=\"vce-row-container\" id=\"content-single\" data-vce-boxed-width=\"true\"><div class=\"vce-row vce-row--col-gap-30 vce-row-equal-height vce-row-content--top\" id=\"el-ccd2f4c7\" data-vce-do-apply=\"all el-ccd2f4c7\"><div class=\"vce-row-content\" data-vce-element-content=\"true\"><div class=\"vce-col vce-col--md-auto vce-col--xs-1 vce-col--xs-last vce-col--xs-first vce-col--sm-last vce-col--sm-first vce-col--md-last vce-col--lg-last vce-col--xl-last vce-col--md-first vce-col--lg-first vce-col--xl-first training-article\" id=\"el-1fa1092c\"><div class=\"vce-col-inner\" data-vce-do-apply=\"border margin background  el-1fa1092c\"><div class=\"vce-content-background-container\"><\/div><div class=\"vce-col-content\" data-vce-element-content=\"true\" data-vce-do-apply=\"padding el-1fa1092c\"><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-c910f8ef\" data-vce-do-apply=\"all el-c910f8ef\"><p><a href=\"https:\/\/www.youtube.com\/watch?v=SvppXbpv-5k\"><span style=\"font-weight: 400;\">This video<\/span><\/a><span style=\"font-weight: 400;\"> also gives a good explanation of how the SAML protocol works.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">In most cases, this procedure will work as is, but it does not cover all possible configurations, nor does it explain all the available parameters. 
For additional information, please check the SSO parameters that are listed in the <\/span><a href=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/doc\/master-administration-guide\/html\/en\/administration-guide\/configuring-platform.html#configuring-authentication\"><span style=\"font-weight: 400;\">iObeya documentation<\/span><\/a><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">All the setup needs to be done through the iObeya Platform Administration graphical user interface.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Here are the basic tasks that need to be handled between iObeya and the external IdP. Note that, in some cases, the SAML mechanism can be created on the IdP only once the mechanism has been created on iObeya:<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7115 size-large\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-1024x877.png\" alt=\"SSO Flow\" width=\"580\" height=\"497\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-1024x877.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-300x257.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-768x658.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-320x274.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-480x411.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-800x685.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-420x360.png 420w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-82x70.png 82w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53-1200x1028.png 1200w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_21h59_53.png 1257w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p>&nbsp;<\/p><\/div><\/div><div class=\"vce-text-block\" id=\"prerequisites\"><div class=\"vce-text-block-wrapper vce\" id=\"el-2ab5e830\" data-vce-do-apply=\"all el-2ab5e830\"><h1><span style=\"font-weight: 600;\">1. Authentication policy configuration<\/span><\/h1>\n<table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\">\n<tbody>\n<tr>\n<td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td>\n<td>\n<p><strong>Note<\/strong>&nbsp;<\/p>\n<p>It is mandatory to always connect to the iObeya P<span style=\"font-weight: 400;\">latform Administration <\/span>by using the public URL of the server in order to configure your SSO. Accessing the platform through <em>http:\/\/localhost<\/em> for instance has to be avoided.<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span style=\"font-weight: 400;\">1.1. Activation of SAML add-on<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">In the iObeya Platform Administration Graphical User Interface, once logged in, enter the \u201cADD-ONS\u201d menu on the left. 
Find the \u201csaml-auth\u201d add-on and enable it if its status is \u201cInstalled\u201d<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7117 size-medium\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-300x156.png\" alt=\"Activation of SAML add-on\" width=\"300\" height=\"156\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-300x156.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-768x399.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-320x166.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-480x249.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-588x305.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05-135x70.png 135w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h04_05.png 792w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<h2><span style=\"font-weight: 400; font-style: normal;\">1.2. 
Create a new authentication policy with 3 mechanisms<\/span><\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-7119\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-300x217.png\" alt=\"\" width=\"300\" height=\"217\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-300x217.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-320x231.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-480x347.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-498x360.png 498w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16-97x70.png 97w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h06_16.png 744w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7121\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-1024x384.png\" alt=\"Create a new authentication policy with 3 mechanisms\" width=\"580\" height=\"218\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-1024x384.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-300x113.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-768x288.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-320x120.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-480x180.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-800x300.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-588x221.png 588w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16-175x66.png 175w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h07_16.png 1058w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">The <i>Form credential mechanism<\/i> is necessary if you want to keep the iObeya \u201cdefault login\/password\u201d form. You can use the default values.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <i>Local user authentication mechanism<\/i> is necessary to use local user accounts (i.e. accounts created and managed in iObeya). You can use the default values.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">The <i>SAML credential mechanism<\/i> is for SSO.<\/span><\/p>\n<table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\">\n<tbody>\n<tr>\n<td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td>\n<td><strong>Note<\/strong> <span style=\"font-weight: 400;\">If you put the <i>SAML credential mechanism<\/i> first in the list, the SSO authentication flow will be used by default without showing the iObeya \u201c<\/span>default login\/password<span style=\"font-weight: 400;\">\u201d form. However, it will still be possible to access the \u201c<\/span>default login\/password<span style=\"font-weight: 400;\">&nbsp;form\u201d by using the direct URL https:\/\/iObeya-server-URL\/login (if you access iObeya using https:\/\/iObeya-server-URL), unless you have deactivated or removed the <i>Form credential mechanism<\/i>&nbsp;from your authentication policy.<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2><span style=\"font-weight: 400; font-style: normal;\">1.3. Create a new authentication policy with 3 mechanisms<\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Edit the <\/span><i><span style=\"font-weight: 400;\">SAML credential mechanism<\/span><\/i><\/p>\n<h3><span style=\"font-weight: 400;\">1.3.1. 
Give a name that will be displayed in the end-user login page and add the logo of your choice<\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7123\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37.png\" alt=\"Give a name that will be displayed in the end-user login page and add the logo of your choice\" width=\"952\" height=\"460\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37.png 952w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-300x145.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-768x371.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-320x155.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-480x232.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-800x387.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-588x284.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h15_37-145x70.png 145w\" sizes=\"auto, (max-width: 952px) 100vw, 952px\" \/><\/p>\n<h3><span style=\"font-weight: 400;\">1.3.2. 
Import (choose file) the metadata file for the \u201cMetadata for the Identity Provider (IdP)\u201d, and the EntityID<\/span><\/h3>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7125\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06.png\" alt=\"Import (choose file) the metadata file for the \u201cMetadata for the Identity Provider (IdP)\u201d, and the EntityID\" width=\"597\" height=\"447\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06.png 597w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06-300x225.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06-320x240.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06-480x359.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06-481x360.png 481w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h18_06-93x70.png 93w\" sizes=\"auto, (max-width: 597px) 100vw, 597px\" \/><\/p>\n<p><b>You will not be able to save that authentication mechanism if you do not provide a metadata file for the IdP<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">So, if you already have the metadata of the Identity Provider (IdP), import it. But, if you don\u2019t, you can ask us for a temporary dummy metadata file.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Check \u201cGenerate the metadata for iObeya\u201d, and fill in the EntityID. It could be anything. Usually, we put the URL of the iObeya platform.<\/span><\/p>\n<h3><span style=\"font-weight: 400;\">1.3.3. 
Generate a keystore, using the command in the <a href=\"https:\/\/center.iobeya.com\/fr\/doc\/guide-administrateur-iobeya\/#administration-guide\/configuring-platform.html\">Admin Guide<\/a><\/span><span style=\"font-weight: 400;\"> (search for \"Keystore file\")<\/span><\/h3>\n<p>Here is the basic example provided, using the tool <a href=\"https:\/\/docs.oracle.com\/javase\/6\/docs\/technotes\/tools\/solaris\/keytool.html\" target=\"_blank\" rel=\"noopener\">KeyTool<\/a>. With this command line, the keys will have <strong>a validity of 1095 days<\/strong>.<\/p>\n<pre style=\"font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee; font-size: 12px; border: 1px dashed #999999; line-height: 14px; padding: 5px; overflow: auto; width: 100%;\"><code style=\"color: #000000; word-wrap: normal;\">keytool -genkey -keystore <span style=\"color: #3366ff;\">myKeystore.jks<\/span> -alias <span style=\"color: #ff0000;\">myKey<\/span> -keyalg RSA -sigalg SHA256withRSA -keysize 2048 -validity 1095\n<\/code><\/pre>\n<p><span style=\"font-weight: 400;\">In that case, KeyTool will ask you to type in:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Password for the <\/span><span style=\"font-weight: 400; color: #3366ff;\">myKeystore.jks<\/span><span style=\"font-weight: 400;\"> keystore, e.g. <\/span><span style=\"font-weight: 400; color: #339966;\">myKeystorePassword<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Domain name details: name, organizational unit, enterprise, city, state, country code<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The password for the <\/span><span style=\"font-weight: 400; color: #ff0000;\">myKey<\/span><span style=\"font-weight: 400;\"> key, e.g. 
<\/span><span style=\"font-weight: 400; color: #ff9900;\">myKeyPassword<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Then, in the iObeya \u201cKey management form\u201d, you need to:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">import the keystore file you have just created<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Keystore password: e.g. <\/span><span style=\"font-weight: 400; color: #339966;\">myKeystorePassword<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Passwords for the keys in the keystore (format: json object): {\"<\/span><span style=\"font-weight: 400; color: #ff0000;\">myKey<\/span><span style=\"font-weight: 400;\">\":\"<\/span><span style=\"font-weight: 400; color: #ff9900;\">myKeyPassword<\/span><span style=\"font-weight: 400;\">\"}<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">Name of the default key: <\/span><span style=\"font-weight: 400; color: #ff0000;\">myKey<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-7127\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50.png\" alt=\"\" width=\"674\" height=\"443\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50.png 674w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50-300x197.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50-320x210.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50-480x315.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50-548x360.png 548w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h28_50-107x70.png 107w\" sizes=\"auto, (max-width: 674px) 100vw, 674px\" \/><\/p>\n<h3><span 
style=\"font-weight: 400;\">1.3.4. Fill out the \u201cAuthentication attributes\u201d<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">During the authentication phase, the user gets authenticated on the IdP, and then the IdP sends a \u201cSAML assertion\u201d to iObeya. That assertion contains some information about the user that iObeya is going to use to compare it with its local accounts.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">For example, the user on the left is defined in the Enterprise Directory with his login, firstname, lastname, email, etc. And you need to configure the IDP so that it is going to send the right information to iObeya through the assertion.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">That information needs to be passed as <\/span><b>attributes<\/b><span style=\"font-weight: 400;\">.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7129\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-1024x403.png\" alt=\"Fill out the \u201cAuthentication attributes\u201d\" width=\"580\" height=\"228\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-1024x403.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-300x118.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-768x302.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-320x126.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-480x189.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-800x315.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-588x232.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-175x70.png 175w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45-1200x473.png 1200w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h30_45.png 1455w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><span style=\"font-weight: 400;\"><u>Here is an example of an assertion (extract)<\/u><\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7131\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-1024x264.png\" alt=\"example of an assertion (extract)\" width=\"580\" height=\"150\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-1024x264.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-300x77.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-768x198.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-320x83.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-480x124.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-800x206.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-588x152.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11-175x45.png 175w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h33_11.png 1159w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">In this example, the assertion contains 1 attribute: Its name is \u201cUPN\u201d, and its value is \u201cjdoe\u201d.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On the iObeya side, you would need to configure the \u201cAuthentication attributes\u201d section accordingly:<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7133 size-medium\" 
src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-300x126.png\" alt=\"\u201cAuthentication attributes\u201d section accordingly\" width=\"300\" height=\"126\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-300x126.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-768x323.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-320x135.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-480x202.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-800x336.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-588x247.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20-167x70.png 167w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h34_20.png 942w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You specify what attribute name to look for, e.g. \u201cUPN\u201d<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You specify if iObeya should compare that attribute\u2019s value (e.g. \u201cjdoe\u201d) with the username or email of its local users.<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In the previous example, if iObeya finds an account in its database that has \u201cjdoe\u201d as username, then it is going to log that user in.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><b>Please note that the \u201cIdP Authentication Attribute Name\u201d needs to be passed as an \u201cattribute\u201d in the assertion. 
iObeya cannot use the \u201csubject\u201d field passed in the assertion.<\/b><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"color: #ff0000;\"><b>Important \u26a0: if you use the email address to match the users, part of this authentication process is case-sensitive: the local part of the address is compared case-sensitively, the domain part is not. Indeed, nobody but the domain owner should interpret the local part, as only the domain owner knows how it is handled (for example, dots are ignored and matching is case-insensitive for Google accounts, but it might be different for another domain).<\/b><\/span><\/p>\n<p><span style=\"color: #ff0000;\"><b>For example, let's say the user John Doe has \u201cJohn.Doe@MyCompany.com\u201d as his email address in the Enterprise Directory.<\/b><\/span><\/p>\n<ul>\n<li aria-level=\"1\"><span style=\"color: #ff0000;\"><b>If John Doe is declared in iObeya with \u201cJohn.Doe@MyCoMPany.CoM\u201d, then it would match.<\/b><\/span><\/li>\n<\/ul>\n<ul>\n<li aria-level=\"1\"><span style=\"color: #ff0000;\"><b>If John Doe is declared in iObeya with \u201cjohn.doe@MyCompany.com\u201d, then authentication fails and a warning is displayed in the logs.<\/b><\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span style=\"font-weight: 400;\">1.3.5. 
(optional) Activate \u201cAllow account creation\u201d if you want self-registration<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">With that option activated, if a collaborator does not have an account on iObeya, the first time he\/she clicks on the SSO button on the iObeya login page:<\/span><\/p>\n<ol>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">He\/she gets authenticated on the IdP<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The IdP sends all the necessary information to iObeya<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">iObeya creates the account using the information transmitted<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">The user is logged in on iObeya<\/span><\/li>\n<\/ol>\n<p><span style=\"font-weight: 400;\">In that case, you have to map iObeya\u2019s fields to the attributes that are received, because iObeya needs to specify the username, the firstname, the lastname, and the email in order to create an account.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, you could configure, in the IdP, the following attributes (which are passed in the assertion):<\/span><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-large wp-image-7135\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-1024x681.png\" alt=\"IdP, the following attributes\" width=\"580\" height=\"386\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-1024x681.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-300x200.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-768x511.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-320x213.png 320w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-480x319.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-800x532.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-541x360.png 541w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34-105x70.png 105w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h40_34.png 1201w\" sizes=\"auto, (max-width: 580px) 100vw, 580px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">And you need to specify, in iObeya, what attribute name (yellow) to look for in the assertion, and where to map them (username, email, firstname, lastname).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In that example, the following user would be created in iObeya:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Username: jdoe<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Firstname: John<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Lastname: DOE<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Email: john.doe@iobeya.com<\/span><\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7137 size-medium\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-300x259.png\" alt=\"the following user would be created in iObeya\" width=\"300\" height=\"259\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-300x259.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-768x664.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-320x277.png 320w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-480x415.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-800x692.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-416x360.png 416w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30-81x70.png 81w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h42_30.png 873w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\">\n<tbody>\n<tr>\n<td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td>\n<td>\n<p><strong>Notes<\/strong> <span style=\"font-weight: 400;\">In iObeya, if you want the username to be set as the email address of the IdP, you could use the same attribute name both for username and for the email address, in the iObeya configuration.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">If you are configuring SSO for Azure AD, the usual attribute names that you can configure in your IdP, and that you should declare in iObeya are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Username -&gt; http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/upn<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Firstname -&gt; http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/givenname<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Lastname -&gt; http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/surname<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Email -&gt; http:\/\/schemas.xmlsoap.org\/ws\/2005\/05\/identity\/claims\/emailaddress<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span 
style=\"font-weight: 400;\">If you are using the LDAP\u2019s Object Identifiers - OID -, the usual attribute names that you can configure in your IdP, and that you should declare in iObeya are:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Username (uid) -&gt; urn:oid:0.9.2342.19200300.100.1.1<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Firstname (givenName) -&gt; urn:oid:2.5.4.42<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Lastname (sn) -&gt; urn:oid:2.5.4.4<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Email -&gt; urn:oid:0.9.2342.19200300.100.1.3<\/span><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h3><span style=\"font-weight: 400;\">1.3.6. In the Additional Settings section<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Unless you have a specific configuration (see the SSO parameters that are listed in <\/span><a href=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/doc\/master-administration-guide\/html\/en\/administration-guide\/configuring-platform.html#configuring-authentication\"><span style=\"font-weight: 400;\">iObeya documentation<\/span><\/a><span style=\"font-weight: 400;\">), you can keep most of the default values, but:<\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">You might want to increase the Maximum authentication age, especially if you get this error: \u201cResponse doesn't have any valid assertion which would pass subject validation\u201d. With its default value (\u201c7200\u201d, i.e. 
2 hours in iObeya versions &lt; 4.5), if the user authenticated on the IdP more than 2 hours ago, iObeya considers the authentication token too old and refuses to log that user in.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">\u2192 You could easily increase that value to 10 hours (\u201c36000\u201d) or even 20 hours (\u201c72000\u201d).<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">\u2192 In most cases, since more and more users never close their session, very large values are used for this setting; 8640000 (100 days) is a commonly used value that avoids the problem. This is the default value in iObeya versions &gt; 4.6.<\/span><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li aria-level=\"1\"><b>If you are configuring SSO for Azure AD or ADFS, uncheck the \u201cInclude scoping\u201d option.<\/b><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span style=\"font-weight: 400;\">1.3.7. Save the configuration<\/span><\/h3>\n<h3><span style=\"font-weight: 400;\">1.3.8. 
Downloading the iObeya metadata<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Once this is done, reopen the SSO authentication policy you have just created (by clicking on \u201cEdit information\u201d), right-click on \u201cDownload configured metadata\u201d in the \u201cMetadata for iObeya (SP)\u201d section, and use the \u201cSave link as\u2026\u201d option.<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-7139\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21-300x140.png\" alt=\"Downloading the iObeya metadata\" width=\"300\" height=\"140\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21-300x140.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21-320x149.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21-480x224.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21-150x70.png 150w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h47_21.png 521w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p><span style=\"font-weight: 400;\">Then, you need to send the downloaded metadata XML file to the IDP administrator, so that they can import it into their IDP.&nbsp;<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Note:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Set the default RelayState to the iObeya home URL (<\/span><a href=\"https:\/\/home.iobeya.com\/\"><span style=\"font-weight: 400;\">https:\/\/[acme].iobeya.com<\/span><\/a><span style=\"font-weight: 400;\">)<\/span><\/li>\n<li style=\"font-weight: 400;\" aria-level=\"1\"><span style=\"font-weight: 400;\">Be aware that iObeya does not read Subject and NameID from the SAML response; it only reads what is in the attributes section. 
Therefore the values you want to send to additional parameters will have to be mapped correctly.<\/span><\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h3><span style=\"font-weight: 400;\">1.3.9. Uploading the IDP metadata<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Once the IDP administrator has uploaded the iObeya metadata into the IDP, and configured all the attributes\/claims, the IDP administrator needs to download and send you the IDP metadata that you need to import in iObeya:<\/span><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-7141\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h49_43-300x230.png\" alt=\"metadata that you need to import in iObeya\" width=\"300\" height=\"230\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h49_43-300x230.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h49_43-320x245.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h49_43-91x70.png 91w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_22h49_43.png 462w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Please make sure the attributes \/ claim names declared on the IDP are declared exactly the same on the iObeya side.<\/span><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">Save the Authentication Policy.<\/span><\/p>\n<p>&nbsp;<\/p>\n<h3><span style=\"font-weight: 400;\">1.3.10. 
Activating the Authentication Policy<\/span><\/h3>\n<p><span style=\"font-weight: 400;\">Once this is done, you just need to activate the Authentication Policy you have just created.<\/span><\/p>\n<table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\">\n<tbody>\n<tr>\n<td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td>\n<td><strong>Note<\/strong> <span style=\"font-weight: 400;\">It will disconnect all the users currently connected, so they will have to reconnect. It is best to plan it during non-business hours, and\/or to inform the users (email, announcement in iObeya).<\/span><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><b>Please note that, when you activate the new policy, a pop-up window will appear with a URL. <\/b><b><span style=\"color: #ff0000;\">PLEASE copy that URL and save i<\/span>t<\/b><b>, as this is the fallback URL, should you need to restore the default authentication policy.<\/b><\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-8b85eeb6\" data-vce-do-apply=\"all el-8b85eeb6\"><h2>2. <span style=\"font-weight: 600;\">Additional resources<\/span><\/h2>\n<h3><span style=\"font-weight: 400;\">2.1. 
SAML logs on the iObeya server<\/span><\/h3>\n<p><strong>These logs will show you when people manage to log in, and also when they fail.<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p><span style=\"font-weight: 400;\">In the logs, each AuthNRequest line should be followed by a matching AuthNResponse line.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">For example, on success, you should find the email address in the response:<\/span><\/p>\n<pre style=\"font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee; font-size: 12px; border: 1px dashed #999999; line-height: 14px; padding: 5px; overflow: auto; width: 100%;\"><code style=\"color: #000000; word-wrap: normal;\">INFO [SAMLDefaultLogger] AuthNRequest;SUCCESS\u2026\n\u2026\nINFO [SAMLDefaultLogger] AuthNResponse;SUCCESS... jdoe@mycompany.com...\n<\/code><\/pre>\n<p><span style=\"font-weight: 400;\">For example, on failure:<\/span><\/p>\n<pre style=\"font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee; font-size: 12px; border: 1px dashed #999999; line-height: 14px; padding: 5px; overflow: auto; width: 100%;\"><code style=\"color: #000000; word-wrap: normal;\">INFO [SAMLDefaultLogger] AuthNRequest;SUCCESS...\n...\nINFO [SAMLDefaultLogger] AuthNResponse;FAILURE...\n\n<\/code><\/pre>\n<p><span style=\"font-weight: 400;\">If the file does not exist in the logs, here is how to activate SAML debug information in the log files:<\/span><\/p>\n<p><span style=\"font-weight: 400;\">On an iObeya platform, log4j2.xml is usually located in the \u201csettings\u201d folder of the iObeya folder.<\/span><\/p>\n<table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\">\n<tbody>\n<tr>\n<td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td>\n<td>\n<p><strong>Note<\/strong><\/p>\n<p><span style=\"font-weight: 400;\">If you cannot find the file, go to the 
conf\\Catalina\\localhost folder in Tomcat, and open the .xml context file. The log4j2FilePath value gives you the path to the file.<\/span><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p><span style=\"font-weight: 400;\">Open that file and uncomment the following part, by deleting the \u201c&lt;!--\u201d and \u201c--&gt;\u201d that enclose the RollingFile element (highlighted in yellow):<\/span><\/p>\n<pre style=\"font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee; font-size: 12px; border: 1px dashed #999999; line-height: 14px; padding: 5px; overflow: auto; width: 100%;\"><code style=\"color: #000000; word-wrap: normal;\">&lt;!-- DEBUG FILE LOG Console --&gt;\n&lt;!--\n &lt;RollingFile name=\"debugfile\" fileName=\"\/var\/iobeya\/logs\/appDebug.log\" filePattern=\"\/var\/iobeya\/logs\/appDebug-%d{yyyy-MM-dd}-%i.log.gz\"&gt;\n  &lt;PatternLayout&gt;\n   &lt;Pattern&gt;%d{yyyy-MM-dd HH:mm:ss} %5p [%c{1}] %m%n&lt;\/Pattern&gt;\n  &lt;\/PatternLayout&gt;\n  &lt;Policies&gt;\n   &lt;TimeBasedTriggeringPolicy \/&gt;\n   &lt;SizeBasedTriggeringPolicy size=\"250 MB\"\/&gt;\n  &lt;\/Policies&gt;\n  &lt;DefaultRolloverStrategy max=\"5\"\/&gt;\n &lt;\/RollingFile&gt;\n--&gt;\n<\/code><\/pre>\n<p><span style=\"font-weight: 400;\">Then add the following after the &lt;Loggers&gt; opening tag:<\/span><\/p>\n<pre style=\"font-family: Andale Mono, Lucida Console, Monaco, fixed, monospace; color: #000000; background-color: #eee; font-size: 12px; border: 1px dashed #999999; 
line-height: 14px; padding: 5px; overflow: auto; width: 100%;\"><code style=\"color: #000000; word-wrap: normal;\">&lt;!-- SAML --&gt;\n&lt;Logger name=\"org.opensaml\" level=\"DEBUG\" \/&gt;\n&lt;Logger name=\"org.springframework.security.saml\" level=\"DEBUG\" \/&gt;\n&lt;Logger name=\"com.iobeya.auth.saml\" level=\"DEBUG\" \/&gt;\n&lt;Logger name=\"org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler\" level=\"DEBUG\" \/&gt;\n\n<\/code><\/pre>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p><\/div><\/div><div class=\"vce-text-block\"><div class=\"vce-text-block-wrapper vce\" id=\"el-7748cee1\" data-vce-do-apply=\"all el-7748cee1\"><h3><span style=\"font-weight: 400;\">2.2. SAML Tracer<\/span><\/h3><p><span style=\"font-weight: 400;\">Finally, the SAML Tracer add-on (for Firefox or Chrome) is highly recommended for troubleshooting the setup of the SAML connection (it should be installed by the person who will test the SSO connection). With it, you can quickly see whether the SAML response contains attributes, and the names of the attributes you need to complete the iObeya SAML configuration.<\/span><\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7143 size-full\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15.png\" alt=\"SAML Tracer\" width=\"862\" height=\"543\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15.png 862w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-300x189.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-768x484.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-320x202.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-480x302.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-800x504.png 800w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-571x360.png 571w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h09_15-111x70.png 111w\" sizes=\"auto, (max-width: 862px) 100vw, 862px\" \/><\/p><p><span style=\"font-weight: 400;\">Here is an example where the fields are not mapped as one would naturally expect (attribute name defines the email):<\/span><\/p><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7145 size-full\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39.png\" alt=\"an example where the fields\" width=\"2073\" height=\"800\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39.png 2073w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-300x116.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-1024x395.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-768x296.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-1536x593.png 1536w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-2048x790.png 2048w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-320x123.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-480x185.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-800x309.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-588x227.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-175x68.png 175w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-1200x463.png 1200w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h10_39-1980x764.png 1980w\" sizes=\"auto, (max-width: 2073px) 100vw, 2073px\" 
\/><\/p><table style=\"border-collapse: collapse; border: none!important;\" cellspacing=\"0\" cellpadding=\"0\" border=\"none\"><tbody><tr><td style=\"width: 5px; background-color: #ff9900;\">&nbsp;<\/td><td><p><strong>Note<\/strong><\/p><p><span style=\"font-weight: 400;\">If assertion encryption is activated on the IDP, you will not be able to read the attributes that are passed in the assertion in SAML Tracer.<\/span><\/p><\/td><\/tr><\/tbody><\/table><h3><span style=\"font-weight: 400; font-style: normal;\">2.3. How a SSO login is embedded in the workflow of user added in a room<\/span><\/h3><p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-7147 size-full\" src=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25.png\" alt=\"How a SSO login is embedded in the workflow of user added in a room\" width=\"2000\" height=\"1114\" srcset=\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25.png 2000w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-300x167.png 300w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-1024x570.png 1024w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-768x428.png 768w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-1536x856.png 1536w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-320x178.png 320w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-480x267.png 480w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-800x446.png 800w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-588x328.png 588w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-126x70.png 126w, https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-1200x668.png 1200w, 
https:\/\/center.iobeya.com\/wp-content\/uploads\/2022\/10\/2022-10-20_23h14_25-1980x1103.png 1980w\" sizes=\"auto, (max-width: 2000px) 100vw, 2000px\" \/><\/p><\/div><\/div><\/div><\/div><\/div><\/div><\/div><\/div>","protected":false},"excerpt":{"rendered":"<p>This document describes the streamlined procedure to prepare the SSO configuration on an iObeya platform so the SAML authentication can be performedThis video explains also well how the SAML protocol works. In most cases, it will work as is, but it does not cover all the possible configurations, nor does it explain all the parameters [&hellip;]<\/p>\n","protected":false},"author":49,"featured_media":0,"parent":14941,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"inline_featured_image":false,"__cvm_playback_settings":[],"__cvm_video_id":"","iawp_total_views":153,"footnotes":""},"class_list":["post-7254","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v21.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Preparing SSO on an iObeya platform - Step by step - Resource Center<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/\" \/>\n<meta property=\"og:locale\" content=\"fr_FR\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Preparing SSO on an iObeya platform - Step by step - Resource Center\" \/>\n<meta property=\"og:description\" content=\"This document describes the streamlined procedure to prepare the SSO configuration on an iObeya platform so the SAML authentication can be performedThis video explains also well how the SAML protocol works. 
In most cases, it will work as is, but it does not cover all the possible configurations, nor does it explain all the parameters [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/\" \/>\n<meta property=\"og:site_name\" content=\"Resource Center\" \/>\n<meta property=\"article:modified_time\" content=\"2024-12-16T16:19:37+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Dur\u00e9e de lecture estim\u00e9e\" \/>\n\t<meta name=\"twitter:data1\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/\",\"url\":\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/\",\"name\":\"Preparing SSO on an iObeya platform - Step by step - Resource 
Center\",\"isPartOf\":{\"@id\":\"https:\/\/center.iobeya.com\/fr\/#website\"},\"datePublished\":\"2022-10-20T21:18:06+00:00\",\"dateModified\":\"2024-12-16T16:19:37+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/#breadcrumb\"},\"inLanguage\":\"fr-FR\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/center.iobeya.com\/fr\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Documentations\",\"item\":\"https:\/\/center.iobeya.com\/fr\/documentations\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Preparing SSO on an iObeya platform &#8211; Step by step\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/center.iobeya.com\/fr\/#website\",\"url\":\"https:\/\/center.iobeya.com\/fr\/\",\"name\":\"Resource Center\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\/\/center.iobeya.com\/fr\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/center.iobeya.com\/fr\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"fr-FR\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/center.iobeya.com\/fr\/#organization\",\"name\":\"Resource 
Center\",\"url\":\"https:\/\/center.iobeya.com\/fr\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"fr-FR\",\"@id\":\"https:\/\/center.iobeya.com\/fr\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2021\/12\/logo-iobeya-rc-black-1@3x-1.png\",\"contentUrl\":\"https:\/\/center.iobeya.com\/wp-content\/uploads\/2021\/12\/logo-iobeya-rc-black-1@3x-1.png\",\"width\":550,\"height\":150,\"caption\":\"Resource Center\"},\"image\":{\"@id\":\"https:\/\/center.iobeya.com\/fr\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Preparing SSO on an iObeya platform - Step by step - Resource Center","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/","og_locale":"fr_FR","og_type":"article","og_title":"Preparing SSO on an iObeya platform - Step by step - Resource Center","og_description":"This document describes the streamlined procedure to prepare the SSO configuration on an iObeya platform so the SAML authentication can be performedThis video explains also well how the SAML protocol works. 
In most cases, it will work as is, but it does not cover all the possible configurations, nor does it explain all the parameters [&hellip;]","og_url":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/","og_site_name":"Resource Center","article_modified_time":"2024-12-16T16:19:37+00:00","twitter_card":"summary_large_image","twitter_misc":{"Dur\u00e9e de lecture estim\u00e9e":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/","url":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/","name":"Preparing SSO on an iObeya platform - Step by step - Resource Center","isPartOf":{"@id":"https:\/\/center.iobeya.com\/fr\/#website"},"datePublished":"2022-10-20T21:18:06+00:00","dateModified":"2024-12-16T16:19:37+00:00","breadcrumb":{"@id":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/#breadcrumb"},"inLanguage":"fr-FR","potentialAction":[{"@type":"ReadAction","target":["https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/center.iobeya.com\/fr\/documentations\/preparing-sso-on-an-iobeya-platform-step-by-step\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/center.iobeya.com\/fr\/"},{"@type":"ListItem","position":2,"name":"Documentations","item":"https:\/\/center.iobeya.com\/fr\/documentations\/"},{"@type":"ListItem","position":3,"name":"Preparing SSO on an iObeya platform &#8211; Step by step"}]},{"@type":"WebSite","@id":"https:\/\/center.iobeya.com\/fr\/#website","url":"https:\/\/center.iobeya.com\/fr\/","name":"Resource 
Center","description":"","publisher":{"@id":"https:\/\/center.iobeya.com\/fr\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/center.iobeya.com\/fr\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"fr-FR"},{"@type":"Organization","@id":"https:\/\/center.iobeya.com\/fr\/#organization","name":"Resource Center","url":"https:\/\/center.iobeya.com\/fr\/","logo":{"@type":"ImageObject","inLanguage":"fr-FR","@id":"https:\/\/center.iobeya.com\/fr\/#\/schema\/logo\/image\/","url":"https:\/\/center.iobeya.com\/wp-content\/uploads\/2021\/12\/logo-iobeya-rc-black-1@3x-1.png","contentUrl":"https:\/\/center.iobeya.com\/wp-content\/uploads\/2021\/12\/logo-iobeya-rc-black-1@3x-1.png","width":550,"height":150,"caption":"Resource Center"},"image":{"@id":"https:\/\/center.iobeya.com\/fr\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/pages\/7254","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/users\/49"}],"replies":[{"embeddable":true,"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/comments?post=7254"}],"version-history":[{"count":8,"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/pages\/7254\/revisions"}],"predecessor-version":[{"id":10867,"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/pages\/7254\/revisions\/10867"}],"up":[{"embeddable":true,"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/pages\/14941"}],"wp:attachment":[{"href":"https:\/\/center.iobeya.com\/fr\/wp-json\/wp\/v2\/media?parent=7254"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}