SAML Configuration

This topic covers the steps to configure SAML in EMS for use with EMS Web App and Direct Spaces.

EMS supports SP initiated SAML SSO, and requires a single attribute to be returned in the SAML assertion to authenticate users. That attribute must exist in EMS as one of the following fields of the Everyday User record:

  • Email Address

  • External Reference

  • Network ID

Signed requests can be configured and require SP service provider keys to be created. Encrypted assertions/responses are currently not supported.

ClosedImport Identity Provider Metadata into Platform

  1. Navigate to the EMS Platform admin page and sign in using Everyday User credentials assigned with the web administrator role:

    • On Prem customers: http(s)://servername/EMSPlatform/admin

    • Cloud customers: https://<customer>.emscloudservice.com/platform/admin

  2. Click the SAML pane.

  3. Enter your identity provider metadata URL in URL, or to upload XML, click Choose file.

  4. Click Save Changes.

    This registers the metadata and generates the Auth Keys on the AUTH KEYS pane.

  5. The EMS SAML SP metadata should now be available at:

    • On Prem customers: http(s)://servername/EMSPlatform/api/v1/authentication/saml/metadata/sp

    • Cloud customers: https:<customer>.emscloudservice.com/platform/api/v1/authentication/saml/metadata/sp

If you are using a metadata URL, there is a daily metadata sync that regenerates new auth keys dynamically when they expire. This does not apply if imported via XML. Auth keys must be manually regenerated if you are using the XML file upload.

If you modify any fields on this page such as sign auth requests to a value different than what is supplied by the metadata, the value in EMS reverts to match the metadata during the daily metadata sync when using the metadata URL.

EMS defaults to using the Name ID attribute in the SAML response as set in the User Identity field. For Azure AD, the Name ID attribute is http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name.

Change the Name ID attribute:

  1. From the User Identity dropdown, select Attribute.

  2. In Identity Attribute Name, enter the name of the attribute included in the SAML response to use for authentication.

  3. Click Save Changes.

ClosedCreate Service Provider Keys

You must follow optional steps if signed SAML requests are received.

  1. Navigate to the EMS Platform admin page and sign in using Web Administrator Everyday User credentials.

  2. Click the AUTH KEYS pane.

  3. Click New Auth Key.

  4. Set Purpose to SAML Service Provider.

  5. Enable Auto-Generate Keys.

  6. Click Save Auth Key.

ClosedAuto-Create Users

Optionally, on the SAML pane in EMS Platform, you can enable Allow user to auto-create. When this is enabled, if a user successfully authenticates with your identity provider via SAML in EMS Web App but an everyday user account with their email address does not exist in EMS, one is automatically created using the default security template and status for new users parameter settings and process templates enabled as available for new users.

If you are using HR Toolkit to manage your everyday users, you must not enable this. Once you enable this setting, you can map SAML Attributes from your IDP to the following fields in EMS:

  • Name – required

  • Email Address – required

  • Network ID – optional

  • Phone – optional

  • Fax – optional

The format and names of the SAML Attributes depend on your IDP, for example, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress for email address.

ClosedConfigure EMS Web App

You can enable SAML sign in from the EMS Web App home page.

  1. Navigate to the EMS Platform admin page and sign in using Web Administrator Everyday User credentials.

  2. Click the Integrations pane.

  3. Click EMS Web Application in the Clients page.

  4. Set Everyday User Authentication Method to SAML.

  5. Click Save Changes.

  6. Sign in to the EMS Desktop Client as an admin user.

  7. Navigate to System Administration > Settings > Parameters.

  8. Select Everyday User Applications tab.

  9. Set Use SAML 2.0 Authentication for User Authentication Web App Only parameter to Yes.

  10. On Prem customers must recycle IIS app pool.

Cloud customers might have to wait up to 24 hours for this change to take effect.