Setting Up SSO for Plutora

Plutora supports the following ‘flavors’ of SSO:

  1. SAML.
  2. WS-Federation Services.
  3. WS-Federation Services with SAML.

Setup procedures for all three flavors can be found below.

First, check what kind of SSO you are using.

Plutora and Plutora Test now both support SSO. Logging in or out of Plutora will also log the user in or out of Plutora Test. While logging out, do not close the browser window until the logout process is complete.

The minimum requirements to activate SSO are the Use SAML Request checkbox and the SSO Login URL.

Administrators should use the Login Settings Customization to redirect users to the SSO login page every time they log in.

For the other settings on the Login Settings page, see Login Settings.

  1. Go to Settings > Customization.
  2. Click Login Settings.
  3. Click to select the Enable SSO Login checkbox to make the SSO Login button appear under the Plutora login form.
  4. Click to select the following as required:
    Do not select the Auto redirect to SSO login page checkbox until you have confirmed that the connection is working. If the connection is not working, go directly to YourCompanyName.plutora.com/login to log in.

    1. Auto redirect to SSO login page:
      • Click to select the checkbox to bypass the Plutora login page and always redirect the user to the SSO Login URL.
      • If Auto redirect to SSO login page is selected but the Logout URL is not set, when users log out of Plutora or Plutora Test, they will be immediately logged back in again.
    2. Use SAML Request: Click to select the checkbox to use the SAML settings on this page:
      • If the Auto redirect to SSO login page checkbox is not selected, but Use SAML Request checkbox is selected, users will be directed to the Plutora login page, where they can click the SSO Login button.
      • If the Use SAML Request checkbox is unselected, the system will attempt to log in via a pre-configured WS-Federation module.
    3. Combined Issuer: Click to select the checkbox to enable SSO credentials for both Plutora and Plutora Test:
      • When enabled: the authentication request Issuer will be https://idp-{region}.plutora.com and the AssertionConsumingServiceUrl will be https://idp-{region}.plutora.com/api/Login/ExternalLoginResponse.
      • This will allow customers to use SSO with Plutora and Plutora Test, provided they have updated their SSO server settings.
      • When disabled: the authentication request Issuer will be based on which site is making the request – either https://{subdomain}.plutora.com or https://{subdomain}.plutoratest.com and the AssertionConsumingServiceUrl will also be based on which site is making the request – same as Issuer.
      • This will allow customers to continue to use SSO with Plutora without changing their SSO server settings.
      • If they add https://{subdomain}.plutoratest.com with the right settings to their SSO server, they will also be able to use Plutora Test. However, this isn’t the intention: the intention is that they should enable the option and update their SSO server settings to handle the new Issuer above.
    4. Login URL: Type the URL that the user will be sent to when they log in via SSO.
    5. Sign Login Request: Click to select the checkbox:
      • If selected, the authentication request to the SSO server will be signed with Plutora’s private key.
      • Customers should download the public certificate and use it on their SSO server to validate the signature in the login request.
      • If selected, the authentication request will be made using a POST method; otherwise, it will be made using a GET method.
    6. Validate Login Response: Click to select the checkbox:
      • If selected, upon receiving an authentication response from the customer’s SSO server, the Plutora authentication system will check the signature in the response and validate it using the “Response Validation Certificate” setting below.
      • If the response is not signed, the authentication will fail. If the response is signed but the signature is invalid, the authentication will fail.
        The Validate Login Response checkbox should be selected. If left unselected, an unauthorized user could forge an authentication response and gain access.
    1. Logout URL: Type the URL that the user will be sent to after they log out as part of the single-logout process (which logs the user out of all the sessions authenticated by their SSO login):
      • This logout request must be processed at the SSO server and a Logout Response MUST be returned. See section 3.7 Single Logout Protocol:
      • If not provided, when a user logs out, they will only be logged out of Plutora and Plutora Test, and not all the sessions authenticated by their SSO login.
      • If provided, and not correctly configured at the SSO server, users will not be able to log out of Plutora and Plutora Test, as when they log out they will immediately be logged back in again.
    2. Sign Logout Request: Click to select the checkbox:
      • If selected, the logout request to the SSO server will be signed with Plutora’s private key.
      • Customers should download the public certificate and use it on their SSO server to validate the signature of the logout request.
      • If selected, the logout request will be made using a POST method; otherwise, it will be made using a GET method.
    3. Validate Logout Response: Click to select the checkbox: 
      • If selected, upon receiving a logout response from the customer’s SSO server, the Plutora authentication system will check the signature in the response and validate it using the “Response Validation Certificate” setting below.
      • If the response is not signed, or the response is signed but the signature is invalid, the authentication system will consider the logout to be “partially successful” as it cannot verify that the single logout completed.
      • Regardless of the verification, the user will be logged out of Plutora and Plutora Test.
    4. Download the public certificate for signature verification on your SSO server: Click to download the certificate:
      • Plutora now has a full certificate embedded to be used for signing SSO authentication requests.
      • Download the public certificate and load it into your SSO system so you can validate the signature of the authentication requests.
    5. Upload Certificate For Validating Response Signatures: To upload a certificate:
      1. Click Upload certificate for validating response signatures.
      2. Click to select the certificate file:
        • Customers should upload the PUBLIC CERTIFICATE of their keystore. For example, see https://stackoverflow.com/questions/36133076/how-to-extract-certificate-from-p12-pfx-file-using-keytool-commands.
        • This certificate will be used to validate login and logout responses from the SSO server if the corresponding settings are enabled.
        • In Plutora Test, some of the currently uploaded certificate information is shown. If it says “Private Key”, then the user has mistakenly uploaded their private key via Plutora; the key has been compromised and should be replaced.
      3. Click Open.
      4. Type the password that was used when generating the certificate.
        If the certificate is public and doesn’t require a password, click OK without typing a password.
      5. Click OK.
        Once the certificate is uploaded, the message will change from There has not been a certificate uploaded yet to Certificate has been uploaded.
  1. Click Submit.
    The yellow Your changes have been saved pop up opens and closes.
    If you click away from the Customization page without clicking Submit, your changes will not save.
    Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need. The new User Management entity in Email Template Wizard Customization can send administrators notifications when a new SSO account is created.
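
An added example (not Plutora's code) for confirming the connection before enabling Auto redirect: it decodes a SAMLRequest value captured from the browser and compares its Issuer, AssertionConsumerServiceURL and signing against the Combined Issuer and Sign Login Request settings described above. It assumes standard SAML 2.0 encoding (raw DEFLATE then base64 on GET, plain base64 on POST) and an enveloped signature on signed requests; all function names are this example's own.

```python
import base64
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def expected_endpoints(combined_issuer, region, subdomain, site="plutora"):
    """Issuer and ACS URL documented above for each Combined Issuer state."""
    if combined_issuer:
        base = f"https://idp-{region}.plutora.com"
        return base, base + "/api/Login/ExternalLoginResponse"
    base = f"https://{subdomain}.{site}.com"  # site: "plutora" or "plutoratest"
    return base, base  # when disabled, the ACS URL is the same as the Issuer

def decode_request(saml_request, method):
    """Decode a URL-decoded SAMLRequest value captured from the browser."""
    raw = base64.b64decode(saml_request)
    if method == "GET":  # assumed redirect binding: raw DEFLATE, then base64
        raw = zlib.decompress(raw, -15)
    if b"<!DOCTYPE" in raw or b"<!ENTITY" in raw:
        raise ValueError("DTD in SAML message, refusing to parse")
    return ET.fromstring(raw)

def check_request(saml_request, method, sign_login_request, expected):
    """Return a list of mismatches between the request and the settings."""
    root = decode_request(saml_request, method)
    issuer = (root.findtext("saml:Issuer", "", NS) or "").strip()
    acs = root.get("AssertionConsumerServiceURL", "")
    signed = root.find("ds:Signature", NS) is not None
    problems = []
    if (issuer, acs) != expected:
        problems.append(f"issuer/ACS {issuer!r}, {acs!r} != expected {expected!r}")
    if sign_login_request and not (method == "POST" and signed):
        problems.append("Sign Login Request is on: expected a signed POST")
    if not sign_login_request and method != "GET":
        problems.append("Sign Login Request is off: expected a GET")
    return problems

def sample_get_request(issuer, acs):
    """Constructed unsigned AuthnRequest, encoded as for a GET redirect."""
    xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" '
           f'xmlns:saml="{NS["saml"]}" ID="_constructed1" Version="2.0" '
           f'AssertionConsumerServiceURL="{acs}">'
           f'<saml:Issuer>{issuer}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(deflater.compress(xml.encode()) + deflater.flush()).decode()
```

An empty list from check_request means the captured request matches what the SSO server should be configured to trust; the signature check here only confirms a Signature element is present, it does not verify it.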

If you are using WS-Federation Services, please contact our Support Staff so they can create a configuration file.

To set up WS-Federation Services on Plutora, once the configuration file is created:

  1. Go to Settings > Customization.
  2. Click Login Settings.
  3. Click to select the Enable SSO Login checkbox to make the SSO Login button appear under the Plutora login form.
  4. Click Submit.
    The yellow Your changes have been saved pop up opens and closes.
    If you click away from the Customization page without clicking Submit, your changes will not save.
    Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need. The new User Management entity in Email Template Wizard Customization can send administrators notifications when a new SSO account is created.

If you are using WS-Federation Services, please contact our Support Staff so they can create a configuration file.

To set up WS-Federation Services on Plutora, once the configuration file is created:

  1. Go to Settings > Customization.
  2. Click Login Settings.
  3. Click to select the Enable SSO Login checkbox to make the SSO Login button appear under the Plutora login form.
  4. Click to select the Use SAML Request checkbox.
  5. Click Submit.
    The yellow Your changes have been saved pop up opens and closes.
    If you click away from the Customization page without clicking Submit, your changes will not save.
    Users who log into Plutora for the first time using SSO are granted access that depends on the Requestor User Role. Administrators must update their account to give them the access they need. The new User Management entity in Email Template Wizard Customization can send administrators notifications when a new SSO account is created.

 

 
