AWS Single Sign-On (AWS SSO) Integration Guide for N2F Expense reports
Introduction
This document helps you configure AWS SSO to facilitate single sign-on (SSO) for N2F Expense reports using SAML.
Prerequisites
You’ll need the following to set up SSO access to N2F Expense reports:
- Access to the AWS SSO console with permissions to manage applications.
- An N2F Expense reports account with admin permissions to configure SAML SSO.
Setup instructions
- On the Configure page, in the Details section, fill in the Display name and the Description (optional) of the application.
Note
We suggest that you choose a unique display name if you plan to have more than one of the same application.
- Log in to your N2F Expense reports account as an administrator.
- Click Settings and choose Advanced Settings from the top of the screen.
- Select the Account Settings option from the left side menu.
- Under Account Settings, choose Authentication and add a new authentication method by choosing Add authentication method.
- For the field Name, provide a friendly name that helps you identify the identity provider.
- For the field Entity ID, paste the AWS SSO sign-in URL.
- Click Create to save the SAML configuration of the identity provider.
- For the field Metadata URL, paste the AWS SSO SAML metadata URL.
- Click Save to add the authentication mechanism.
- Go back to the AWS SSO console page where you are configuring the application.
- Under Application metadata, choose "If you don't have a metadata file, you can manually type your metadata values" to display the application metadata settings.
- Insert the following values:
Field | Value of the N2F Expense reports property |
---|---|
Application ACS URL | https://www.n2f.com/app/Saml2/Acs |
Application SAML audience | https://www.n2f.com/app/ |
- Choose Save Changes.
- Assign a user to the application in AWS SSO.
Verification
Use the following sections to verify the SSO integration.
Note
Ensure that the user performing the verification is logged out of both AWS SSO and the application before performing the steps in each section.
Verifying SSO from AWS SSO
- Access the AWS SSO end user portal using the credentials of a user assigned to the N2F Expense reports application.
- In the list of applications, choose N2F Expense reports to initiate a login to N2F Expense reports.
- If login was successful, you will be signed in to the N2F Expense reports account.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Verifying Service Provider Initiated SSO from N2F Expense reports
- Access https://www.n2f.com/app/.
- Choose login with SAML / SSO login. You will be redirected to the AWS SSO user portal.
- Type the credentials of a user assigned to the application in the AWS SSO console.
- Choose Sign In.
- On the N2F Expense reports home page, verify that both N2F Expense reports and AWS SSO are logged in with the same user.
Troubleshooting
If sign in was not successful, please see the troubleshooting steps.
Troubleshooting
Error | Issue | Solution |
---|---|---|
Other | When AWS SSO creates a SAML assertion for a user, it uses the value of the 'email' field (if present) from the connected directory to populate the 'Email' attribute in the SAML assertion. Many service providers expect these attributes to contain the user's email address. By default, your directory is configured to send 'windowsUPN' in both fields. | Your directory may be configured to hold the user's email in the 'Email' attribute instead. If so, you may need to change this in your connected directory settings. |
For general troubleshooting problems, please refer to the Troubleshooting Guide.
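When a login fails, the quickest check is to compare the decoded SAML Response AWS SSO actually sent against the two values entered in the application metadata table (Application ACS URL and Application SAML audience) and to confirm the 'Email' attribute from the troubleshooting row carries the user's mailbox address. The following checker is an added example written for this guide, not code from AWS or N2F; the sample Response, its IDs and the user jdoe@example.com are constructed placeholders, and XML signature validation is deliberately left to the service provider.

```python
import xml.etree.ElementTree as ET

# Values from the application metadata table in this guide.
EXPECTED_ACS_URL = "https://www.n2f.com/app/Saml2/Acs"
EXPECTED_AUDIENCE = "https://www.n2f.com/app/"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def check_saml_response(xml_text, expected_email=None):
    """Return a list of findings; empty means the decoded Response matches the
    guide's ACS URL and audience and carries a usable 'Email' attribute."""
    findings = []
    root = ET.fromstring(xml_text)
    dest = root.get("Destination")
    if dest != EXPECTED_ACS_URL:
        findings.append(f"Destination {dest!r} != ACS URL {EXPECTED_ACS_URL!r}")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != EXPECTED_ACS_URL:
        findings.append(f"Recipient {recipient!r} != ACS URL {EXPECTED_ACS_URL!r}")
    audience = root.findtext(".//saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != EXPECTED_AUDIENCE:
        findings.append(f"Audience {audience!r} != SAML audience {EXPECTED_AUDIENCE!r}")
    # Troubleshooting table: AWS SSO fills 'Email' from the directory's 'email'
    # field, which by default carries the windowsUPN rather than the mailbox.
    email = None
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == "Email":
            email = attr.findtext("saml:AttributeValue", namespaces=NS)
    if not email:
        findings.append("Assertion carries no 'Email' attribute")
    elif expected_email and email.lower() != expected_email.lower():
        findings.append(f"'Email' is {email!r}, expected {expected_email!r} (UPN sent instead?)")
    return findings

# Constructed, unsigned sample Response with placeholder IDs, for offline use only.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://www.n2f.com/app/Saml2/Acs"><saml:Assertion ID="_a1" Version="2.0">
 <saml:Subject><saml:NameID>jdoe@example.com</saml:NameID><saml:SubjectConfirmation
  Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
  Recipient="https://www.n2f.com/app/Saml2/Acs"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://www.n2f.com/app/</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
 <saml:Attribute Name="Email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
 </saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Feed it the base64-decoded SAMLResponse captured from the browser's POST to the ACS URL; every finding names the field to correct on either the AWS SSO or the N2F side.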
User Provisioning Types
There are two user provisioning types you need to be aware of:
- Preprovisioned users
Preprovisioned users means the users must already exist in the downstream SaaS application. For instance, you may need to create SaaS users with the same subject as the AD users.
- JIT users
JIT (or Just-In-Time) users means the users do not necessarily exist in the downstream SaaS application and will be provisioned/created/registered the first time the user federates. You may need to enable the JIT option in your SaaS application for the AD domain.