Single Sign-on (SSO) Setup
Part 1: Use Schedule Xpress to enter IdP Metadata
For this step, you will need the URL for your IdP's metadata XML. This depends on which IdP you are using. Part 2 below explains where to find the metadata URL for various IdPs.
- Log in to Schedule Xpress as a user with admin privileges
- Go to Settings → Single sign on (if you don't see this option, your user ID does not have admin privileges; contact your admin or Celayix Support at support@celayix.com)
- Paste your IdP metadata URL into the Metadata URL field
- Copy the URL in the Celayix metadata URL field; you will need this to set up your IdP with Celayix SSO
- Click save.
- After a success message, check that the information in the additional fields that have appeared is correct
- If you get an error while saving, try pasting your metadata URL into your browser's URL bar. If it doesn't display/download an XML file, you might have the wrong URL. Here's a sample URL from a Celayix Test IdP: https://ssodev.celayix.com/federationmetadata/2007-06/federationmetadata.xml
Part 2: Specific instructions for an IdP Vendor
Microsoft Active Directory Federation Services (ADFS)
A. Locating your IdP federation metadata
Your metadata URL should be something like: https://your-domain.example.com/federationmetadata/2007-06/federationmetadata.xml
Replace your-domain.example.com with the actual domain name where Active Directory (either Azure or Windows AD) is publicly accessible on the Internet.
If you have restricted access by IP address, please contact Celayix Support for the IP address specific to your instance.
B. Create an entry in your IdP for Celayix
- Go to your ADFS configuration window, select "Add Relying Party Trust..." in the Actions panel
- On the first page of the Wizard, ensure Claims aware is selected and click Start
- Paste the Celayix metadata URL from step 4 of Part 1 above into the Federation metadata address field and click Next
- Click Next
- Give your entity a suitable Display Name, like "Celayix Workforce Management" and click Next
- Choose an appropriate Access Control Policy for your use case
  - If all Active Directory users in your domain have accounts in Celayix platform, you can use the Permit everyone rule
  - For more control over who will have access to the Celayix platform portal, use Permit specific group and select a group that only contains users with accounts in all Celayix applications - Schedule Xpress, Time Xpress, Team Xpress.
- Once an Access Control Policy has been chosen, click Next
- Review the information in the Ready to Add Trust page and click Next
- On the finish page, click Close
C. Configure Claim Issuance Policy rules for Celayix
- Right click the Relying Party Trust that was created above and select Edit Claim Issuance Policy...
- Click Add Rule...
- Select Transform an Incoming Claim from the dropdown and click Next
- Give your claim rule a name
- From the Incoming claim type dropdown select UPN, from the Outgoing claim type dropdown select Name ID
- The Outgoing name ID format dropdown should become enabled, select Email from this dropdown
- Click Finish
- Click Apply to save your Claim Issuance Policy rules
OneLogin
A. Locating your IdP federation metadata
The metadata URL changes for every app configured in OneLogin. Complete step B below (Create an entry in your IdP for Celayix), then return here.
- Log in to OneLogin as an administrator
- Click Administration in the title bar
- Click Apps in the title bar
- Select the app you configured below
- Select the SSO tab for this app
- The metadata for your app is in the Issuer URL field, copy it to paste into Schedule Xpress
B. Create an entry in your IdP for Celayix
- Log in to OneLogin as an administrator
- Click Administration in the title bar
- Click Apps in the title bar
- Click the ADD APP button just below the title bar
- In the search bar type SAML Test Connector
- Click the option SAML Test Connector (IdP)
- In the Display Name field give your entry a descriptive name
- Click Save in the top right
in the top right - If you haven't already done so, you can now perform step A. Locating your IdP federation metadata