Single Sign-On (SSO) via SAML
Last modified by Mark Kohlmann on 2025/05/10 00:45
ShowRunner version 4.0 adds support for Single Sign-On (SSO) using SAML. This capability allows ShowRunner to integrate with 3rd party authentication and authorization systems commonly used to unify access to corporate information systems.
Requirements:
- ShowRunner 4.0 or later
- SSO License enabled in the processor's ShowRunner license
- A 3rd party identity provider that supports SAML 2.0 (Okta, Microsoft Entra ID, etc.)
Features:
- Authenticate users using a 3rd party identity provider, which may support Multi-Factor Authentication
- User authorization group mapped to ShowRunner group
- Apply user's PIN code
- Apply user's touchscreen access level: user or technician
- Set how a user can login: username and/or PIN
- Set where a user can login: touchpanel or web
SAML IdP Claim Mapping:
Function | Attribute Name | Required | Expected Value | Sample Values | Notes
---|---|---|---|---|---
User Id | http://schemas.microsoft.com/identity/claims/objectidentifier | Y | GUID or unique identifier within the IdP system | 101507cb-90da-473d-bfa7-9967979824e7; 00ab9c907defGhIJ1697 | If a GUID is not returned then the value is hashed and converted to a GUID
Username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Y | Username or email address | john.doe; jane.doe@example.com |
Display Name | http://schemas.microsoft.com/identity/claims/displayname | Y | User's name | John Doe |
User Group | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Y | User's group name | Administrators; End Users; General Users | Must match a ShowRunner User Group name
PIN | pin | N | User's passcode/PIN code for touchscreen | 123456 |
Touchscreen Access Level | touchscreenAccessLevel | N | Access level for the user when accessing a touchscreen | Valid values: None, Technician, User. Example: Technician |
Login Permitted | userLoginPermitted | N | Locations where a user can login; multiple values are supported | Valid values: None, Touchpanel, Web. Example: Touchpanel,Web | Comma-separated list of valid values
Login Method | userLoginMethod | N | How a user can login; multiple values are supported | Valid values: None, Username, PIN. Example: Username,PIN | Comma-separated list of valid values
Notes:
- Value mapping must be done on the IdP side
- A successful authentication with the IdP will add the user to ShowRunner's user database if they don't exist
- User matching is based on the User Id; ensure that the User Id is unique within your IdP
- All user values will be updated if they change within the IdP system
- Non-required values that are not sent with the SAML assertion will not update the equivalent value on the ShowRunner user
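The following is an added illustration, not ShowRunner's own code, of how the claim mapping table and the notes above fit together: required claims are enforced, a non-GUID User Id is hashed into a GUID, the group must match a known ShowRunner group, comma-separated attributes are validated against their valid values, and optional attributes that were not sent are left out so the stored value is not overwritten. The field names, the `map_claims`/`normalise_user_id` functions and the SHA-256 hashing are assumptions for this example; the page does not state which hash ShowRunner uses.

```python
import hashlib
import uuid
# Claim names from the ShowRunner mapping table above.
CLAIM_USER_ID = "http://schemas.microsoft.com/identity/claims/objectidentifier"
CLAIM_USERNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
CLAIM_DISPLAY_NAME = "http://schemas.microsoft.com/identity/claims/displayname"
CLAIM_GROUP = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"
REQUIRED = {"user_id": CLAIM_USER_ID, "username": CLAIM_USERNAME,
            "display_name": CLAIM_DISPLAY_NAME, "group": CLAIM_GROUP}
# Optional claims: (attribute name, allowed values or None, comma-separated list?)
OPTIONAL = {
    "pin": ("pin", None, False),
    "touchscreen_access_level": ("touchscreenAccessLevel", {"None", "Technician", "User"}, False),
    "login_permitted": ("userLoginPermitted", {"None", "Touchpanel", "Web"}, True),
    "login_method": ("userLoginMethod", {"None", "Username", "PIN"}, True),
}

def normalise_user_id(raw):
    """Return a GUID string; a non-GUID User Id is hashed into one. SHA-256 truncated
    to 16 bytes is an assumed stand-in for ShowRunner's undocumented hashing."""
    try:
        return str(uuid.UUID(raw))
    except ValueError:
        return str(uuid.UUID(bytes=hashlib.sha256(raw.encode()).digest()[:16]))

def map_claims(attrs, known_groups):
    """Turn SAML assertion attributes into ShowRunner user field updates. Required claims
    must be present; optional claims that were not sent are omitted (no overwrite)."""
    missing = [uri for uri in REQUIRED.values() if uri not in attrs]
    if missing:
        raise ValueError("missing required claims: " + ", ".join(missing))
    user = {field: attrs[uri] for field, uri in REQUIRED.items()}
    user["user_id"] = normalise_user_id(user["user_id"])
    if user["group"] not in known_groups:
        raise ValueError("no ShowRunner user group named %r" % user["group"])
    for field, (name, allowed, is_list) in OPTIONAL.items():
        if name not in attrs:
            continue  # non-required and not sent: keep the value already stored
        values = [v.strip() for v in attrs[name].split(",")] if is_list else [attrs[name]]
        bad = [v for v in values if allowed is not None and v not in allowed]
        if bad:
            raise ValueError("invalid %s value(s): %s" % (name, ", ".join(bad)))
        user[field] = values if is_list else values[0]
    return user

# Constructed sample assertion attributes (not captured from a real IdP).
SAMPLE_ATTRS = {CLAIM_USER_ID: "00ab9c907defGhIJ1697", CLAIM_USERNAME: "jane.doe@example.com",
                CLAIM_DISPLAY_NAME: "Jane Doe", CLAIM_GROUP: "Administrators",
                "userLoginPermitted": "Touchpanel,Web", "userLoginMethod": "Username,PIN"}
```

Calling `map_claims(SAMPLE_ATTRS, {"Administrators", "End Users"})` yields a GUID-form user id, `login_permitted == ["Touchpanel", "Web"]`, and no `pin` key, since the sample sends none.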