Single Sign-On (SSO) via SAML
ShowRunner version 4.0 adds support for Single Sign-On (SSO) using SAML. This capability allows ShowRunner to integrate with third-party authentication and authorization systems commonly used to unify access to corporate information systems.
Requirements:
- ShowRunner 4.0 or later
- SSO License enabled in the processor's ShowRunner license
- A third-party identity provider that supports SAML 2.0 (Okta, Microsoft Entra ID, etc.)
Features:
- Authenticate users using a third-party identity provider, which may support Multi-Factor Authentication
- User authorization group mapped to ShowRunner group
- Apply user's PIN code
- Apply user's touchscreen access level: user or technician
- Set how a user can log in: username and/or PIN
- Set where a user can log in: touchpanel or web
SAML IdP Claim Mapping:
Function | Attribute Name | Required | Expected Value | Sample Values | Notes |
---|---|---|---|---|---|
User Id | http://schemas.microsoft.com/identity/claims/objectidentifier | Y | GUID or unique identifier within the IdP system | 101507cb-90da-473d-bfa7-9967979824e7; 00ab9c907defGhIJ1697 | If a GUID is not returned then the value is hashed and converted to a GUID |
Username | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier | Y | Username or email address | john.doe; jane.doe@example.com | |
Display Name | http://schemas.microsoft.com/identity/claims/displayname | Y | User's name. Example: John | John Doe | |
User Group | http://schemas.microsoft.com/ws/2008/06/identity/claims/role | Y | User's Group Name | Administrators; End Users; General Users | Must match a ShowRunner User Group name |
PIN | pin | N | User's passcode/PIN code for touchscreen | 123456 | |
Touchscreen Access Level | touchscreenAccessLevel | N | Access level for the user when accessing a touchscreen | Valid Values: None, Technician, User. Example: Technician | |
Login Permitted | userLoginPermitted | N | Locations where a user can log in. Multiple values are supported | Valid Values: None, Touchpanel, Web. Example: Touchpanel,Web | Comma-separated list of valid values |
Login Method | userLoginMethod | N | How a user can log in | Valid Values: None, Username, PIN. Example: Username,PIN | Comma-separated list of valid values |
Notes:
- Value mapping must be done on IdP side
- A successful authentication with the IdP will add the user to ShowRunner's user database if they don't exist
- User matching is based on the User Id; ensure that the User Id is unique within your IdP
- All user values will be updated if they change within the IdP system
- Non-required values that are not sent with the SAML assertion will not be updated on the ShowRunner user
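
Because value mapping is done on the IdP side, it helps to lint the attributes from a test login against the claim mapping table before rolling SSO out. The following is an added example, not ShowRunner code or part of the original documentation. It assumes exact-case matching of the valid values, trims whitespace around comma-separated items, takes the ShowRunner group names as a set supplied by the administrator, and uses a hypothetical `build_statement` helper to construct sample input.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
MS = "http://schemas.microsoft.com/"
REQUIRED = {  # attribute names copied from the claim mapping table
    "User Id": MS + "identity/claims/objectidentifier",
    "Username": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "Display Name": MS + "identity/claims/displayname",
    "User Group": MS + "ws/2008/06/identity/claims/role",
}
ENUMS = {  # optional attribute -> (valid values, comma-separated list allowed)
    "touchscreenAccessLevel": ({"None", "Technician", "User"}, False),
    "userLoginPermitted": ({"None", "Touchpanel", "Web"}, True),
    "userLoginMethod": ({"None", "Username", "PIN"}, True),
}

def lint_attributes(statement_xml, showrunner_groups):
    """Return mapping problems in a SAML AttributeStatement (no signature checks)."""
    attrs = {}
    for a in ET.fromstring(statement_xml).iter(f"{{{SAML_NS}}}Attribute"):
        values = a.findall(f"{{{SAML_NS}}}AttributeValue")
        attrs[a.get("Name")] = [(v.text or "").strip() for v in values]
    problems = []
    for label, name in REQUIRED.items():
        if not any(attrs.get(name, [])):
            problems.append(f"missing required attribute: {label}")
    for group in attrs.get(REQUIRED["User Group"], []):
        if group and group not in showrunner_groups:
            problems.append(f"group not defined in ShowRunner: {group}")
    for name, (valid, is_list) in ENUMS.items():
        for raw in attrs.get(name, []):
            for item in (raw.split(",") if is_list else [raw]):
                if item.strip() not in valid:  # assumption: exact-case match
                    problems.append(f"{name}: invalid value {item.strip()!r}")
    return problems

def build_statement(attrs):
    """Hypothetical helper: build a constructed AttributeStatement for testing."""
    tmpl = '<saml:Attribute Name="{}"><saml:AttributeValue>{}</saml:AttributeValue></saml:Attribute>'
    body = "".join(tmpl.format(n, v) for n, v in attrs.items())
    return f'<saml:AttributeStatement xmlns:saml="{SAML_NS}">{body}</saml:AttributeStatement>'

# Constructed sample: Display Name missing, unknown group, bad login location.
SAMPLE = build_statement({
    REQUIRED["User Id"]: "101507cb-90da-473d-bfa7-9967979824e7",
    REQUIRED["Username"]: "jane.doe@example.com",
    REQUIRED["User Group"]: "Admins",
    "userLoginPermitted": "Touchpanel,Kiosk",
})
print(*lint_attributes(SAMPLE, {"Administrators", "End Users"}), sep="\n")
```

Run it only on attribute statements captured from your own IdP test logins. It checks the mapping, not the assertion's signature or validity.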