Wiki source code of Single Sign-On (SSO) via SAML

Version 2.1 by Mark Kohlmann on 2025/05/09 19:59

version	line-number	content
1.1	1	ShowRunner version 4.0 adds support for Single Sign-On (SSO) using SAML. This capability allows ShowRunner to integrate with 3rd party authentication and authorization systems commonly used to unify access to corporate information systems.
	2
	3	==== Requirements: ====
	4
	5	* ShowRunner 4.0 or later
	6	* SSO License enabled in the processor's ShowRunner license
	7	* A 3rd party identity provider that supports SAML 2.0 (Okta, Microsoft EntraID, etc)
	8
	9	==== Features: ====
	10
	11	* Authenticate users using 3rd party identity provider which may support Multi-Factor Authentication
	12	* User authorization group mapped to ShowRunner group
	13	* Apply user's PIN code
	14	* Apply user's touchscreen access level: user or technician
	15	* Set how a user can login: username and/or PIN
	16	* Set where a user can login: touchpanel or web
	17
	18	==== SAML IdP Claim Mapping: ====
	19
	20	\|=Function\|=Attribute Name\|=Required\|=Expected Value\|=Sample Values\|=Notes
	21	\|User Id\|
	22
	23	{{{http://schemas.microsoft.com/identity/claims/objectidentifier}}}\|Y\|GUID or unique identifier within the IdP system\|
	24
	25	{{{101507cb-90da-473d-bfa7-9967979824e7
	26	00ab9c907defGhIJ1697}}}\|If a GUID is not returned then the value is hashed and converted to a GUID
	27	\|Username\|
	28
	29	{{{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier}}}\|Y\|username or email address\|
	30
	31	{{{john.doe
	32	jane.doe@example.com}}}\|
	33	\|Display Name\|
	34
	35	{{{http://schemas.microsoft.com/identity/claims/displayname}}}\|Y\|User's name
	36	Example: John\|
	37
	38	{{{John Doe}}}\|
	39	\|User Group\|
	40
	41	{{{http://schemas.microsoft.com/ws/2008/06/identity/claims/role}}}\|Y\|User's Group Name\|
	42
	43	{{{Administrators
	44
	45	End Users
	46
	47	General Users}}}\|Must match a ShowRunner User Group name
	48	\|PIN\|pin\|N\|User's passcode/PIN code for touchscreen\|
	49
	50	{{{123456}}}\|
	51	\|Touchscreen Access Level\|touchscreenAccessLevel\|N\|Access level for the user when access a touchscreen\|
	52
	53	{{{Valid Values:
	54	None, Technician, User
	55
	56	Example:
	57	Technician}}}\|
	58	\|Login Permitted\|userLoginPermitted\|N\|Locations where a user can login. Multiple values are supported\|
	59
	60	{{{Valid Values:
	61	None, Touchpanel, Web
	62
	63	Example:
	64	Touchpanel,Web}}}\|Comma separated listed of valid values
	65	\|Login Method\|userLoginMethod\|N\|How a user can login\|
	66
	67	{{{Valid Values:
	68	None, Username, PIN
	69
	70	Example:
	71	Username,PIN}}}\|Comma separated listed of valid values
	72
	73	==== Notes: ====
	74
	75	* Value mapping must be done on IdP side
	76	* A successful authentication with the IdP will add the user to ShowRunner's user database if they don't exist
	77	* User matches occurs based on the User Id, ensure that the User Id is unique within your IdP
	78	* All user values will be updated if they change within the IdP system
2.1	79	* Non-Required values that are not sent with the SAML assertion will not update the ShowRunner's users equivalent value
1.1	80
	81	==== Example Integrations: ====
	82
	83	* [[Microsoft Entra ID>>xwiki:SHOWRUNNER™ User Guide & Wiki.SHOWRUNNER™ Appendix.Single Sign-On (SSO) via SAML.Microsoft Entra ID.WebHome]]
	84	* [[Okta>>xwiki:SHOWRUNNER™ User Guide & Wiki.SHOWRUNNER™ Appendix.Single Sign-On (SSO) via SAML.Okta.WebHome]]