Wiki source code of Single Sign-On (SSO) via SAML

Version 3.1 by Mark Kohlmann on 2025/05/10 00:25

version	line-number	content
1.1	1	ShowRunner version 4.0 adds support for Single Sign-On (SSO) using SAML. This capability allows ShowRunner to integrate with 3rd party authentication and authorization systems commonly used to unify access to corporate information systems.
	2
	3	==== Requirements: ====
	4
	5	* ShowRunner 4.0 or later
	6	* SSO License enabled in the processor's ShowRunner license
	7	* A 3rd party identity provider that supports SAML 2.0 (Okta, Microsoft EntraID, etc)
	8
	9	==== Features: ====
	10
	11	* Authenticate users using 3rd party identity provider which may support Multi-Factor Authentication
	12	* User authorization group mapped to ShowRunner group
	13	* Apply user's PIN code
	14	* Apply user's touchscreen access level: user or technician
	15	* Set how a user can login: username and/or PIN
	16	* Set where a user can login: touchpanel or web
	17
	18	==== SAML IdP Claim Mapping: ====
	19
	20	\|=Function\|=Attribute Name\|=Required\|=Expected Value\|=Sample Values\|=Notes
3.1	21	\|User Id\|
1.1	22
	23	{{{http://schemas.microsoft.com/identity/claims/objectidentifier}}}\|Y\|GUID or unique identifier within the IdP system\|
	24
3.1	25	{{{101507cb-90da-473d-bfa7-9967979824e7 00ab9c907defGhIJ1697}}}\|If a GUID is not returned then the value is hashed and converted to a GUID
1.1	26
3.1	27	\|Username\|
	28
1.1	29	{{{http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier}}}\|Y\|username or email address\|
	30
3.1	31	{{{john.doe jane.doe@example.com}}}\|
1.1	32
3.1	33	\|Display Name\|
	34
1.1	35	{{{http://schemas.microsoft.com/identity/claims/displayname}}}\|Y\|User's name
	36	Example: John\|
	37
	38	{{{John Doe}}}\|
	39
3.1	40	\|User Group\|
	41
1.1	42	{{{http://schemas.microsoft.com/ws/2008/06/identity/claims/role}}}\|Y\|User's Group Name\|
	43
3.1	44	{{{Administrators End Users General Users}}}\|Must match a ShowRunner User Group name
1.1	45
3.1	46	\|PIN\|pin\|N\|User's passcode/PIN code for touchscreen\|
1.1	47
	48	{{{123456}}}\|
	49
3.1	50	\|Touchscreen Access Level\|touchscreenAccessLevel\|N\|Access level for the user when access a touchscreen\|
1.1	51
3.1	52	{{{Valid Values: None, Technician, User Example: Technician}}}\|
1.1	53
3.1	54	\|Login Permitted\|userLoginPermitted\|N\|Locations where a user can login. Multiple values are supported\|
1.1	55
3.1	56	{{{Valid Values: None, Touchpanel, Web Example: Touchpanel,Web}}}\|Comma separated listed of valid values
1.1	57
3.1	58	\|Login Method\|userLoginMethod\|N\|How a user can login\|
1.1	59
3.1	60	{{{Valid Values: None, Username, PIN Example: Username,PIN}}}\|Comma separated listed of valid values
1.1	61
	62	==== Notes: ====
	63
	64	* Value mapping must be done on IdP side
	65	* A successful authentication with the IdP will add the user to ShowRunner's user database if they don't exist
	66	* User matches occurs based on the User Id, ensure that the User Id is unique within your IdP
	67	* All user values will be updated if they change within the IdP system
2.1	68	* Non-Required values that are not sent with the SAML assertion will not update the ShowRunner's users equivalent value
1.1	69
	70	==== Example Integrations: ====
	71
	72	* [[Microsoft Entra ID>>xwiki:SHOWRUNNER™ User Guide & Wiki.SHOWRUNNER™ Appendix.Single Sign-On (SSO) via SAML.Microsoft Entra ID.WebHome]]
	73	* [[Okta>>xwiki:SHOWRUNNER™ User Guide & Wiki.SHOWRUNNER™ Appendix.Single Sign-On (SSO) via SAML.Okta.WebHome]]