CAST Highlight SAML/SSO Integration with Identity Providers (IdP)
CAST Highlight supports SAML 2.0 which enables user authentication & role management from your Identity Provider (IdP).
To implement CAST Highlight user authentication using your SAML/SSO solution, please contact your CAST Professional Services representative who will coordinate the different required steps and actions depending on the IdP your organization uses.
| | BASIC (User Authentication Management) | FULL (User Authentication & Permission Management) |
|---|---|---|
| Scope | By default, SAML only manages the authentication of users. The other attributes (First name, Last name, Role) are managed through CAST Highlight's interface. | This mode lets the customer manage user information, authentication, the CAST Highlight role and the subdomain from their IdP (Identity Provider). It is the only way to manage the level of the portfolio (subdomain) to which the user is attached. |
| Pros | The Portfolio Manager can manage the user rights directly in the application (MANAGE PORTFOLIO > Manage Users). | Nothing needs to be done on the CAST Highlight side; when the user logs in for the first time, everything is already configured and works properly. |
| Limitations | In this mode the user can only be created at the root-level domain of the company portfolio (i.e., users can't be attached to a subdomain). | |
- Identity provider (IdP) = the client-side service that manages SAML
- Service provider (SP) = the CAST Highlight application
SAML attributes (Basic mode)

| IdP manages | Attribute name | SAML Basic | Value (type) |
|---|---|---|---|
| User Authentication (Claim) | NameID | Mandatory | email@domain.com (String) |

SAML attributes (Full mode)

| IdP manages | Attribute name | SAML Full | Value (type) |
|---|---|---|---|
| User Authentication (Claim) | NameID | Mandatory | email@domain.com (String) |
| User FirstName | hl.firstname | Optional | FirstName (String) |
| User LastName | hl.lastname | Optional | LastName (String) |
| User Role | hl.role | Optional | Must contain one of these four values (case sensitive): portfolioManager, applicationContributor, domainContributor, resultViewer (String) |
| Sub-Domain User access rights | hl.subdomain | Optional | (integer). Note: the hl.subdomain attribute should not be present if the user is attached to multiple domains of the same portfolio. |
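The attribute contract above can be checked on the service-provider side before a user record is created. The following is an added example, not CAST Highlight's own code: a hypothetical validator that reads a constructed SAML 2.0 assertion fragment (signature, conditions and audience omitted, since only the attribute mapping is illustrated), requires the NameID claim, and in FULL mode applies the hl.* rules from the tables: single-valued attributes, a case-sensitive hl.role drawn from the four allowed values, and an integer hl.subdomain that is refused when several values are present. The sample assertion, the `build_profile`/`is_rejected` helper names and the BASIC/FULL switch are assumptions made for the example.

```python
"""Check a SAML 2.0 assertion against the CAST Highlight attribute contract.

Hypothetical SP-side validation (not CAST's code): NameID is mandatory,
hl.firstname / hl.lastname / hl.role / hl.subdomain are optional, hl.role must
be one of four case-sensitive values and hl.subdomain must be a single integer.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The four role values accepted in hl.role (matched case-sensitively).
HL_ROLES = {"portfolioManager", "applicationContributor",
            "domainContributor", "resultViewer"}

# Constructed sample assertion: signature, conditions and audience are omitted
# because only the attribute mapping is illustrated here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sts.company123.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@domain.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="hl.firstname"><saml:AttributeValue>FirstName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.lastname"><saml:AttributeValue>LastName</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.role"><saml:AttributeValue>portfolioManager</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.subdomain"><saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(assertion_xml: str) -> dict:
    """Extract NameID and every hl.* attribute (name -> list of values)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID claim is mandatory in both Basic and Full modes")
    attrs = {}
    for attr in root.findall("./saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name", "")
        if name.startswith("hl."):
            attrs[name] = [v.text.strip()
                           for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
    return {"NameID": name_id.text.strip(), "attributes": attrs}


def _single(attrs: dict, name: str) -> str:
    """Return the one value of an attribute; several values violate the contract."""
    values = attrs[name]
    if len(values) != 1:
        raise ValueError(f"{name} must carry exactly one value, got {values}")
    return values[0]


def build_profile(parsed: dict, mode: str = "FULL") -> dict:
    """Return the user record Highlight would create from the assertion.

    BASIC: only the e-mail is taken from SAML; name, role and domain are
    managed in the Highlight UI.  FULL: hl.* attributes are applied and
    validated against the attribute table.
    """
    profile = {"email": parsed["NameID"]}
    if mode == "BASIC":
        return profile
    attrs = parsed["attributes"]
    for key in ("hl.firstname", "hl.lastname"):
        if key in attrs:
            profile[key] = _single(attrs, key)
    if "hl.role" in attrs:
        role = _single(attrs, "hl.role")
        if role not in HL_ROLES:  # case-sensitive by design
            raise ValueError(f"unknown hl.role {role!r}; expected one of {sorted(HL_ROLES)}")
        profile["hl.role"] = role
    if "hl.subdomain" in attrs:
        # Several values here usually means the user belongs to several domains of
        # the same portfolio, where the attribute must be omitted entirely.
        sub = _single(attrs, "hl.subdomain")
        if not sub.isdigit():
            raise ValueError(f"hl.subdomain must be an integer, got {sub!r}")
        profile["hl.subdomain"] = int(sub)
    return profile


def is_rejected(assertion_xml: str, mode: str = "FULL") -> bool:
    """True when the assertion violates the contract (handy for negative checks)."""
    try:
        build_profile(parse_assertion(assertion_xml), mode)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_profile(parse_assertion(SAMPLE_ASSERTION)))
    print(build_profile(parse_assertion(SAMPLE_ASSERTION), "BASIC"))
```

Running the script prints the FULL-mode profile (e-mail, names, role and subdomain) and then the BASIC-mode profile, which carries only the e-mail; a mis-cased role such as "PortfolioManager" is rejected in FULL mode but ignored in BASIC mode, matching the table where Basic only consumes NameID.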
Implementation (Basic mode)

| Step # | Who | What | Comments |
|---|---|---|---|
| 1 | Customer | The customer must provide to CAST the IdP metadata file and the Company_ID. Default claim (mandatory): NameID (the user's e-mail address). | Most of the time the SAML Entity_ID is the IdP URL (e.g., "sts.company123.com"), but CAST will retrieve it from the IdP metadata file provided by the customer. |
| 2 | CAST | CAST integrates the IdP metadata file and the Company_ID in the system and provides the Service Provider (SP) metadata file to the customer. The customer integrates it in its own system to finalize the configuration. Technical aspect: SAML secure hash algorithm = SHA-256. | CAST will provide these URLs: Login (Sign-on URL): https://{server}/saml/login/alias/<company123>; Assertion Consumer Service (ACS) or Audience: https://{server}/saml/SSO/alias/<company123> |
| 3 | Customer | The customer can test access to Highlight using the link provided by CAST (the one that contains "login"): https://{server}/saml/login/alias/<company123> | Both IdP-initiated and SP-initiated flows are supported by CAST Highlight. |
Implementation (Full mode)

| Step # | Who | What | Comments |
|---|---|---|---|
| 1 | Customer | The customer must provide to CAST the IdP metadata file and the Company_ID. Claim (mandatory): NameID (the user's e-mail address). SAML attributes: hl.firstname, hl.lastname, hl.role, hl.subdomain (see the Full-mode attribute table above). | Most of the time the Entity_ID is the IdP URL (e.g., "sts.company123.com"), but CAST will retrieve it from the IdP metadata file provided. |
| 2 | Customer | The customer must send one of the four SAML values of the hl.role attribute. The role attribute is case sensitive*: portfolioManager, applicationContributor, domainContributor, resultViewer. | How do our customers manage this value? Most of the time the customer creates four AD/LDAP groups that are sent as an attribute*. A user MUST be a member of only one role (one AD/LDAP group). |
| 3 | CAST | CAST integrates the IdP metadata file and the Company_ID in the system and provides the Service Provider (SP) metadata file to the customer. The customer integrates it in its own system to finalize the configuration (SAML secure hash algorithm = SHA-256). | CAST will provide these URLs: Login (Sign-on URL): https://{server}/saml/login/alias/<company123>; Assertion Consumer Service (ACS) or Audience: https://{server}/saml/SSO/alias/<company123> |
| 4 | Customer | The customer can test access to Highlight using the link provided by CAST (the one that contains "login"): https://{server}/saml/login/alias/<company123> | Both IdP-initiated and SP-initiated flows are supported by CAST Highlight. |
* Here is the regex pattern that controls the role in the AD group name provided to Highlight: "^.*(portfolioManager|applicationContributor|domainContributor|resultViewer).*$"
The role keyword may therefore appear anywhere in the group name, so the customer can create a group such as "gp.security.applicationHighlight.portfolioManager.users".
Each user must be a member of only one Highlight_role AD_group.
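The pattern above is applied on the IdP side to turn group membership into the hl.role attribute. The following is an added example, not CAST's or any IdP vendor's code: a hypothetical helper that runs the page's regex over a user's group list, enforces the exactly-one-role-group rule from step 2, and keeps the match case-sensitive so that a mis-cased group name (which Highlight would not recognise) is reported instead of silently producing no role. The group names in SAMPLE_USERS are constructed for the example and the function names are assumptions.

```python
"""Derive hl.role from a user's AD/LDAP group names with the regex shown above.

Hypothetical IdP-side helper (not CAST's code): it applies the page's pattern
to each group, requires exactly one role group per user and keeps the match
case-sensitive, so mis-cased group names are reported rather than silently
dropped.
"""
import re

# Pattern quoted on the page; the role keyword may sit anywhere in the group name.
ROLE_GROUP_RE = re.compile(
    r"^.*(portfolioManager|applicationContributor|domainContributor|resultViewer).*$")


def role_groups(groups):
    """Return [(group, role)] for every group whose name carries a Highlight role."""
    hits = []
    for group in groups:
        m = ROLE_GROUP_RE.match(group)
        if m:
            hits.append((group, m.group(1)))
    return hits


def resolve_hl_role(groups):
    """Return the single hl.role value to emit, or raise ValueError.

    Zero matches means hl.role would be absent from the assertion; several
    matches violate the one-role-group-per-user rule.
    """
    hits = role_groups(groups)
    if not hits:
        raise ValueError("no Highlight role group found; hl.role would be missing")
    if len(hits) > 1:
        raise ValueError("user is in several Highlight role groups: "
                         + ", ".join(g for g, _ in hits))
    return hits[0][1]


def check_user(groups):
    """Report ('ok', role) or ('error', reason) for one user's group list."""
    try:
        return ("ok", resolve_hl_role(groups))
    except ValueError as exc:
        return ("error", str(exc))


# Constructed sample memberships (not taken from a real directory).
SAMPLE_USERS = {
    "jane": ["gp.security.applicationHighlight.portfolioManager.users", "gp.it.vpn.users"],
    "john": ["gp.security.applicationHighlight.resultViewer.users",
             "gp.security.applicationHighlight.domainContributor.users"],  # two roles
    "mary": ["gp.security.applicationHighlight.PortfolioManager.users"],  # wrong case
    "omar": ["gp.it.vpn.users"],  # no Highlight role group at all
}

if __name__ == "__main__":
    for user, groups in SAMPLE_USERS.items():
        print(user, check_user(groups))
```

Only "jane" resolves cleanly to portfolioManager; "john" is flagged for holding two role groups, "mary" because the capitalised "PortfolioManager" never matches the case-sensitive pattern, and "omar" because no group names a role, which is the case where a Full-mode user would arrive without hl.role.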
User Workflow
This user will typically get the screen below.
To change a user's role, follow the steps below:
1. As this user now exists in CAST Highlight, the Portfolio Manager manually changes the role and, if needed, the domain of this user from MANAGE PORTFOLIO > Users & Apps. To do so, edit the user by clicking the pencil icon.
2. A modal opens where you can specify the role and domain you want to associate with this user.
3. Click "Save" to validate the role/domain change. The user is updated.
4. The next time this user connects through the SAML "login" URL (e.g., https://rpa.casthighlight.com/saml/login/alias/<company123>), they will have the new role and will be connected to the right domain.
- No e-mail invitation is sent to the user.
- The user won't be able to change their password, as this information is managed by your IdP.
- The user must already exist in the customer's AD/LDAP.
- The user must have a CAST Highlight role defined (hl.role).
- Every attribute should be provided by the customer's IdP.
Nothing more to do here. The IdP is the master of the data, as the SAML attributes always overwrite the user data stored in CAST Highlight.