CAST Highlight SAML/SSO Integration with Identity Providers (IdP)

CAST Highlight supports SAML 2.0 which enables user authentication & role management from your Identity Provider (IdP).

To implement CAST Highlight user authentication using your SAML/SSO solution, please contact your CAST Professional Services representative who will coordinate the different required steps and actions depending on the IdP your organization uses.


CAST Highlight currently supports two deployment modes for SAML/SSO.


BASIC (User Authentication Management)

By default, SAML only manages the authentication of users. The other attributes (first name, last name, role) are managed through CAST Highlight’s interface.

Pros: The Portfolio Manager can manage user rights directly in the application (MANAGE PORTFOLIO > Manage Users).

Limitations: In this mode, users can only be created at the root-level domain of the company portfolio (i.e., users can’t be attached to a subdomain).

FULL (User Authentication & Permission Management)

This mode enables the customer to manage user information, authentication, CAST Highlight role and subdomain from their IdP (Identity Provider).

Pros: Nothing needs to be done on the CAST Highlight side; when the user logs in for the first time, everything is already configured and working properly.

This mode is the only way to manage the level of the portfolio (subdomain) to which the user is attached.

Limitations:

  • Modifications must be done on the customer side in the IdP (most of the time by the customer’s IT team) to add or change attribute values.
  • The user role “applicationContributor” cannot be directly managed through SAML and must be managed through the CAST Highlight portal.

SAML Glossary

  • Identity provider (IdP) = The service on the client side that manages SAML
  • Service provider (SP) = The Highlight application

SAML attributes (BASIC mode)

  • NameID (User Authentication claim): mandatory; value email@domain.com (String)

SAML attributes (FULL mode)

  • NameID (User Authentication claim): mandatory; value email@domain.com (String)
  • hl.firstname (User FirstName): optional; value FirstName (String)
  • hl.lastname (User LastName): optional; value LastName (String)
  • hl.role (User Role): optional; must contain one of these values:
      • portfolioManager
      • applicationContributor
      • domainContributor
      • resultViewer
  • hl.subdomain (Sub-Domain user access rights): optional; value (integer)

Note: the hl.subdomain attribute should not be present if the user is attached to multiple domains for the same portfolio.

Implementation (BASIC mode)

Step 1 (Customer): The customer must provide to CAST:

  • Their IdP (SAML Identity Provider) metadata file
  • Their Highlight root Company/Domain ID

Most of the time the SAML Entity_ID is the IdP URL “sts.company123.com”, but CAST will retrieve it from the IdP metadata file provided by the customer.

Default Claim (Mandatory):

  • NameID (required in the Subject of the SAML response message; must be the email)

Step 2 (CAST): CAST integrates the IDP_metadata file and the Company_ID in the system.

CAST will also provide the Service Provider (SP) metadata file to the customer.

The customer integrates it in its system to finalize the configuration.

Technical aspect

SAML secure hash algorithm = SHA-256

CAST will provide these URLs:

Login (Sign-on URL):
> https://{server}/saml/login/alias/<company123>

Assertion Consumer Service (ACS) or Audience:

> https://{server}/saml/SSO/alias/<company123>

Step 3 (Customer): The customer can test access to Highlight using the link provided by CAST (the one that contains “login”):
https://{server}/saml/login/alias/<company123>
Both IdP-initiated and SP-initiated flows are supported by CAST Highlight.

Implementation (FULL mode)

Step 1 (Customer): The customer must provide to CAST:

  • Their IdP (SAML Identity Provider) metadata file
  • Their Highlight root Company/Domain ID

Most of the time the Entity_ID is the IdP URL “sts.company123.com”, but CAST will retrieve it from the IdP metadata file provided.

Claim:

  • NameID (required in the Subject of the SAML response message; most of the time an email)

SAML attributes:

  • hl.firstname
  • hl.lastname
  • hl.role
  • hl.subdomain (the optional subdomain integer; when absent, all operations apply to the root domain)

Step 2 (Customer): The customer must send one of the four SAML values of the hl.role attribute.

How do our customers manage this value? Most of the time, the customer creates four AD/LDAP groups that are sent as the attribute *.

A user MUST be a member of only one role (one AD/LDAP group).

The role attribute is case sensitive *:

  • portfolioManager
  • applicationContributor
  • domainContributor
  • resultViewer

Step 3 (CAST): CAST integrates the IDP_metadata file and the Company_ID in the system, and provides the Service Provider (SP) metadata file to the customer.

The customer integrates it in its system to finalize the configuration (SAML secure hash algorithm = SHA-256).

CAST will provide these URLs:

Login (Sign-on URL):
> https://{server}/saml/login/alias/<company123>

Assertion Consumer Service (ACS) or Audience:

> https://{server}/saml/SSO/alias/<company123>

Step 4 (Customer): The customer can test access to Highlight using the link provided by CAST (the one that contains “login”):
https://{server}/saml/login/alias/<company123>
Both IdP-initiated and SP-initiated flows are supported by CAST Highlight.

* AD groups must contain the Highlight role (case sensitive):

Here is the regex pattern that controls the role in the AD group name provided to Highlight: “^.*(portfolioManager|applicationContributor|domainContributor|resultViewer).*$”
so that the customer can create a group like “gp.security.applicationHighlight.portfolioManager.users”.

Each user must be part of only one Highlight_role AD_group.
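Added example (not CAST’s own code): a Python sketch of the two checks an IdP or SP administrator would want for the attribute table and the AD-group rule above, namely deriving hl.role from group names with the page’s regex while rejecting users that sit in zero or several role groups, and parsing a SAML assertion into the NameID and hl.* values with the case-sensitive role check. The assertion, the user and the group names are constructed for the example; signature verification of the assertion is assumed to happen before this code runs.

```python
import re
import xml.etree.ElementTree as ET

# The four Highlight roles (case sensitive) and the page's regex, which finds one of them
# inside an AD/LDAP group name such as "gp.security.applicationHighlight.portfolioManager.users".
ROLES = ("portfolioManager", "applicationContributor", "domainContributor", "resultViewer")
ROLE_RE = re.compile(r"^.*(" + "|".join(ROLES) + r").*$")
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

def role_from_groups(groups):
    """Derive the hl.role value from AD/LDAP group names; a user must match exactly one role."""
    found = {m.group(1) for m in map(ROLE_RE.match, groups) if m}
    if len(found) != 1:
        raise ValueError(f"expected exactly one Highlight role group, found {sorted(found)}")
    return found.pop()

def highlight_attributes(assertion_xml):
    """Extract NameID and the hl.* attributes from a SAML 2.0 assertion (FULL mode).

    Assumes the SP has already verified the assertion's signature; this only checks
    that the values conform to the attribute table above.
    """
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id or "@" not in name_id:
        raise ValueError("NameID is mandatory and must be the user's email")
    attrs = {"NameID": name_id}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.findtext("saml:AttributeValue", namespaces=NS)
        if name in ("hl.firstname", "hl.lastname"):
            attrs[name] = value
        elif name == "hl.role":
            if value not in ROLES:  # case-sensitive: "PortfolioManager" is rejected
                raise ValueError(f"unknown hl.role value {value!r}")
            attrs[name] = value
        elif name == "hl.subdomain":
            attrs[name] = int(value)  # optional integer; absent means the root domain
    return attrs

# Constructed sample assertion (not captured from a real IdP) used to exercise the parser.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@company123.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="hl.firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.role"><saml:AttributeValue>domainContributor</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="hl.subdomain"><saml:AttributeValue>42</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

A user who is a member of two role groups, or whose group name carries the role in the wrong case, is rejected rather than silently mapped, which is the failure mode the “only one role group” rule above is meant to prevent.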

User Workflow

BASIC mode

IMPORTANT: Prior to connecting your user through SAML, please make sure this user (email address) is not attached to any portfolio on CAST Highlight’s server (e.g., already existing as a classic user in your current portfolio, or already existing in a sandbox environment, etc.).

As soon as a user connects to CAST Highlight by using a company SAML “login” URL (e.g., https://rpa.casthighlight.com/saml/login/alias/<company123>), the corresponding user is created in CAST Highlight with a “Connect Only” role, as no role is defined in the IdP.

This user will typically get the screen below.

To change a user’s role, follow these steps:

1. As this user is now created in CAST Highlight, the Portfolio Manager manually changes the role and, if needed, the domain of this user from MANAGE PORTFOLIO > Users & Apps. To do so, edit the user by clicking on the pencil icon.

2. A modal opens where you can specify the role and domain you want to associate this user with.

3. Click on “Save” to validate the role/domain change. The user is updated.

4. The next time this user connects through the SAML “login” URL (e.g., https://rpa.casthighlight.com/saml/login/alias/<company123>), they will have this new role and will be connected to the right domain.

Notes:

  • No email invitation is sent to the user
  • The user won’t be able to change their password, as this information is managed by your IdP

FULL mode

  • The user must already exist in the customer’s AD/LDAP
  • The user must have a CAST Highlight role defined (hl.role)
  • Every attribute should be provided by the customer’s IdP

Nothing more to do here. The IdP is the master of the data, as the SAML attributes always overwrite the user data stored in CAST Highlight.