Configure an authentication method

Use the Authentication page to select and configure an authentication method to verify the identity of anyone who wants to connect to Calabrio ONE. Calabrio ONE supports three methods of authentication: Default Calabrio ONE Authentication, SAML Authentication, and Active Directory Authentication. On the Authentication page, you can configure and enable the default authentication method and the SAML authentication method. You can enable and configure the Active Directory authentication method only for on-premises deployments of Calabrio ONE on the Active Directory Configuration page, located under Application Management > Global > System Configuration > Active Directory Configuration.

NOTE   Both the system administrator and the tenant administrator can configure SAML authentication for a particular tenant. If both administrators configure tenant-level SAML authentication for a particular tenant, Calabrio ONE uses the most recent configuration.
If your system administrator enables system-wide SAML authentication, the tenant-level SAML authentication settings are overridden.

Calabrio ONE allows for mixed-mode authentication. This means you can enable multiple user-authentication methods simultaneously.

Prerequisites

You must have tenant permissions to configure and enable authentication.

Before you configure SAML authentication, configure an identity provider (IdP) that supports SAML 2.0. When you configure the IdP, make sure you record the Issuer ID, the Single Sign On URL, and the Identity Provider Certificate and then store this data in an easy-to-access location. You use this information when you configure SAML authentication.

NOTE   Select and configure Okta or Active Directory Federation Services (ADFS) as your identity provider to authenticate user names and passwords for Calabrio ONE (the service provider).

Page location

Application Management > Global > Administration > Authentication

Procedures

You can use the Authentication page to enable/disable Calabrio ONE authentication or to enable/disable and configure SAML authentication.

Enable authentication

Calabrio ONE authentication is enabled by default.

  1. Select the authentication method you want to enable.
    With Calabrio ONE you can enable multiple user-authentication methods simultaneously.
  2. Click Save.

Disable authentication

  1. Select the authentication method you want to disable.
    One authentication method must be enabled before you can click Save. To disable Calabrio ONE Authentication, you must first select SAML Authentication.
  2. Click Save.

Configure SAML authentication using Okta as the IdP

Before performing this procedure, verify that you have configured Okta as the IdP. See.

  1. Select Enable SAML Authentication.
  2. In the Identity Provider section, use the data you collected when you configured Okta as your IdP to configure the following fields.
    1. Enter a unique name for this IdP configuration in the NAME field.
    2. Enter the ISSUER ID. Paste the URL from the Identity Provider Issuer field in Okta.
    3. Enter the SINGLE SIGN ON URL. Paste the URL from the Identity Provider Single Sign-On URL field on Okta.

      NOTE   This URL is provided by the IdP and is not the same as the Single Sign On URL supplied by Calabrio ONE under Service Provider.

    4. Import the IDENTITY PROVIDER CERTIFICATE.
      • Click Import, and then select the certificate that you downloaded from the X.509 Certificate field in Okta.
      • (Optional) Click Export to export an existing certificate.
      • (Optional) Click View Details to view the details of the certificate.
  3. (Optional) In the Service Provider section, perform the following steps. Okta does not require a service provider certificate or private key.

    NOTE   Calabrio ONE is the service provider, and the Authentication URL, Entity ID, and Single Sign On URL are read-only fields.

    1. Select Use Tenant Name in Entity ID to prepend the name of the tenant to the tenant’s public host name in the Entity ID.
    2. Select the SAML Signature Algorithm.
    3. Select the SAML Digest Algorithm.
    4. (Optional) To opt out of signing the SAML token, clear the Sign SAML Response check box.
    5. Import the SERVICE PROVIDER CERTIFICATE. You can use the default global certificate provided by Calabrio ONE (cloud deployments only) or upload a self-managed certificate and private key.
      • Import — Navigate to the self-managed service provider certificate that you want to import into Calabrio ONE.
      • Export — Exports your current service provider certificate.
      • View Details — Shows the details of the current service provider certificate: Issuer, Subject, Start Date, and End Date.
      • Export Metadata — Exports the metadata for the current service.
    6. Import the PRIVATE KEY. This is the private key for a self-managed service provider certificate.

  4. Click Save.

Configure SAML Authentication using ADFS as the IdP

Before performing this procedure, verify that you have configured ADFS as the IdP.

  1. Select Enable SAML Authentication.
  2. In the Identity Provider section, use the data you collected when you configured ADFS as your IdP to configure the following fields.
    1. Enter a unique name for this IdP configuration in the NAME field.
    2. Enter the ISSUER ID. This is normally structured in the following way: https://<Active Directory domain name>/adfs/services/trust
    3. Enter the SINGLE SIGN ON URL. This is normally structured in the following way: https://<Active Directory domain name>/adfs/ls

      NOTE   This URL is provided by the IdP and is not the same as the Single Sign On URL supplied by Calabrio ONE under Service Provider.

    4. Import the IDENTITY PROVIDER CERTIFICATE.
      • Under Identity Provider Certificate, click Import.
      • Navigate to the identity provider certificate you exported when you configured ADFS, and then select it.
      • Click Open.
      • (Optional) Click Export to export an existing certificate.
      • (Optional) Click View Details to view the details of the certificate.
  3. In the Service Provider section, perform the following steps:

    NOTE   Calabrio ONE is the service provider, and the Authentication URL, Entity ID, and Single Sign On URL are read-only fields.

    1. (Optional) Select Use Tenant Name in Entity ID to prepend the name of the tenant to the tenant’s public host name in the Entity ID.
    2. Select the SAML Signature Algorithm.
    3. Select the SAML Digest Algorithm.
    4. (Optional) To opt out of signing the SAML token, clear the Sign SAML Response check box.
    5. Import the SERVICE PROVIDER CERTIFICATE. You can use the default global certificate provided by Calabrio ONE (cloud deployments only) or upload a self-managed certificate and private key.
      • Import — Navigate to the self-managed service provider certificate that you want to import into Calabrio ONE.
      • Export — Exports your current service provider certificate.
      • View Details — Shows the details of the current service provider certificate: Issuer, Subject, Start Date, and End Date.
      • Export Metadata — Exports the metadata for the current service.
    6. Import the PRIVATE KEY. This is the private key for a self-managed service provider certificate.

  4. Click Save.
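
The following Python pre-flight check is an added example, not Calabrio or Microsoft code. It validates the Issuer ID, Single Sign On URL, and Identity Provider Certificate recorded from ADFS before they are entered in the Identity Provider section. The helper name, the host adfs.example.test, the placeholder certificate bytes, and the assumption that the certificate was exported as a single PEM (Base-64) file are all illustrative.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def check_idp_settings(issuer_id, sso_url, cert_pem, sp_sso_url=None):
    """Hypothetical helper: return (problems, sha256 fingerprint of the certificate)."""
    problems = []
    issuer, sso = urlsplit(issuer_id.strip()), urlsplit(sso_url.strip())
    # Shapes this page gives for ADFS: .../adfs/services/trust and .../adfs/ls
    if issuer.path.rstrip("/") != "/adfs/services/trust":
        problems.append("issuer id path is not /adfs/services/trust")
    if sso.scheme != "https":
        problems.append("single sign on url is not https")
    if sso.path.rstrip("/") != "/adfs/ls":
        problems.append("single sign on url path is not /adfs/ls")
    if issuer.hostname != sso.hostname:
        problems.append("issuer id and single sign on url use different hosts")
    # The page's NOTE: the IdP URL differs from the Service Provider Single Sign On URL.
    if sp_sso_url and sso_url.strip().rstrip("/") == sp_sso_url.strip().rstrip("/"):
        problems.append("single sign on url is the service provider url, not the IdP url")
    blocks = PEM_BLOCK.findall(cert_pem)
    if any("PRIVATE KEY" in label for label, _ in blocks):
        problems.append("file contains a private key; the IdP certificate is public only")
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(certs) != 1:  # assumption: one signing certificate per IdP configuration
        problems.append(f"expected one certificate, found {len(certs)}")
        return problems, None
    der = base64.b64decode("".join(certs[0].split()))
    # Fingerprint to compare out of band with the certificate the IdP administrator exported.
    return problems, hashlib.sha256(der).hexdigest()

# Constructed sample input: placeholder host and placeholder bytes, not a real certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END CERTIFICATE-----\n")
SAMPLE_ISSUER = "https://adfs.example.test/adfs/services/trust"
SAMPLE_SSO = "https://adfs.example.test/adfs/ls"

if __name__ == "__main__":
    print(check_idp_settings(SAMPLE_ISSUER, SAMPLE_SSO, SAMPLE_PEM))
```

An empty problem list means the three values have the expected shape; the returned fingerprint still has to be compared with the one computed on the IdP side.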