
This feature was added in v1.4. The full release notes for this version: v1.4, v1.4HF1 - July 2019.

This guide covers how to configure a custom SAML app in Azure AD for Single Sign-On use with ResourceXpress.

An Azure AD Premium subscription is required for this feature.

Create a SAML App in Azure AD

Navigate to the Azure portal (https://portal.azure.com/) using an Administrator account.

Select Azure Active Directory from the left navigation panel, then Enterprise applications.

Next, click New application, then choose Non-gallery application. Fill in an appropriate name, for example RX SaaS SSO, then click Add.

After adding this new application, navigate to Single sign-on, then choose SAML.

Configure the Entity ID & ACS URL

Click the Edit icon for section 1.

You will be prompted for an Identifier (Entity ID) and a Reply URL (Assertion Consumer Service URL).
The Entity ID is the root address of your ResourceXpress server, that is, the URL used to access the ResourceXpress admin console via a browser.

Your RX URL is usually https://<company>.rx-cloud.com.
In this example the URL of the ResourceXpress server is https://app.rx.com.

The ACS URL is the same URL as above with /SsoConsumer added to the end.

https:// is required at the beginning of the URL.

Once added, click Save at the top of this pop-up.

Configure User Attributes

Name & Email Address (required)

Next, click the Edit icon for section 2.

From here we will add the values ResourceXpress requires to retrieve users' names and email addresses.

From this screen, click Add new claim.

Three new claims need to be added. See the table below for the required Name and Source attribute values.

Name        Source attribute
email       user.mail
firstname   user.givenname
lastname    user.surname

Do not include the full schema address
(i.e. http://schemas.xmlsoap.org/ws/2005/05/identity/claims/<claimname>) in the name.

After clicking Save for each new claim, the User Attributes & Claims list will be updated with the new values.

The default claim names and their values can stay as is and there is no need to delete them.

RFID & Access Code (optional)

This requires Auto create user records from SSO to be enabled.

In addition to synchronising user details, it is also possible to retrieve other attributes from Azure Active Directory, which can be used to populate the Access Code and RFID values in the ResourceXpress local user database.

To configure this you will need to add two more claims. See the table below for the details to use.

Name         Source attribute
rfid         optional
accesscode   optional

These values will be synced with the ResourceXpress database each time a user signs in to ResourceXpress via a browser.

Once the required values have been added click the X found in the top right of this section to return to the SSO configuration.
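The settings from the two sections above can be checked against a sign-in response captured from a test login. The following is an added example, not ResourceXpress or Microsoft code: check_response and SAMPLE are hypothetical names, the response is constructed, and the check assumes Azure AD places the Reply URL in Destination and the Identifier in Audience. It does not verify the assertion signature.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SCHEMA = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED = ("email", "firstname", "lastname")

# Constructed sample: a decoded SAML response in which the "lastname" claim
# was mistakenly created with the full schema address in its name.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://app.rx.com/SsoConsumer">
<saml:Assertion><saml:Conditions><saml:AudienceRestriction>
  <saml:Audience>https://app.rx.com</saml:Audience>
</saml:AudienceRestriction></saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="email">
    <saml:AttributeValue>a.user@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname">
    <saml:AttributeValue>Alex</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/lastname">
    <saml:AttributeValue>User</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def check_response(xml_text, entity_id):
    """List configuration problems in a decoded SAML response (no signature check)."""
    root = ET.fromstring(xml_text)
    problems = []
    acs_url = entity_id.rstrip("/") + "/SsoConsumer"  # ACS URL = Entity ID + /SsoConsumer
    if not entity_id.startswith("https://"):
        problems.append("Entity ID must start with https://")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination is {root.get('Destination')}, expected {acs_url}")
    audiences = [a.text for a in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience {audiences} does not include {entity_id}")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", "", NS)
             for a in root.iterfind(".//saml:Attribute", NS)}
    for claim in REQUIRED:
        if attrs.get(claim, "").strip():
            continue  # short-named claim present with a value
        if SCHEMA + claim in attrs:
            problems.append(f"claim '{claim}' uses the full schema address as its name")
        else:
            problems.append(f"claim '{claim}' is missing or empty")
    return problems

if __name__ == "__main__":
    for problem in check_response(SAMPLE, "https://app.rx.com"):
        print("FAIL:", problem)
```

The default Azure AD claims, which carry full schema names, are ignored by this check, matching the note above that they can stay in place.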

Download the Federation Metadata XML

The next step is to download the Federation Metadata XML file found in section 3.
This file will be uploaded to ResourceXpress later, see Upload.

User Access

Before any users can access ResourceXpress, they will need to be added to the allowed users list for this SAML application.

To add users or groups, select Users and groups from the left menu.

From here, click Add user. You will then be able to add individual users or groups.

In this example, we are adding a user group called RXSaaSSSO.
All users of this group will be able to access ResourceXpress using SSO.

After you have added all your required users and groups click Assign.

Be sure to add yourself before moving to the next step.

Configuring SAML App in ResourceXpress

The final step is to upload the XML file we downloaded earlier to ResourceXpress.

You will need an existing Server/Super Admin account in ResourceXpress.
The email address for this account will need to match an allowed user in Azure AD.

Upload

Navigate to the SSO Settings tab. This can be found on the System Settings page, under the Administration Settings menu.

Click Choose file alongside IDP Metadata and find the XML file that was downloaded in the earlier step, Download the Federation Metadata XML.
Then click Upload.

The correct details will be auto-populated into the URL and Authenticating Authority fields.

Auto-create Users

When using SSO, by default all users will be granted the role User.
This will allow them to view the Booking Manager page only. To give users access to more features in ResourceXpress, they will need to exist as a user in the ResourceXpress local database.

Ticking the option Auto create user records from SSO will automatically add new users to the ResourceXpress user database when they sign in for the first time. These users can then be granted more access to the system and be assigned RFID and Access Code values.

When a user's account is auto-created in ResourceXpress, an email confirming this will be sent to them. Included in this email will be a randomly generated password that can be used for the upcoming mobile app.

Sync user details

This option was added in v1.5.1.

This option allows user details such as Access Code and RFID to be synchronized with the ResourceXpress user database. This keeps these details up to date each time a user signs in using SSO.

Disabling this option allows Admin users to modify these details manually in ResourceXpress.

Enabling SSO

Once all the above steps have been completed, click the Save button.

Now any user that has been added to the allowed users list for the SAML application in Azure Active Directory will be able to sign in to your ResourceXpress site.