Last Updated/Verified : 1st September 2021
Download the ResourceXpress MetaData file
Before downloading the Metadata file, ensure you are accessing ResourceXpress via a routable URL. Do not download the file if you are browsing the application from its host server using “localhost”.
If your end users will be accessing ResourceXpress via a public/external URL, ensure you generate the file while browsing that URL, not the internal FQDN.
Log in to ResourceXpress as an application administrator.
Navigate to the SSO Settings tab on the System Settings page, under the Administration Settings menu header, and download the SPMetadata.xml file.
Keep hold of this file for a later step.
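Before uploading the file to PingOne, it is worth confirming that it was not generated from a localhost or internal session. The following check is an added example, not part of the ResourceXpress documentation; it assumes SPMetadata.xml is standard SAML 2.0 metadata carrying the ACS URL in an AssertionConsumerService element, and the function names and sample XML are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed sample: metadata as it might look when generated while browsing via localhost.
SAMPLE_LOCALHOST = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost/SsoConsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""
# Constructed sample: the same file generated from the public URL.
SAMPLE_PUBLIC = SAMPLE_LOCALHOST.replace("http://localhost", "https://company.rx-cloud.com")


def is_routable_host(host):
    """False for localhost, loopback/link-local/unspecified IPs and single-label names."""
    host = (host or "").lower().rstrip(".")
    if not host or host == "localhost" or host.endswith(".localhost"):
        return False
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." in host  # a dotless name only resolves inside the local network
    return not (ip.is_loopback or ip.is_link_local or ip.is_unspecified)


def check_sp_metadata(xml_text, expected_host=None):
    """Return a list of problems with the ACS endpoints in the SP metadata."""
    root = ET.fromstring(xml_text)  # file comes from your own ResourceXpress server
    locations = [el.get("Location", "")
                 for el in root.findall(".//md:AssertionConsumerService", MD_NS)]
    problems = [] if locations else ["no AssertionConsumerService element found"]
    for loc in locations:
        url = urlsplit(loc)
        if url.scheme != "https":
            problems.append(f"{loc}: not https")
        if not is_routable_host(url.hostname):
            problems.append(f"{loc}: host is not routable for end users")
        elif expected_host and url.hostname.lower() != expected_host.lower():
            problems.append(f"{loc}: host differs from the URL users browse to ({expected_host})")
    return problems
```

Pass the host name your end users actually browse to as `expected_host` to catch a file generated from the internal FQDN instead of the public URL.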
Configure an Application in PingOne
Log in to your PingOne admin console using your unique environment URL.
In the desired environment, navigate to Connections - Applications and click the icon to add a new Application.
Under New Application select WEB APP
Select Configure for the SAML connection type
Under Create App Profile provide an Application Name e.g. RX SaaS and optionally add a description and logo file.
Under Configure SAML select the option Import Metadata then click Choose File. Upload the SPMetaData.xml file obtained in Step 1.
ACS URLs
The initial ACS URL will be populated automatically when the SPMetaData file is uploaded. This will be in the format https://rxserver.domain.com/SsoConsumer
PingOne also requires some additional ACS URLs in order to accept the redirects to features such as Kiosk, Maps, and Mobile App use. The table below lists the required ACS URLs with the expected format.
Table 1.0 - ACS URLs
The URLs below are case sensitive and should be added exactly as formatted, replacing only the RX URL and the ID number where applicable.
Feature | ACS URL Required | Examples |
---|---|---|
Admin Console | https://<RXurl>/SsoConsumer?r=%2f | https://company.rx-cloud.com/SsoConsumer?r=%2f |
Kiosk | https://<RXurl>/SsoConsumer?r=%2fkiosk%2f%3fID%3d1 | For a system with 3x Kiosk profiles with ID numbers 1 to 3, the below additional ACS URLs would be required |
Maps | https://<RXurl>/SsoConsumer?r=%2fMaps%2f%3fID%3d1 | For a system with 3x Map profiles with ID numbers 1 to 3, the below additional ACS URLs would be required |
Mobile App | https://<RXurl>/SsoConsumer?r=%2f%3fma%3d1 | https://company.rx-cloud.com/SsoConsumer?r=%2f%3fma%3d1 |
The remaining options in the Configure SAML section can be left with the default values.
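Because the ACS URLs are case sensitive and one is needed per Kiosk and Map profile, it helps to generate the list and compare it with what is configured in PingOne. The following is an added example, not part of the ResourceXpress documentation; the function names and the sample list are constructed for illustration. Python's `quote()` emits uppercase escapes such as `%2F`, so the helper lowercases them to match Table 1.0.

```python
import re
from urllib.parse import quote


def encode_redirect(path):
    """Percent-encode a redirect path with lowercase hex, as written in Table 1.0."""
    encoded = quote(path, safe="")  # "/kiosk/?ID=1" -> "%2Fkiosk%2F%3FID%3D1"
    return re.sub(r"%[0-9A-F]{2}", lambda m: m.group(0).lower(), encoded)


def required_acs_urls(rx_host, kiosk_ids=(), map_ids=()):
    """Build the initial ACS URL plus every Table 1.0 URL for one RX host."""
    base = f"https://{rx_host}/SsoConsumer"
    redirects = ["/"]                                     # Admin Console
    redirects += [f"/kiosk/?ID={i}" for i in kiosk_ids]   # one per Kiosk profile
    redirects += [f"/Maps/?ID={i}" for i in map_ids]      # one per Map profile
    redirects.append("/?ma=1")                            # Mobile App
    return [base] + [f"{base}?r={encode_redirect(r)}" for r in redirects]


def audit_acs_urls(configured, rx_host, kiosk_ids=(), map_ids=()):
    """Report required URLs that are missing or differ only by case, and extras."""
    required = required_acs_urls(rx_host, kiosk_ids, map_ids)
    configured = [u.strip() for u in configured]
    lowered = {u.lower(): u for u in configured}
    report = {"missing": [], "case_mismatch": [], "unexpected": []}
    for url in required:
        if url in configured:
            continue
        if url.lower() in lowered:
            report["case_mismatch"].append((lowered[url.lower()], url))
        else:
            report["missing"].append(url)
    required_lower = {u.lower() for u in required}
    report["unexpected"] = [u for u in configured if u.lower() not in required_lower]
    return report


# Constructed sample: ACS URLs copied out of a PingOne application for review.
CONFIGURED_SAMPLE = [
    "https://company.rx-cloud.com/SsoConsumer",
    "https://company.rx-cloud.com/SsoConsumer?r=%2F",              # wrong case
    "https://company.rx-cloud.com/SsoConsumer?r=%2fkiosk%2f%3fID%3d1",
    "https://company.rx-cloud.com/SsoConsumer?r=%2fkiosk%2f%3fID%3d2",
    "https://company.rx-cloud.com/SsoConsumer?r=%2f%3fma%3d1",
    "https://old-host.example/SsoConsumer",                        # stale entry
]
```

Entries reported under `unexpected` are worth removing, since every ACS URL is a destination to which PingOne will deliver assertions for this application.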
SAML Attributes
The below shows the required attribute mappings that must be added before enabling SSO in RX.
The table below details all available attributes, including optional values that can be mapped to user accounts during an SSO event.
To continue with the setup, please ensure that the Required attributes are mapped. Once verified, click Save and Close.
Table 1.1 - Attribute Mappings
PingOne User Attribute | Application Attribute | Required |
---|---|---|
Given Name | | Required |
Family Name | | Required |
Email Address | | Required |
RFID (must be created and populated in PingOne) | | Optional |
Access Code (must be created and populated in PingOne) | | Optional |
RX Default Location (must be created and populated in PingOne) | The ID number for the Location that the user will have default access to. This requires a single Location ID value. To get the Location ID number, navigate to the location edit screen: Administration Settings → System Settings → Locations, then select the Edit button for the correct location. | Optional |
RX Allowed Location (must be created and populated in PingOne) | A comma-separated list of Location ID numbers that the user has access to. If more than 1 location is required, separate the ID values with a comma ( , ). To get the Location ID number, navigate to the location edit screen: Administration Settings → System Settings → Locations, then select the Edit button for the correct location. | Optional |
Date Format (must be created and populated in PingOne) | The date format for the user. | Optional |
RX Roles (must be created and populated in PingOne) | A comma-separated list of Role ID numbers. If more than 1 role is required, separate the ID values with a comma ( , ). The default role ID values are as below. To get the Role ID number for any custom Roles, navigate to the Role edit screen: User Management → Roles, then select the Edit button for the correct role. | Optional |
The PingOne application has now been configured.
User Access
By default, PingOne will grant access to the application to all users in the environment. To restrict access to specific users and groups, you will need to edit the application's Access settings.
Once you add specific users and/or groups, access to RX will be restricted to only those users.
The application is not enabled by default. To enable access via SSO, toggle the button at the top of the application settings page, which is highlighted in the above image.
Download the SP Metadata File
Under the Configuration section click the Download button to download the PingOne SP Metadata file. This file is required for the next step.
Configuring SAML App in ResourceXpress
The final step is to upload the XML file we downloaded earlier to ResourceXpress.
You will need an existing Server/Super Admin account in ResourceXpress.
The email address for this account will need to match an allowed user in PingOne.
Upload
Navigate to the SSO Settings tab, which can be found on the System Settings page, under the Administration Settings menu.
Click Choose file alongside IDP Metadata and find the saml2-metadata-idp.xml file that was downloaded previously.
Then click Upload.
The correct details will be auto-populated into the URL and Authenticating Authority fields.
Auto-create Users
When using SSO, by default all users will be granted the role User.
This will allow them to view the Booking Manager page only. To give users access to more features in ResourceXpress, they will need to exist as a user in the ResourceXpress local database.
Ticking the option Auto create user records from SSO will automatically add new users to the ResourceXpress user database when they sign in for the first time. These users can then be granted more access to the system and be assigned RFID and Access Code values.
When a user's account is auto-created in ResourceXpress, an email confirming this will be sent to them. Included in this email will be a randomly generated password that can be used for the upcoming mobile app.
Sync user details
This option was added in v1.5.1
This option allows user details such as Access Code and RFID to be synchronized with the ResourceXpress user database, keeping these details up to date each time a user signs in.
Disabling this option allows Admin users to modify these details manually in ResourceXpress.
Enabling SSO
Once all the above steps have been completed, click the Save button.