The authentication options module allows users to decide how to access Cavisson product UI. With multiple options to support, these authentication options are integral in terms of organizations' wanting to either have native authentication or integrate it with an existing SSO provider (Okta, PingID, LDAP) to ensure seamless access to Cavisson's platform. Three different authentication options are provided:

1. Native: Allows platform access to users created via Access Management.
2. SAML: Provides access to users using the credentials stored in your organization's identity store that has been configured with a SAML Identity Provider.

Notes:

1. Adding new authentication options requires access to the right set of permissions under the Admin > Access Management module
2. At a time either SAML or LDAP can be enabled.

Native:

Users created from within the Cavisson platform are categorized as Native users. This is enabled by default i.e. even though you may select SAML or LDAP for your authentication option, the Native option stays active and cannot be disabled.

You can create users via the Users tab and assign them the required roles via the Group/Roles capabilities. This section also shows the number of users created from within the Cavisson platform.

SAML:

SAML (Security Assertion Markup Language) is a widely used Single Sign-On (SSO) protocol that allows users to log into applications using their organization's existing identity provider (IdP), such as Okta, PingID etc.

Instead of creating and managing separate login credentials for each tool, SAML enables secure authentication by redirecting users to their organization's login portal. Once authenticated, the user is granted access to the product without needing a separate user to be created.

SAML Configuration

• Authenticate with a SAML 2.0 provider of your choosing: Enable this to implement SAML-based Single Sign-On (SSO).
• Sign On URL :- The Sign On URL is the SSO endpoint provided by your Identity Provider (IdP), where the application will redirect users to log in (e.g., https://10.10.70.57:7901/saml/sso). Follow the below steps to retrieve the Sign on URL from:
  • Okta
    • Log in to the Okta Admin Console.
    • Navigate to Applications > Select your SAML Application.
    • Click on the Sign On tab.
    • Scroll down to the SAML Settings section.
    • Click View Setup Instructions.
    • Look for the field labeled Single Sign-On URL or SSO URL.
  • PingID
    • Log in to the PingOne Admin Console or PingFederate.
    • Navigate to Connections > Applications (or Identity Providers).
    • Select the SAML application you're configuring.
    • Look for the SSO URL, SingleSignOnService, or Sign On Endpoint in the SAML configuration or metadata.
    • Example: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2
• Issuer :- The Issuer, also known as the Entity ID, is a unique identifier that represents your IdP and is used by the application to verify the authenticity of SAML responses. Follow the below steps to retrieve the Issuer ID from:
  • Okta :- Log into Okta Admin Console.
    • Navigate to Applications select your SAML app.
    • Go to the Sign On tab.
    • Click View Setup Instructions (or scroll to the SAML Settings summary).
    • Look for the field labeled Issuer or Identity Provider Issuer.
    • Example :- https://your-okta-domain.okta.com
  • PingID :- Log into your Ping Identity Admin Console (PingOne or PingFederate).
    • Navigate to the SAML Connections or Applications section.
    • Select the specific SAML application you're configuring.
    • Locate the field labeled Issuer, Entity ID, or IdP ID in the SAML metadata or connection details.
    • Example: https://sso.connect.pingidentity.com/sso/idp/SSO.saml2
• Default Group :- The user group that newly authenticated users will be added to. By default, the Standard group is assigned to the imported users. The standard group consists of Read only permission. To change the permission of the imported users, go to Users and select the appropriate group that you want to map to them.
• Metadata Certificate :- The Metadata Certificate is a security certificate (typically in .crt or .pem format) provided by your IdP, used to verify the digital signature in SAML assertions and ensure that the responses are securely signed and trusted. Following are the steps to get the metadata certificate from:
  • Okta
    • Log in to your Okta Admin Console.
    • Go to Applications and select the SAML app you created.
    • Click the Sign On tab.
    • Under Settings, click View Setup Instructions.
    • Find the Identity Provider metadata link (typically near the bottom).
    • Open the link in a browser — this will show the metadata XML.
  • PingID
    • Log in to the PingOne Admin Console or PingFederate.
    • Navigate to Connections > Applications or Identity Providers, depending on setup.
    • Select the relevant SAML connection.
    • Look for a section labeled Metadata or Download Metadata.
    • Download the IdP metadata XML file.
• Upload: Click to browse and upload a new metadata certificate file from your system
• View Icon: Click to preview the contents of the uploaded certificate file.useful for verifying the certificate before saving.
• Save: Save to apply the SAML configuration.
• Cancel: Cancel to discard changes.
• Update: Saves the newly uploaded certificate and applies it to your SAML configuration.