What it's about
SAML stands for Security Assertion Markup Language. Its primary role in online security is to let you access multiple web applications with one set of login credentials. It works by passing authentication information in a standard format between two parties, usually an identity provider (IDP) and a web application (in our case, XCALLY).
The technology industry created SAML to simplify authentication where users need to access multiple, independent web applications across domains. Prior to SAML, single sign-on (SSO) was achievable but relied on cookies that were only viable within the same domain. SAML achieves this objective by centralizing user authentication with an identity provider. Web applications can then leverage SAML via the identity provider to grant access to their users. This SAML authentication approach means users do not need to remember multiple usernames and passwords. It also benefits service providers as it increases the security of their own platform, primarily by avoiding the need to store (often weak and insecure) passwords and by removing the need to handle forgotten-password issues.
How to set up
To activate the login with SAML on XCALLY, you need to:
A. Configure XCALLY Server
B. Enable SAML XCALLY connection in XCALLYIDP
C. Enable SAML login for Administrator, Users and Agents
Join the XCALLY server to the domain
As a requirement of the integration, the XCALLY server must be joined to the Active Directory domain.
Configure XCALLY Server
Follow these steps to configure the XCALLY server:
Use SSH to connect to your XCALLY server
Login with root user
Install required packages for joining to Active Directory (AD) domain
```bash
apt -y install realmd libnss-sss libpam-sss sssd sssd-tools adcli samba-common-bin oddjob oddjob-mkhomedir packagekit
```
After a successful installation you can proceed to discover the Active Directory domain: the realm discover command returns the complete domain configuration and the list of packages that must be installed for the system to be enrolled in the domain
```bash
realm discover <domain name>
```
An Active Directory administrative user account is required to integrate your XCALLY machine with the Windows Active Directory domain. Check and confirm the Active Directory admin account and password, then join the domain:
```bash
realm join -U <user> domain.name
```
Set the SAML strings that activate the connection between XCALLY and the IDP:
```
XC_SAML_ENTRYPOINT   -> Identity Provider (IDP) entrypoint
XC_SAML_CERT         -> IDP's public signing certificate
XC_SAML_ISSUER       -> Issuer string to retrieve from the IDP
XC_SAML_LOGOUT_URL   -> IDP Single Logout (optional)
```
Enable Active Directory connection in XCALLY
To use Active Directory login, you need to add Active Directory settings on XCALLY.
Retrieve Active Directory configuration
Ask the Active Directory administrator for the following properties:
Property | Description |
---|---|
url | Active Directory server to connect to, e.g. ldap://ad.example.com |
baseDN | The root DN from which all searches will be performed, e.g. dc=example,dc=com. |
domain | Domain of email address, e.g. example.com |
Configure Active Directory in XCALLY
Follow these steps to configure the Active Directory:
Use SSH to connect to your XCALLY server
Login with motion user
```bash
su - motion
```
Open /var/opt/motion2/.env and edit the following properties (add them if they do not exist)
```bash
XC_ACTIVEDIRECTORY_BASE_DN='<baseDN>'
XC_ACTIVEDIRECTORY_URL='<url>'
XC_ACTIVEDIRECTORY_DOMAIN='<domain>'
```
Stop motion application (with root privileges)
```bash
service motion stop
```
Initialize environment variables
```bash
cd /var/opt/motion2
npm run initialize
```
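Before restarting motion it is worth sanity-checking the SAML strings and the Active Directory properties written to .env above. The following is an added example, not part of the XCALLY product or this page: it parses a constructed .env fragment using the variable names documented here and flags the mistakes that most often break or weaken the integration (missing keys, a non-HTTPS IDP entrypoint, a certificate value that is not a DER certificate, an LDAP URL without TLS, a malformed base DN). The certificate value and hostnames are placeholders; the checks assume XC_SAML_CERT holds a base64 (optionally PEM-wrapped) X.509 certificate.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample of /var/opt/motion2/.env using the keys this page documents.
# The cert body is a placeholder (base64 of an empty DER SEQUENCE), not a real IdP certificate.
SAMPLE_ENV = """
XC_SAML_ENTRYPOINT='https://idp.example.com/sso/saml'
XC_SAML_CERT='MAA='
XC_SAML_ISSUER='https://idp.example.com/metadata'
XC_ACTIVEDIRECTORY_URL='ldap://ad.example.com'
XC_ACTIVEDIRECTORY_BASE_DN='dc=example,dc=com'
XC_ACTIVEDIRECTORY_DOMAIN='example.com'
"""

def parse_env(text):
    """Parse KEY='value' / KEY=value lines into a dict; blank and comment lines are skipped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env

def check_env(env):
    """Return a list of findings for the SAML and AD settings; empty means they look sane."""
    findings = []
    for key in ("XC_SAML_ENTRYPOINT", "XC_SAML_CERT", "XC_SAML_ISSUER"):
        if not env.get(key):
            findings.append(f"{key} is missing or empty")
    if urlparse(env.get("XC_SAML_ENTRYPOINT", "")).scheme != "https":
        findings.append("XC_SAML_ENTRYPOINT must use https so the SAML exchange is not sent in clear text")
    # Strip PEM armour and whitespace, then require base64 that decodes to a DER SEQUENCE (tag 0x30).
    cert = re.sub(r"-----[A-Z ]+-----|\s", "", env.get("XC_SAML_CERT", ""))
    try:
        der = base64.b64decode(cert, validate=True)
        if not der or der[0] != 0x30:
            findings.append("XC_SAML_CERT does not decode to a DER X.509 certificate")
    except ValueError:
        findings.append("XC_SAML_CERT is not valid base64")
    ad_scheme = urlparse(env.get("XC_ACTIVEDIRECTORY_URL", "")).scheme
    if ad_scheme not in ("ldap", "ldaps"):
        findings.append("XC_ACTIVEDIRECTORY_URL must be an ldap:// or ldaps:// URL")
    elif ad_scheme == "ldap":
        findings.append("XC_ACTIVEDIRECTORY_URL uses plain ldap://; prefer ldaps:// so binds are encrypted")
    if not re.fullmatch(r"[a-z]+=[^,]+(,[a-z]+=[^,]+)*", env.get("XC_ACTIVEDIRECTORY_BASE_DN", ""), re.I):
        findings.append("XC_ACTIVEDIRECTORY_BASE_DN should be a DN such as dc=example,dc=com")
    return findings
```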
Enable SAML login for Administrator, Users and Agents
Enable login in General Settings
Login with SAML must be enabled under Settings → General:
Users and Agents will be able to connect to XCALLY using SAML identity provider credentials.
Info: Staff emails on XCALLY must be identical to the staff emails registered on the SAML identity provider.
Login for XCALLY users
On the Login page, the button Login with SAML is available:
Clicking on Login with SAML, XCALLY Users are redirected to the identity provider portal.
After entering their credentials on the provider portal, the XCALLY interface opens as usual.
If so configured, from the second login on, each time Users click on Login with SAML they access XCALLY directly, without entering credentials again.