By Clay Li on Friday, 20 March 2020
Category: Feature

How to Setup SAML SSO (Single-Sign-On) in Calem

Customers can choose a single sign on (SSO) solution available in Calem including LDAP; and SAMLThe LDAP authentication is performed behind scenes from Calem to LDAP servers. It is a choice for Calem Services behind firewalls.

SAML performs sign-sign-on from the ID providers. It is a good choice for SSO over the internet.

1. Install SimpleSAMLphp

Calem uses SimpleSAMLphp (https://simplesamlphp.org) to implement a service provider (SP) for SAML SSO. The first step is to download and install SimpleSAML from https://simplesamlphp.org/docs/stable/simplesamlphp-install.

Next, configure the SimpleSAML site. If you work with Apache, set up the "samplesaml" site per instruction below.


2. SP and IdP Setup

Calem acts as a service provider (SP) in the SAML schema. The authentication authority is the Id Provider (IdP). SP and IdP need to be configured so they recognize each other and can work together. See the reference doc of https://simplesamlphp.org/docs/stable/simplesamlphp-sp.

The first step is to obtain the metadata of your IdP. It is an XML file and can be obtained from your IdP organization. Use the file to set up the remote IdP at your server (the SP).

Next, prepare the metadata of your SP and provide to your IdP organization. The first step is to enable a certification for your SP – see "1.1 Enabling a certificate for your Service Provider" at https://simplesamlphp.org/docs/stable/simplesamlphp-sp.

Next, sign into your simplesaml site and view its Federation tab to view your SP metadata in xml. For example, your metadata xml file is at https://acme.calemeam.com/simplesaml/module.php/saml/sp/metadata.php/default-sp?output=xhtml.

3. Calem Setup

Once you have completed the setup of your SP and IdP in the sections above, you may proceed to setting up Calem to use SimpleSAML to perform SAML SSO with your IdP. For example, your simpleSAMlphp is installed at '/srv/www/simplesamlphp', add the following lines to your Calem_Home/server/conf/calem.custom.php to enable SAML SSO and provide the full path of the loader file for SimpleSAMLphp.

You may also configure the attribute name (if different from the default) for username returned by the IdP after a user is authenticated. Its default value is 'UserId':

 4. Login with SAML

When you launch your Calem Ajax Web client, the login screen shows the language option. Click "Login" button to launch SAML authentication.

​The IdP (ID Provider) will show a screen to enter username and password. The following is a sample screen of SSO Circle as the IdP. Enter your user name and password to authenticate with the IdP. Once your account is authenticated, your user name is used to continue the login process into Calem.

For instance, if you have more than one ACL profile configured. Calem will prompt you to pick a profile to complete the login. 


Additional resources