SAML SSO Configuration

This process configures VoiceConsole On Prem deployment to use SAML-based single sign on.

SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between an Identity Provider and a Service Provider, and is used to offer a single sign-on service.

  • Service Provider - In this instance, it is VoiceConsole On Prem deployment.
  • Identity Provider - The identity provider creates, maintains, and manages the identity information for users and provides user authentication to service providers.

SAML is the only supported SSO type. Other types such as federation are not currently supported.

Enable SAML SSO During Installation

This option must be selected during VoiceConsole On Prem deployment installation.

This option is only available during new installations of VoiceConsole On Prem deployment. SAML cannot be configured during an upgrade installation.

Configure SAML

The following process builds the trust between the Identity Provider (IDP) server and VoiceConsole On Prem deployment.

  1. Configure the IDP as follows:
    1. SSO URL: https://<hostname>:<port>/VoiceConsole/j_spring_security_check
      • Use http rather than https if appropriate
    2. entityID: com:honeywell:voiceconsole:sp (By default)
    3. Attributes: The SAML Response should include a custom SAML Attribute named UserID (case specific). This attribute may be unique or mapped to any other user profile value such as email address, username, etc.

The UserID value must match a user name created in VoiceConsole: users are mapped and managed by the VoiceConsole application and are not restricted by any other SAML attributes.

      New installations may require a database query to update a default user to match accordingly.

Disabling a user in VoiceConsole does not prevent that user from logging in through SAML. To remove the mapping, delete the user, or temporarily change the username so that the SAML mapping no longer matches.

      SQL Query
      UPDATE "VOC_USER" SET password = '$2a$12$LJaP0jW9V5l4upx30k/46uOTimYTfQYEkxkO7bfcJAA78y2W1Qk/O', enabled = 1, changePwd = 0, currentSite = -1, failedLoginAttempt = 0, failedLoginAttemptTime = NULL WHERE name = 'vocollect';

      UPDATE "VOC_USER" SET NAME='talkman@honeywell.com' WHERE NAME='vocollect';
      • The first query resets the default ‘vocollect’ account to the desired state for a clean remap. In the second query, replace talkman@honeywell.com with the desired UserID value.
      • If desired, after additional accounts are created, this vocollect account can be remapped back to default to allow for both admin and vocollect to be used with the Talkman Startup Tool. Otherwise, only the default ‘admin’ user can be used for profile loading.
  2. Copy the SAML metadata file from the IDP server to the VoiceConsole On Prem deployment installation directory as follows:
    1. Create a directory named idp-meta at <VoiceConsole installation directory>\Vocollect\VoiceConsole\tomcat\webapps\VoiceConsole.
    2. Copy the SAML metadata file of the IDP server to the directory created above.
    3. Rename file to idp-meta.xml.
    4. Restart the VoiceConsole On Prem deployment service.
  3. Generate the VoiceConsole On Prem deployment SAML metadata file.
    1. Download it from the following URL: <protocol>://<VoiceConsole DNS>/VoiceConsole/saml/metadata/meta.action
  4. Configure the VoiceConsole On Prem deployment SAML metadata file in the IDP server.

    Ensure that UserID is configured to be sent as an attribute in the assertion.
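The following Python script is an added illustration of the checks an operator would want to run before restarting the service after steps 1 through 4; it is not Honeywell code and is not part of this documentation. It verifies that the file placed as idp-meta.xml is SAML 2.0 Identity Provider metadata, that a SAML Response carries an attribute named exactly UserID (the case-specific name required above), and that the attribute value matches a VOC_USER row. The metadata, the response and the user rows are constructed samples; the script performs no signature validation and is a configuration sanity check, not an authentication step.

```python
"""Pre-deployment sanity checks for the SAML configuration steps above.

Added illustration, not Honeywell code. All XML documents and user rows
below are constructed samples shaped like the real artifacts.
"""
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"

# Constructed IdP metadata, shaped like what an IdP exports as idp-meta.xml.
SAMPLE_IDP_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{MD_NS}" entityID="https://idp.example.test/metadata">
  <md:IDPSSODescriptor protocolSupportEnumeration="{SAMLP_NS}">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed SAML Response carrying the custom UserID attribute (plus an
# unrelated attribute to show that only the exact name is accepted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP_NS}" xmlns:saml="{SAML_NS}"
    Destination="https://voiceconsole.example.test:8443/VoiceConsole/j_spring_security_check">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>talkman@honeywell.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="UserID">
        <saml:AttributeValue>talkman@honeywell.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

# Constructed stand-in for VOC_USER rows after the remap query in step 1.
SAMPLE_VOC_USERS = [
    {"name": "admin", "enabled": 1},
    {"name": "talkman@honeywell.com", "enabled": 1},
    {"name": "former.employee@example.test", "enabled": 0},
]


def check_idp_metadata(xml_text):
    """Return the entityID if xml_text is IdP metadata; raise ValueError otherwise."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    if root.find(f"{{{MD_NS}}}IDPSSODescriptor") is None:
        raise ValueError("no IDPSSODescriptor: this is SP metadata, not IdP metadata")
    return entity_id


def extract_user_id(response_xml):
    """Return the value of the attribute named exactly 'UserID', or None.

    The attribute name is case specific, so 'userid' or 'UserId' is not
    accepted, mirroring the requirement in the configuration steps.
    """
    root = ET.fromstring(response_xml)
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        if attr.get("Name") == "UserID":
            value = attr.find(f"{{{SAML_NS}}}AttributeValue")
            return value.text.strip() if value is not None and value.text else None
    return None


def map_to_voiceconsole_user(user_id, users):
    """Find the VOC_USER row whose name equals user_id (assumed exact match).

    Returns (row, warning). The warning reflects the note above: a disabled
    row still maps, so it must be deleted or renamed to block the SAML login.
    """
    for row in users:
        if row["name"] == user_id:
            if row["enabled"] == 1:
                return row, None
            return row, "user is disabled but would still map; delete or rename it"
    return None, "no VOC_USER row matches the UserID value; no mapping can occur"


if __name__ == "__main__":
    print("IdP entityID:", check_idp_metadata(SAMPLE_IDP_METADATA))
    uid = extract_user_id(SAMPLE_RESPONSE)
    print("UserID from response:", uid)
    print(map_to_voiceconsole_user(uid, SAMPLE_VOC_USERS))
```

To use it against a real deployment, read idp-meta.xml from the directory created in step 2 into check_idp_metadata, and feed a decoded SAML Response captured from a test login into extract_user_id; the exact-match assumption on the user name in map_to_voiceconsole_user is this script's choice, not a documented VoiceConsole behaviour.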

Talkman Startup Tool and REST API authentication are available only with the default users (admin and vocollect) and their default passwords.

If the admin or vocollect account password needs to be reset to its default value, use the appropriate SQL command:

UPDATE VOC_USER SET PASSWORD = '21232f297a57a5a743894a0e4a801fc3' WHERE NAME = 'admin';
UPDATE VOC_USER SET PASSWORD = 'e741639850633f3359b6ab2dab3158a5' WHERE NAME = 'vocollect';