ProActive SpendCloud SAML application setup
Introduction
This manual shows you how to set up SSO to ProActive SpendCloud using the SAML protocol. The configuration takes place in HelloID and requires you to send information to ProActive.
Requirements:
HelloID environment
ProActive Spend Cloud environment
SSO has to be requested from ProActive; this might come with additional costs.
Create or Import a Certificate
If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.
Application Setup
Add the Spend Cloud Application
Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "SpendCloud". Find the SAML template, and click Add. Learn more about managing applications here.
General tab
On the General tab, perform the following steps:
For the Default Login URL, enter your Spend Cloud URL in the format https://{customer}.spend.cloud, and replace {customer} with your ProActive customer ID.
Click Next.
Single Sign-on tab
On the Single Sign-On tab, perform the following steps:
For the Issuer field, provide your HelloID domain in the format {customer}.helloid.com, and replace {customer} with your HelloID customer ID.
For the Endpoint URL field, enter https://spend.cloud/api/sso/saml/clients/{customer}/acs, and replace {customer} with your ProActive customer ID.
In the X509 Certificate dropdown, select the certificate that you created or imported previously.
For the SP-initiated URL, enter the same URL you entered for the Default Login URL.
For the Extra Audience, enter https://spend.cloud/api/sso/saml/clients/{customer}/metadata, and replace {customer} with your ProActive customer ID.
Click Next.
Self service tab
On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. This is optional. Click Next.
Finish tab
On the Finish tab, click Save to add the application to HelloID.
Configuring the Mapping Set
By default, the 'matching identifier' is set to the user's contact email. This assumes that the email address known in HelloID matches the Spend Cloud user's email address.
If you wish to use another attribute, click here to learn more about attribute mappings.
Application metadata
After saving the Spend Cloud application, click its Edit link on the applications overview. This will bring you to its properties page.
You now have the option to obtain the application metadata.
Dynamic Metadata (URL)
Right-click Download metadata at the top right of the screen and copy the link address (something along the lines of https://enyoi.helloid.com/metadata/download?ApplicationGUID=e6e741f5-a469-4849-93f7-fe2e259a339f).
Replace the word 'download' with 'index' in the URL to view the metadata. This URL is the Dynamic Metadata URL.
Please provide this dynamic Metadata URL to ProActive.
The configuration of the HelloID application is finished.
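Before sending the URL to ProActive, it is worth confirming that the metadata behind it carries the Issuer and signing certificate you configured. The following is an added example, not HelloID or ProActive code: it derives the view URL from the download link and checks a metadata document against the expected values. The sample metadata is constructed, the function names are hypothetical, and it assumes the metadata entityID equals the Issuer field and that you computed the SHA-256 fingerprint of the selected certificate separately.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, urlunsplit

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed sample: placeholder bytes stand in for the DER certificate.
SAMPLE_DER = b"constructed placeholder, not a real certificate"
SAMPLE_FINGERPRINT = hashlib.sha256(SAMPLE_DER).hexdigest()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}"
    xmlns:ds="{NS['ds']}" entityID="enyoi.helloid.com">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{base64.b64encode(SAMPLE_DER).decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def metadata_view_url(download_url):
    """Swap the 'download' path segment for 'index'; host and query stay untouched."""
    parts = urlsplit(download_url)
    segments = parts.path.split("/")
    if "download" not in segments:
        raise ValueError("not a metadata download link")
    segments[segments.index("download")] = "index"
    return urlunsplit(parts._replace(path="/".join(segments)))

def check_metadata(xml_text, expected_issuer, expected_sha256):
    """Return a list of mismatches; an empty list means the metadata matches."""
    if "<!DOCTYPE" in xml_text:  # SAML metadata never needs a DTD
        raise ValueError("DOCTYPE not allowed in metadata")
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != expected_issuer:
        problems.append(f"entityID {root.get('entityID')!r} is not {expected_issuer!r}")
    found = set()
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing and encryption
            for cert in kd.iterfind(".//ds:X509Certificate", NS):
                der = base64.b64decode("".join((cert.text or "").split()))
                found.add(hashlib.sha256(der).hexdigest())
    if expected_sha256.replace(":", "").lower() not in found:
        problems.append("expected signing certificate not present")
    return problems

if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, "enyoi.helloid.com", SAMPLE_FINGERPRINT))
```

To use it against your own tenant, save the XML shown at the view URL and pass its text as the first argument in place of the sample.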
ProActive Configuration
Request SAML
To make the connection, ProActive needs to add the connection on their side. This can be requested from ProActive and might come with additional costs.
To configure the SSO on the ProActive side, they will need the following information:
Metadata URL: Please provide the dynamic Metadata URL to ProActive.
The metadata can be sent to ProActive Support:
023-5422299
They will generally enable SAML on their side within a few days.
Finishing Up
The Spend Cloud application has now been added to HelloID, and a trust has been configured between ProActive and HelloID. You are now free to assign the application to users within your organization and begin testing and using it. You can learn more about managing applications and assigning permissions here.