This manual shows you how to set up SSO to Raet Youforce using the OpenID Connect protocol. The configuration takes place in HelloID and in the Raet Youforce admin center.
- HelloID environment
- Raet Youforce environment
Create or Import a Certificate
If there is no certificate yet, a certificate must be imported or created. This can be done in the HelloID Administrator Portal under Settings > Certificates. For this tutorial, we will use a self-signed certificate. Learn more about certificates here.
Add the Raet Youforce Application
Create a new application in HelloID by navigating to Applications > Applications. Open the Application Catalog and search for "Raet Youforce". Find the Visma - Raet Youforce OpenIDConnect template, and click Add. Learn more about managing applications here.
On the General tab, fill in the default login URL with the Raet Youforce environment SSO URL. Normally this URL is supplied by Raet when you request the SSO setup. If you do not know the correct URL yet, you can change it afterwards. This URL is case sensitive and requires a trailing /. Optionally, you may also add a description. Click Next.
Single Sign-on tab
On the Single Sign-On tab, perform the following steps:
- For the secret field, change the pre-filled secret if required.
- In the X509 Certificate dropdown, select the certificate that you created or imported previously.
- The Redirect URI has to be the SSO URL provided by Raet. Raet will provide the URL when setting up their side of the connection.
- Click Next.
Self service tab
On the Self Service tab, choose whether to automatically create a Self Service product, which makes the application requestable. This is optional. Click Next.
On the Finish tab, click Save to add the application to HelloID.
Configuring the Mapping Set
By default, the 'matching identifier' is set to the user's username. This assumes that the username matches the user's UserPrincipalName, because Raet recommends using the UserPrincipalName as the matching identifier. If you wish to use another attribute, click here to learn more about attribute mappings. The configured subject attribute is required. If another identifier attribute is required, this has to be discussed with Visma - Raet and can be changed in the mapping set if needed.
Application configuration data
After saving the Visma Raet Youforce application, click its Edit link on the applications overview. This will bring you to its properties page.
Provide data to Visma - Raet
In the right corner, click View discovery document and copy the URL of the newly opened document. This URL has to be supplied to Visma - Raet and contains all required information.
Next, open the Configuration tab and provide Visma - Raet with the following information when requesting the single sign-on connection:
Visma - Raet Youforce Configuration
In order to make the connection, Raet needs to add the connection on their side. This can be requested by phone or in Youforce.
In Youforce go to Serviceplein > Support. In response to your request, a Raet employee will contact you.
In order to successfully set up the connection, they will need the following data:
- OpenID discovery document: can be found in the previous steps.
- Issuer URL: to find the issuer URL, open the OpenID discovery document. The issuer URL is placed on the second line after "issuer":
- ClientID: can be found in the previous steps.
- Client Secret: can be found in the previous steps.
- Identity provider: your current email domain, e.g. customer.com
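Before handing the discovery document URL and issuer URL to Visma - Raet, the two can be checked against each other. The following is an added example, not part of the HelloID or Raet tooling: it reads the issuer from a saved copy of the discovery document by key rather than by line position and verifies that it matches the discovery URL as OpenID Connect Discovery requires. The `customer.example` URLs and the document contents are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Constructed sample values; customer.example is a placeholder, not a real tenant.
SAMPLE_URL = "https://customer.example/oidc" + WELL_KNOWN
SAMPLE_DOC = json.dumps({
    "issuer": "https://customer.example/oidc",
    "authorization_endpoint": "https://customer.example/oidc/authorize",
    "token_endpoint": "https://customer.example/oidc/token",
    "jwks_uri": "https://customer.example/oidc/jwks",
}, indent=2)


def check_discovery(discovery_url, document_text):
    """Return (issuer, problems) for a saved copy of the discovery document."""
    doc = json.loads(document_text)
    issuer = doc.get("issuer")
    if not isinstance(issuer, str) or not issuer:
        return None, ["document has no issuer value"]
    problems = []
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer is not an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer contains a query or fragment")
    # OpenID Connect Discovery: the document is served at issuer + WELL_KNOWN,
    # with any trailing slash on the issuer removed first.
    if discovery_url != issuer.rstrip("/") + WELL_KNOWN:
        problems.append("discovery URL does not belong to this issuer")
    for key in ("authorization_endpoint", "jwks_uri"):
        if key not in doc:
            problems.append(f"missing {key}")
    for key, value in doc.items():
        if key.endswith(("_endpoint", "_uri")) and isinstance(value, str):
            if urlsplit(value).scheme != "https":
                problems.append(f"{key} is not an https URL")
    return issuer, problems


if __name__ == "__main__":
    issuer, problems = check_discovery(SAMPLE_URL, SAMPLE_DOC)
    print("Issuer URL:", issuer)
    for problem in problems:
        print("problem:", problem)
```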
Once you receive word that the connection between Raet Youforce and HelloID has been successfully set up on the Visma - Raet side, you have to set up the provided redirect URI in the application in HelloID.
Go back to the Visma Raet Youforce application and click its Edit link on the applications overview. This will bring you to its properties page. On the General tab, enter the provided SSO URL, e.g. https://youforce.raet.com/sso/helloid/
On the Configuration tab, enter the provided Redirect URI.
After setting up the correct URLs, you can finish the configuration in Youforce.
User identities in Youforce
The internal network names of the users in your organization have to be linked to a Youforce user. Perform the steps below to do this:
- Go to Portaalbeheer > Portaalbeheer > Single Sign On > Groepsgewijs Netwerknamen Opvoeren.
- Click Voltooien and download the .txt file to a local directory of your choice.
- The downloaded file contains a column Identity. Enter a value here for every user. This can be the same as the Netwerknaam. The value of the Identity field is freely selectable, but it must be unique within your organization.
- Go to Zenden en Ontvangen > Zenden and choose Gebruikersbeheer. Enter the location of the file to send and click Zenden. If there are any duplicate identities in the file, the import will abort when it reaches a duplicate value. We advise you to check the file, correct it and resend it.
- Check in Beheer > Portaal Beheer > Rapportages via Logboek Groepsgewijs Gebruikersbeheer whether the import was successful.
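Because the import aborts at the first duplicate identity, the file can be checked locally before it is sent. The following is an added example, not part of the Youforce tooling: it reports rows with an empty Identity and Identity values used more than once. The tab delimiter, the header row and the sample rows are assumptions; adjust `delimiter` to match the downloaded file.

```python
import csv
import io
import sys
from collections import defaultdict

# Constructed sample; the real file layout may differ (assumed: header row, tab-delimited).
SAMPLE = (
    "Netwerknaam\tIdentity\n"
    "jdoe\tjdoe@customer.com\n"
    "asmith\tasmith@customer.com\n"
    "bjansen\t\n"
    "j.doe\tJDoe@customer.com\n"
)


def check_identities(text, delimiter="\t", column="Identity"):
    """Return (empty_lines, duplicates) using 1-based file line numbers."""
    reader = csv.DictReader(io.StringIO(text), delimiter=delimiter)
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in header")
    seen = defaultdict(list)
    empty = []
    for row in reader:
        line_no = reader.line_num
        value = (row[column] or "").strip()
        if not value:
            empty.append(line_no)
        else:
            # Conservative assumption: values differing only in case count as duplicates.
            seen[value.casefold()].append(line_no)
    duplicates = {value: lines for value, lines in seen.items() if len(lines) > 1}
    return empty, duplicates


if __name__ == "__main__":
    # Pass the path of the downloaded .txt file; without one the sample is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1], newline="", encoding="utf-8") as handle:
            text = handle.read()
    else:
        text = SAMPLE
    empty, duplicates = check_identities(text)
    for line_no in empty:
        print(f"line {line_no}: Identity is empty")
    for value, lines in duplicates.items():
        print(f"Identity {value!r} is used on lines {lines}")
    sys.exit(1 if empty or duplicates else 0)
```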
It is also possible to enter or change an identity via Individueel Gebruikersbeheer. Go to Portaalbeheer > Portaalbeheer > Gebruikersbeheer > Individueel Gebruikersbeheer and change the value of the Identity field for the specific user.