Surpass SSO - IdP and Surpass Configuration v1.3.1

This article will focus on the configuration that needs to be done on both Surpass and your IdP before you can successfully use the SSO functionality. This includes the required information in your Active Directory setup and the centre configuration process.

When setting up claim rules in the relying party, we had to identify the following rule:

Token-Groups - Unqualified Names => CentreReferences

To create a user in Surpass, they must have at least one centre association. The rule above means that when a user logs in to Surpass through the SSO login page for the first time, the groups they are assigned to in Active Directory (such as Administrators, Domain Admins, etc.) are passed as an attribute in the SAML response. If an Active Directory group name matches a centre reference that exists in Surpass, the user is associated with that centre; if no matching centre is present, user creation fails. This only applies the first time the user accesses the SSO login page, when the user is being created; permissions are then managed manually within Surpass. So before a user can log in using this method, Active Directory will need to be set up with a group whose name matches a centre reference in Surpass, and the users will then need to be assigned to that group in Active Directory.

For a user to be successfully registered in Surpass, they will also need to have the relevant user details added in Active Directory. Below we have mapped the Active Directory attributes to the Surpass attributes:

Surpass                                         | Active Directory
------------------------------------------------|------------------------------------
User Name (Mandatory)                           | User Principal Name / User Logon Name
First Name (Mandatory)                          | First Name
Surname (Mandatory)                             | Last Name
Email (Mandatory)                               | E-mail
Job Title                                       | Job Title
Associated Centres (Centre Reference, Mandatory)| Member of
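The first-login behaviour described above (the CentreReferences claim rule plus the attribute mapping table) can be checked end to end with the following added example; it is not Surpass or ADFS code. It reads the AttributeStatement of a constructed SAML assertion, maps the standard ADFS upn/givenname/surname/emailaddress claims to the Surpass fields, and only creates the user when at least one CentreReferences value matches an existing centre. The "JobTitle" claim name and the centre references are assumptions.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Surpass field -> SAML attribute name. upn/givenname/surname/emailaddress are standard
# ADFS claim types; "JobTitle" is assumed; "CentreReferences" comes from the claim rule.
FIELD_MAP = {
    "user_name": CLAIMS + "upn",       # User Principal Name / User Logon Name
    "first_name": CLAIMS + "givenname",
    "surname": CLAIMS + "surname",
    "email": CLAIMS + "emailaddress",
    "job_title": "JobTitle",           # optional in Surpass
}
MANDATORY = ("user_name", "first_name", "surname", "email")
# Constructed sample assertion: AttributeStatement only, signature omitted.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}upn"><saml:AttributeValue>jsmith@corp.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jsmith@corp.example</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="CentreReferences"><saml:AttributeValue>Domain Users</saml:AttributeValue>
   <saml:AttributeValue>CENTRE001</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return attrs

def provision_user(attrs, existing_centres):
    """Build the first-login Surpass user record, or raise if it cannot be created."""
    user = {}
    for field, name in FIELD_MAP.items():
        values = attrs.get(name, [])
        if field in MANDATORY and not values:
            raise ValueError(f"missing mandatory attribute {name} for {field}")
        user[field] = values[0] if values else None
    # Only group names matching an existing centre reference become associations; other
    # groups (e.g. Domain Users) are ignored, and with no match the user is not created.
    centres = [g for g in attrs.get("CentreReferences", []) if g in existing_centres]
    if not centres:
        raise ValueError("no CentreReferences value matches an existing Surpass centre")
    user["centres"] = centres
    return user
```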

Logging into Surpass using ADFS

Once the centres and users have been configured in Active Directory, users will be able to log in to Surpass using their Active Directory credentials. To do this they need to browse to the client-specific SSO login page:

https://[ClientName].surpass.com/Saml/Login

When this address is accessed for the first time, a user is created in Surpass and granted basic access at all of the centres/groups they have permission to; from then on, all permissions are managed from within Surpass. Since this process only grants the user basic centre permissions, a Site Administrator will have to log in and grant the new user any further permissions they need.
