Managing multiple login credentials can be a frustrating experience. After logging into your EA SaaS portal, requiring an additional login for accessing Enterprise Architect models can disrupt workflows and create unnecessary delays, impacting collaboration and efficiency.
This guide introduces a streamlined solution: Single Sign-On (SSO). With SSO, users can securely access their models with a single click. By simplifying user management and enhancing security, SSO ensures seamless collaboration and boosts productivity in your EA SaaS environment.
Objective
This document is designed to empower users with comprehensive knowledge and practical guidance for the implementation of Single Sign-On (SSO) in their Sparx EA Cloud environment. The primary objectives are to:
- Provide a concise overview of Single Sign-On (SSO) in EA SaaS.
- Explain the two distinct types of OpenID configurations within EA, offering users the flexibility to tailor SSO authentication according to their specific needs.
- Offer a detailed, step-by-step procedure for configuring Unified SSO, facilitating a streamlined and efficient setup process.
- Provide a brief explanation and references for configuring OpenID using the standard process, along with the necessary whitelisting steps in EA SaaS instances, ensuring seamless access for users.
Single Sign-On in Sparx EA Cloud
For streamlined model authentication, users with SAML Single Sign-on (SSO) configured in the EA SaaS Portal can effortlessly integrate it with their EA models. This offers a simplified approach to authentication.
Alternatively, users who want individual model authentication configurations can follow the standard steps in Enterprise Architect, tailoring the process to their specific needs and usage patterns. Choose the method that aligns with your preferences for a seamless and secure Single Sign-On experience.
Configure OpenID in Sparx EA Cloud
Users can set up OpenID in their models following the standard method in Enterprise Architect. Depending on usage scenarios, users have two distinct approaches:
- Unified SSO Integration: For exclusive EA SaaS users, seamlessly integrate the EA SaaS Portal’s SSO authentication with the EA Models, streamlining access across platforms.
- Independent SSO Configuration: If users engage with both EA SaaS and the EA thick client, configure Single Sign-On (SSO) for the EA models independently of the EA SaaS Portal.
Unified SSO Integration
Users can seamlessly authenticate their existing login with EA models, eliminating the need to re-enter credentials by following the steps below.
Prerequisites
To establish unified Single Sign-On (SSO) in EA within the Sparx EA Cloud environment, users must satisfy the following requirements:
- Have SAML Single Sign-On configured in the EA SaaS Portal. Learn more here about the configuration process.
- Configure Access Control Profiles and User Groups.
- Super Admin credentials for accessing the EA SaaS Portal.
- Model Admin privileges for the specific models intended for configuration within EA SaaS.
Configuring OpenID
As soon as the requirements are satisfied, administrators can proceed with configuring SSO by following the steps below.
Step 1: Log in to the EA SaaS Portal with Super Admin credentials and click on “User Management”.
Step 2: Navigate to the Menu icon and choose “Integrated Applications – Access Management.”
If the menu cannot be located or is not visible, access it by appending “/Applications/Admin” to the URL of the EA SaaS Portal. For instance, use https://<domain_name>.com/Applications/Admin.
Step 3: Click on “Add Application”.
Step 4: Add the application using the following information.
Name | Desired Name. E.g. “ea-client” |
Authorization | Enable all parameters |
Application ID | Desired Name. E.g. “ea-client” |
Scope | Select Email, Profile, Groups, Open ID |
Generate Security Token | Enable |
Enhance Security using PKCE | Disable |
Redirect URLs | http://localhost:8888/openid/callback |
Post Logout URLs | (Not Required) |
After completing the above-mentioned configurations, click on “Save”.
Step 5: On saving the application, a pop-up will display containing the Application ID and Security Token. Securely store the Application ID and security token and return to the EA SaaS portal page to launch the instance.
Step 6: Click “Open Repository” in the EA SaaS portal.
Step 7: Access the model using the Model Administrator’s credentials.
Step 8: Navigate to Settings > Users > Configure OpenID.
Step 9: Enable “Accept OpenID Authentication”, uncheck the “Accept Windows Authentication” option and enable “Automatically create or modify Windows or OpenID users”.
Step 10: Configure the following information in the pop-up that appears.
Open ID URL | Enter the EA SaaS Portal’s URL. E.g. https://<domain_name>.com |
Discovery URL | Will be appended automatically to the OpenID URL. |
Client ID | Paste the Application ID acquired in Step 5. |
Client Secret | Paste the Security Token acquired in Step 5. |
Scope | Enter “OpenID profile email” |
Claim to Match to Local User | Enter “username” |
Claim to Match to Local Groups | Enter “groups” |
Please note that all details are case-sensitive. Enter them accurately to ensure proper functionality.
Step 11: After completing the configurations above, click on “Test” to validate the configuration. If the test connection is successful, proceed to save the configuration.
Step 12: Navigate to Settings > Groups > Configure Open ID.
Step 13: Configure the following information in the Security Groups.
Group Name | Enter the exact name of the user group from the EA SaaS Portal. |
OpenID Group | Enter the exact name of the user group from the EA SaaS Portal. |
Group Permissions | Grant the necessary group permissions. |
Group names must be entered exactly as they appear in the EA SaaS Portal. Click here to learn more about the SAML best practices.
Step 14: After completing all of the configurations above, sign out of the model. Then log in to the model again using OpenID authentication within EA SaaS; access will be granted without re-entering credentials.
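An added troubleshooting sketch, not part of the original guide or of Sparx tooling: it checks a decoded ID token against the claim names from Step 10 and the group names from Step 13, and flags names that differ only by case or whitespace. The token, user name and group names are constructed samples, and it assumes the portal issues a JWT ID token and that the model matches group names exactly.

```python
import base64
import json

# Claim names from Step 10 of the guide; group names are constructed samples
# standing in for the "OpenID Group" column configured in Step 13.
USER_CLAIM = "username"
GROUP_CLAIM = "groups"
EA_OPENID_GROUPS = ["EA-Architects", "EA-Reviewers"]


def decode_payload(id_token):
    """Decode a JWT payload for inspection only (no signature verification)."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_claims(claims, ea_groups=EA_OPENID_GROUPS):
    """Return (matched_groups, problems) for one token's claims."""
    problems = []
    if not claims.get(USER_CLAIM):
        problems.append(f"claim '{USER_CLAIM}' missing or empty")
    token_groups = claims.get(GROUP_CLAIM)
    if isinstance(token_groups, str):  # a single group may arrive as a string
        token_groups = [token_groups]
    if not token_groups:
        problems.append(f"claim '{GROUP_CLAIM}' missing or empty")
        return [], problems
    matched = [g for g in token_groups if g in ea_groups]  # exact, case-sensitive
    folded = {g.strip().casefold(): g for g in ea_groups}
    for g in token_groups:
        near = folded.get(g.strip().casefold())
        if g not in ea_groups and near:
            problems.append(f"group {g!r} differs from EA group {near!r} only by case/whitespace")
    if not matched:
        problems.append("no token group maps to an EA security group")
    return matched, problems


def constructed_token(claims):
    """Build an unsigned sample token so the example runs offline."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


SAMPLE = constructed_token({"username": "jdoe", "groups": ["ea-architects", "EA-Reviewers"]})

if __name__ == "__main__":
    print(check_claims(decode_payload(SAMPLE)))
```

decode_payload only exposes the claims for diagnosis; it does not validate the token and must not be used to make access decisions.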
Independent SSO Configuration
For users transitioning between Sparx EA Cloud and the EA thick client, configuring Single Sign-On (SSO) for EA models independently ensures a seamless experience. This approach aligns with existing workflows and mirrors the familiar configuration steps of the standard Enterprise Architect thick client.
Click here to learn more about Single Sign-On in Enterprise Architect.