ManualsPro Carrier Carrier Single Sign On SSO Add on Microsoft Personal User Guide

Carrier Single Sign On SSO Add on Microsoft Personal User Guide

July 4, 2024
Carrier

Single Sign On (SSO) Add-on User’s Guide

v1.0 for 9.0 systems and later

Catalog No. 11-808-1066-01
Rev. 6/12/2024

Important changes are listed in Document Revision History at the end of this document.

All rights reserved. All trademarks are the property of their respective owners.

The content of this guide is furnished for informational use only and is subject to change without notice. Carrier assumes no responsibility or liability for any errors or inaccuracies that may appear in the informational content contained in this guide.

replace

What is the Single Sign On (SSO) add-on?

The Single Sign On add-on allows you to use an Identity Provider of your choice to access your BAS system. The Identity Provider’s authentication functions in addition to the traditional BAS sign-in. The SSO addon can be configured to use SAML or OIDC.

Requirements
  • You are running a v9.0 or later (or Cloud) system with the latest cumulative patch applied
  • You have downloaded sso.addon file
  • You have purchased and downloaded the SSO license
  • Your system is backed up regularly to ensure the add-on’s data is also backed up
  • You have adequate disk space available to store the add-on’s data
  • After installing the add-on, you must Configure the SSO add-on in SiteBuilder (page 1)
  • You have configured the add-on to use SAML (page 2)or OIDC (page 4).
  • You have Mapped your Identity Provider email (page 4)

See “Installing an Add-on User Guide” for the following:

  • Installing an add-on
  • Applying a license
  • Running an add-on
  • Upgrading an add-on
Configuring the SSO add-on in SiteBuilder

Before you can use the SSO add-on, you must configure your system in SiteBuilder.

1 Download and install the add-on.
2 In SiteBuilder, go to Configure > Preferences.
3 On the Web Server tab, open Authentication Provider and select ssoauthclient.
4 Click Apply , and then click OK.
5 Log in to your BAS system locally as Administrator to continue setting up the SSO add-on. You can now configure the add-on to use SAML (page 2)or OIDC (page 4).

Configuring the SSO add-on for SAML

Follow the steps below to configure the SSO add-on for use with SAML.

1 Verify required Identity Provider Configurations for SAML (page 2).
2 Set up SSOAuthclient Addon (Service Provider) (page 3)

Verify required Identity Provider Configurations for SAML

The identity provider needs to have the following configurations for the user successfully login through SAML via the SSO addon.

  • Single sign-on URL and Single Logout URL of service provider: Example, http or
    https:///~index
    NOTE If your SAML identity provider only supports HTTPS Single Sign-On and Single Logout URLs, you BAS must be configured to use HTTPS.

  • Audience URI (SP Entity ID)/SP Issuer: This unique identifier should also be passed to the SSO Addon configuration.

  • SAML Authentication Response and Assertion from the Identity Provider must be signed with a SHA256 Signature Algorithm.
    ο Encryption and Signature Certificate: A X509 public certificate and its private key must be generated and maintained by the administrator to encrypt the SAML assertion and sign logout requests. The public certificate must be uploaded to the Identity Provider’s Encryption Certificate and Signature Certificate fields. The public certificate and private key are required for the add-on’s Service Provider Public Certificate and Service Provider Private Key fields.
    ο One method you can use to create the X509 Service Provider Public Certificate and Private key is OpenSSL. The OpenSSL example below generates the X509 certificate and private key. The certificate and key expire in 365 days.
    NOTE The expiration days and name of the public certificate can be modified.
    openssl req -x509 -nodes -days 365 -new -out <your-public-certificate- name>.crt

  • Assertion: The Assertion must be encrypted and the public X.509 certificate (generated by the administrator) must be uploaded to the Identity Provider’s Encryption certificate field.

  • Logout request: If the Identity Provider requires the Logout request to be signed, the same public X.509 certificate used for encryption (generated by the administrator) must be uploaded to the Identity Provider’s Signature Certificate field.
    The identity provider should not Verify Request Signatures since the Authentication Request generated by the SSO addon is not signed.

  • ACS URL/ Single sign-on URL: The ACS URL/ Single sign-on URL configured on the SAML Identity Provider is used for redirecting the Authentication response/assertion back to Service Provider instead of the ACS URL on the Authentication Request.

  • SAML Assertion NameId: The SAML Assertion NameId should return the email address of the user which is mapped in your BAS. (Identity Providers may do this by default, but it can be changed by the Identity Provider administrators).

Set up SSOAuthclient Addon (Service Provider)

1 Log in to your BAS as Administrator.
2 On the System Options tree, select System Settings.
3 Go to the Add-ons tab. Under Details , click Main Page.
4 Select SAML.
5 Enter the required information described below.

In this field… Enter this information…
Identity Provider Issuer Identity Provider Entity ID/ Issuer (provided

by the Identity Provider)
Identity Provider Single Sign-On URL| Provided by the Identity Provider
Also referred to as “SP-Initiated Redirect Endpoint”
Identity Provider Single Logout URL| Provided by the Identity Provider
Identity Provider X.509 Certificate| Copy and paste the contents of your identity provider’s X.509 certificate. (provided by the Identity Provider)
Configure the Identity Provider to sign the SAML response and assertion with SHA256 signature algorithm.
Service Provider Entity ID/ Issuer.| Audience URI (SP Entity ID)
Also referred to as “Audience URI” or “Audience Restriction”
Service Provider Assertion Consumer Service (ACS) URL| http or https:///~index
Also referred to as “Redirect or login” URL
Service Provider Single Logout URL| http or https://<your BAS domain>/~index
Also referred to as “Redirect or logout” URL
Service Provider X.509 Public Certificate| Copy and paste the contents of the X509 public certificate that was generated for the Encryption and Signature Certificate.
 NOTE Authentication requests are not signed by this service provider.
Service Provider Private Key field| The contents of the private key that was generated.
NOTE Authentication requests are not signed by this service provider.

6 Click Apply.
7 You must now Map your Identity Provider e-mail to an Operator (page 4) in your BAS.

Configuring the SSO add-on for OIDC

Verify required Identity Provider Configurations for OIDC
The ID token must include the “email” claim, which is usually part of the standard OIDC claims.

Follow the steps below to configure the SSO add-on for use with OIDC.

1 Log in to your BAS as Administrator.
2 On the System Options tree, select System Settings.
3 Go to the Add-ons tab. Under Details , click Main Page.
4 Select OIDC.
5 Enter the required information described below.

In this field… Enter this information…
Token URL Token endpoint from your Identification Provider
Authorize URL Authorization endpoint from your Identification Provider
Logout URL Logout endpoint from your Identification Provider
Public Keys URL JWKS / Public keys enpdoint from your Identification Provider
Client ID Client ID from your Identification Provider
Client Secret (Optional) Client Secret from your Identification Provider
Redirect on Login http or https:///~index
Redirect on Logout http or https:///~index

6 Click Apply.
7 You must now Map your Identity Provider e-mail to an Operator (page 4) in your BAS.

Mapping Identity Provider e-mail to an Operator

1 On the System Options tree, select Operators.
2 Click Add to add a new Operator.
3 Create a new Operator as described in your BAS User Manual, using your Identity Provided e-mail address in Login Name.
4 Open Sign On Mode and select Single Sign On.
NOTE No password is required for this Operator. Password requirements are handled by your Identity Provider.
5 Click Accept.
6 You are now ready to log in to your BAS (page 5) using your Identity Provider.

Logging in to your BAS using SSO

1 From the Log in page of your BAS, click Log in with Single Sign On.
NOTE Do not enter in your local Login Name or Password. Do not click Log in.
2 Log in using your Identity Provider login process.
3 When prompted to log in using the SSO Operator name, verify the name is correct and then click Yes.

NOTE If desired, you can still log in locally using Login Name and Password. The SSO add-on does not interfere with local log on or existing Operator configurations.

Document revision history

Important changes to this document are listed below. Minor changes such as typographical or formatting errors are not listed.

Date Topic Change description **Code***
No updates yet
  • For internal use only

All trademarks used herein are the property of their respective owners.

Proprietary and Confidential

Single Sign On (SSO) Add-on User’s Guide                © 2024 Carrier. All rights reserved.
Rev. 6/12/2024 A Carrier Company

Read User Manual Online (PDF format)

Loading......

Download This Manual (PDF format)

Download this manual  >>

Carrier User Manuals

Carrier RG10L3 Remote Controller Owner’s Manual
Carrier
Carrier 10105567G1 Supra DirectKey Module User Manual
Carrier
Carrier 58MCA Gas Furnace User Manual
Carrier
Carrier 25SCA5 Single Stage Heat Pumps Instruction Manual
Carrier
Carrier COR TP-WEM01 Smart Thermostat User Manual
Carrier
Carrier FT4B Fan Coil with InteliSense Instruction Manual
Carrier
Carrier CRLVHLGD004A00 Gas Heating-Electric Cooling Electric Cooling and Heat Pump Units Instruction Manual
Carrier
Carrier HAP v6.1 Hourly Analysis Program User Guide
Carrier
Carrier ZP787-3 ZP7 Addressable MCP Red Surface Mount Instructions
Carrier
Carrier ML5 Asset Tracker Telematics Module Instruction Manual
Carrier
Carrier SYSTXXXTRB01 Network Interface Module Instruction Manual
Carrier
Carrier 25SCA5 Single Stage Heat Pumps with Puron Refrigerant Instruction Manual
Carrier
Carrier 24SCA4 Comfort Series Air Conditioner Instruction Manual
Carrier
Carrier 38MURA-18K Residential Single Zone Heat Pump System Installation Guide
Carrier
Carrier 30RB-30RQ AquaSnap Scroll Chiller Instruction Manual
Carrier
Carrier BAYECON103AA-AB-AC Down Discharge Economizer and Rain Hood Installation Guide
Carrier
Carrier CA13R-RG10 Remote Controller Instruction Manual
Carrier
Carrier PY4G Single Packaged Air Conditioner and Gas Furnace System Instruction Manual
Carrier
Carrier 42NC Fan Coil Unit Instruction Manual
Carrier
Carrier 42KY Coanda Effect Cassette Instruction Manual
Carrier

Related Manuals

HPZ Rover Run Jogger Stroller Owner’s Manual
HPZ
dji Quadrocopter, FPV Goggles V2 User Guide
DJi
XProUSA DB-Z011 40cc Pocket Bike User Guide
XPROUSA
SAMSUNG HW-Q930D Sub Woofer and Rear Speaker User Guide
Samsung
Amico Lily Series Baby Bassinets User Guide
Amico
PRAMAC PBI 50K Battery Inverter User Manual
PRAMAC
STARWAVE LW-13 Fashion Wireless Silent Mouse User Manual
STARWAVE
beeloom 1300121 Mini Golf Game Set Instruction Manual
beeloom
ALDI 709610 20V LI-ION Cordless Blower Skin Instruction Manual
ALDI
Micron PA30B Rescue Device with Voice Function User Manual
Micron
Petromax CP750 Cooking Pot Instruction Manual
Petromax
sifam tinsley TT30-P38F75F2DRZ00 Theta 30P Transducer Instruction Manual
sifam tinsley
COLOR Logic Process Metalic Color System Software Installation Guide
COLOR Logic
SECOMP 1000BaseSX Series Media Converter Installation Guide
SECOMP
Plastica SSW PUMP 05 Clever Pool Energy Save Inverter Instructions
Plastica
vtech 198659 Myla Blush and Bloom Unicorn User Guide
vtech
LASER NAVC-AREC-101 Add on Reverse Camera User Manual
Laser
KETTLER 0797313-4470 Harlow Carr 110cm Dining Table Instruction Manual
KETTLER
UNITEK P1225A 60W 6 Port USB-C Charging Station User Manual
UNITEK
ETEKCITY EK4150 Digital Kitchen Scale User Guide
ETEKCITY
metabo Basic 250-24 W Compressor Instruction Manual
metabo
Art Century Led Light 2A4ZHARTLEDLIGHT Interior Car Lights with Smart App Control Instruction Manual
Art Century Led Light
WINGS Phantom 1100 Gaming Neckband with ENC User Manual
WINGS
PSA Products 6000THL Lifesaver Smoke Alarm Remote Control User Guide
PSA Products
MAVERICK LT-04 Infrared Laser Thermometer Instruction Manual
Maverick
ALMOST HEAVEN SAUNAS IR Panel Retrofit Installation Guide
ALMOST HEAVEN SAUNAS
resideo Braukmann MV300 Installation Guide
resideo
JONATHAN Y JYL6010A Glam Black Table Lamp with Glass Shade Instruction Manual
JONATHAN Y
CYRUS i9-XR Integrated Amplifier User Guide
CYRUS
View or change cellular data settings on iPad (Wi-Fi + Cellular models)
Apple
Contact Us   Privacy Policy   19.32ms