The Journyx SaaS application can be configured to use SAML-based single sign-on (SSO) authentication. In SAML terminology, Journyx is the Service Provider (SP) and your portal software functions as the Identity Provider (IdP).
The Journyx setup process is generally described below.
- Journyx gives you a few key values, discussed below: mainly the SSO endpoint URL and the Audience value. Journyx also tells you which attributes to send, mainly 'login' and 'email'.
  - a. Your endpoint / ACS URL will be: https://<your_journyx_site_name>.apps.journyx.com/Journyx.sso/SAML2/POST
  - b. Your audience URI / Entity ID will be: https://<your_journyx_site_name>.apps.journyx.com/Journyx.sso
  In the above examples, "<your_journyx_site_name>" would be replaced with the actual name of your Journyx SaaS site.
- Your identity management software (e.g. Okta, Azure, PingOne) accepts these values at a configuration screen and produces an XML file called the Identity Provider (IdP) SSO Metadata. Your signing certificate is embedded in this file.
- You send the IdP SSO Metadata XML file to us at Journyx, and we install it on our server. This describes you (the Identity Provider) to our server so we know how to validate incoming assertions.
- Once we have this file and install the necessary SSO tools and configuration to your Journyx site, the SSO connection will be active.
Please note that the creation of the application within your SSO portal and the creation of the metadata file is controlled by you, the customer, and not by Journyx. Each identity provider procedure will vary. If you are unfamiliar with registering an application and creating the associated metadata, please contact your IT staff or your identity provider support.
The following example instructions are for setting up a SAML Single Sign-On (SSO) connection between an Okta identity provider and a Journyx SaaS site. These steps must be performed by your identity provider administrator. Again, configuration of other IdP software should be similar, but Journyx cannot advise on specific IdP interfaces for generating the metadata file.
Before you begin, please note that the 'login' value must exactly match the corresponding 'User Login' field in Journyx; this is case-sensitive and must uniquely identify each user. This can be different from what the user actually types to sign in on your side, as long as you can extract/obtain the correct value to match the information in Journyx.
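As an added illustration (example code written for this page, not Journyx's or Okta's own software), the following Python reads a constructed IdP metadata file of the kind the steps above ask you to export, and then checks a constructed SAML assertion the way a Service Provider must before it maps the 'login' attribute to a Journyx user: the issuer and Audience must match the values exchanged during setup, the validity window must cover the current time, both required attributes must be present, and the login must match a Journyx User Login case-sensitively. The metadata, assertion, site name acme.apps.journyx.com, entity ID and user list are all made-up sample values. XML signature verification with the certificate taken from the metadata is left out here; a real SP must perform it before trusting any of the checks below.

```python
"""Added example, not Journyx's own code: parse a constructed IdP SSO metadata
file and check a constructed SAML assertion the way an SP would before mapping
the 'login' attribute to a user record. The XML signature is NOT verified here;
a real SP must verify it with the signing certificate from the metadata first."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample: the IdP metadata file the customer exports and sends in.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkEXAMPLE">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIICEXAMPLEBASE64CERT==</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://example.okta.com/app/exkEXAMPLE/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample: the assertion the IdP would POST to the Journyx ACS URL.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1"
    Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>http://www.okta.com/exkEXAMPLE</saml:Issuer>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://acme.apps.journyx.com/Journyx.sso</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="login"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Assumed values for the sample site (hostname is made up) and a fixed "now".
EXPECTED_AUDIENCE = "https://acme.apps.journyx.com/Journyx.sso"
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)


def parse_idp_metadata(xml_text):
    """Return the values the SP needs from an IdP metadata file."""
    root = ET.fromstring(xml_text)
    cert = root.find(".//md:KeyDescriptor[@use='signing']//ds:X509Certificate", NS)
    sso = root.find(".//md:SingleSignOnService", NS)
    if cert is None or sso is None:
        raise ValueError("metadata lacks a signing certificate or SSO endpoint")
    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso.get("Location"),
        "signing_cert": "".join(cert.text.split()),  # base64 DER, whitespace stripped
    }


def _ts(value):
    """Parse the UTC timestamps SAML uses into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, expected_audience, expected_issuer, now):
    """Validate issuer, audience and validity window, then return the attributes."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:
        raise ValueError(f"unexpected issuer {issuer!r}")
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError(f"assertion not addressed to {expected_audience}")
    cond = root.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    for required in ("login", "email"):  # the two attributes Journyx asks for
        if not attrs.get(required):
            raise ValueError(f"missing required attribute {required!r}")
    return attrs


def match_login(login, journyx_logins):
    """'exact' if the IdP login matches a Journyx User Login byte-for-byte,
    'case-mismatch' if it differs only in case (still a failed login, useful
    for explaining the failure), 'none' otherwise."""
    if login in journyx_logins:
        return "exact"
    if login.lower() in {u.lower() for u in journyx_logins}:
        return "case-mismatch"
    return "none"


if __name__ == "__main__":
    idp = parse_idp_metadata(IDP_METADATA)
    attrs = check_assertion(ASSERTION, EXPECTED_AUDIENCE, idp["entity_id"], SAMPLE_NOW)
    print(idp, attrs, match_login(attrs["login"], ["jdoe", "asmith"]))
```

The 'case-mismatch' result exists only to explain a failed sign-in; the login is still rejected, which is exactly the behaviour the note above describes.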
Okta: Setting up a SAML Application in Okta
Azure: Configuring SAML2 SSO
PingOne: Export Metadata for Service Provider Configuration
Okta
- Sign in to the Okta admin dashboard and go to the Applications section.
- Click Add Application.
- From the directory screen, click Create New App.
- Set "Sign on method" to SAML 2.0
- General settings:
- These settings are up to you; any values will work, but you must at least assign a name here. We suggest <your_journyx_site_name>.apps.journyx.com.
- Logo is optional; it's up to you. This will only appear on the Okta side.
- SAML Settings - see screenshot below.
  - SAML Endpoint: https://<your_journyx_site_name>.apps.journyx.com/Journyx.sso/SAML2/POST
  - Audience URI: https://<your_journyx_site_name>.apps.journyx.com/Journyx.sso
  - Default RelayState: leave blank
- Name ID Format: use "Unspecified"
- Application Username: depends, but possibly "Okta username prefix"
  - This pertains to the requirement that the username Okta sends over must exactly match the Journyx username.
  - This is somewhat configurable through this setting and/or Okta's custom rule feature.
- Open the "Advanced Settings", and change only this:
- Request Compression: Yes
- Under "Attribute Statements", at minimum you need these two:
- login - user.login
- email - user.email
- See screenshot below. These are based on my Okta test site.
- Click "Next" to save and move to the next screen.
- Answer the next questions with "I'm an Okta customer..."
- You can then leave the remaining questions blank, or check "it's an internal app"
- You should now be at the application dashboard page for your new app, <your_journyx_site_name>.apps.journyx.com.
- Click the link "Identity Provider Metadata". This will prompt you to save a file to disk.
- Attach the file to an email to [email protected] with a subject along the lines of: "<Your company name> single sign on metadata"
- We will then handle the setup process on our end and notify you when it's complete. Depending on when we receive the file, and whether we run into any issues on our end, it could be up to a day before it becomes active, but most likely less. We will notify you if there are any delays or other issues.
- If you need to access the Journyx web app directly without SSO, you can use this URL: https://<your_journyx_site_name>.apps.journyx.com/jtcgi/wte.pyc?nosso=1
  The important part is the "?nosso=1" at the end of the URL. This checks the password against the Journyx password database.
- Access to this SSO bypass is controlled by a User field named "SSO Authentication". Each user can be set to "SSO Only", "Journyx Only", or "Both".
- Accountlink, Reportlink and other tools don't need to use the special URL above, but they DO need to use the Journyx password, not whatever is in Okta/Active Directory (though the two could be the same).