
Single Sign-On Customer Side Configuration Manual

Author Vecos R&D


Date 24-03-2022
Version 8.0
Status Qualified
Content
Document history (page 3)
Terms and abbreviations (page 3)
1. Introduction (page 4)
1.1. Single Sign-on (page 4)
1.2. Disclaimer (page 4)
1.3. Company Code (page 4)
1.4. URLs (page 4)
1.5. Releezme SAML2 metadata address (page 5)
1.6. Customer metadata address (page 5)
1.7. Releezme Roles (page 5)
1.8. Serving multiple companies with one ADFS/Azure AD Server (page 6)
2. Windows Server based ADFS (page 6)
2.1. Pre-conditions (page 6)
2.2. Windows Server 2012R2/2016/2019 (page 6)
2.3. Windows Server Global Authentication policy (page 11)
2.4. Multiple companies with one ADFS service (page 11)
3. Azure Active Directory (page 14)
3.1. Disclaimer (page 14)
3.2. Pre-conditions (page 14)
3.3. Enterprise Application (page 14)
3.4. App Registration (page 18)
3.5. Registered Application Manifest Roles (page 20)
3.6. App Roles (Preview) UI (page 21)
3.7. Multiple companies with one Azure AD (page 22)
4. Okta SAML2 (page 25)
4.1. Introduction (page 25)
4.2. Pre-conditions (page 25)
4.3. App Registration (page 25)
4.4. Releezme role configuration (page 28)
5. SURFconext (page 30)
5.1. Introduction (page 30)
5.2. Company Settings in Releezme (page 30)
5.3. Required Attributes (page 30)
6. Troubleshooting (page 31)
6.1. Errors in the ADFS login page (page 31)
6.2. Redirected back to login page (page 31)

RZM_102.MAN_SSO_CUSTOMERSIDE_CONFIGURATION.SSO Customer Side Configuration Manual.docx 2 of 31


Document history
Date Version Author Description
16-05-2017 0.1 Vecos R&D Initial version
16-06-2017 0.2 Vecos R&D Added Global Authentication Policy
16-08-2017 0.3 Vecos R&D Added new R1.6 roles
24-08-2017 0.4 Vecos R&D Added Azure AD
20-12-2017 0.5 Vecos R&D Added multiple company solution (R1.7)
22-02-2018 0.6 Vecos R&D Qualified
28-08-2018 0.7 Vecos R&D Updated
19-09-2018 0.8 Vecos R&D Updated
26-10-2018 0.9 Vecos R&D Updated
02-05-2019 0.10 Vecos R&D Added SAML2
08-05-2019 0.11 Vecos R&D Added SURFconext
08-10-2019 1.0 Vecos R&D Updated Azure AD
02-12-2019 1.1 Vecos R&D Include AU
02-12-2019 2.0 Vecos R&D Qualified after review
20-02-2020 2.1 Vecos R&D Added Okta SAML2
24-02-2020 3.0 Vecos R&D Qualified after review
25-02-2020 3.1 Vecos R&D Additional Okta info
05-03-2020 4.0 Vecos R&D Qualified after review
27-03-2020 4.1 Vecos R&D Add Enterprise Azure AD application configuration
09-04-2020 5.0 Vecos R&D Qualified
18-05-2020 5.1 Vecos R&D Update Okta screenshot
18-05-2020 6.0 Vecos R&D Added On-Premises. Qualified
25-09-2020 6.1 Vecos R&D Update
17-11-2020 6.2 Vecos R&D Updated Azure AD. Use generic URL throughout the doc.
07-11-2020 7.0 Vecos R&D Qualified
18-03-2022 7.1 Vecos R&D Updated OKTA screenshots
24-03-2022 8.0 Vecos R&D Qualified after review.

Terms and abbreviations


AD : Active Directory
ADFS : Active Directory Federation Services
JSON : JavaScript Object Notation (ref: www.json.org)

1. Introduction
1.1. Single Sign-on
Releezme allows system users to log in to the Releezme website with single sign-on via the main website. Note that SSO only applies to company system users, such as facility managers and service desk employees. Locker users are not able to log in to the website.

Releezme allows the following types of federated login:

• The WS-Federation protocol (see http://docs.oasis-open.org/wsfed/federation/v1.2/os/ws-federation-1.2-spec-os.html or https://msdn.microsoft.com/en-us/library/bb498017.aspx).
• The SAML2.0 protocol (see http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html). Note: only available from R1.12 and newer.
o SAML2.0 is also supported for the Okta SSO service.
o SAML2.0 is also supported for Azure AD via app registration or Enterprise Application.
o SAML2.0 is also supported for SURFconext, and Vecos is registered as a service provider.

SSO can be configured with any identity provider that supports the technologies mentioned above, but this document details how to configure it with the following systems:

1) ADFS in Windows Server 2012R2 and Windows Server 2016
2) Azure Active Directory via app registration or Enterprise Application
3) SURFconext
4) Okta SSO service

1.2. Disclaimer
User interfaces of cloud providers evolve constantly, so all screenshots shown here are as the services looked at the time of writing this document. They may look different at the moment this manual is applied, but the basic functionality remains the same:

• Set up your SAML 2.0 (or WS-Federation) Identity Provider with the Vecos Locker Management System as an “application”.
• Set up the groups as required by Releezme.
• Set up access of authorised users to the application with one of the required roles.

Note: only people who manage the locker system need access; do not let normal locker users access the Releezme website.

1.3. Company Code


Each company using SSO in Releezme is assigned a company code. Usually this is similar to your
company name, but without spaces or special characters. For example: YourCompany or
CompanyNL, etc.

1.4. URLs
Each Releezme environment uses a different URL.

Environment URL
Europe https://www.releezme.net
Australia https://au.releezme.net
North America https://na.releezme.net
On-premises https://<CustomerDefined>/configuration

Only the Releezme SaaS URLs are pre-defined; for on-premises the URL depends on the customer. Note that if an external identity provider is used, e.g. Azure AD or Okta, then the URL of the Releezme website must be reachable from the internet.

The rest of this document mentions only https://<ReleezmeURL>. It is left up to the reader to replace ReleezmeURL with the appropriate URL for their environment.

The above mentioned URLs bring you directly to the Releezme website in those environments, but when using SSO you would have to select the SSO link at the bottom of the page. So there is a short-cut:

Environment URL
Europe https://sso.releezme.net
Australia https://sso-au.releezme.net
North America https://sso-na.releezme.net
On-premises https://<CustomerDefined>/configuration/sso

Additionally, you can add your company code directly to the URL with the query parameter:
&companycode=YourCompanyCode

For example: https://sso.releezme.net?companycode=YourCompanyCode

1.5. Releezme SAML2 metadata address

The Releezme SAML2 metadata for automatic configuration can be downloaded from the above mentioned URLs with “/saml2” appended, e.g. https://<ReleezmeURL>/saml2.

1.6. Customer metadata address

Within Releezme, an SSO company must be configured with the identity provider’s (IdP) metadata address, which looks something like: https://<Your Company URL>/federationmetadata/2007-06/federationmetadata.xml

Note that for SAML2 the EntityId of the customer’s IdP must be configured in Releezme. Vecos can simply download the metadata and use the EntityId mentioned in it.

1.7. Releezme Roles

Releezme is a role-based system, which means that each system user is assigned a role and, based on that role, the user has certain rights. It is up to the customer to assign the correct role to the users who need to log in.

Releezme has the following roles available:

Name   Description
CompanyServiceDesk   This role has limited read-only rights and should be used for read-only service desk employees only.
CompanyServiceDeskPlus   This role has read and write rights and should be used for service desk employees only.
CompanyFacilityManager   This role has more rights than a service desk employee and is used for a normal facility manager.
CompanyFacilityManagerPlus   Extended facility manager; this role can manipulate more settings within the company and should be given only to facility managers trained by VECOS specifically for this task.
CompanyAdmin   This role has full rights on the company for administration purposes.
Table 1. Releezme Roles

Note that the “Plus” roles are only available from Releezme Release 1.6 and higher. For SaaS
customers this is always the case, for on-premises customers please check your Releezme
configuration before configuring your identity provider.

The company administrator role has rights to everything within the company and should only
be used when needed.

1.8. Serving multiple companies with one ADFS/Azure AD Server


In some cases it is required to use one ADFS or Azure AD source to allow login on multiple companies
within Releezme.

An example: a large corporation which has branches in The Netherlands and in Belgium. Both
branches have their own company in the Releezme system, but the corporation has one Azure AD
environment which manages all their employees.

In the Releezme configuration both companies have a different company code, e.g. BigCorpNL and
BigCorpBE.

Releezme is created as one application within their AzureAD and all employees from the NL and the
BE branches are configured to have access to Releezme via the Azure AD.

Without any special configuration, all authorized people have access to both companies in Releezme, simply by using the different company codes. This is not a wanted situation, since the facility managers in one country are not authorized for the other country.

Sections 2.4 and 3.7 detail the configuration for this situation.

2. Windows Server based ADFS


2.1. Pre-conditions
The company already has the following configured:

• Active Directory with users and groups. It is advised to create a group for each Releezme role and assign users to the group corresponding to their Releezme role. See section 1.7 for the available roles.
• Active Directory Federation Services (ADFS)
o Must be accessible through the internet (in case of connecting to Releezme SaaS).
o Must use a valid SSL certificate and must be accessible through HTTPS.
o Must have a metadata address URL defined: https://<your url>/FederationMetadata/2007-06/FederationMetadata.xml

2.2. Windows Server 2012R2/2016/2019


The following steps are specific for Windows Server 2012R2, Windows Server 2016 and Windows
Server 2019. All Windows Server versions look very similar and differences are pointed out in the flow.

2.2.1. Configure Relying Party Trust

1) Open AD FS Management from System Administrative Tools.

2) Select “Add Relying Party Trust” from the Actions menu.

3) Windows Server 2012R2: Press “Start” in the “Add Relying Party Trust Wizard”.

4) Windows Server 2016/2019: Press “Start” in the “Add Relying Party Trust Wizard” and keep the setting on “Claims aware”.

5) Download the Releezme metadata XML from https://<ReleezmeURL>/saml2 and use the second
option to select the XML.

6) Enter a display name of choice. Suggestion: “Releezme Locker Management System”.


Press “Next”.

7) Windows Server 2012R2: When requested to configure Multi-Factor Authentication, you can choose to do that now or later. For this guide we assume that it will not be configured, or will be configured later.
Press “Next”.
8) Windows Server 2012R2. You can select to either allow or deny all users access to Releezme. If
deny access is chosen then later on additional configuration is needed with the issuance
authorization rules. For this manual it is assumed that “allow all users” is selected.
Press “Next”.

9) Windows Server 2016/2019: You can select the permissions here. For this document we keep “Permit everyone” without MFA.
Press “Next”.

10) On this page you can check the settings. Usually it is correct and no action is needed.
Press “Next”.

11) Keep the check-mark in case you want to configure the claim rules immediately.
Press “Close”.

2.2.2. Configure Relying Party Trust Claim Rules


12) Open the Edit Claim Rules for Releezme Locker Management System dialog (if not opened after
following the guide in section 2.2.1). Select “Edit Claim Rules” after selecting the correct Relying
Party.

13) Press “Add Rule”.

14) Select “Send LDAP Attributes as Claims”. Press “Next”

15) Enter a claim rule name. Select “Active Directory” as the attribute store value and create the following mappings (note that no other mappings should be configured):

LDAP Attribute   Claim Attribute   Description
Given-Name   Given Name   Optional. If not set then no first name will be displayed.
Surname   Surname   Optional. If not set then no last name will be displayed.
User-Principal-Name   Name   Mandatory; this is the username as shown in Releezme. Note: if User-Principal-Name is not present in the AD, then use another unique (always present) alternative such as E-mail-Addresses or Employee-ID.
User-Principal-Name   Name ID   Mandatory. Note: if User-Principal-Name is not present in the AD, then use another unique (always present) alternative such as E-mail-Addresses or Employee-ID.
16) Press “Finish” when done.

17) Press “Add Rule” again. Now select “Send Group Membership as a Claim”. Press Next.

18) For each role within Releezme a mapping from your company’s groups must be made to the
Releezme roles.

19) Press “Finish”. If done then press “Apply”.

2.3. Windows Server Global Authentication policy
Within ADFS it is possible to set the global authentication methods. While most of these can remain at their defaults, there is one choice the customer needs to make.

Especially when Internet Explorer is used (though it can also be useful to set this up when other browsers are used within an organization), ADFS in many cases recognizes the browser as being on the intranet. This causes ADFS to allow “Windows Authentication” by default: instead of being routed to the ADFS web page, the user is presented with a Windows login popup. The consequence, however, is that on logout from Releezme the user is not actually logged out of ADFS, and simply entering the company code is sufficient to be logged in again. This might be a security risk.

To disable Windows Authentication, click “Edit” on the Global Authentication Policy in the ADFS management application:

Then disable “Windows Authentication”:

2.4. Multiple companies with one ADFS service

There are two supported mechanisms to have multiple companies with one ADFS service accessing Releezme by SSO:

• Create multiple Relying Party Trusts
• Use claim values

2.4.1. Multiple Relying Party Trusts

In 2.2.1 Configure Relying Party Trust an import was done of the Releezme metadata XML from https://<ReleezmeURL>/saml2. One of the settings that was imported was the Identifier, which is set to https://<ReleezmeURL>/.

Now we override that value with one that uniquely identifies a single Releezme company within the ADFS environment. This allows the use of multiple Relying Party Trusts with almost the same settings, differing only in the Identifier, each corresponding to one company in Releezme.

1. First go to the Relying Party Trust created previously, and go to the Identifiers page. This should
look something like

2. Select and remove https://<ReleezmeURL>. Create a new identifier that can be used to identify
this Relying Party Trust for a Releezme company against others. The original
https://<ReleezmeURL> value must be removed to prevent issues later when we create the next
Relying Party Trust.
Example for a new Relying party identifier: https://your.company/region=uk. Note that although the
Identifier has the format of a Url, it does not have to resolve to a working address.

3. One setting that was done in 2.2.1 (step 9), was to set the permissions with access for everyone.
This means that every user in ADFS has access to each of the Releezme companies.

You can limit this to only allow people that are member of a certain group access to a specific
company. Go to Edit Access Control Policy and select Permit specific group. Select the group(s)
that should have access.

Repeat the steps in 2.2.1 and 2.2.2 together with the steps described above for each of the Releezme companies, so that there is a one-to-one mapping in which each company in Releezme uses its own Relying Party Trust. Note that you must remove the original https://<ReleezmeURL>/ identifier each time, or the next import will be blocked (ADFS does not allow duplicate identifiers).

You must inform Vecos which Relying Party identifier is to be used for which Releezme company.

2.4.2. Use claim values

If multiple companies in Releezme are served by the same ADFS service, it is possible to encode the company code into the role, so that a specific user can be assigned directly to a role and a company. This prevents Releezme users from accessing companies to which they have no right.

As previously shown, a customer’s group membership is mapped onto a Releezme role in the “Send Group Membership as a Claim” rule. To scope it to a company, change the outgoing claim value to the role name plus the company code, separated by a semicolon, e.g. “CompanyFacilityManager;YourCompanyCodeA”. It is advised to also change the claim rule name to show for which company it is used.

Note: if your organization has two companies in Releezme, then this will double the number of claim
rules, as for each company a claim rule must be created.
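As an added illustration (not Releezme’s own code, which is not published here), the following Python shows how the “Role;CompanyCode” claim values of this section resolve to the roles a user holds in one company: a scoped value only counts for its own company code, while a bare role value is assumed here to apply to every company, which is the situation section 1.8 warns about. The claim types and the sample assertion contents are constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, Optional

# Role values from Table 1 of the manual; a claim must name one of these exactly.
RELEEZME_ROLES = frozenset({
    "CompanyServiceDesk",
    "CompanyServiceDeskPlus",
    "CompanyFacilityManager",
    "CompanyFacilityManagerPlus",
    "CompanyAdmin",
})

# Claim type carrying the role (the same type section 3.3, step 13, configures for Azure AD).
ROLE_CLAIM_TYPE = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"


@dataclass(frozen=True)
class RoleClaim:
    role: str
    company_code: Optional[str]  # None: the claim is not scoped to one company


def parse_role_claim(value: str) -> RoleClaim:
    """Split a role claim value of the form 'Role;CompanyCode' (section 2.4.2).

    A bare role value without ';' is accepted and returned unscoped. A value
    that is not a Releezme role, or a scoped value with an empty company
    code, is rejected so that a mistyped claim rule fails loudly.
    """
    role, sep, code = (part.strip() for part in value.partition(";"))
    if role not in RELEEZME_ROLES:
        raise ValueError(f"not a Releezme role: {value!r}")
    if sep and not code:
        raise ValueError(f"company code missing after ';': {value!r}")
    return RoleClaim(role, code or None)


def roles_for_company(claims: Iterable[tuple[str, str]], company_code: str) -> set[str]:
    """Roles granted for one company code by (claim type, value) pairs.

    Only role claims are considered. A scoped claim counts only when its
    company code matches exactly (assumption: matching is case-sensitive).
    An unscoped claim is assumed to apply to every company, which is the
    situation section 1.8 warns about.
    """
    granted: set[str] = set()
    for claim_type, value in claims:
        if claim_type != ROLE_CLAIM_TYPE:
            continue
        claim = parse_role_claim(value)
        if claim.company_code is None or claim.company_code == company_code:
            granted.add(claim.role)
    return granted


# Constructed sample assertion contents for a fictional user; not real data.
SAMPLE_CLAIMS = [
    ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", "j.doe@bigcorp.example"),
    (ROLE_CLAIM_TYPE, "CompanyFacilityManager;BigCorpNL"),
    (ROLE_CLAIM_TYPE, "CompanyServiceDesk;BigCorpBE"),
]

if __name__ == "__main__":
    for code in ("BigCorpNL", "BigCorpBE", "BigCorpUK"):
        print(code, sorted(roles_for_company(SAMPLE_CLAIMS, code)))
```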

3. Azure Active Directory

It is also possible to use Azure Active Directory for Releezme Single Sign-on. This is configured differently from Windows Server’s ADFS.

There are two ways of adding Releezme for SSO in Azure AD:

1. Use an Enterprise Application. This is the preferred way. See section 3.3.
2. Use an App registration only. See section 3.4.

Note that provisioning locker users via Azure AD through the SCIM API of Releezme is possible, but it is advised to create a separate Azure AD Enterprise Application for that due to configuration storage limits in Azure AD.

3.1. Disclaimer
The Azure portal is constantly updated, which can result in the following screenshots not looking exactly the same as the current portal; however, the flow normally should not differ much from this document.

3.2. Pre-conditions
The company has already configured an Azure Active Directory with users and groups. It is advised to create groups for each Releezme role and assign the correct users to the correct Releezme roles (see section 1.7), but it is also possible to assign users directly to the application.

3.3. Enterprise Application


The preferred method of adding Releezme for SSO is via an enterprise application. Note that
configuring the manifest on the app registration is still required.

1) Create an Enterprise Application from your Azure Active Directory by clicking “New application”.

2) Click “Create your own application”.

3) Enter a name for your application, e.g. “Vecos Releezme Locker Management System”. Ensure
that “Integrate any other application you don’t find in the gallery” is selected to create a non-gallery
application. Press “Create” to create the application.

4) In your newly created application first select “Set up single sign on”.

5) Choose SAML as the type.

6) Download the SAML2 configuration from Releezme by navigating in your browser to https://<ReleezmeURL>/saml2. This will download the XML file.

7) Select “Upload metadata file” from the SAML-based Sign-on page.

8) Select the downloaded XML file and press “Add”.

9) Leave all settings as automatically set in the Basic SAML configuration page and press Save.
a) Identifier should be https://<ReleezmeURL>/
b) Reply URL should be https://<ReleezmeURL>/saml2/acs
10) Optionally edit the Basic SAML configuration to add the Sign on URL:
i) https://<ReleezmeURL>/sso?companycode=YourCompanyCode
ii) “YourCompanyCode” must be replaced with the company code assigned to you by Vecos. It is also possible to leave out “?CompanyCode=” altogether.
11) Press “Save” to store the configuration. Select “I’ll test later” if the question pops up.
12) Now open “User Attributes & Claims”.

13) Click “Add new Claim” and enter a claim as shown here.

a) Name: role
b) Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
c) Source: attribute
d) Source attribute: user.assignedroles
14) While the Enterprise application is open, copy some information to be sent to Vecos:
a) Copy the App Federation Metadata Url.
b) Copy the Azure AD Identifier.
c) Both the App Federation Metadata URL and the Azure AD Identifier have to be sent to Vecos so they can add them to your company in Releezme.
15) Now the roles assigned to this Enterprise application have to be configured. This is done by going
back to the root of your Azure AD and selecting “App registrations”.

16) Select the application that was just created and open the Manifest.

17) Edit the manifest as described in section 3.5. Note that Azure might not allow you to delete the
default roles as they are in there, but then just add the Releezme roles to the existing ones. Save
the updated manifest.
18) Now go back to the Enterprise application to assign users and groups.

19) Click “Add user”.


20) Select the user and role that you want to let the user have. Note: we use user level role binding. It
is left up to the customer to configure groups to a role.

3.4. App Registration
It is also possible to configure SSO via an App registration, however it is advised to use the Enterprise
Application instead.

1) Log in to the Azure Portal and navigate to your Azure Active Directory.

2) Select “App Registrations”.

3) Press “New application registration”.

4) Fill in the information for Releezme.

a) The name must be at least 4 characters long and can be a name which makes sense within
your organization.
b) The redirect URI must be of type Web and with https://<ReleezmeURL>/sso/logincallback as
the URL.
5) Press “Register”.
6) The newly created application should be shown:

7) Select “Endpoints” and copy the value of “Federation Metadata Document”. This should be given
to VECOS to configure Single Sign-on at the Releezme side.

8) From the registered application click “Add an Application ID”.

a) Set the Application ID URI to: https://<ReleezmeURL>

9) Now the Releezme roles must be added manually, as mentioned in section 1.7.
a) Go to Manage -> Manifest.
b) Edit the manifest as described in section 3.5.
10) Go back to the app overview and click “Managed application in local directory”.

11) Click “Assign users and groups”:

12) Click “Add user”


13) Depending on your Azure AD pricing tier, you can select either only users or also groups. Group assignment allows you to use your internal groups and map these onto a Releezme role. This allows for easier administration, since you only need to keep your internal AD groups correct without having to change the Releezme app registration. The example below assumes that a user is selected.
14) Select a User (or group if available) and then select the Role:

15) Press “Select” to confirm the assignment. Then press “Assign” to create the assignment.
16) Optional:
a) Go to Manage -> Branding in the registered application
b) Fill in any information as you like.
17) Other optional configuration settings which can be done:
a) Properties:
i) upload a logo for the application to make it easier identifiable.

b) Set “User assignment required?” to “Yes” (recommended). Although not strictly needed for a
WS-Federation application, if this changes in the future this setting is already in place.

c) Self-service. Set these settings to what the company policy is: Keep “allow users to request
access to this application” on “No” (recommended) or set to “Yes” if you want your users to
gain access to this application by themselves. If set to “Yes” further configuration is required.

3.5. Registered Application Manifest Roles

The manifest of the registered app must be modified manually to include the Releezme roles (see section 1.7). The manifest is a JSON formatted text file. It is possible to download the complete manifest and edit it in your editor of choice, or to edit it directly online in the Azure Portal.

The Azure AD Application Registration page has a new feature in preview which allows easy editing of the app roles (see section 3.6). If possible, use this interface.

The only thing that needs to be changed is the list of appRoles. Locate the default empty list of appRoles and replace the contents of the list (the part between the square brackets []). See also: https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

3.5.1. Application Role Properties

• DisplayName: the name as displayed in the Azure AD environment. We suggest using something similar to “Releezme Service Desk”.
• Id: this must be filled with a unique GUID. Generate these with a dedicated tool; this can be done through https://www.guidgenerator.com/ or other tools.
• Description: put a useful description in here if needed.
• Value: this must be exactly one of the values mentioned in section 1.7.

3.5.2. Example
An example is given below. With this configuration only the service desk and facility manager roles are used, but the other roles can be added in the same way.

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role",
        "displayName": "Releezme Service Desk",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Facility Manager Role",
        "displayName": "Releezme Facility Manager",
        "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyFacilityManager"
    }
],
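As an added check (not part of the manual or of Vecos’ software), the following Python validates an appRoles list against the requirements of sections 3.5.1 and 3.5.2 (unique GUID, exact Releezme role value, “User” member type, clean display name) and can also generate a complete appRoles list with fresh GUIDs. The sample manifest fragment is constructed here: it reuses the two roles from the example above and adds a deliberately broken third entry.

```python
from __future__ import annotations

import json
import re
import uuid

# Role values from Table 1 of the manual; "value" must be exactly one of these.
RELEEZME_ROLES = frozenset({
    "CompanyServiceDesk",
    "CompanyServiceDeskPlus",
    "CompanyFacilityManager",
    "CompanyFacilityManagerPlus",
    "CompanyAdmin",
})

REQUIRED_KEYS = {"allowedMemberTypes", "description", "displayName", "id", "isEnabled", "value"}


def validate_app_roles(app_roles: list[dict]) -> list[str]:
    """Return the problems found in an appRoles list; an empty list means it passes.

    Checks follow section 3.5.1; the display-name check catches stray whitespace,
    which is easy to miss when the manifest is edited by hand.
    """
    problems: list[str] = []
    seen_ids: set[str] = set()
    for index, role in enumerate(app_roles):
        where = f"appRoles[{index}]"
        missing = REQUIRED_KEYS - set(role)
        if missing:
            problems.append(f"{where}: missing keys {sorted(missing)}")
            continue
        try:
            role_id = str(uuid.UUID(str(role["id"])))
        except ValueError:
            problems.append(f"{where}: id {role['id']!r} is not a GUID")
        else:
            if role_id in seen_ids:
                problems.append(f"{where}: duplicate id {role_id}")
            seen_ids.add(role_id)
        value = role["value"]
        if value not in RELEEZME_ROLES:
            problems.append(f"{where}: value {value!r} is not a Releezme role")
        if "User" not in role["allowedMemberTypes"]:
            problems.append(f"{where}: allowedMemberTypes must include 'User'")
        if role["isEnabled"] is not True:
            problems.append(f"{where}: role is not enabled")
        name = role["displayName"]
        if not name or name != name.strip():
            problems.append(f"{where}: displayName {name!r} is empty or has surrounding whitespace")
    return problems


def build_app_roles(values: list[str], prefix: str = "Releezme") -> list[dict]:
    """Generate a complete appRoles list for the given Releezme role values with fresh GUIDs."""
    unknown = set(values) - RELEEZME_ROLES
    if unknown:
        raise ValueError(f"not Releezme roles: {sorted(unknown)}")
    roles = []
    for value in values:
        # "CompanyFacilityManagerPlus" -> "Facility Manager Plus" for the display name.
        words = " ".join(re.findall(r"[A-Z][a-z]*", value[len("Company"):]))
        roles.append({
            "allowedMemberTypes": ["User"],
            "description": f"{prefix} {words} Role",
            "displayName": f"{prefix} {words}",
            "id": str(uuid.uuid4()),
            "isEnabled": True,
            "lang": None,
            "origin": "Application",
            "value": value,
        })
    return roles


# Constructed manifest fragment: the two roles from the manual's example (the second
# with a stray leading space), plus a third entry that reuses the first GUID and
# misspells the role value.
SAMPLE_MANIFEST = """{
  "appRoles": [
    {"allowedMemberTypes": ["User"], "description": "Releezme Service Desk Role",
     "displayName": "Releezme Service Desk", "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
     "isEnabled": true, "lang": null, "origin": "Application", "value": "CompanyServiceDesk"},
    {"allowedMemberTypes": ["User"], "description": "Releezme Facility Manager Role",
     "displayName": " Releezme Facility Manager", "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
     "isEnabled": true, "lang": null, "origin": "Application", "value": "CompanyFacilityManager"},
    {"allowedMemberTypes": ["User"], "description": "Releezme Admin Role",
     "displayName": "Releezme Admin", "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
     "isEnabled": true, "lang": null, "origin": "Application", "value": "CompanyAdministrator"}
  ]
}"""


def check_sample() -> list[str]:
    """Validate the constructed sample; expected to report three problems."""
    return validate_app_roles(json.loads(SAMPLE_MANIFEST)["appRoles"])
```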

3.6. App Roles (Preview) UI

• Open the Application Registration for the SSO Releezme app.
• Open App Roles | Preview.
• Create the required app roles via “+ Create app role”.
• Example Facility Manager:

3.7. Multiple companies with one Azure AD

There are two supported mechanisms to have multiple Releezme companies in one Azure AD environment accessing Releezme by SSO:

• Create a separate application for each company
• Use the application role to specify the company

3.7.1. Create separate application for each company

When creating an Enterprise application in Azure AD, an Identifier (Entity ID) is specified. When Releezme uses that Entity ID when attempting a login for a Releezme company, Azure AD can see for which application the login is performed.

This allows using one Enterprise application per Releezme company. Each is identified by its Identifier, so Azure AD can check whether the user that is logging in is allowed access to that specific Enterprise application.

To set this up, the following steps must be taken.

1. First change the Enterprise application created in 3.3 Enterprise Application. Go to the
Single sign-on settings and look at the Basic SAML Configuration. It currently shows the
value entered in step 9. Edit the Basic SAML Configuration and change the Identifier, for
instance to something like https://your.company/region=uk.
The Identifier must be unique in your Azure AD environment (otherwise Azure AD will prevent
you from using it). This also means that you must change the Identifier before creating the
next Enterprise application, as the Identifier is one of the values taken from the XML file
imported in step 8 of creating the Enterprise application.
The Identifier looks like a URL, but does not have to resolve to a working address.

Do not forget to save when you change the value.

Note that the Reply URL must remain unchanged.
2. Following the steps described in 3.3 Enterprise Application, create a second Enterprise
application with a corresponding App Registration (as described in 3.4).

Repeat the steps from 3.3, 3.4 and above for each of the Releezme companies. Use a unique
Identifier for each Enterprise application.

The Identifier values for all Enterprise applications have to be sent to Vecos so they can be used
to configure the different companies in Releezme. Make it clear which Identifier belongs to which
company to ensure this is configured correctly.

3.7.2. Use application role to specify the company
If multiple companies in Releezme are served by the same Azure AD, the company code can be
encoded into the role, so that a user can be assigned directly to a role within a specific company.
This prevents Releezme users from accessing companies to which they have no rights.

The Azure AD Application Registration page has a new feature in preview that allows easy editing
of the app roles. If possible, use this interface (see 3.6).

In the manifest the appRoles can include the company code by using the role name plus the company
code, separated by a semicolon. Example:

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role Company A",
        "displayName": "Company A Releezme Service Desk",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk;YourCompanyA"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role Company B",
        "displayName": "Company B Releezme Service Desk",
        "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk;YourCompanyB"
    }
],

Note: if your organization has two companies in Releezme, this doubles the number of app roles
in the manifest.
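Because the number of app roles grows with every company, writing the manifest fragment by hand quickly becomes error-prone. The following Python script is an added example (not part of the Vecos manual) that generates one appRole entry per role and company with the "Role;CompanyCode" value described above, gives each entry a fresh GUID as section 3.5 requires, and validates the result for duplicate ids, duplicate values, malformed GUIDs and unknown roles or company codes. The two role names are the ones shown in the manual's examples; the company codes are constructed placeholders.

```python
"""Generate and validate Azure AD appRoles entries that encode a Releezme
company code into the role value ("<Role>;<CompanyCode>").

Added example, not part of the Vecos manual. Role names are those shown in
the manual's examples; company codes are constructed placeholders.
"""
import json
import uuid

# Roles shown in the manual's examples (the complete list is in section 1.7).
RELEEZME_ROLES = ("CompanyServiceDesk", "CompanyFacilityManager")

# Constructed company codes standing in for the customer's real Releezme codes.
COMPANY_CODES = ("YourCompanyA", "YourCompanyB")

SEPARATOR = ";"  # separates role name and company code in the value


def build_app_roles(roles, companies):
    """Return one appRole entry per (role, company) pair.

    Every entry gets a fresh random GUID, which satisfies the requirement
    that each appRole id is unique within the manifest.
    """
    entries = []
    for company in companies:
        for role in roles:
            entries.append({
                "allowedMemberTypes": ["User"],
                "description": f"Releezme {role} role for {company}",
                "displayName": f"{company} Releezme {role}",
                "id": str(uuid.uuid4()),
                "isEnabled": True,
                "lang": None,
                "origin": "Application",
                "value": f"{role}{SEPARATOR}{company}",
            })
    return entries


def parse_role_value(value):
    """Split a role claim value into (role, company_code).

    A value without the separator is the plain form from section 3.5;
    company_code is then None.
    """
    role, sep, company = value.partition(SEPARATOR)
    return role, (company if sep else None)


def validate_app_roles(entries, roles, companies):
    """Return a list of problems; an empty list means the fragment is sound."""
    problems = []
    ids = [e["id"] for e in entries]
    values = [e["value"] for e in entries]
    if len(set(ids)) != len(ids):
        problems.append("duplicate appRole id")
    if len(set(values)) != len(values):
        problems.append("duplicate appRole value")
    for entry in entries:
        try:
            uuid.UUID(entry["id"])
        except ValueError:
            problems.append(f"id {entry['id']!r} is not a GUID")
        role, company = parse_role_value(entry["value"])
        if role not in roles:
            problems.append(f"unknown role in value {entry['value']!r}")
        if company is not None and company not in companies:
            problems.append(f"unknown company code in value {entry['value']!r}")
    return problems


if __name__ == "__main__":
    fragment = build_app_roles(RELEEZME_ROLES, COMPANY_CODES)
    assert validate_app_roles(fragment, RELEEZME_ROLES, COMPANY_CODES) == []
    # Paste the printed object into the manifest's "appRoles" array.
    print(json.dumps({"appRoles": fragment}, indent=2))
```

Run the script and paste the printed array into the manifest; rerun `validate_app_roles` after any manual edit, since a duplicated id is exactly the kind of mistake Azure AD rejects only when you try to save.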

4. Okta SAML2
4.1. Introduction
Okta (www.okta.com) provides cloud software that helps companies manage and secure user
authentication. It also offers an SSO service that can be integrated with Releezme via SAML2.

4.2. Pre-conditions
The company has already configured Okta with its users and groups. A group must be created for
each Releezme role, and the correct users must be assigned to the correct Releezme roles (see 4.4).

4.3. App Registration


1. Log in to Okta. By default, you are logged in to your company’s page.
2. Make sure you have sufficient rights to create applications and to assign people to
applications in specific roles.

Note: this manual was made with a developer account, but this is similar to a normal
administrator account.
3. From the left side-bar select “Applications” and create a new application via “Create App
Integration”.
4. Select sign-in method “SAML 2.0” and click Next.

5. Fill in an application name and press Next (optionally add an icon).

6. Fill in the SAML settings. Use the following table.


Setting                                   Value
Single sign on URL                        https://<ReleezmeURL>/saml2/acs (see 1.4)
Audience URI (SP Entity ID)               https://<ReleezmeURL> (see 1.4)
Attribute Statement: Name                 http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Attribute Statement: Name format          URI Reference
Attribute Statement: Value                user.email
Group Attribute Statement: Name           http://schemas.microsoft.com/ws/2008/06/identity/claims/role
Group Attribute Statement: Name format    URI Reference
Group Attribute Statement: Filter         Starts with: ‘Company’

7. Fill in the general SAML Settings (Note: the screenshots below show the URL for the Releezme
European environment. See 1.4 for the exact URL for your situation).

8. Set up the attributes. Click Next to complete the changes.

9. Fill in the feedback and click Finish to complete the application creation.

10. The newly created application is shown.

11. Select “Sign On” and click the ‘Identity Provider metadata’ link.

12. An XML file will be shown. The URL of this XML document should be given to VECOS to
configure Single Sign-on at the Releezme side. This URL is typically of the form
https://your_company.okta.com/app/*********/sso/saml/metadata

13. Assign your users to the application. Click ‘Assignments’ and assign users and/or groups.
Adding the Releezme groups should be sufficient. Click ‘Assign’ for the appropriate groups
and then click ‘Done’:

4.4. Releezme role configuration


1. From the home page click ‘Directory’ and then ‘Groups’.

2. Click ‘Add Group’, fill in one of the Releezme role names and click ‘Add Group’:

3. The group is now created. Repeat this for all roles listed in 1.7.
4. When all groups are created, select the group you want to assign users to.

5. The group will be shown. Click ‘Assign People’:

6. Add the users for this group and click ‘Save’.


7. The user(s) are now added to the group and have the appropriate role when signing in to
Releezme.

5. SURFconext
5.1. Introduction
SURF is a collaborative organisation for ICT in Dutch education and research. One of its products
is SURFconext, which gives access to the connected services with one set of credentials. Releezme by
VECOS is one of the service providers available through it. However, some configuration is required.

5.2. Company Settings in Releezme


Within Releezme the company for your organization must be configured for use with SURFconext:

• The company code is the same as your organisation’s name (SAML2 attribute
“urn:oid:1.3.6.1.4.1.25178.1.2.9”)
• Federation Metadata address for SURFconext is:
https://metadata.surfconext.nl/idp-metadata.xml
• The SAML2 Entity Identifier for SURFconext is:
https://engine.surfconext.nl/authentication/idp/metadata

5.3. Required Attributes


Releezme uses several SAML2 attributes from your organisation:

• Given Name (optional): urn:oid:2.5.4.42
• Surname (optional): urn:oid:2.5.4.4
• Preferred language (optional): urn:oid:2.16.840.1.113730.3.1.39
o Used to set the language of the Releezme website if that language is available.
• Organisation name (mandatory): urn:oid:1.3.6.1.4.1.25178.1.2.9
o Note that the organisation name must be the same as your company code.
• Entitlement/eduPersonEntitlement (mandatory): urn:oid:1.3.6.1.4.1.5923.1.1.1.7
The value of the entitlement must be one of the Releezme roles as defined in 1.7, prefixed by
“urn:mace:surfnet.nl:surfconext.nl:vecos.com:role:”.
For example:
urn:mace:surfnet.nl:surfconext.nl:vecos.com:role:companyservicedesk
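The following Python code is an added example (not part of the Vecos manual) that shows how the attributes listed above combine into a login decision: the organisation name must equal the Releezme company code, and at least one eduPersonEntitlement value must carry the Vecos prefix followed by a known role. The attribute OIDs and the prefix are taken from this section; the attribute values are constructed sample data, the exact (case-sensitive) comparison of organisation name and company code is an assumption, and the role list contains only the two roles shown in the manual's examples.

```python
"""Map SURFconext SAML2 attributes to a Releezme role and company.

Added example, not part of the Vecos manual. Attribute OIDs and the
entitlement prefix come from section 5.3; sample values are constructed.
"""

ENTITLEMENT_PREFIX = "urn:mace:surfnet.nl:surfconext.nl:vecos.com:role:"

# Attribute names (urn:oid form) as listed in section 5.3.
ATTR_GIVEN_NAME = "urn:oid:2.5.4.42"
ATTR_SURNAME = "urn:oid:2.5.4.4"
ATTR_LANGUAGE = "urn:oid:2.16.840.1.113730.3.1.39"
ATTR_ORGANISATION = "urn:oid:1.3.6.1.4.1.25178.1.2.9"
ATTR_ENTITLEMENT = "urn:oid:1.3.6.1.4.1.5923.1.1.1.7"

# Releezme roles shown in the manual's examples; the complete list is in 1.7.
RELEEZME_ROLES = ("CompanyServiceDesk", "CompanyFacilityManager")

# Constructed sample: a decoded attribute statement as name -> list of values
# (SAML attributes are multi-valued, eduPersonEntitlement in particular).
SAMPLE_ATTRIBUTES = {
    ATTR_GIVEN_NAME: ["Alex"],
    ATTR_SURNAME: ["Example"],
    ATTR_LANGUAGE: ["nl"],
    ATTR_ORGANISATION: ["example-university"],
    ATTR_ENTITLEMENT: [
        "urn:mace:surfnet.nl:surfconext.nl:vecos.com:role:companyservicedesk",
        "urn:mace:dir:entitlement:common-lib-terms",  # unrelated entitlement, ignored
    ],
}


def roles_from_entitlements(values, known_roles=RELEEZME_ROLES):
    """Return (roles, unknown) for a list of eduPersonEntitlement values.

    Only values with the Vecos prefix are considered. The role part is matched
    case-insensitively, because the manual's example is lower case while the
    role names in 1.7 are CamelCase. Prefixed values that name no known role
    are returned in `unknown` so a misconfigured entitlement is visible.
    """
    by_lower = {r.lower(): r for r in known_roles}
    roles, unknown = [], []
    for value in values:
        if not value.startswith(ENTITLEMENT_PREFIX):
            continue
        role = by_lower.get(value[len(ENTITLEMENT_PREFIX):].lower())
        if role:
            roles.append(role)
        else:
            unknown.append(value)
    return roles, unknown


def map_surfconext_user(attributes, expected_company_code):
    """Build the login decision from the SAML attributes.

    Organisation name (mandatory) must equal the company code (assumed exact
    match); the entitlement (mandatory) must yield at least one Releezme role.
    """
    org = attributes.get(ATTR_ORGANISATION, [])
    if not org:
        return {"ok": False, "reason": "organisation name attribute missing"}
    if org[0] != expected_company_code:
        return {"ok": False,
                "reason": f"organisation {org[0]!r} does not match company code "
                          f"{expected_company_code!r}"}
    roles, unknown = roles_from_entitlements(attributes.get(ATTR_ENTITLEMENT, []))
    if not roles:
        return {"ok": False, "reason": "no Releezme role in entitlement",
                "unknown_entitlements": unknown}
    first = lambda name: (attributes.get(name) or [None])[0]  # optional attributes
    return {
        "ok": True,
        "company": org[0],
        "roles": roles,
        "given_name": first(ATTR_GIVEN_NAME),
        "surname": first(ATTR_SURNAME),
        "language": first(ATTR_LANGUAGE),
        "unknown_entitlements": unknown,
    }


if __name__ == "__main__":
    print(map_surfconext_user(SAMPLE_ATTRIBUTES, "example-university"))
```

The `unknown_entitlements` list is the useful diagnostic when a user is refused: it shows entitlements that were meant for Releezme but carry a role name that is not in 1.7 (a typo in the prefix, by contrast, makes the value disappear silently because the prefix check fails).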

6. Troubleshooting
6.1. Errors in the ADFS login page
Scenario:

1. User navigates with their browser to https://<ReleezmeURL>/sso and enters the correct
company code.
2. Releezme redirects user to the ADFS page of the company.
3. Company ADFS login page displays an error.

Likely causes:

• Customer side configuration uses an incorrect relying party trust identifier or an incorrect
endpoint definition (https://<ReleezmeURL>/).
• Access control has not been set up correctly, or the user is not authorized by the ADFS service
to use the Releezme application.

6.2. Redirected back to login page


Scenario:

1. User navigates with their browser to https://<ReleezmeURL>/sso and enters the correct
company code.
2. Releezme redirects user to the ADFS page of the company.
3. User enters their company credentials on their own company’s ADFS page, or the ADFS page
directly redirects back to Releezme.
4. Releezme does not log in the user and again shows the Releezme SSO login page, so the user
has to enter the company code again.

Likely causes:

• Customer side claim configuration is incorrect:
o Missing Role.
o Missing Name ID, which must be present.
o Or no claim configuration defined at all.
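To tell these three causes apart without waiting for another failed login, it helps to look at the assertion the IdP actually sent. The following Python check is an added diagnostic example (not part of the Vecos manual) that inspects a SAML2 assertion for a missing Name ID, a missing role claim, or no attribute statement at all. The assertion XML is constructed for the example, and the role claim type is the one this manual configures for Okta in 4.3; whether an ADFS server issues the same claim type depends on its claim rules. A production service provider validates the signature and conditions with a SAML library before reading any attribute; this check is for diagnosing a captured, already trusted assertion.

```python
"""Check a SAML2 assertion for the claims Releezme needs (troubleshooting 6.2).

Added example, not part of the Vecos manual. The assertions are constructed
and unsigned; the check does not replace signature validation.
"""
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Role claim type used in the manual's Okta configuration (section 4.3).
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Constructed sample: a complete assertion with Name ID and a role claim.
GOOD_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID>alex@example.invalid</saml2:NameID>
  </saml2:Subject>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
      <saml2:AttributeValue>alex@example.invalid</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role">
      <saml2:AttributeValue>CompanyServiceDesk</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>"""

# Constructed sample: the "no claim configuration at all" case.
NO_CLAIMS_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Subject>
    <saml2:NameID>alex@example.invalid</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""


def attribute_values(root, name):
    """Return the text of every AttributeValue of the attribute called `name`."""
    values = []
    for attr in root.iterfind(".//saml2:AttributeStatement/saml2:Attribute", NS):
        if attr.get("Name") == name:
            values.extend((v.text or "").strip()
                          for v in attr.iterfind("saml2:AttributeValue", NS))
    return [v for v in values if v]


def check_assertion(xml_text):
    """Return the problems that make Releezme fall back to its SSO login page.

    An empty list means Name ID and role claim are both present.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("./saml2:Subject/saml2:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing Name ID")
    if root.find(".//saml2:AttributeStatement", NS) is None:
        problems.append("no claim configuration (no AttributeStatement)")
    elif not attribute_values(root, ROLE_CLAIM):
        problems.append("missing role claim")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_ASSERTION), ("no claims", NO_CLAIMS_ASSERTION)):
        print(label, check_assertion(text) or "ok")
```

Feed it the decoded SAMLResponse from the browser's developer tools (the assertion element, after signature validation) and the output names the missing piece directly, instead of the generic "back to the login page" symptom described above. Parse untrusted XML with a hardened parser such as defusedxml rather than the standard library parser used here for brevity.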
