Configuration Manual
SSO can be configured with any identity provider that supports the technologies mentioned above, but this
document details how to configure it with the following systems:
1.2. Disclaimer
The user interfaces of cloud providers evolve constantly, so all screenshots shown here reflect the
services as they looked at the time of writing. They may look different at the moment this manual is
applied, but the basic functionality remains the same:
• Set up your SAML 2.0 (or WS-Federation) Identity Provider with the Vecos Locker
Management System as an “application”.
• Set up the groups as required by Releezme.
• Set up access for authorised users to the application with one of the required roles.
Note: only people who manage the locker system need access; do not let normal locker users access
the Releezme website.
1.4. URLs
For each Releezme environment a different URL is used.
Environment      URL
Europe           https://www.releezme.net
Australia        https://au.releezme.net
North America    https://na.releezme.net
On-premises      https://<CustomerDefined>/configuration
Only the Releezme SaaS URLs are pre-defined, but for on-premises the URL depends on the
The rest of this document mentions only https://<ReleezmeURL>. It is left up to the reader to
replace the ReleezmeURL with the appropriate URL for their environment.
The above-mentioned URLs bring you directly to the Releezme website in those environments,
but when using SSO you would then have to select the SSO link at the bottom of the page. Therefore
there is a short-cut:
Environment      URL
Europe           https://sso.releezme.net
Australia        https://sso-au.releezme.net
North America    https://sso-na.releezme.net
On-premises      https://<CustomerDefined>/configuration/sso
Additionally you can add your company code directly to the URL with the query parameter:
&companycode=YourCompanyCode
Note that for SAML2 the EntityId of the customer’s IdP must be configured in Releezme. Vecos can
simply download the metadata and use the EntityId mentioned there.
Name                          Description
CompanyServiceDesk            Limited read-only rights; to be used for read-only service desk employees only.
CompanyServiceDeskPlus        Read and write rights; to be used for service desk employees only.
CompanyFacilityManager        More rights than a service desk employee; used for a normal facility manager.
CompanyFacilityManagerPlus    Extended facility manager; can manipulate more settings within the company and should be given only to facility managers trained by VECOS specifically for this task.
CompanyAdmin                  Full rights on the company for administration purposes.
Table 1. Releezme Roles
Note that the “Plus” roles are only available from Releezme Release 1.6 and higher. For SaaS
customers this is always the case; for on-premises customers, please check your Releezme
configuration before configuring your identity provider.
An example: a large corporation has branches in The Netherlands and in Belgium. Both
branches have their own company in the Releezme system, but the corporation has one Azure AD
environment which manages all their employees.
In the Releezme configuration both companies have a different company code, e.g. BigCorpNL and
BigCorpBE.
Releezme is created as one application within their Azure AD, and all employees from the NL and the
BE branches are configured to have access to Releezme via the Azure AD.
Without any special configuration, all authorized people would have access to both companies in
Releezme, simply by using the different company codes. This is not a wanted situation, since
the facility managers in one country are not authorized for the other country.
• Active Directory with users and groups. It is advised to create a group for each Releezme role and
assign users to the group corresponding to their Releezme role. See Table 1 for the available roles.
• Active Directory Federation Services (ADFS)
o Must be accessible through the internet (in case of connecting to Releezme SaaS).
o Must use a valid SSL certificate and must be accessible through HTTPS.
o Must have a defined metadata address URL:
https://<your url>/FederationMetadata/2007-06/FederationMetadata.xml
3) Windows Server 2012R2: press “Start” in the “Add Relying Party Trust Wizard”.
4) Windows Server 2016/2019: press “Start” in the “Add Relying Party Trust Wizard” and keep the
setting on “Claims aware”.
7) Windows Server 2012R2: when requested to configure Multi-Factor Authentication, you can
choose to do that now or later. For this guide we assume that it will not be configured, or will be configured later.
Press “Next”.
Press Next.
8) Windows Server 2012R2: you can choose to either allow or deny all users access to Releezme. If
deny access is chosen, additional configuration of the issuance authorization rules is needed later on.
For this manual it is assumed that “allow all users” is selected.
Press “Next”.
9) Windows Server 2016/2019: you can select the permissions here. For this document we keep
“permit everyone” without MFA.
10) On this page you can check the settings. Usually they are correct and no action is needed.
Press “Next”.
11) Keep the check-mark if you want to configure the claim rules immediately.
Press “Close”.
15) Enter a claim rule name. Select “Active Directory” as the “attribute store” value and create the following
mappings (note that no other mappings should be configured):
17) Press “Add Rule” again. Now select “Send Group Membership as a Claim”. Press Next.
18) For each role within Releezme a mapping from your company’s groups must be made to the
Releezme roles.
Especially when Internet Explorer is used (although it can also be useful to set this up when other
browsers are used within the organization), ADFS often recognizes the browser as being on the intranet.
This causes ADFS to allow “Windows Authentication” by default: instead of being routed to the ADFS
web page, the user is presented with a Windows login popup. The consequence, however, is that at
Releezme logout the user is not actually logged out of ADFS, and simply entering the company code is
sufficient to be logged in again. This might be a security risk.
To disable Windows Authentication click “Edit” on the global authentication policy in the ADFS configuration application:
Now we will override that value and give it a value that uniquely identifies a single Releezme company
within the ADFS environment. This allows the use of multiple Relying Party Trusts with almost the same
settings, differing only in their Identifier, each corresponding to one company in Releezme.
2. Select and remove https://<ReleezmeURL>. Create a new identifier that distinguishes this Relying
Party Trust for a Releezme company from the others. The original https://<ReleezmeURL> value must
be removed to prevent issues later when the next Relying Party Trust is created.
Example of a new Relying Party identifier: https://your.company/region=uk. Note that although the
Identifier has the format of a URL, it does not have to resolve to a working address.
3. One setting made in 2.2.1 (step 9) was to set the permissions to allow access for everyone.
This means that every user in ADFS has access to each of the Releezme companies.
Repeat the steps in 2.2.1 and 2.2.2 together with the steps described above for each of the Releezme
companies, so that each company in Releezme corresponds one-to-one with a Relying Party Trust. Note
that you must remove the original https://<ReleezmeURL>/ identifier each time, or the next import
will be blocked (ADFS does not allow duplicate identifiers).
You must inform Vecos which Relying Party identifier should be used for which Releezme company.
As shown previously, a customer’s group membership is mapped onto a Releezme role by modifying
the “Send Group Membership as a Claim” rule and changing the outgoing claim value to include the
company code: the role name plus the company code, separated by a semicolon,
e.g. “CompanyFacilityManager;YourCompanyCodeA”. It is advised to also modify the claim rule name
to show for which company it is used.
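The following added example (illustrative code, not Releezme’s own implementation) shows how a relying party can evaluate role claims in the “Role;CompanyCode” format described above against the company code the user entered, so that roles scoped to another company are ignored. It assumes that a bare role value without company code applies to any company and that company codes are compared case-insensitively.

```python
from typing import Iterable, Optional, Tuple

# Roles from Table 1, in increasing order of rights.
RELEEZME_ROLES = ["CompanyServiceDesk", "CompanyServiceDeskPlus",
                  "CompanyFacilityManager", "CompanyFacilityManagerPlus",
                  "CompanyAdmin"]


def parse_role_claim(value: str) -> Optional[Tuple[str, Optional[str]]]:
    """Split a claim value "Role;CompanyCode" (or a bare "Role") into its parts.

    Returns None for values that are not a Releezme role, so other group
    claims the IdP happens to send are ignored instead of being mapped."""
    role, _, company = value.strip().partition(";")
    if role not in RELEEZME_ROLES:
        return None
    return role, (company.strip() or None)


def resolve_role(claims: Iterable[str], company_code: str) -> Optional[str]:
    """Return the highest role granted for company_code, or None (no access).

    A value without a company code applies to any company (single-company
    setup, an assumption). Values scoped to another company are skipped, which
    keeps the NL facility managers out of the BE company although both
    companies share one IdP application. Company codes are compared
    case-insensitively (also an assumption, not documented behaviour)."""
    best = None
    for value in claims:
        parsed = parse_role_claim(value)
        if parsed is None:
            continue
        role, company = parsed
        if company is not None and company.lower() != company_code.lower():
            continue
        if best is None or RELEEZME_ROLES.index(role) > RELEEZME_ROLES.index(best):
            best = role
    return best


# Constructed sample: the role claims one user of the NL branch might carry.
SAMPLE_CLAIMS = [
    "CompanyFacilityManager;BigCorpNL",
    "CompanyServiceDesk;BigCorpBE",
    "Domain Users",  # unrelated group claim, ignored
]

if __name__ == "__main__":
    print(resolve_role(SAMPLE_CLAIMS, "BigCorpNL"))  # CompanyFacilityManager
    print(resolve_role(SAMPLE_CLAIMS, "BigCorpBE"))  # CompanyServiceDesk
    print(resolve_role(SAMPLE_CLAIMS, "BigCorpFR"))  # None
```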
There are two ways of adding Releezme for SSO in Azure AD:
1. Use an Enterprise Application. This is the preferred way. See section 3.3.
2. Use an App registration only. See section 3.4.
Note that provisioning locker users via Azure AD through the SCIM API of Releezme is possible,
but it is advised to create a separate Azure AD Enterprise Application for that, due to configuration storage
limits in Azure AD.
3.1. Disclaimer
The Azure portal is constantly updated, which can result in the following screenshots not looking
exactly the same as the current portal; however, the flow normally should not differ much from this
document.
3.2. Pre-conditions
The company has already configured an Azure Active Directory with users and groups. It is advised to
create groups for each Releezme role and assign the correct users to the correct Releezme roles (see
Table 1), but it is also possible to assign users directly to the application.
1) Create an Enterprise Application from your Azure Active Directory by clicking “New application”.
3) Enter a name for your application, e.g. “Vecos Releezme Locker Management System”. Ensure
that “Integrate any other application you don’t find in the gallery” is selected to create a non-gallery
application. Press “Create” to create the application.
4) In your newly created application first select “Set up single sign on”.
9) Leave all settings as automatically set on the Basic SAML configuration page and press
Save.
13) Click “Add new Claim” and enter a claim as shown here.
a) Name: role
b) Namespace: http://schemas.microsoft.com/ws/2008/06/identity/claims/role
c) Source: attribute
d) Source attribute: user.assignedroles
14) While the Enterprise application is open, copy some information to be sent to Vecos:
c) Both the app federation metadata URL and the Azure AD identifier have to be sent to Vecos
so they can add them to your Company in Releezme.
15) Now the roles assigned to this Enterprise application have to be configured. This is done by going
back to the root of your Azure AD and selecting “App registrations”.
16) Select the application that was just created and open the Manifest.
17) Edit the manifest as described in section 3.5. Note that Azure might not allow you to delete the
default roles as they are in there, but then just add the Releezme roles to the existing ones. Save
the updated manifest.
18) Now go back to the Enterprise application to assign users and groups.
a) The name must be at least 4 characters long and can be a name which makes sense within
your organization.
b) The redirect URI must be of type Web and with https://<ReleezmeURL>/sso/logincallback as
the URL.
5) Press “Register”.
6) The newly created application should be shown:
7) Select “Endpoints” and copy the value of “Federation Metadata Document”. This should be given
to VECOS to configure Single Sign-on at the Releezme side.
15) Press “Select” to confirm the assignment. Then press “Assign” to create the assignment.
16) Optional:
a) Go to Manage -> Branding in the registered application
b) Fill in any information as you like.
17) Other optional configuration settings which can be done:
a) Properties:
i) upload a logo for the application to make it more easily identifiable.
c) Self-service. Set these settings to what the company policy is: Keep “allow users to request
access to this application” on “No” (recommended) or set to “Yes” if you want your users to
gain access to this application by themselves. If set to “Yes” further configuration is required.
The Azure AD Application Registration page has a new feature in preview, which allows for easy
editing of the app roles. If possible, use this interface.
The only thing that needs to be changed is the list of appRoles. Locate the default empty list of
appRoles and replace the contents of the list (the part between the square brackets []). See also:
https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles
Value: this must be exactly one of the values mentioned in Table 1.
3.5.2. Example
An example is given below. With this configuration only the service desk and facility manager roles are
used, but the other roles can be added.
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role",
        "displayName": "Releezme Service Desk",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Facility Manager Role",
        "displayName": "Releezme Facility Manager",
        "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyFacilityManager"
    }
],
This allows using an Enterprise application per Releezme company. Each is identified by its Identifier,
so Azure AD can check whether the user that is logging in is allowed access to that specific Enterprise
application.
Repeat the steps from 3.3, 3.4 and above for each of the Releezme companies. Use a unique
identifier for each Enterprise Application.
The Identifier values of all Enterprise applications have to be sent to Vecos so they can be used
to configure the different companies in Releezme. Make clear which Identifier belongs to which
company to ensure this is configured correctly.
In the manifest the appRoles can include the company code by using the role name plus the company
code, separated by a semicolon. Example:
"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role Company A",
        "displayName": "Company A Releezme Service Desk",
        "id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk;YourCompanyA"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Releezme Service Desk Role Company B",
        "displayName": "Company B Releezme Service Desk",
        "id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "CompanyServiceDesk;YourCompanyB"
    }
],
Note: if your organization has two companies in Releezme, this doubles the number of
app roles in the manifest.
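Writing these appRoles entries by hand for several companies is error-prone (every entry needs its own GUID and a value that exactly matches a Releezme role). The added example below (not Vecos’s or Microsoft’s code) generates the per-company appRoles fragment in the shape of the manifest examples above and checks it for unknown role names and duplicate ids or values before it is pasted into the manifest; the display names it produces are an assumption.

```python
import json
import uuid

# Roles from Table 1 of the manual.
RELEEZME_ROLES = ["CompanyServiceDesk", "CompanyServiceDeskPlus",
                  "CompanyFacilityManager", "CompanyFacilityManagerPlus",
                  "CompanyAdmin"]


def build_app_roles(company_codes, roles=RELEEZME_ROLES):
    """Return appRoles entries in the shape of the manual's examples.

    With no company codes the plain single-company values are produced;
    otherwise each role is repeated per company as "Role;CompanyCode",
    which is why two companies double the number of app roles."""
    entries = []
    for company in (company_codes or [None]):
        for role in roles:
            label = f"Releezme {role}" if company is None else f"{company} Releezme {role}"
            entries.append({
                "allowedMemberTypes": ["User"],
                "description": f"{label} role",
                "displayName": label,
                "id": str(uuid.uuid4()),  # fresh GUID; ids must be unique in the manifest
                "isEnabled": True,
                "lang": None,
                "origin": "Application",
                "value": role if company is None else f"{role};{company}",
            })
    return entries


def validate_app_roles(entries):
    """List problems that would break the role mapping: unknown role names,
    duplicate ids or duplicate values. An empty list means the fragment is fine."""
    problems, seen_ids, seen_values = [], set(), set()
    for entry in entries:
        role = entry["value"].split(";", 1)[0]
        if role not in RELEEZME_ROLES:
            problems.append(f"unknown role in value {entry['value']!r}")
        if entry["id"] in seen_ids:
            problems.append(f"duplicate id {entry['id']}")
        if entry["value"] in seen_values:
            problems.append(f"duplicate value {entry['value']!r}")
        seen_ids.add(entry["id"])
        seen_values.add(entry["value"])
    return problems


if __name__ == "__main__":
    # Constructed sample: the manual's two companies with only the service desk
    # and facility manager roles, as in section 3.5.2.
    fragment = build_app_roles(["BigCorpNL", "BigCorpBE"],
                               roles=["CompanyServiceDesk", "CompanyFacilityManager"])
    assert validate_app_roles(fragment) == []
    print(json.dumps({"appRoles": fragment}, indent=2))
```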
4.2. Pre-conditions
The company has already configured Okta with their users and groups. Groups must be created
for each Releezme role, and the correct users assigned to the correct Releezme roles (see 4.4).
Note: this manual was made with a developer account, but the procedure is similar for a normal
administrator account.
3. From the left side-bar select “Applications” and create a new application via “Create App
Integration”.
4. Select sign-in method “SAML 2.0” and click Next.
7. Fill in the general SAML Settings (Note: the screenshots below show the URL for the Releezme
European environment. See 1.4 for the exact URL for your situation).
9. Fill in the feedback and click Finish to complete the application creation.
12. An XML file will be shown. The URL of this XML document should be given to VECOS to
configure Single Sign-on at the Releezme side. This URL will typically be of the form
https://your_company.okta.com/app/*********/sso/saml/metadata
13. Assign your users to the application. Click ‘Assignments’ and assign users and/or groups.
Adding the Releezme groups should be sufficient. Click ‘Assign’ for the appropriate groups
and then click ‘Done’:
3. The group is now created. Repeat this for all roles listed in 1.7.
4. When all groups are created, select the group you want to assign users to.
5. SURFconext
5.1. Introduction
SURF is a collaborative organisation for ICT in Dutch education and research. One of their products
is SURFconext, which allows access to the connected services with one set of credentials. Releezme by
VECOS is one of the service providers available. However, some configuration is required.
• The company code is the same as your organisation’s name (SAML2 attribute
“urn:oid:1.3.6.1.4.1.25178.1.2.9”)
• Federation Metadata address for SURFconext is:
https://metadata.surfconext.nl/idp-metadata.xml
• The SAML2 Entity Identifier for SURFconext is:
https://engine.surfconext.nl/authentication/idp/metadata
6. Troubleshooting
6.1. Errors in the ADFS login page
Scenario:
1. User navigates with their browser to https://<ReleezmeURL>/sso and enters the correct
company code.
2. Releezme redirects user to the ADFS page of the company.
3. Company ADFS login page displays an error.
Likely causes:
• The customer-side configuration uses an incorrect relying party trust identifier or an incorrect
endpoint definition (https://<ReleezmeURL>/).
• Access control has not been set up correctly, or the user is not authorized by the ADFS service to use
the Releezme application.
1. User navigates with their browser to https://<ReleezmeURL>/sso and enters the correct
company code.
2. Releezme redirects user to the ADFS page of the company.
3. User enters their company credentials in their own company’s ADFS page, or the ADFS page
directly redirects back to Releezme.
4. Releezme does not log in the user and again shows the Releezme SSO login page, so the
user has to enter the company code again.
Likely causes: