Single Sign On (SSO) | SSO Solution

miniOrange Single Sign-On (SSO) removes the need to repeatedly type usernames and passwords, which increases productivity and prevents many types of online fraud that is caused by using same or similar passwords across apps, typing in passwords in un-safe environments, password sharing etc. By enabling users to quickly and securely access applications, they can spend less time with technology and more time with their work.

Enterprise users regularly need to remember eight or more application passwords. Security best practices require those passwords be unique, strong and frequently changed. It’s no wonder enterprise users write them down, stick them to the monitor or just forget them.

miniOrange Single Sign-On (SSO) addresses these challenges by significantly reducing clicks and eliminating the need to remember or enter application usernames and passwords. Proven in enterprise environments around the world, miniOrange Single Sign-On can be used with all types of applications, saving enterprise users 15 minutes every shift, improving satisfaction levels and driving adoption.

Optimized workflows enable faster access to information and enhanced delivery. Passwords become centrally managed, simplifying HIPAA and HITECH compliance without impacting enterprise users or IT staff.

2. Creating a free Single Sign-On trial account

Create a free Single Sign-On Trial account with miniOrange.

Navigate to Free Trial Page
Enter Email Address, Cellphone Number, First Name, Last Name and Company Name. Select Single Sign-On Area of Interest.
Click on Sign up Now.
Account details will be sent to the registered Email address.

3. miniOrange Single Sign-On Admin Dashboard Overview

3.1 How to add users?

You can add users to our system in two ways-

Go to the Users/Groups tab -> Manage Users/Groups in Admin Console and click on Add User button to create a new user.

Download sample CSV format from our console and edit this CSV file according to it and upload it to our console via Bulk Upload. Note: If you can't see the Upload button, please contact us at info@miniorange.com to enable it.

3.2 How to see the Onboarding Status?

To see Onboarding Status go to Dashboard tab -> on the right side, under basic features you can see the OnBoarding status just click on that. Here you can see a pie chart, showing the status of user on-boarded.

3.3 How to enable or disable users?

To enable, the disabled users go to the Users/Groups tab and click the dropdown menu of the last column then you can see Disable User and Enable User options. Click on Enable to unlock the user and vice versa.

3.4 How to manage groups?

To manage groups navigate through Users/Groups tab -> Manage Users/Groups

Click on View Group button on the right side.
To add a new group click on Create Group. Enter a name of your choice and click on Create Group to add the group.
You can delete a group by clicking on Delete button.
You can assign the users to the created group by clicking on the assign users.
Check the checkbox of all that users which you want to assign.
Hit the apply button to save the users into the group.

3.5 How to manage roles?

You can configure admin roles of end users.

To manage roles navigate through Users/Groups tab -> Manage Roles

To configure role of an Enduser click on Add to add the end user as Administrator.
You can also remove Administrator privilege by clicking on Remove button.

3.6 How to manage shared identities?

To add a shared identity follow the step below:

Go to the Users/Groups Tab and select Manage Shared Identity
You can add an associated user to an end user by clicking on add under Add Shared Identity Tab
To view shared identity navigate to View Shared Identity, you can click on Edit to edit Shared Identity.

3.7 How to manage apps?

Under Apps tab in Admin Console, you can view the Apps and configure new SAML and Browser Plugin Apps.

Under View Apps tab you can see all details of Applications, edit them, delete them etc.
A new App can be configured by clicking on the Configure Apps button.
While configuring an app, you need to provide details depending on the type of app.
For SAML Apps, you need to provide ACS(Assertion Consumer Service) URL and also a set of attributes if necessary.
For Browser Plugin Apps, you need to provide a set of credentials or multiple sets of credentials for Individual Login and Shared Login respectively.

3.8 How to manage policies?

You can manage policies by adding a new policy and view the existing policies in Policies tab.

To add a policy go to Policies tab and select App authentication policy and then click on Add policy tab.
Select Application name from the dropdown.
Select a Group Name from the dropdown - the group for which you want to add policy.
Give a policy name in Policy Name field.
Click on Save button to add policy.
You can view policy, under View Policy tab of Policies->App authentication policy

3.9 How to see users and policy mappings?

To see users and policy mappings, go to the Policies -> User Policy Mapping, select the Application and enter the username, see the policies mapped against the username typed in Username field.

3.10 How to integrate with any custom application?

To integrate with any custom application you can refer to Custom App Integration under Integration tab, follow the integration guide there to integrate any custom application.

3.11 How to deploy pre-integrated applications?

To deploy any pre integrated applications, please select any of the pre-integrated apps (viz. Google Apps, Salesforce) from the Integration tab dropdown. Follow the integration guide to integrate the apps, the diagram below depicts Google Apps Integration.

3.12 How to customize SMS gateways?

You can customize SMS gateways in the following way:

Select SMS Gateway Configuration from Customization tab.
Now select the radio button Set organization SMS Gateway.
Here enter the SMS Gateway URL.
To test the SMS gateway enter a phone number, on which you want to receive OTP.
Enter the OTP Sent in SMS to verify.
You can SAVE this configuration, over our default SMS configuration.

3.13 How to customize SMTP gateways?

Customize your SMTP gateway configuration under Customization -> SMTP Gateway Configuration.

Select the radio button Set Organization SMTP Server.
Fill in the Required field under Primary SMTP Server Configuration.
To test the SMTP configuration, enter the email to test.
Now enter the OTP received on your the email, you entered in the STEP1 field.
You can SAVE the configuration, over our default SMTP configuration.

3.14 How to customize OTP Email Template Configuration?

You can add your own customized email to Customization -> Select OTP Over Email Template Configuration. Select Set Customized Email Template, edit the fields as per your requirement. You can test your Email Template Configuration by clicking on Send Test Email. Click on SAVE to save this Email Configuration.

3.15 How to manage License?

To manage license, do the steps that follow:

Go to Manage License tab and click on Make Payment to do the payment.
Enter the payment details here.
Click on Pay and do the payment.

3.16 How to change password?

You can Change your password anytime you want, go to the Account and select Change Password.

3.17 How to configure Second factor?

Click on Dashboard
On the right side, you can see Strong Auth Methods under Basic Features section.
Check the checkbox Prompt for the second factor during sign in to your console
Click on Save to use this new Strong Authentication Method.

3.18 How to edit account profile?

Edit your account profile under Account -> Personal Profile and edit your personal details and click on SAVE to save the account profile.

3.19 How to configure forgot phone options?

To set forgot phone configuration, go to Account and select Forgot Phone Configuration. Set the forgot phone configuration as per your choice, it is recommended to check alternate login method for security purposes.

4. Support for all types of external identity sources

4.1 SAML
SAML Integration

Our Single Sign-On service will act as a Service Provider to any IDP of your choice. And you don't have to worry about understanding SAML protocol at all. It can work with ADFS, Okta, salesforce, SimpleSamlPhp, Shibboleth, PING, RSA, Centrify, One Login, miniOrange or any other saml identity provider (Idp). This SAML service returns all the attributes provided by the IdP along with the username of the logged in user. You can then use these attributes to login user into your application.
- To configure and use miniOrange Single Sign-On services, create a business free trial account here.
- Click here to login to miniOrange admin dashboard.
- Go to Identity Sources from side menu.
- Click on Configure Identity Source Button on top right corner on screen.
- Add your Identity Source here entering all the required fields and click on SAVE button.
If you don't see the specific guide for your IDP, please contact us at info@miniorange.com.

For registering miniOrange as Service Provider in your Idp following are the endpoint urls given below:

ACS Url https://auth.miniorange.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>

SP Entity ID https://auth.miniorange.com/moas/
4.2 OAuth 2.0
OAuth 2.0 Integration

Configure and use miniOrange OAUTH Single Sign-On service
- To configure and use miniOrange OAuth 2.0 Single Sign-On services, you can create a business free trial account here.
- Login to miniOrange console at https://auth.miniorange.com/moas/login
- Now, go to Integrations -> Custom App Integration and collect your Customer Key, Customer API Key, Customer Token Key from here.
- Go to Apps -> Configure Apps -> OAuth2 Client to configure an OAUTH2 app
- You will see OAuth Apps listed here. Click on any of the apps here and then click on Add App
- For Facebook:
  - Leave the Scope field empty.
  - Create Developers account with Facebook.
  - Create an App here.
  - Under "Tell us about your website" section, enter https://auth.miniorange.com/moas/oauth/client/callback in the Site URL field
  - Collect App ID and App Secret by navigating to My Apps -> (Your App name).
  - Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
  - Click on SAVE button to add the Facebook App.
  - Now to integrate Login With Facebook, add a button and add the following URL to it.
    
    https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key## &encrypted=<true,false>&app=facebook_oauth&returnurl=##return_url##
    - ##token## in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp (Current Timestamp in milliseconds) and API Key (The Customer API Key you collected above) seperated by colon.
    - ##customer_key## is the Customer Key you collected above.
    - Value of encrypted value can be true or false depending on, if the token is encrypted or not.
    - ##returnurl## will be the url where you want to redirect user after Login with Facebook.
- For Google:
  - Enter https://www.googleapis.com/auth/plus.login in the Scope field.
  - Visit the Google website for developers console.developers.google.com
  - At Google, create a new Project and enable the Google+ API. This will enable your site to access the Google+ API
  - At Google, provide https://auth.miniorange.com/moas/oauth/client/callback for the new Project's Redirect URI
  - At Google, you must also configure the Consent Screen with your Email Address and Product Name. This is what Google will display to users when they are asked to grant access to your site/app
  - At Google, under APIs & auth -> Credentials get Client Id by clicking on the button Create Client Id.
  - Collect the Client ID and Client Secret
  - Enter the App ID and App Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
  - Click on SAVE button to add the Google App.
  - Now to integrate Login With Google, add a button and add the following URL to it.
    
    https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key## &encrypted=<true,false>&app=google_oauth&returnurl=##return_url##
    - ##token## in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp (Current Timestamp in milliseconds) and API Key (The Customer API Key you collected above) seperated by colon.
    - ##customer_key## is the Customer Key you collected above.
    - Value of encrypted value can be true or false depending on, if the token is encrypted or not.
    - ##returnurl## will be the url where you want to redirect user after Login with EVE Online.
- For LinkedIn:
  - Leave the Scope field empty.
  - If you have not already done so, create an application. If you have an existing application, select it to modify its settings.
  - After app creation, collect Client ID and CLient Secret from here.
  - Enter https://auth.miniorange.com/moas/oauth/client/callback in Authorized Redirect URLs and click on Add button.
  - Now click on Update button to save settings.
  - Enter the Client ID and Client Secret in Client ID and Client Secret field respectively under Apps -> Add App Credentials.
  - Click on SAVE button to add the LinkedIn.
  - Now to integrate Login With LinkedIn, add a button and add the following URL to it.
    
    https://auth.miniorange.com/moas/oauth/client/authorize?token=##token##&id=##customer_key## &encrypted=<true,false>&app=linkedin_oauth&returnurl=##return_url##
    - ##token## in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp and API Key (The Customer API Key you collected above) seperated by colon.
    - ##customer_key## is the Customer Key you collected above.
    - Value of encrypted value can be true or false depending on, if the token is encrypted or not.
    - ##returnurl## will be the url where you want to redirect user after Login with EVE Online.
- For EVE Online:
  - Leave the Scope field empty.
  - At EVE Online, go to Support. Request for enabling OAuth for a third-party application.
  - Add a new project/application. Generate Client ID and Client Secret.
  - Enter the Client ID and Client Secret in Client ID and Client Secret field respectively.
  - Click on SAVE button to add the EVE Online.
  - Now to integrate Login With Eveonline, add a button and add the following URL to it.
    
    https://auth.miniorange.com/moas/oauth/client/authorize?token=##token## &id=##customer_key##&encrypted=<true,false> &app=eveonline_oauth&returnurl=##return_url##
    - ##token## in above URL can be encrypted or unencrypted. The token should contain Client Id (You received from EVE Online), timestamp and API Key (The Customer API Key you collected above) seperated by colon.
    - ##customer_key## is the Customer Key you collected above.
    - Value of encrypted value can be true or false depending on, if the token is encrypted or not.
    - ##returnurl## will be the url where you want to redirect user after Login with EVE Online.
Back To Top
4.3 OpenID
OpenID Integration
- Click here to login to miniOrange admin dashboard.
- Go to Identity Sources from side menu.
- Click on Configure Identity Source Button on top right corner on screen. Select OpenID Tab
- Enter IdP Name and the OpenID Endpoint.
- Save OpenID configuration by clicking in the SAVE button.
4.4 LDAP
LDAP Integration
- Click here to login to miniOrange admin dashboard.
- Go to Identity Sources from side menu.
- Click on Configure Identity Source Button on top right corner on screen.
- Save your LDAP configuration here entering all the required fields and click on SAVE button.
- If you want to store your LDAP/AD configuration here in miniOrange, enter your ldap details here and save.
- If you want to store your LDAP/AD configuration on-premise, select option two and download miniOrange gateway.
- To configure apps refer to section 5.
4.5 AWS Cognito
AWS Cognito Integration
- Click here to login to miniOrange admin dashboard.
- Go to Identity Sources from side menu.
- Click on Configure Identity Source Button on top right corner on screen. Select AWS Cognito
- Save your AWS Cognito configuration here entering all the required fields and click on SAVE button.

5. App configuration for Single Sign On

Under Apps menu in Admin Console, you can view the Apps and configure new SAML and Browser Plugin Apps. While configuring an app, you need to provide details depending on the type of app.

SAML App Configuration: Follow the steps for the apps which support SAML eg. Google Apps, Salesforce.

Login as a customer from Admin Console.
Go to Apps >> Manage Apps. Click Configure Apps button.
Click on SAML tab. Select your app and click Add App button.

Provide following details of your application:

SP Entity ID is used to identify your app against the SAML request received from SP. SP Entity is usually but not necessarily in URL format.
ACS URL or Assertion Consumer Service URL defines where the SAML Assertion should be sent after authentication.
Single Logout URL defines where the user should be redirected after receiving the logout request from SP. You can mention your applications logout page URL here.
Audience URI, as the name suggests, specifies the valid audience for SAML Assertion. It is usually same as SP Entity ID. If Audience URI is not specified separately by SP , leave it blank.
NameID defines what SP is expecting in subject element of SAML Assertion. Generally NameID is Username of Email Address
NameID Format defines the format of subject element content, i.e. NameID.
For example, Email Address NameID Format defines that the NameID is in the form of an email address, specifically “addr-spec”. An addr-spec has the form local-part@domain, has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by “<” and “>”.
If NameID Format is not externally specified by SP, leave it unspecified.
You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, fullname, username,email, custom profile attributes and user groups,etc.

Select a Group Name from the dropdown - the group which should have access to the SAML SSO using this app.
Give a policy name for Custom App in Policy Name.
Select the First Factor Type for authentication like Password, Mobile etc.
Enable Second Factor for authentication if required.
Click on Save button to add policy for Apps (Single Sign On).

Click on Metadata to view miniOrage IDP(Identity Provider) info or to download the metadata file which will be used by SP to configure miniOrange as IDP.
You can also configure miniOrange as IDP on SP manually using following information :

IdP Entity ID or Issuer	https://<mycompany.domain-name.com>/<customer-id>
SAML Login URL	https://<mycompany.domain-name.com>/idp/samlsso
SAML Logout URL	https://<mycompany.domain-name.com>/idp/samllogout
Broker Service Login URL	https://<mycompany.domain-name.com>/broker/login/saml_login
Broker Service Logout URL	https://<mycompany.domain-name.com>/broker/login/saml_logout
X.509 Certificate	X.509 certificate is enclosed in X509Certificate tag in IdP-Metadata XML file. (parent tag: KeyDescriptor use="signing")

Non - SAML(Browser Plugin) Apps Configuration

Follow the steps for the apps which don't support SAML and any standard protocol eg. Weebly, Squarespace.

Click Manage Apps under Apps menu item. Click Configure Apps button.
Click on Browser Plugin tab. Select your app(s) and click Add App button.

Save application after providing group name.

After configuring app you can see the link generated for application.

You can embed this URL in your web page saying "Login to Squarespace" or give this URL to your users for login.
For testing, SSO goes to user dashboard and download miniOrange Single Sign-On plugin from user dashboard.

Configure credentials of application(eg. squarespace) for login using browser plugin.

6. Directory-as-a-Service

miniOrange provides the facility to host identities in a private directory which can be provisioned as per requirement. Once a directory is provisioned, user management(user provisioning, user-deprovisioning, password management, access levels) is done from the directory. Connection to third-party applications with the directory is provided with various connectors.

Back to top

7. Social Login

miniOrange combines the social media data of all your social networks at one place. Whether you are using Facebook, Twitter, Google+, Vkontakte, any social network, miniOrange visualizes and checks your social marketing success, presented in a clean and neat design to always keep the overview.

8. Application Connectors

miniOrange Authentication Products also have ready integrations with a number of leading providers, these ready solutions allow enterprises quickly increase the security of information and resources without worrying about time for initial set up or future upgrades. The following custom connectors exist:

Java Connector
.NET Connector
Desktop application connector
Credential Vault connector
Mobile apps Single Sign-On
Windows Single Sign-On

Application connectors also exist for 4500+ cloud and legacy applications.

9. Customization

Our powerful branding options allow you to customize various aspects of miniOrange so that it mirrors your brand’s logo and colors, and matches the feel of your organization's aesthetics. We did all the customization for a global, world-class mining company. You can customize the following:

Login URL
Banner, logo, favicon and UI element colors
User invite templates
SMTP gateway
SMS gateway
Email templates

10. Reporting

miniOrange provides detailed reports for the following:

Single Sign-on
Two Factor Authentication
Fraud Prevention
Social Login

These reports assist in compliance and understanding user behavior.

11. Self-Service Console for end users

miniOrange Self-Service Console for end users provides the user the functionality to manage his/her organizational identity and configure applications for Single Sign-On. The various features of the self service console are:

One-click login into configured applications
Configure 2 Factor authentication
Navigate to custom added applications

12. miniOrange Single Sign on product details

miniOrange provides an array of user authentication solutions to enhance the security of sensitive information and resources. Our Strong Authentication, Fraud Prevention and Single Sign-on products weave together disparate protocols and processes in secure Software as a Service environment providing easy to deploy, scalable and flexible platform at minimal TCO.

Product Features:

Single Sign-On
miniOrange Single Sign-on solution ensures seamless access to all enterprise resources, Once Authenticated with miniOrange SSO, users can easily connect and navigate within enterprise as per defined policies. miniOrange SSO Solution can be deployed in minutes and supports various Cloud Apps, Web Apps and Legacy Apps and is so easy to use that once logged in users do not need to authenticate separately to other applications
2 Factor Authentication
miniOrange 2 Factor Authentication Solutions ensure right set of eyes have access to your sensitive and critical information and systems sitting on the cloud or on premise. miniOrange 2 Factor Authentication supports widest range of strong authentication methods, helps you achieve regulatory compliance such as FFIEC, HIPPA, PCI etc and increase the security of your resources at minimum cost.
Fraud Prevention
miniOrange Fraud prevention solution leverages user´s personalized information like behavior, location and device to authenticate and provides access to resources and prevents attacks not detected by static security solutions... Our flexible and sophisticated policy management system runs on our proprietary miniOrange Risk Engine that allows you to configure and customize risk policies as per your requirements.
Cloud Security
miniOrange cloud security platform protects information systems from theft or damage to the hardware, the software, and to the information on them, as well as from disruption or misdirection of the services they provide. It includes controlling physical access to your hardware as well as protecting against harm that may come via network access, data and code injection and due to malpractice by operators, whether intentional, accidental, or due to them being tricked into deviating from secure procedures.
Social Login
miniOrange combines the social media data of all your social networks at one place. Whether you are using Facebook, Twitter, Google+,Vkontakte, any social network, miniOrange visualizes and checks your social marketing success, presented in a clean and neat design to always keep the overview.

13. Two Factor Authentication & Fraud Prevention

miniOrange 2 Factor Authentication Products ensure right set of eyes have access to your sensitive information sitting on the cloud or on-premise.

Traditional two-factor authentication solutions use hardware tokens (or "fobs") that users carry on their keychains. These tokens generate one-time passwords for the second stage of the login process. However, hardware tokens can cost up to $40 each. It takes time and effort to distribute them, track who has which one, and replace them when they break. They're easy to lose, hard to use, and users consistently report high levels of frustration with token-based systems.
miniOrange provides 15+ authentication methods.

Read more

miniOrange Fraud Prevention product uses device, location, time of access and user behavior to minimize the risk of improper data access or loss of information. It dynamically analyzes user requests and apply business security policies to application access which minimizes the risks of unauthorized access. It complements the existing traditional access controls by using contextual elements (e.g. device, location, time of access and user behavior) to allow for a more dynamic policy decision.

Read more

Back to top

ACS Url	https://auth.miniorange.com/moas/broker/login/saml/acs/<YOUR_CUSTOMER_KEY>
SP Entity ID	https://auth.miniorange.com/moas/

Table of Contents

1. Single Sign-On Overview