SSO SAML Behaviors and Troubleshooting - Precisely_EnterWorks - EnterWorks - 11.0

EnterWorks Guide

Product type: Software
Portfolio: Verify
Product family: EnterWorks
Product: Precisely EnterWorks
Version: 11.0
Language: English
Title: EnterWorks Guide
Copyright: 2024
First publish date: 2007
Last updated: 2025-01-07
Published on: 2025-01-07T07:44:20.997352

The fields referenced here are found in the Manage User Information window in the Classic UI. Steps for opening that window are given below.

SSO Logging

Logs for SSO are found in <drive>:\Enterworks\logs\enable2020\enable-web-server-services\<date-time>-log-enable-web-server-service.log.

User's Group Order

When a user's user groups are added or removed, EnterWorks preserves the group order set in the Manage User Information window.

Just In Time (JIT) Provisioning (Automatic Provisioning)

When Just In Time (JIT) provisioning (also known as Automatic provisioning) is enabled, EnterWorks will request that the IDP authenticates users and manages their user group assignments.

The process of authorization is as follows:

  1. The IDP sends a response to EnterWorks.
  2. EnterWorks checks to see if the user exists in the EnterWorks system.
    • If the username exists in EnterWorks, the login will be authorized and EnterWorks will update the list of the user's user groups to match the list of user groups in the IDP response.

    • If the username doesn't exist, EnterWorks will check the IDP's response to see if it contains one or more groups that exist in EnterWorks.

      • If the IDP's response does not contain one or more groups that exist in EnterWorks, the login will be unauthorized.

      • If one or more groups do exist, the login will be authorized and EnterWorks will update the list of the user's user groups to match the list of user groups in the IDP response.

When an existing EnterWorks user logs into EnterWorks, EnterWorks will verify with the IDP that the user exists in the IDP's directory and it will request a list of the groups the user belongs to. For each group on the returned list that exists in EnterWorks, if the user is not in the group, EnterWorks will add them. EnterWorks will then remove the user from any EnterWorks groups that are not on the list returned from the IDP.

For a user to be authenticated, the user must belong to at least one group in the IDP and that group has to exist in EnterWorks. If the group does not exist in EnterWorks, the user will not be authenticated.
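
The authorization decision and group synchronization described above can be modeled as follows, for checking in advance what a given IDP response would do to a user's access. This is an added example, not EnterWorks code: jit_login, JitResult and the sample users and groups are hypothetical. It assumes exact group-name matching, that newly added groups are appended after the existing ones, and that the at-least-one-matching-group rule is applied to existing users as well as new ones.

```python
from dataclasses import dataclass, field

@dataclass
class JitResult:
    authorized: bool
    created: bool = False                         # account provisioned on this login
    groups: list = field(default_factory=list)    # membership after sync, in order
    added: list = field(default_factory=list)
    removed: list = field(default_factory=list)
    ignored: list = field(default_factory=list)   # IDP groups unknown to EnterWorks

def jit_login(username, idp_groups, ew_groups, ew_users):
    """Model one JIT login. ew_users maps username -> ordered group list."""
    idp = list(dict.fromkeys(idp_groups))          # de-duplicate, keep order
    matched = [g for g in idp if g in ew_groups]   # assumption: exact name match
    ignored = [g for g in idp if g not in ew_groups]
    current = list(ew_users.get(username, []))
    if not matched:
        # No IDP group exists in EnterWorks: the login is refused.
        # Assumption: membership is left untouched on a refused login.
        return JitResult(False, groups=current, ignored=ignored)
    kept = [g for g in current if g in matched]    # existing order preserved
    added = [g for g in matched if g not in current]  # assumption: appended last
    removed = [g for g in current if g not in matched]
    return JitResult(True, username not in ew_users, kept + added,
                     added, removed, ignored)

# Constructed sample data (not from a real deployment).
EW_GROUPS = {"Admins", "Editors", "Viewers", "Publishers"}
EW_USERS = {"alice": ["Editors", "Viewers", "Admins"]}

if __name__ == "__main__":
    cases = [
        ("alice", ["Admins", "Viewers", "Finance-AD"]),  # loses Editors
        ("bob", ["Publishers"]),                         # provisioned on login
        ("carol", ["Finance-AD"]),                       # no matching group
    ]
    for user, groups in cases:
        print(user, jit_login(user, groups, EW_GROUPS, EW_USERS))
```

The ignored list is the part to review: an IDP group that has no counterpart in EnterWorks contributes nothing to the user's access, and a user whose IDP groups are all in that list cannot log in.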

Obtaining a Signing Certificate

EnterWorks obtains the signing certificate in the following manner:

  1. EnterWorks will look for the file:
    <drive>:\Enterworks\certs\token_cert.pem
    If it finds the file, it will pull the certificate out of it.
  2. EnterWorks will then look at the metadata. If a signing certificate is provided in the metadata, it will pull the certificate from the metadata and use it. If EnterWorks has already pulled a certificate from the token_cert.pem file, it will still use the certificate it found in the metadata, so the metadata certificate takes precedence over the file.

Open the Manage User Information Window

To open the Manage User Information window:

  1. Log into the Classic UI.
  2. Open the Feature bar, open the Users and Groups tab, and click Users to open the Users tab.
  3. Double-click a user's Login to open the user's record for editing. The Manage User Information window will open.