New Feature

Public

August 2023

Single Sign-On (SSO) is a critical requirement in large Enterprises within the SOX compliance scope. Convergent Mediation 9.0 now supports OIDC single sign-on. To enable centralized user management and control, it is now possible to tie SAP Convergent Mediation by DigitalRoute to a centralized identity provider. This enables users to log in using SSO, along with multi-factor authentication flows.

In order to change the standard Convergent Mediation login credentials to company Active Directory credentials for Single-Sign-On I performed the following steps.

1. Pre-requisite: You need an ID Provider with OICD
   
   
   
   • Get access info from your administrator:
     
     
     
     •  Credentials: client id, client secret
     
     
     • Provider id URL (e.g., https://login.microsoftonline.com/digitalroute.com/v2.0/)
     
     
     
     
   
   
   
   


2. Ask your Administrator to update the following SSO configuration:
   
   
   
   • Create Active Directory group for Convergent Mediation SSO that you belong to
     
     
     
     • E.g., “stockholm”. Make sure the name is all in lowercase characters only.
     
     
     • Send groups claim with Name (and not ID) in SSO setup. I.e., “sAMAcountName”.
     
     
     • Use your Web UI URL (e.g., http://localhost:9001/desktop/) as the redirect URL in the SSO request.
     
     
     
     
   
   
   
   


3. Create your selected Active Directory group in Convergent Mediation via Access Controller (note that only alphanumeric characters, “-“ and “_” are allowed in the group name), however please note that the name should be in all lowercase letters only.


4. Example group below: “stockholm” (Note: your Active Directory-user must belong to this group.)
   
   
   
   • 
   
   
   
   


5. 
   
   Update platform configuration
   
   
   
   
   • 
     
     Via command-shell:
     
     
          $> mzsh topo open platform
   
   
   • 
     
      Add the following properties in platform configuration and save:
     
     
             auth.oidc.rp.client.id="<your client id>"
     
     
             auth.oidc.rp.client.secret="<your client secret>"
     
     
             auth.oidc.rp.provider.url="<your provider URL>"
     
     
             auth.oidc.rp.claims.username="name"
     
     
             auth.oidc.rp.provider.name=""
     
     
             auth.oidc.rp.scopes=""
     
     
             auth.oidc.rp.auth.debug="true"
     
     
             auth.oidc.rp.group.syncDisabled="false"
     
     
             auth.oidc.rp.group.default="<AD-group created in Convergent Mediation>"
     
     
             auth.oidc.rp.groupPath="groups"
   
   
   • 
   
   
   
   


6. Restart platform and ui
   $> mzsh restart platform ui


7. Login via the Web UI
   
   
   
   • http://localhost:9001/desktop/ (note this URL could differ from your installation)
   
   
   • Press “Login with SSO” button.
   
   
   • 
   
   
   • Now you should be logged in with newly created user based on your AD credentials and AD group created in Convergent Mediation earlier.
   
   
   • 
   
   
   • Here’s the automatically generated user with default group selected in the Access Controller (viewed from standard Desktop).
   
   
   • 
   
   
   
   

 

That’s all on our latest product release feature guide. Thank you for reading today’s blog post.

We are excited about the new functionalities in SAP Convergent Mediation 9.0 by DigitalRoute and recommend you to upgrade to benefit from them in your BRIM deployment.

Stay tuned and take care!

Best regards, SAP Convergent Mediation product team

More information

SSO Documentation