Versions Compared

Version Old Version 8 New Version 9
Changes made by

Former user

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Anchor
_Toc528929420
_Toc528929420
Configuration of SSO on Mercell website

Anchor
_Toc528929421
_Toc528929421
Solution description

  1. The customers IT dep. must establish SSO trust. They must assign all the users that should participate in the trust to Mercell before the SSO can work. (Additional users can be added later.)They also need to secure correct settings for the SSO relaying trust.)

  2. The customers IT dep. Insert your SSO-info. (This is filled in, as described in the next slides, so the SSO will get activated from the customer side. This can easily be done by the customer themselves with their IT department.)

  3. Now the Customer users can connect using SSO: This can be done in two ways: a) The customer can use an URL from Mercell to connect using their Intranet, which redirect them to their own familiar SSO server, where they must log in, if they are not already logged in. After this login, they are instantly and automatically logged into Mercell. b) The customer can click on any URL from Mercell or just the my.mercell.com address, where they will get the usual Sign-on picture form the Mercell Portal. Press the Single SignOn login button and then fill in their own mail address, click on the login button, which will redirect them to their own familiar SSO server, where they also must provide their password. Once they complete their login, then they are instantly and automatically logged into Mercell.

...

Anchor
_Toc528929422
_Toc528929422
Configuration on Mercell website

  1. Login on to Mercell website as customer admin

  2. Click on company name

  3. Click on Single sign-on icon

  4. Click add new.

  5. Type name, use your company name and set domain to your company domain and click save

  6. Anchor
    _Hlk517681041
    _Hlk517681041
    Anchor
    _Hlk517679511
    _Hlk517679511
    If you have several email domains that should be linked with different customers in Mercell, set "Email domain" to users' primary mail (SMTP) and check "Match e-mail to domain". This will enable the option to have a shared SSO connection that directs users from a shared AD to several customers in Mercell.

...

  1. Use the Federation metadata link to setup claims on your ADFS serverexample on link: (https://my.mercell.com/m/logon/adfs/FederationMetadata.ashx?guid=xxxxxxx-xxxx-xxx-xxxx-xxxxxxxxxxx)

  2. Your SSO setup is now completed. (SSO enforcement is optional, but recommended)

  3. SSO - The SSO Enforcement consequence

SSO Enforcement notice!

Please secure that all your user has been informed of the «SSO-Only» switchover, or they will see the screen below when they try to login manually without any success. (That is why it should be a planned date for going into production for all.)The same alert also happens, if you remove them from your local MS ADFS server.

...

If you usually use your corporate intranet for SSO login, then do as before.If you use an URL from Mercell, or connect directly to https://my.mercell.com/da-dk/m/logon/, then you only need to click on the button called: «SSO login».
You will then have to enter your e-mail address as used in your company and click «Login». You will then be redirected to your own local SSO server, for a password. "Remember me" checkbox can be used to ensure that when accessing Mercell.com user is redirected directly to your own local SSO server. If login fails at local SSO server, user can access this page again and make changes. After you entered your password inside your local corporate SSO server, then you will be redirected back to Mercell again, but you are now automatically logged into our portal. You arrive either at your usual starting homepage, or at the specific Mercell URL you originally clicked on the first time.

...

Configuration of ADFS server

  1. Click add Relying Party Trust

  2. Insert Federation metadata link from Mercell website, click next

...

Code Block
languagexml
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";mail,givenName,sn,userPrincipalName;{0}", param = c.Value);

...

Optional configuration of persistent Single Sign-On on ADFS server

  1. Run Windows PowerShell as admin

  2. Write "Set-AdfsProperties -EnableKmsi 1"

  3. There is now a checkbox on the ADFS login page, that can be checked to keep remembering if user is signed in.

...