Index
- Types of external authentication available
- Which authentication should I choose?
- Finalise configuration
Types of external authentication available
Captio provides the following authentication options:
Which authentication should I choose?
WITH MICROSOFT:
If Microsoft Active Directory is available, it is possible that the ADFS server is installed. In this case, any of the three authentication options can be chosen.
WITH MICROSOFT AZURE AD:
If you are using Microsoft Azure AD, you should use SAML authentication.
A Premium Azure AD subscription is required.
OTHER PROVIDERS:
For identity providers other than Microsoft ADFS or Azure AD, consult the identity provider to check compatibility with the authentications available.
NOTE:
All of the available authentications go through HTTPS encrypted with SSL and require a trust relationship to be established between the Service Provider and the Identity Provider.
Depending on the type of authentication to be used, complete the corresponding tab of the form provided.
WS-Trust
Active Directory Federation Services (ADFS) is a technology that extends Active Directory configuration to provide service outside of the infrastructure. With ADFS, users can be given access to Captio without requiring them to manage another set of credentials.
In the authentication system, the data go through HTTPS encrypted with SSL and require a trust relationship to be established between the Service Provider and the Identity Provider.
In active WS-Trust authentication, Captio never stores the password entered at login, it only sends it through secure protocol to the client ADFS for validation.
Once configured, users can access Captio using their corporate username and password.
To set up WS-Trust, the following details are needed:
Relying Party Identifier: https://login.captio.net
This identifier is used to identify the trust relationship with the federation service. It is used to send claims to the trust relationship.
The following information must be supplied to Captio:
WS-Trust User Mixed Endpoint
This is the URL where Captio will send credential validation requests. The URL is located in its Identity server.
In ADFS servers, the URL is constructed like this:
https://[IdP Server]/adfs/services/trust/13/usernamemixed
If you have an ADFS system in Windows Server, you can consult our detailed guide CAPTIO - Guide for integration with ADFS WS-Trust.
Go to Finalise configuration section for the next steps.
If you have any questions during the process, contact support at help@captio.com
WS-Federation
Active Directory Federation Services (ADFS) is a technology that extends Active Directory configuration to provide service outside of the infrastructure. With ADFS, users can be given access to Captio without requiring them to manage another set of credentials.
In the authentication system, the data go through HTTPS encrypted with SSL and require a trust relationship to be established between the Service Provider and the Identity Provider.
Once configured, users can access Captio using their corporate username and password. Users must first enter their username in Captio and once detected, the authentication will be redirected to an authentication screen provided by the client, where users will re-enter their username and their password.
To set up WS-Federation, the following details are needed:
Captio Relying Party Identifier / Wtrealm: https://login.captio.net/[client_id]
Where [client_id] is your company identifier assigned to you by Captio.
It is a URI (not necessarily a URL) which identifies the relying party. The STS is used to decide whether to issue a token and what claims to add to it.
This identifier is used to identify the trust relationship with the federation service. Requests issued by Captio will use this identifier.
The following information must be supplied to Captio:
Remote Metadata Address
This is the URL where Captio will look for the public metadata file for its identity server configuration. This file specifies, among other things, the endpoints necessary for communication between the SP and IdP and the public certificate to validate the signing of the tokens issued by the identity server.
If you have an ADFS system in Windows Server, you can consult our detailed guide Setting up ADFS WS-Trust.
Go to Finalise configuration section for the next steps.
If you have any questions during the process, contact support at help@captio.com
SAML
In this authentication system, the data go through HTTPS encrypted with SSL and require a trust relationship to be established between the Service Provider and the Identity Provider.
Once configured, users can access Captio using their corporate username and password. Users must first enter their username in Captio and once detected, the authentication will be redirected to an authentication provided by the client, where users will re-enter their username and their password.
To set up WS-Federation, the following details are needed:
Captio Relying Party Identifier / Wtrealm: https://login.captio.net/[client_id]/Acs
Where [client_id] is your company identifier assigned to you by Captio.
It is a URI (not necessarily a URL) which identifies the relying party. The STS is used to decide whether to issue a token and what claims to add to it.
This identifier is used to identify the trust relationship with the federation service. Requests issued by Captio will use this identifier.
The following information must be supplied to Captio:
Remote Relying Party Identifier
This is the identifier used by the identity server in SAML responses.
This is “Issuer” field in SAML responses.
Remote Metadata Address
This is the URL where Captio will look for the public metadata file for the identity server configuration. This file specifies, among other things, the endpoints necessary for communication between the SP and the IdP and the public certificate to validate the signing of tokens issued by the identity server.
Remote Logout URL (SLO) - Optional
This field can be used to force a specific logout URL. If this field is left blank, the configuration of federation metadata file will be used.
Captio has detailed configuration guides for the following systems:
Go to Finalise configuration section for the next steps.
If you have any questions during the process, contact support at help@captio.com
Finalise configuration
It is recommended that a test be done with a single user before modifying the authentication type for all users in the environment.
The authentication method for a user can be modified by going to the “Users” tab and editing the user. There is a drop-down menu where you can select the authentication method that has just been configured. Once the changes are saved, the user will switch to the new authentication method.
The only user it can’t apply this is the administrator. To change a user's authentication method back to standard Captio authentication, go to the “Users” menu.
If you have any questions during the process, contact support at help@captio.com