Configuring the Login page
When users navigate to your Apporto instance, they will see the Apporto Login page. Multiple authentication methods are available, and you can configure them from site settings.
Use the information in this guide to learn how to:
- Customize the Login page
- Enable two-factor authentication (2FA)
- Enable single sign-on (SSO) integration
Customize the Login page
The table below shows the values that make up the Login page.
Field | Datatype | Required? | Notes |
---|---|---|---|
Login page title | String | Yes | Short message to display above the username/password prompt. |
Background image | Image file | No | If no image is added, a default image will display.
Accepted formats include JPEG and PNG. A ratio of 8:8 is recommended (e.g., 800 x 800 pixels). Otherwise, your image will automatically be cropped or resized. |
Subtitle | String | No | Short title to show under the username/password prompt. |
Description | String | No | Text that can be displayed below the subtitle |
Link text | String | No | Used with the link URL to provide a text link |
Link URL | Hyperlink | No | Optional link to show under the description. |
Additional features in this section:
- Enable two-factor authentication – This allows you to add a secondary security feature to the login process for user accounts using local authentication.
Follow the steps below to customize the Login page.
- Click setup or the icon in the navigation panel to view the Setup screen.
- Click on the Login page tab in the lower part of the page.
- Enter your desired values.
- If you wish to add your own background image
- Click upload image to trigger the file manager.
- Select a file from your local storage. The ideal image has an aspect ratio of 8:8 (e.g., 800 x 800 pixels) and is a PNG or JPEG file.
- The system will display a preview of your image and prompt you to save the change.
- If you are not satisfied with the preview, click remove image to remove the current file and then click upload image again to import a new image.
- Click save changes to update the Login page with your new settings.
Enable two-factor authentication (2FA)
Two-factor authentication (2FA)–also known as multi-factor authentication (MFA)–is a login method that requires users to provide a combination of security measures. Checking the “enable two-factor authentication” setting for the Login page will require users to use an authenticator app to generate login credentials. See the MFA section of the article on accessing Apporto for more information.
Enable single sign-on (SSO) integration
Single sign-on (SSO) authentication is the most commonly used method for Apporto users. For information on how to log in to the system with SSO, see the article on accessing Apporto.
To access SSO settings, click on the “SSO domains” tab in the lower part of the Setup page.
Create an SSO domain
The table below shows the values that make up an SSO domain record.
Field | Datatype | Required? | Notes |
---|---|---|---|
User auth method | Lookup value | Yes |
|
Domain name | String | Yes | This is a descriptive name for easy reference. |
Email domain | String | Yes | Include everything after the @ symbol. |
Include subdomains | Boolean | No | |
SSO login URL | String | Yes | SAML2 SSO login URL as provided by your Identity Provider (IdP) |
SSO logout URL | String | No | If SSO logout is desired, you can provide the SAML2 SSO logout URL as provided by your Identity Provider (IdP). |
Service provider entity ID | String | Read-only | This value is auto-generated by the system. You will need to provide the SP entity ID to your Identity Provider (IdP) when setting up the SSO integration.
The format will be https://yourorganization.apporto.com/passport-saml. |
Service provider (SP) URL | String | Read-only | This value is auto-generated by the system after the configuration is saved. You will need to provide this to your Identity Provider (IdP) as the reply URL (Assertion Consumer Service URL). |
Unique user identifier attribute | String | Yes | The full SAML2 assertion attribute name of the attribute that defines the user’s unique user identifier |
User first name attribute | String | Yes | The full SAML2 assertion attribute name of the attribute that defines the user’s first name |
User last name attribute | String | Yes | The full SAML2 assertion attribute name of the attribute that defines the user’s last name |
User email attribute | String | No | The full SAML2 assertion attribute name of the attribute that defines the user’s email address |
SSO active | Boolean | No | This value will be set to TRUE (ON) by default. You may switch it off, if you want to configure the SSO connection without it immediately being in use. |
SAML2 Assertions must be signed. The Identity Provider’s (IdP) signing certificate(s) must be added to the SSO configuration for the SSO integration to work.
Follow the steps below to add a domain for SSO authentication.
- Click the create new SSO domain button to trigger the Create SSO domain form. The form has three main sections:
- SSO domain profile – SSO instance location information and mapping values
- Information about the location of your SSO instance
- Mapping values to interface Apporto with your SSO instance. The service provider entity ID and URL will be provided for you and can easily be copied to provide to your Identity Provider (IdP).
- Information about the location of your SSO instance
- Certificates – signing certificates used by the SSO Identity Provider (IdP) server to sign assertions
- Groups – assignment of the SSO domain to one or more user groups
- SSO domain profile – SSO instance location information and mapping values
- Start the setup process by copying the service provider entity ID and URL to provide to your SAML2 Identity Provider (IdP) administrator. In return, the IdP administrator should provide the SSO login URL, SSO logout URL (optional), and the attribute names to use for the attribute mapping fields. Enter these values exactly as given by the IdP administrator. Ensure the desired user auth method is selected for your use case. Enter a domain name in the email domain field that will be used to trigger the SSO login flow for users attempting to login directly to the portal. Complete this section by ensuring the domain name contains a unique descriptive name to describe this SSO integration.
- From the “Certificates” tab, click the add certificate button to trigger the pop-up.
- Upload a certificate file and click add to apply it to the domain.
Each certificate file must be in the PEM format with a .pem file extension.
- Repeat as needed for multiple certificates.
- Upload a certificate file and click add to apply it to the domain.
- Click on the “Groups” tab and click add group to select one or more groups that will use the SSO domain for authentication.
- Click save to finish creating the SSO domain.
Update an SSO domain
For an existing SSO domain record, you may update any values in the domain profile or mapping values sections by editing the contents. You may also add new certificates and link additional user groups. Commit all changes by clicking save. See the section above for more information.
Additional features in this section:
View certificate details
To view the details of an existing SSO domain certificate, follow the steps below:
- From the “certificates” tab, click view for the certificate you want to examine. The View certificate pop-up screen will display.
- The certificate details include:
- Subject information (only fields set on the certificate will be displayed)
- Country
- State/province
- Locality/city
- Identity management provider organization name
- Organizational unit name
- Common name
- Email address
- Issuer information (only fields set on the certificate will be displayed)
- Country
- State/province
- Locality/city
- Identity management provider organization name
- Organizational unit name
- Common name
- Email address
- Validity
- Start date/time
- Expiration date/time
- Current status
- Subject information (only fields set on the certificate will be displayed)
- Click on the close button or anywhere outside the pop-up window to return to the Update SSO domain screen.
Remove a certificate
To remove an invalid certificate, follow the steps below:
- From the “certificates” tab, click remove for the certificate you want to remove.
- The certificate will no longer be visible in the list, and the system will prompt you to save changes.
- To commit the change, click save. To abort the change, refresh the screen without saving and the certificate will be visible in the list once again.
Unlink a group
To detach a group from the SSO domain, follow the steps below:
- From the “groups” tab, click unlink for the group you want to remove.
- The group will no longer be visible in the list, and the system will prompt you to save changes.
- To commit the change, click save. To abort the change, refresh the screen without saving and the group will be visible in the list once again.