Overview: These directions show how to configure SAML settings for single sign-on from your institution's Shibboleth identity provider to Taskstream.
Step 1: Obtain an authentication certificate from your Shibboleth identity provider (you may have to update the file extension from .crt to .cer). You will need to have this file on hand when creating the SAML connection record in Taskstream.
Step 2: Login to Taskstream and navigate to the System Administration area and into the Single Sign-On page.
Step 3: Select to create a new SAML Connection
Step 4: After providing the following items you will be given your connection's unique ACS URL.
- SAML integration method: This will be either using an HTTP Redirect or HTTP Post.
- Error Notification Email: You may provide an email address for error notifications (optional).
- Idp Url: The login URL for your identity provider
- Error URL: If no error URL is specified, upon error user will be presented with a Taskstream error page with error message depending on the type of error (optional).
- Logout URL: If no URL is specified by default upon logout the user will be logged out of Taskstream and redirected to Taskstream.com site (optional).
- Metadata URL: Not implemented at this time (optional).
- Attribute bindings for First Name, Last Name, and Email (used to match a user account within Taskstream upon first SSO connection.
- CER Certificate file: Upload the certificate file obtained from your identity provider.
Step 5: Click continue to view confirmation screen and from there click confirm to create the new connection.
Step 6: Download the SAML metadata template from the top of the page.
Step 7: Open the template xml and update the AssertionConsumerService Location to that provided on screen within Saml Connection Details when you select the new SAML connection record.
Step 8: Add an additional entry to your Shibboleth IdP relyingparty.xml within the config folder. You will need to add the following entry and restart the server for the environment configuration to take effect. Following is the relyingparty.xml configuration entry for Taskstream:
Note: The Taskstream Shibboleth solution does not automatically create new Taskstream accounts for a new user when they click the link from your portal/website. You must provision the Taskstream accounts for any new users beforehand. Please refer to this article for how to provision Taskstream accounts:
TS - Creating Accounts in TSDE
f a new user clicks the link and does not have an existing Taskstream account to match against, the user will see an error message stating they do not have a Taskstream account and to contact their administrator.