Trustelem applications

Aha!

Configuration Aha!

Trustelem Configuration

Airbrake

Airbrake Configuration

Trustelem Configuration

Apimo

Activate SSO for APIMO

Please enable Trustelem for my Apimo subscription (https://mydomain.apimo.pro/homepage).

My base Trustelem URL for Apimo is https://mydomain.trustelem.com/app/93XXX

Modification should be applied on [put your desired date here] at [hour].

Setup Trustelem groups

Apimo requires the users' agency and profile.
Use the following procedure so as to make Trustelem transmit these attributes:

Notes:

AppDynamics

AppDynamics Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
    msg.setAttr("username", user.firstname+"."+user.lastname);
}

Trustelem Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
  // Send every Trustelem group the user belongs to as a multi-valued "groups" attribute
  for (let g in groups) {
    msg.addAttr("groups", groups[g].name);
  }
}

Arcgis

ArcGIS Configuration

Trustelem Configuration

AssetSonar

AssetSonar Configuration

Trustelem Configuration

Automox

Automox Configuration

Trustelem Configuration

AWS

AWS Configuration

Trustelem Configuration

Role Configuration

function getRoles(user: User, groups: Groups): string[] {
    // Return the list of AWS role names to include in the SAML response for this user
    return ["Role1", "Role2"];
}

Information

BambooHR

BambooHR Configuration

Trustelem Configuration

Blissbook

Blissbook Configuration

Trustelem Configuration

BlogIn

BlogIn Configuration

Trustelem Configuration

Bonusly

Bonusly Configuration

Trustelem Configuration

Boond Manager

BoondManager signs users in automatically if the Trustelem login and the BoondManager login are identical.
You can force authentication through Trustelem, preventing users from signing in with their BoondManager password:

Box

Breezy

Breezy Configuration

Trustelem Configuration

Bugsnag

Bugsnag Configuration

Trustelem Configuration

CakeHR

CakeHR Configuration

Trustelem Configuration

Ci-book

    Please enable Trustelem for my ci-book subscription (https://sub-domain.ci-book.com).

    My Trustelem OAuth URLs for ci-book are:
    - https://mydomain.trustelem.com/app/166XXX/auth
    - https://mydomain.trustelem.com/app/166XXX/token
    - https://mydomain.trustelem.com/app/166XXX/resource

    Users should be forced to sign in through Trustelem from [put the appropriate date here].
    In the meantime, please keep the standard login form alongside the Trustelem sign-in process.

CoderPad

Configuration CoderPad

ConnectWise Control

ConnectWise Configuration

Trustelem Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
    for (const cust_group in groups) {
      if (cust_group === "admin") {
        msg.addAttr("role", "Control Administrator");
      }
    }
}

Coralogix

Coralogix Configuration

Trustelem Configuration

Corporama

    ClientID: trustelem.oauth2.gmyXXX
    ClientSecret: zokzH[...]DRY
    https://mydomain.dev.tlm.io/app/12XXX/auth
    https://mydomain.dev.tlm.io/app/12XXX/token
    https://mydomain.trustelem.com/app/12XXX/resource

Datadog

Datadog Configuration

Notes

Trustelem Configuration

Demo OIDC

Demo App configuration

Trustelem configuration

You're done!

Digital Recruiters

Configuration

Note

Dropbox

Envoy

Envoy Configuration

F5 Big-Ip

Supported Features

The integration currently supports the following features:

Big-Ip VPN Configuration (SAML)

Before we start, we assume that the standard network configuration of Big-Ip has already been done; please make sure you have a functional VPN.
Note: for Web Portal authentication, the VPN configuration must include the Full Webtop mode.

First of all, in the Trustelem app settings, enable the authentication method you want to use.

Big-Ip Configuration

Trustelem Configuration

Big-Ip VPN Configuration (RADIUS)

Before we start, we assume that the standard network configuration of Big-Ip has already been done; please make sure you have a functional VPN.
Note: for Web Portal authentication, the VPN configuration must include the Full Webtop mode.

First of all, in the Trustelem app settings, enable the authentication method you want to use.

Trustelem Configuration

Big-Ip Configuration

Facebook Workplace

Freshdesk

GitHub

GitHub Configuration

Trustelem Configuration

Information

GlassFrog

GlassFrog Configuration

Trustelem Configuration

Google

Harness

Harness Configuration

Trustelem Configuration

ITBoost

ITBoost Configuration

Trustelem Configuration

Join.me

KnowledgeOwl

KnowledgeOwl Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
    msg.setAttr("username", user.firstname+"."+user.lastname);
}

Trustelem Configuration

Leapsome

Leapsome Configuration

Trustelem Configuration

Lockself

Introduction

Application configuration elements, on the SP side

Application configuration elements, on the IdP side

Mod Auth Mellon

Configuration

<NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>

The NameIDFormat value has to be adapted if you use a different format; it must be the same in Trustelem and in Mellon.

<Location />
        Require valid-user
        AuthType "Mellon"
        MellonEnable "auth"
        MellonDefaultLoginPath "/"
        MellonEndpointPath "/endpoint"
        MellonSPentityId "https://localhost"
        # Files generated by the script:
        MellonSPPrivateKeyFile "/etc/apache2/mellon/https_localhost.key"
        MellonSPCertFile "/etc/apache2/mellon/https_localhost.cert"
        MellonSPMetadataFile "/etc/apache2/mellon/https_localhost.xml"
        # Metadata Trustelem:
        MellonIdPMetadataFile "/etc/apache2/mellon/metadata-125021.xml"
</Location>

Notes

Mod Auth OpenIDC

Configuration

LoadModule auth_openidc_module modules/mod_auth_openidc.so

On Debian, enable the module with a2enmod auth_openidc and restart Apache.

<VirtualHost *:443>
        # Server setup
        ServerName myapplication.tld
        # ... your particular directives ...
        # OpenID Connect setup
        OIDCProviderMetadataURL https://mydomain.trustelem.com/app/146XXX/.well-known/openid-configuration
        OIDCClientID trustelem.oidc.XXXXXXXXX
        OIDCClientSecret XXXXXXXX
        OIDCRedirectURI https://myapplication.tld/redirect_uri
        OIDCCryptoPassphrase XXXXXXXX
        OIDCScope "openid"
        <Location /sso-login>
            AuthType openid-connect
            Require valid-user
        </Location>
        # Specific session cookie durations (seconds)
        OIDCSessionInactivityTimeout 300
        OIDCSessionMaxDuration 36000
</VirtualHost>

The OIDCCryptoPassphrase parameter is used in particular to encrypt the user session cookies.

Notes

claims["attr1"] = user.firstname;

Moodle

Moodle uses plugins to manage OpenID Connect authentication.

Download and Install

chown -R www-data:www-data oidc/

Configuration

```
Provider Name : leave empty or set the name of your choice
Client ID : trustelem.oidc.gvsgcy3e
Client Secret : PMlrIbFW6goMduZkPdaJj8yv99nbT33W
Authorization Endpoint : https://mydomain.trustelem.com/app/383693/auth
Token Endpoint : https://mydomain.trustelem.com/app/383693/token
Resource : https://mydomain.trustelem.com/app/383693/userinfo
Scope : openid profile email
```

* We recommend activating the following option:

    * Force redirect. You can use the "?noredirect=1" URL parameter if your configuration is not working.

* Set up Trustelem with the following parameters:

    * Your Moodle server URL
    * Login URL: the application URL that starts the OIDC flow. It is used as the target of the application on the Trustelem user's dashboard.
    The URL may be: https://yourmoodledomain/

#### Optional configuration

* You can add the following code to the setClaims function of the "custom claims" section of the Trustelem application configuration to use the user's email instead of their identifier as the username in Moodle.

```ts
claims["sub"] = user.email;
```

Nextcloud

Settings

email

Identity provider Data

https://mydomain.trustelem.com/app/166XXX
https://mydomain.trustelem.com/app/166XXX/sso

Optional identity provider settings

https://mydomain.trustelem.com/app/166XXX/slo

Attribute mapping

Security settings / Signatures and encryption required

OAuth 2

Introduction

These settings allow you to connect Trustelem with any OAuth 2.0 compliant implementation.
Before you start the configuration make sure to have access to the OAuth 2.0 settings of the client application.

Configuration

Office 365

Introduction

Setup Powershell environment

Install-Module MSOnline

Connect to Azure AD

connect-msolservice

Change Office federation settings

$cert = "MIIDXXX...XXXZWCxicZzKAgV"

The contents of the certificate are available on the setup page of your Trustelem application.

$FederationBrandName = "mydomain.com"
Set-MsolDomainAuthentication -DomainName mydomain.com -Authentication managed
Set-MsolDomainAuthentication -DomainName mydomain.com `
    -FederationBrandName             $FederationBrandName `
    -Authentication                  Federated `
    -PassiveLogOnUri                 https://mydomain.trustelem.com/app/34XXX/sso `
    -SigningCertificate              $cert `
    -IssuerUri                       https://mydomain.trustelem.com/app/34XXX/mydomain.com `
    -LogOffUri                       https://mydomain.trustelem.com/app/34XXX/slo `
    -PreferredAuthenticationProtocol SAMLP

OpenID Connect

Introduction

Trustelem supports authorization code and implicit flows, as well as the OpenID Connect Discovery 1.1 standard.

If your application supports the discovery standard

You need to configure the application with the following settings:

trustelem.oidc.gi2dXXXX
kmzHGEKEKFH51r0xXXXXXXXXXXXXX
https://mydomain.trustelem.com/app/150XXX
https://mydomain.trustelem.com/app/150XXX/.well-known/openid-configuration

If your application does not support the discovery standard

Additional parameters are necessary:

https://mydomain.trustelem.com/app/150XXX/auth
https://mydomain.trustelem.com/app/150XXX/token
https://mydomain.trustelem.com/app/150XXX/userinfo
{"keys":[{"kty":"RSA","use":"sig","kid":"150XXX","alg":"RS256","n":"XXX...XXX","e":"AQAB"}]}

Note

OpenVPN

OpenVPN Configuration

<LDAP>
    # URL of the server where TrustelemConnect is running
    URL ldap://address:port
    # Bind DN
    BindDN cn=trustelem,DC=mydomain,DC=trustelem,DC=com
    # Bind password
    Password xNc3x8T0hFtKKpQq
    # Network timeout (in seconds)
    Timeout 30
    # Enable Start TLS
    TLSEnable no
    # Follow LDAP Referrals (anonymously)
    FollowReferrals yes
    # TLS CA Certificate File
    TLSCACertFile /usr/local/etc/ssl/ca.pem
    # TLS CA Certificate Directory
    TLSCACertDir /etc/ssl/certs
    # Client Certificate and key
    # If TLS client authentication is required
    TLSCertFile /usr/local/etc/ssl/client-cert.pem
    TLSKeyFile /usr/local/etc/ssl/client-key.pem
    # Cipher Suite
    # The defaults are usually fine here
    # TLSCipherSuite ALL:!ADH:@STRENGTH
</LDAP>

<Authorization>
    # Base DN
    BaseDN DC=mydomain,DC=trustelem,DC=com
    # User Search Filter
    SearchFilter "(mail=%u)"
    # Require Group Membership
    RequireGroup false
    # Add non-group members to a PF table (disabled)
    #PFTable ips_vpn_users
    # Uncomment and set to true to support OpenVPN Challenge/Response
    #PasswordIsCR false
</Authorization>

OpenVPN configuration

Before starting, please be sure to have a functional VPN.
Note: please be sure to have a TrustelemConnect app correctly configured.

OpenVPN configuration

Before starting, please be sure to have a functional VPN.

Trustelem configuration

In the Trustelem Login URL field, enter:

Opsgenie

Opsgenie Configuration

https://mydomain.trustelem.com/app/33XXXX/sso
https://mydomain.trustelem.com/app/33XXXX/on_logout
$cert = "MIIDXXX...XXXNTYw=="

Trustelem Configuration

OwnCloud

Introduction

Application configuration elements, on the SP side

Application configuration elements, on the IdP side

PagerDuty

PagerDuty Configuration

Trustelem Configuration

https://mydomain.trustelem.com/app/33XXXX/on_logout

ParkMyCloud

ParkMyCloud Configuration

Trustelem Configuration

Pingboard

Pingboard Configuration

Trustelem Configuration

Pipedrive

Trustelem Configuration

Proxyclick

Proxyclick Configuration

Trustelem Configuration

Pulse Secure

Before we start, please be sure to have a functional VPN

First of all, in the Trustelem app settings, enable the authentication method you want to use

Trustelem Configuration

Pulse Secure Configuration

Before we start, please be sure to have a functional VPN

First of all, in the Trustelem app settings, enable the authentication method you want to use

Trustelem Configuration

Pulse Secure Configuration

Pydio

Pydio requires a plugin to enable OpenID Connect authentication.

Download and installation

chown -R www-data:www-data authfront.openid/

Configuration

https://mydomain.trustelem.com/app/3XXXXX
{"keys":[{"kty":"RSA","use":"sig","kid":"58930","alg":"RS256","n":"03DSSaM_B0G70aclJFw-QK6HRl9hkFg2W5HKCGuAHm5wt2tP4FcQ8RMtLZ_WsdeFlUe9VdUGfACCSExq32k4XDR0PA5FJ9sE2pfGXIyyUP2drhqDI1Q754faHPjvkX5niiQkaNFby4HBjvsH6VWVU5PfHoHEeT20qemANWNlrfw8-jkMlN1aioWAuWI9L-OtGqUHEbZy_zj3GrZrAN7G73rClAtcgsIfeqkg3y5g2p4qRynS_MMmpuYiGz89Hcrr3lS52tKjHATskkII-eA-_78SB413KVKxRYSK9DjlA-Wm5Ott4AN99d6sVUIj0jp-fWSIueE4zy4OKrrQR91IYQ","e":"AQAB"}]}
{"issuer":"https://wallix-jflacher.trustelem.com/app/384294","authorization_endpoint":"https://wallix-jflacher.trustelem.com/app/384294/auth","token_endpoint":"https://wallix-jflacher.trustelem.com/app/384294/token","userinfo_endpoint":"https://wallix-jflacher.trustelem.com/app/384294/userinfo","jwks_uri":"https://wallix-jflacher.trustelem.com/app/384294/jwks","end_session_endpoint":"https://wallix-jflacher.trustelem.com/app/384294/end_session","scopes_supported":["email","family_name","given_name","groups","name","openid","organization","phone","profile","uid"],"response_types_supported":["code","code id_token","id_token","id_token token"],"grant_types_supported":["authorization_code","implicit"],"subject_types_supported":["public"],"display_values_supported":["page"],"claims_supported":["sub","iss","auth_time","acr","name","given_name","family_name","profile","email","locale","phone_number"],"ui_locales_supported":["fr-FR","en-GB"],"id_token_signing_alg_values_supported":["RS256"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post"]}
pydio_client_id

Rollbar

Rollbar Configuration

Trustelem Configuration

Salesforce

Introduction

Access to Salesforce parameters

Trustelem Configuration

Salesforce Configuration

SAML 2

Introduction

The SAML 2.0 configuration varies from application to application.
This page provides information about the most commonly used settings on both the application and Trustelem.
In SAML terminology, there is a client application which is called Service Provider (SP) and an identity provider (IdP), here Trustelem.

If you are the application developer

Note: our recommendation is to use OpenID Connect rather than SAML 2.0. OpenID Connect is more modern and simpler than SAML 2.0. If you still want to use SAML, you have 3 options:

Application configuration elements, on the SP side

Application configuration elements, on the IdP side

Slack

Trustelem Configuration

Slack Configuration

https://mydomain.trustelem.com/app/33XXXX/sso
https://mydomain.trustelem.com/app/33XXXX
$cert = "MIIDXXX...XXXNTYw=="

SmartRecruiters

SmartRecruiters Configuration

Trustelem Configuration

Add/edit a user with a SSO Identifier using API

Snowflake

Snowflake Configuration

use role accountadmin;
alter account set sso_login_page = TRUE;
alter account set saml_identity_provider =
'{
    "certificate": "MIIDUTCCAjmgAwIBAgIXXX",
    "issuer": "https://mydomain.trustelem.com/app/33XXXX",
    "ssoUrl": "https://mydomain.trustelem.com/app/33XXXX/sso",
    "type"  : "custom",
    "label" : "Trustelem" 
}';

Trustelem Configuration

SolarWinds Cloud

SolarWinds Configuration

Trustelem Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
    // Every user gets the member group; one specific account also gets the admin group
    msg.addAttr("groups", "memberSW");
    if (user.email === "john.doe@trustelem.com") {
        msg.addAttr("groups", "adminSW");
    }
}

Sprout Social

Sprout Social Configuration

StatusHub

Tableau

Tableau Configuration

Trustelem Configuration

ThousandEyes

ThousandEyes Configuration

https://mydomain.trustelem.com/app/3XXXXX/on_logout

TYPO3

UseResponse

UseResponse Configuration

Trustelem Configuration

Velpic

Velpic Configuration

Notes

Trustelem Configuration

WALLIX Access Manager

SAML - Access Manager configuration

SAML - Trustelem configuration


SAML - Notes

msg.setAttr("uid",user.email);

If you need a different AM profile :

// Define a default profile attribute which matches the NAME of the Access Manager profile
msg.setAttr("profile", "User");
// Change it depending on the email address
if (user.email == "rose.keler@trustelem.demo") { msg.setAttr("profile", "Auditor"); }
// Change it depending on the groups
for (let group in groups) {
  if (group == "Trustelem group name") { msg.setAttr("profile", "Auditor"); }
}


Radius - Access Manager and Trustelem configuration

In some specific cases, it is better to use Radius instead of SAML.

Radius can be used in all cases, but SAML is the better option, so Radius is not recommended in general:

Knowing that, if you need to use Radius, the steps are:

WALLIX Bastion

Trustelem Configuration

Before starting, please be sure to have installed TrustelemConnect on your server and to have set up this application in the Services tab of the Trustelem admin console.

LDAP-Radius


Bastion configuration

LDAP
RADIUS
LDAP AD Domain
cn=[trustelem group],ou=groups,dc=o10332,dc=trustelem,dc=com*


Wombat Security

WordPress

Supported Features

The integration currently supports the following features:

Configuration

Wordpress Config
Login Type: Auto Login-SSO
Client ID: trustelem.oidc.gi3XXXX
Client Secret Key: vly5yqnXXXX
OpenID Scope: email profile openid
Login Endpoint URL: https://mydomain.trustelem.com/app/160XXX/auth
Userinfo Endpoint URL: https://mydomain.trustelem.com/app/160XXX/userinfo
Token Validation Endpoint URL: https://mydomain.trustelem.com/app/160XXX/token
End Session Endpoint URL: https://mydomain.trustelem.com/app/160XXX/on_logout
Identity Key: name
Nickname Key: name
Trustelem Config

Beware of access control policies

Wordpress Config
  Entity ID: https://mydomain.trustelem.com/app/160XXX/
  Single SignOn Service URL: https://mydomain.trustelem.com/app/160XXX/sso
  Single Logout Service URL: https://mydomain.trustelem.com/app/160XXX/on_logout
  user_login: email
  user_email: email
  display_name: displayname
  first_name: firstname
  last_name: lastname
Trustelem Config

Workplace

Wrike

XWiki

XWiki Configuration

xwiki.authentication.authclass=org.xwiki.contrib.oidc.auth.OIDCAuthServiceImpl
oidc.xwikiprovider=https://mydomain.trustelem.com/app/150XXX
oidc.endpoint.authorization=https://mydomain.trustelem.com/app/150XXX/auth
oidc.endpoint.token=https://mydomain.trustelem.com/app/150XXX/token
oidc.endpoint.userinfo=https://mydomain.trustelem.com/app/150XXX/userinfo
oidc.scope=openid,profile,email
oidc.endpoint.userinfo.method=GET

oidc.user.nameFormater=${oidc.user.email}
oidc.user.subjectFormater=${oidc.user.subject}

oidc.clientid=trustelem.oidc.gvsteodb
oidc.secret=v0x8W4Gx97uycjBs18xeA5f6fkp2wyIY
oidc.endpoint.token.auth_method=client_secret_basic
oidc.skipped=false

Notes

Trustelem Configuration

Roles Configuration

```
oidc.userinfoclaims=xwiki_groups
oidc.groups.mapping=YourXWikiGroup=YourTrustelemGroup
```

```ts
// Collect the user's Trustelem group names and expose them as the xwiki_groups claim
const xwikiGroups: string[] = [];
for (let g in groups) {
  xwikiGroups.push(g);
}
claims["xwiki_groups"] = xwikiGroups;
// Expose a custom user attribute as an extra claim
claims["name1"] = user.getAttr("attribute1");
```

```
oidc.user.nameFormater=${oidc.user.email}-${oidc.user.name1}
```

You Don't Need a CRM

Zabbix

Trustelem Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
  msg.setAttr("username", user.firstname+"."+user.lastname);
}

Zendesk

Zendesk Configuration

Trustelem Configuration

function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
  msg.setAttr("role", "admin");
}

Zscaler Cloud

Zscaler Portal Cloud configuration

https://admin.zscloud.net/#administration/auth-settings
function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
  // Use the user's UPN as the SAML NameID
  msg.setNameID(user.upn);
}
https://mydomain.trustelem.com/app/18XXXX/sso

If you want to turn ON the SAML Auto-Provisioning function

  function CustomSAMLResponse(msg: SAMLResponse, user: User, groups: Groups, deny: Deny): void {
    msg.setAttr('displayName', user.firstname + ' ' + user.lastname);
    msg.addAttr('groups', 'group1');
    msg.addAttr('groups', 'group2');
    msg.addAttr('groups', 'groupX');
    msg.setAttr('department', 'my_department');
  }

Note: instead of the constants "groupX" and "my_department", you can use other user attributes.
For instance, if you want to use the Trustelem groups of the user:

  for (let name in groups) {
    msg.addAttr('groups', name);
  }

Here is a complete example of custom scripting:
