...
Remember that a Cobundu user needs to be linked to an IWMS user in order to have certain rights (e.g. to make a reservation or to book a ticket). Make sure the users exist in MCS IWMS first, so that you can link them during the upload.
...
Cobundu SSO is available for Go.cobundu.com, Studio.cobundu.com and Workplace App.
Prerequisites for Cobundu SSO
- An MCS IWMS account for the user must exist
  - Ideally, an HR interface takes care of automatic creation of MCS IWMS users
  - If the logged-in user doesn’t exist in MCS IWMS, the user will not be able to use any MCS IWMS-dependent features like making reservations.
- Identity Provider Mapping (receiving the following attributes from the identity provider: "MCS IWMS login ID", "First Name", "Last Name" and "E-Mail")
  - If the "MCS IWMS login ID" attribute is not correctly mapped, the user will not be able to use any MCS IWMS-dependent features like making reservations.
- (optional) Mapping between Active Directory account groups and Cobundu roles
How is it set up?
Cobundu supports the SAML 2.0 protocol, which is the industry standard among all up-to-date integrations. See SSO SAML 2.0 for a general understanding of how SSO works.
The SSO configuration from MCS IWMS cannot be re-used on Cobundu. These are 2 separate apps from the Identity Provider's perspective, and each requires an independent SSO federation setup.
Development takes 2 MDs (incl. PM). The estimate depends on the configuration and regulations on the Identity Provider in terms of supported SAML 2.0 options and features, as well as on the maturity of the IT staff responsible for configuring federation on the customer side. The estimate does not cover the HR interface setup on MCS IWMS (user accounts sync), which is a prerequisite for SSO to work on Cobundu.
...
Logging in with an e-mail address is now also supported: it uses a whitelist of e-mail providers (e.g. @spacewell.com or @mcs.be) to check the tenant. To whitelist an e-mail domain, add it to Settings > SAML SSO > "Allowed email domains (comma separated)" (underneath "Auto-Create user").
On GO and Studio, if your customer has SSO installed and you want to bypass it (and log in using your Cobundu ID), go to https://go.cobundu.com/no-sso; select "Log in with your Cobundu credentials"; then log in with your Cobundu ID and password.
...
Role Mapping (see Roles & Profiles chapter below)
Initially, SSO was creating users, but that's as far as the user management went. There is no update, deletion or deactivation. If a user is set to disabled in the IWMS, the consequence will be that the Cobundu user is still active, but does not have any MCS IWMS rights anymore: the user can log in to Cobundu touchpoints and browse reservable rooms, floor plans, etc., but as soon as they want to make a reservation or book a ticket, this will not be possible (because they don't have the correct IWMS rights anymore).
We have now added a way to overcome this by providing a mapping table in Studio, where one can map the Active Directory account groups to Cobundu roles:
- If a user logs in using SSO and has no Cobundu account yet
  - The user will be automatically created
  - Based upon the AD Account Group ID passed via metadata, the user will be created and assigned a Cobundu role as defined in the role mapping
- If a user logs in using SSO and already has a Cobundu account
  - Based upon the AD Account Group ID passed via metadata, the user will be assigned a Cobundu role as defined in the role mapping
This feature can be turned on or off.
More information on Cobundu SSO can be found in this presentation (keep in mind: Cobundu SSO is only available for Go, Workplace App and Studio)
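The attribute prerequisites and the role-mapping rules above can be checked against a test assertion from the identity provider before go-live. The sketch below is an added example, not Cobundu code: the attribute names on the wire, the `AD Account Group ID` attribute name, the group IDs, and recognising an existing account by e-mail address are assumptions, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Attributes the page lists as required from the identity provider. The names
# actually sent on the wire depend on the IdP mapping (assumption).
REQUIRED = ("MCS IWMS login ID", "First Name", "Last Name", "E-Mail")
GROUP_ATTR = "AD Account Group ID"  # hypothetical attribute name

def _attr(name, *values):
    vals = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in values)
    return f'<saml:Attribute Name="{name}">{vals}</saml:Attribute>'

# Constructed sample: the AttributeStatement of a test assertion.
SAMPLE = (
    '<saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
    + _attr("MCS IWMS login ID", "jdoe") + _attr("First Name", "Jane")
    + _attr("Last Name", "Doe") + _attr("E-Mail", "jane.doe@example.com")
    + _attr(GROUP_ATTR, "grp-1001", "grp-9999")
    + "</saml:AttributeStatement>"
)

def read_attributes(xml_text):
    """Return {attribute name: [non-empty values]} from an AttributeStatement."""
    attrs = {}
    for node in ET.fromstring(xml_text).iter(NS + "Attribute"):
        values = [(v.text or "").strip() for v in node.iter(NS + "AttributeValue")]
        attrs[node.get("Name")] = [v for v in values if v]
    return attrs

def check_login(attrs, role_mapping, allowed_domains, existing_accounts):
    """Report what a login with these attributes would lack, and the mapped roles."""
    findings = [f"missing attribute: {n}" for n in REQUIRED if not attrs.get(n)]
    if not attrs.get("MCS IWMS login ID"):
        findings.append("no IWMS link: reservations and tickets will not work")
    email = (attrs.get("E-Mail") or [""])[0].lower()
    if email and email.rpartition("@")[2] not in allowed_domains:
        findings.append("e-mail domain not in 'Allowed email domains'")
    groups = attrs.get(GROUP_ATTR, [])
    roles = sorted({role_mapping[g] for g in groups if g in role_mapping})
    if not roles:
        findings.append("no AD account group maps to a Cobundu role")
    # Assumption: an existing Cobundu account is recognised by e-mail address.
    action = "assign roles" if email in existing_accounts else "create user, assign roles"
    return {"action": action, "roles": roles, "findings": findings}

if __name__ == "__main__":
    mapping = {"grp-1001": "Developer"}  # constructed mapping table
    print(check_login(read_attributes(SAMPLE), mapping, {"example.com"}, set()))
```

The check only inspects attribute content; validating the assertion's signature and conditions is out of its scope.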
Presentation in French (2020):
...
- The "Developer" role is typically assigned to users who have the rights to view/consume/integrate COBUNDU APIs with touchpoints. As these users can also be external developers who work on integrating COBUNDU with their systems, such users should not have access to COBUNDU touchpoints. On GO, users with only the developer role are automatically redirected to the API documentation upon login and cannot use any other front-end features. On Workplace App, an alert will be shown and the user will not be allowed to continue.
...