Meridian Single Sign-On (SSO)
Meridian single sign-on (SSO) provides an alternative login process for the Meridian Editor and the Meridian Manager app.
With SSO, your user data will remain internal to your organization.
In order to use SSO, you’ll need Meridian accounts. Once created, you can link your SSO users to your Meridian users.
Even if you’re using SSO, you can still create non-SSO Meridian accounts. The email address for the non-SSO users will need to be a different domain from the one used in your SSO configuration.
A Meridian user account email must exactly match the email returned in the SSO provider’s ID token.
SSO will be enabled by the Meridian team when certain requirements are met.
Meridian SSO uses OpenID Connect with an OAuth 2.0 Authorization Code Grant Type as its authentication protocol.
Meridian SSO Workflow Diagram
Who Needs to Be Involved
If you’d like to implement Meridian SSO, please contact your Meridian Customer Success Manager and Aruba Account Manager. They’ll facilitate the Meridian side of the SSO configuration.
For locations with a Meridian-powered app in production, Meridian recommends validating the SSO functionality in a test Meridian environment before enabling it for your production app.
SSO Requirements
Before SSO can be enabled, certain requirements must be met.
- An OpenID Connect-certified SSO provider.
- OpenID Connect OAUTH variables.
- A user database with real user data.
- An allowlist of Meridian URLs for the SSO provider.
- An SSO test user account for Meridian.
OpenID Connect Certification
The OpenID Foundation provides certifications for OpenID Connect providers. They provide a list of certified OpenID Connect providers.
OpenID Connect is an identity layer on top of the OAuth 2.0 framework. It allows clients to verify the identity of an end user and to obtain basic profile information about that user in a REST-like manner.
OpenID Connect OAUTH Variable Inventory
You’ll need to provide Meridian with the following information from your OpenID Connect provider.
- Domain - The email domain of users who will log in with SSO.
- Web Client ID and Web Client Secret - These are used to connect to the Meridian Editor.
- Mobile Client ID - This is used to connect to Meridian mobile applications (Aruba Meridian or Meridian Manager).
- Auth Endpoint - The SSO endpoint URL used for authentication.
- Token Endpoint - The SSO endpoint URL used for the Meridian token.
- User Endpoint - The SSO endpoint URL to retrieve user information from the SSO user database.
- Issuer URL - The domain and subdomain of the SSO provider. For example, if the Auth Endpoint is https://my-sso-domain.sso-provider.com/auth then the Issuer URL is https://my-sso-domain.sso-provider.com.
- Public Key URL - The URL providing the SSO public key.
- Redirect URI - The URL the SSO provider will redirect to after it is done authenticating a user of Meridian's apps. Usually it is https://edit.meridianapps.com/api/sso/openid-backend. The SSO provider must actively allow this URL.
User Database
In order to use Meridian SSO, you’ll need to have an internal database of users that correspond to real people. That user database needs to be uploaded to your SSO provider.
If you remove a user from your SSO database, that user will no longer have access to Meridian.
Meridian URL Allowlist
Meridian will provide you with a list of URLs that your OpenID Connect provider must allow.
The allowlist URLs are:
- Meridian Editor - https://edit.meridianapps.com/api/sso/openid-backend
- Aruba Meridian (iOS) - com.arubanetworks.aruba-meridian://redirect_oauth
- Aruba Meridian (Android) - com.arubanetworks.appviewer://redirect_oauth
- Meridian Manager app - com.arubanetworks.meridianmanager://redirect_oauth
You’ll only need the allowlisted URLs for those Meridian tools you’re planning on using.
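As an added example (not Meridian's code, nor any SSO provider's), the following Python shows the checks the allowlist above is meant to enforce on the provider side, together with the Issuer URL derivation from the variable inventory: a redirect_uri is compared by exact string match (no prefix, wildcard or case-folded matching, so a trailing slash, an added query string or a lookalike host all fail), and the issuer is the scheme and host of the Auth Endpoint with no path. The function names and parameter names are assumptions; the allowlist entries and the example endpoint are the ones given on this page.

```python
from urllib.parse import urlsplit

# Allowlist constructed from the URLs listed on this page. A real deployment
# registers only the entries for the Meridian tools it actually uses.
MERIDIAN_REDIRECT_ALLOWLIST = frozenset({
    "https://edit.meridianapps.com/api/sso/openid-backend",  # Meridian Editor
    "com.arubanetworks.aruba-meridian://redirect_oauth",      # Aruba Meridian (iOS)
    "com.arubanetworks.appviewer://redirect_oauth",           # Aruba Meridian (Android)
    "com.arubanetworks.meridianmanager://redirect_oauth",     # Meridian Manager app
})


def redirect_uri_allowed(redirect_uri: str, allowlist=MERIDIAN_REDIRECT_ALLOWLIST) -> bool:
    """Exact string comparison against the registered redirect URIs.

    Deliberately no normalisation: a trailing slash, an extra query string,
    a different host case or a host that merely starts with the allowed one
    must all be rejected, otherwise the authorization code could be sent
    to a URL the customer never approved.
    """
    return redirect_uri in allowlist


def issuer_from_auth_endpoint(auth_endpoint: str) -> str:
    """Derive the Issuer URL (scheme + host, no path) from the Auth Endpoint.

    https://my-sso-domain.sso-provider.com/auth -> https://my-sso-domain.sso-provider.com
    """
    parts = urlsplit(auth_endpoint)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("Auth Endpoint must be an absolute https URL")
    return f"https://{parts.netloc}"


def check_authorization_request(params: dict, allowlist=MERIDIAN_REDIRECT_ALLOWLIST) -> list:
    """Return the problems a provider should reject an authorization request for.

    An empty list means the request passes these checks. `params` is the
    parsed query string of the request to the Auth Endpoint (assumed shape).
    """
    problems = []
    if params.get("response_type") != "code":
        problems.append("response_type must be 'code' (Authorization Code grant)")
    if not redirect_uri_allowed(params.get("redirect_uri", ""), allowlist):
        problems.append("redirect_uri is not on the allowlist")
    if "openid" not in params.get("scope", "").split():
        problems.append("scope must include 'openid' to obtain an ID token")
    if not params.get("state"):
        problems.append("state parameter is missing")
    return problems


if __name__ == "__main__":
    # Constructed request as the Meridian Editor would send it.
    good = {"response_type": "code", "scope": "openid email",
            "redirect_uri": "https://edit.meridianapps.com/api/sso/openid-backend",
            "state": "c1f0e9", "client_id": "web-client-id-placeholder"}
    print(check_authorization_request(good))  # []
    print(issuer_from_auth_endpoint("https://my-sso-domain.sso-provider.com/auth"))
```

The `state` and `scope` checks are included because a missing `state` leaves the callback unprotected against cross-site request forgery, and without `openid` in the scope the provider returns no ID token, so there is no `email` claim for the Meridian account match to be performed on.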
Different OpenID Connect Flows
Meridian uses two OpenID Connect flows, one for the Meridian Editor and one for Meridian-powered apps. Each flow requires a separate profile in your SSO provider configuration.
The Meridian Editor uses a traditional SSO authorization flow.
The Editor’s SSO flow requires a client ID and client secret, as well as an allowlist of the Editor’s URLs.
The Editor’s SSO requires that the user’s email address is returned in the ID token. This can be configured in your SSO provider’s web app profile.
Meridian mobile apps use an authorization flow with Proof Key for Code Exchange (PKCE).
The mobile SSO flow uses a client ID and is enabled for PKCE, as well as an allowlist of the mobile app URLs.
The mobile flow requires that the user’s email address is returned in the ID token. The mobile SSO flow also supports given_name, family_name, preferred_username, image_url, and updated_at, although these are not required.
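The following Python is added here as an illustration (it is not Meridian's code nor any provider's) of the two mechanics the flows above depend on: the PKCE code_verifier/code_challenge pair (S256 method, per RFC 7636) that the mobile flow uses in place of the web client secret, and the ID token claim checks both flows need, including the exact email match with the Meridian account described earlier on this page and extraction of the optional mobile profile claims. It assumes the ID token's signature has already been verified against the key fetched from the Public Key URL by a JOSE library; the function names, parameters and the sample claims are assumptions.

```python
import base64
import hashlib
import secrets
import time
from typing import Optional

# Required in every ID token the Editor or mobile flow consumes (email is the
# Meridian-specific requirement from this page; the rest are OpenID Connect core).
REQUIRED_CLAIMS = ("iss", "sub", "aud", "exp", "iat", "email")
# Optional claims the mobile flow will use when present.
OPTIONAL_MOBILE_CLAIMS = ("given_name", "family_name", "preferred_username",
                          "image_url", "updated_at")


def b64url(data: bytes) -> str:
    """Base64url encoding without '=' padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple:
    """Return (code_verifier, code_challenge) for the S256 method.

    The mobile app keeps the verifier in memory and sends only the challenge
    with the authorization request; the verifier goes to the token endpoint.
    32 random bytes encode to 43 characters, the minimum verifier length.
    """
    verifier = b64url(secrets.token_bytes(32))
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def pkce_verifier_matches(verifier: str, challenge: str) -> bool:
    """Token-endpoint check: SHA-256 of the verifier must equal the challenge.

    A stolen authorization code is useless without the verifier, which is why
    the mobile flow needs no client secret embedded in the app.
    """
    if not (43 <= len(verifier) <= 128):
        return False
    expected = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return secrets.compare_digest(expected, challenge)


def check_id_token_claims(claims: dict, issuer: str, client_id: str,
                          meridian_email: str, now: Optional[float] = None) -> dict:
    """Validate the claims of an already signature-verified ID token.

    Raises ValueError on the first failure. On success returns whichever of
    the optional mobile profile claims were present.
    """
    now = time.time() if now is None else now
    missing = [c for c in REQUIRED_CLAIMS if c not in claims]
    if missing:
        raise ValueError(f"ID token is missing claims: {missing}")
    if claims["iss"] != issuer:
        raise ValueError("iss does not match the configured Issuer URL")
    aud = claims["aud"] if isinstance(claims["aud"], list) else [claims["aud"]]
    if client_id not in aud:
        raise ValueError("aud does not include this client ID")
    if claims["exp"] <= now:
        raise ValueError("ID token has expired")
    # Exact, case-sensitive comparison: the Meridian account email must match
    # the provider's email claim byte for byte.
    if claims["email"] != meridian_email:
        raise ValueError("email claim does not exactly match the Meridian account")
    return {k: claims[k] for k in OPTIONAL_MOBILE_CLAIMS if k in claims}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    print("PKCE pair valid:", pkce_verifier_matches(verifier, challenge))
    # Constructed sample claims; the issuer matches the example Auth Endpoint
    # given on this page and the client ID is a placeholder.
    sample = {"iss": "https://my-sso-domain.sso-provider.com", "sub": "user-1",
              "aud": "mobile-client-id-placeholder", "iat": 1000, "exp": 2000,
              "email": "alice@example.com", "given_name": "Alice"}
    print(check_id_token_claims(sample, "https://my-sso-domain.sso-provider.com",
                                "mobile-client-id-placeholder",
                                "alice@example.com", now=1500))
```

For the Editor's web flow the same claim checks apply; the only difference at the token endpoint is that the Web Client Secret authenticates the client instead of the PKCE verifier.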
Using a Login Page with a Custom HTML Template
If you’re using an SSO login page with a custom HTML template, please ensure that it’s sending the correct login form fields to the authentication server. If you don’t, the suggested username values in the URI parameters may take precedence over your login form contents.
Create an SSO Test User
The SSO implementation process requires close collaboration with the Meridian team. To ensure a smooth process, Meridian SSO requires that you create an SSO test user for Meridian to more easily troubleshoot any issues that arise during implementation.
Complete these steps to enable a Meridian SSO test user.
- Add a test user email address to your SSO provider database. The test user must use the same email domain as the customer’s other SSO users.
- Make sure that the test user account has minimal permissions in your SSO provider database.
- Send the SSO test user email address and password to Meridian.
- Meridian will use that email address to create a test account in the Meridian Editor.
- Meridian will log in with the test account to make sure it works.
When the SSO implementation is complete and testing is done, Meridian will request that you delete the test account from your SSO database provider.
SSO for the Meridian Editor
Once the SSO requirements are met, SSO will be available for user logins to the Meridian Editor.
The Meridian Editor uses a traditional authorization flow.
SSO for Meridian Manager App
Once the SSO requirements are met, SSO will be available for the Meridian Manager app.
Meridian mobile apps use an authorization flow with Proof Key for Code Exchange (PKCE).