Summon: Configuring Summon SAML
Introduction
Setting up SAML for Summon, including Sierra via Summon (SvS), requires configuration in your SAML system (your identity provider) as well as activation within Summon. Below are instructions on how to configure your institution's SAML setup to work with Summon. In addition, you need to work with Summon customer support to configure and activate SAML support for Summon and to test your SAML configuration. We recommend testing your configuration in the preview environment before activating it in the production environment.
Terminology
- SAML (Security Assertion Markup Language) – A standard for exchanging authentication data between services.
- IdP (Identity Provider) – The customer's service that validates login credentials and determines user permissions.
- SP (Service Provider) – The customer's Summon instance.
- SSO (Single Sign On) – After a user logs on once with an IdP, other systems can verify with the IdP whether the user has already logged on; if so, authentication completes without prompting for the user's credentials again.
Configuration Details
This section describes the steps needed to configure SAML for use in your Summon environment. Once you have confirmed that SAML works as expected in your Summon preview environment, please repeat the same steps for your Summon production environment. Note that the following procedure requires configuration in both your SAML system and Summon.
- On the IdP portal page that is dedicated to adding new applications, upload the metadata from your Summon preview site to your IdP portal.
  - Use the following format to build the URL that returns the metadata for your Summon preview site:
    <base URL for Summon site>/auth/saml/metadata
    Examples:
    - Preview environment: https://myinstitutionname.preview.summon.serialssolutions.com/auth/saml/metadata
    - Production environment: https://myinstitutionname.summon.serialssolutions.com/auth/saml/metadata
    Preview and production are separate service providers with separate metadata; register each environment's own metadata with your IdP when you set that environment up.
  - If your IdP accepts URLs as a method for uploading metadata, pasting the URL is sufficient. Otherwise, copy the Summon metadata into a file and then upload it to your IdP portal.
  - Configure which user attribute is sent to Summon:
    - For SvS customers, either the user's email address or the Sierra catalog's patron ID is required to associate users with their Sierra account. This value is what ties a SAML login to a Sierra patron record, so release an attribute that is unique per user and that users cannot change themselves.
    - For other customers, no specific user attribute is required.
- In the Summon Admin Console, configure your SAML settings. For initial testing, ensure that you are in the Summon Preview environment. After testing is complete, repeat this configuration with the metadata from your Production environment:
  - On the SAML configuration page (Admin Console > Settings > SAML), copy your SAML IdP Metadata URL into the SAML IdP Metadata URL field and then select Parse, which should fill in the other SAML fields (such as the Single Sign-on Endpoint). Use an HTTPS metadata URL, since the parsed values determine where Summon sends users to authenticate. For more details, see the SAML section.
  - In addition, set the following SAML fields:
    - SAML IdP Alias – Specify the display name for the link used to disconnect the user's cloud drive from Summon.
    - User Id Location – Specify whether the unique user ID is found in the assertion's nameId or in an attribute element. For SvS customers, we recommend a designated attribute that carries the patron ID from the user's Sierra catalog record.
    - User Id Attribute Name – Specify the name of the user ID attribute (required when User Id Location is set to attribute).
  - Save your SAML settings.
- For SvS customers only, select the authentication methods used to sign in to Sierra from the Enable Authentication Protocol(s) field on the Sierra configuration page (Admin Console > Settings > Sierra). The valid values are CAS, SAML, or Both. For more details, see the Sierra section.
- If you want to enable users to save their searches to their SAML drive in Summon, set the Saved Search Enabled field to Summon Cloud (SAML config required) on the Advanced Search page (Admin Console > Settings > Advanced Search). For more details, see Configuring Advanced Search.
- Perform the following tests to ensure that SAML is configured properly:
  - Test the ability to log on to Summon using the Login menu at the top of the Summon user interface.
  - Test the ability to log on to Summon from the Saved Searches page in the Summon UI.
  - Verify that searches are retained between sessions using the SAML drive.
  - For SvS customers that have enabled SAML authentication, test the ability to log on to your library, view the My Library Card page, and request items.
  You can change the labels for these links and the headings under the Translations tab of the Admin Console.
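The script below is an added example for the metadata step above; it is not Summon's or Ex Libris' code and does not appear on the page. It builds the metadata URL in the format given above for an institution name and environment, then parses an SP metadata document and confirms that every AssertionConsumerService location is HTTPS and on the Summon host the metadata was fetched from, which is the check that catches preview metadata being registered for a production test (or the reverse) before the IdP rejects the login. The metadata document in the script is constructed for the example: the entityID, the ACS path and the NameIDFormat are assumptions, not Summon's real values, and the real document served at /auth/saml/metadata may contain additional elements.

```python
"""Check Summon SP metadata against the environment it will be registered for.

Added example, not Summon's code. The sample metadata below is constructed;
its entityID, ACS path and NameIDFormat are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SUMMON_DOMAIN = "summon.serialssolutions.com"
MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}


def summon_host(institution: str, env: str) -> str:
    """Host name of an institution's Summon site in 'preview' or 'production'."""
    if env == "preview":
        return f"{institution}.preview.{SUMMON_DOMAIN}"
    if env == "production":
        return f"{institution}.{SUMMON_DOMAIN}"
    raise ValueError(f"unknown environment {env!r}")


def metadata_url(institution: str, env: str) -> str:
    """URL that returns the SP metadata for that site (format from the page)."""
    return f"https://{summon_host(institution, env)}/auth/saml/metadata"


def check_sp_metadata(xml_text: str, expected_host: str) -> dict:
    """Parse SP metadata; return entityID and ACS locations, or raise on a problem.

    The stdlib parser is fine for a document you fetched over HTTPS yourself;
    for XML from an untrusted source use defusedxml instead.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD_NS["md"]:
        raise ValueError("not a SAML EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    sp = root.find("md:SPSSODescriptor", MD_NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not Summon's")
    acs_locations = []
    for acs in sp.findall("md:AssertionConsumerService", MD_NS):
        location = acs.get("Location", "")
        parsed = urlparse(location)
        if parsed.scheme != "https":
            raise ValueError(f"ACS location is not HTTPS: {location}")
        if parsed.hostname != expected_host:
            raise ValueError(f"ACS host {parsed.hostname!r} is not {expected_host!r}: "
                             "metadata from the other environment?")
        acs_locations.append(location)
    if not acs_locations:
        raise ValueError("no AssertionConsumerService in metadata")
    return {"entity_id": entity_id, "acs": acs_locations}


# Constructed sample SP metadata for the example (all values are assumptions).
SAMPLE_PREVIEW_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://myinstitutionname.preview.summon.serialssolutions.com/auth/saml/metadata">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://myinstitutionname.preview.summon.serialssolutions.com/auth/saml/acs"
        index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


if __name__ == "__main__":
    inst = "myinstitutionname"
    print("fetch:", metadata_url(inst, "preview"))
    print("ok:", check_sp_metadata(SAMPLE_PREVIEW_METADATA, summon_host(inst, "preview")))
    try:  # the same document checked as if it were production metadata
        check_sp_metadata(SAMPLE_PREVIEW_METADATA, summon_host(inst, "production"))
    except ValueError as err:
        print("rejected:", err)
```

To use it against a live site, fetch `metadata_url(...)` over HTTPS and pass the body to `check_sp_metadata` with the host for the environment you are about to register in the IdP; a mismatch means you are holding the other environment's metadata.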
Troubleshooting
Below are some common issues that may occur during the configuration and testing of SAML:
- A 404 Not Found message is returned while logging on via SAML.
  Check the accuracy of the Single Sign-on Endpoint field on the SAML configuration page (Admin Console > Settings > SAML) by pasting that URL into a browser. If the endpoint itself returns a 404 in the browser, the value is wrong; correct it against your IdP's current metadata.
- While logging on via SAML, the IdP does not recognize Summon (for example, "this application has not been authorized" or a similar message is returned).
  This means that there was an error when setting up the Summon metadata in the IdP. Load the metadata again, making sure it is the metadata for the environment you are testing (preview and production each have their own metadata URL).
- The user ID is not recognized or the password is incorrect.
  - Any issue with the login itself (such as invalid credentials or a user that does not exist) is unrelated to the SAML configuration in Summon.
  - The IdP within your SAML system manages the user's login.
- The user's login seems to be successful, but an error appears in the login window, and the URL in the login window is a Summon URL.
  - This is often an issue with the User Id Location: either the User Id Location was configured incorrectly (see the User Id Location field) or the attribute for this specific user is missing or incorrect.
  - Double-check that the User Id Location is configured correctly and that the user ID is available from your SAML system, for example by inspecting the assertion your IdP sends for that user. If this appears to be correct, you may need to contact Summon support for further troubleshooting.
- For SvS customers only, the login is successful, but user information does not load into My Library Card.
  - This likely indicates a mismatch between the value found in the User Id Location specified in the Summon Admin Console for this specific user and the patron accounts available in the library catalog.
  - Confirm that the IdP is sending a patron ID or a valid patron email from the Sierra catalog in the User Id Location specified in the Summon Admin Console. If it is, you may need to contact Summon support for further troubleshooting.
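The following script is an added example, not Summon's code and not from the page. It illustrates the User Id Location and User Id Attribute Name settings from the configuration steps and the two troubleshooting cases above that turn on them: it resolves the user ID from a SAML assertion the way those settings select it (nameId, or a named attribute) and fails with a specific message when the attribute was not released for this user, which is what a user sees as a Summon-URL error after an apparently successful IdP login. The two Response documents are constructed for the example; the attribute names "patronId" and "mail" and the patron ID value are assumptions. No Signature element is shown: a real response is signed, and signature, audience and validity checks must pass before any value from it is trusted.

```python
"""Resolve the Summon user ID from a SAML assertion per the User Id Location setting.

Added example, not Summon's code. The responses below are constructed and
unsigned; attribute names and values are assumptions.
"""
import xml.etree.ElementTree as ET
from typing import List, Optional

SAML_NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}


class UserIdNotFound(Exception):
    """The configured User Id Location holds no usable value for this user."""


def attribute_names(assertion: ET.Element) -> List[str]:
    """Names of all attributes the IdP released, useful when diagnosing a miss."""
    return sorted(a.get("Name", "") for a in
                  assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS))


def extract_user_id(response_xml: str, location: str,
                    attribute_name: Optional[str] = None) -> str:
    """Return the user ID as the Admin Console settings would select it.

    location is 'nameId' or 'attribute'; attribute_name is the
    User Id Attribute Name and is only consulted for 'attribute'.
    """
    root = ET.fromstring(response_xml)
    assertion = root.find("saml:Assertion", SAML_NS)
    if assertion is None:
        raise UserIdNotFound("response contains no Assertion")

    if location == "nameId":
        name_id = assertion.find("saml:Subject/saml:NameID", SAML_NS)
        if name_id is None or not (name_id.text or "").strip():
            raise UserIdNotFound("Subject has no NameID; the IdP may only be releasing attributes")
        return name_id.text.strip()

    if location == "attribute":
        if not attribute_name:
            raise ValueError("User Id Attribute Name is required when User Id Location is 'attribute'")
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
            if attr.get("Name") != attribute_name:
                continue
            values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS)
                      if v.text and v.text.strip()]
            if len(values) != 1:  # an ID must be single-valued to map to one patron record
                raise UserIdNotFound(f"attribute {attribute_name!r} has {len(values)} values, expected 1")
            return values[0]
        raise UserIdNotFound(f"attribute {attribute_name!r} not sent for this user; "
                             f"IdP released {attribute_names(assertion)}")

    raise ValueError(f"unknown User Id Location {location!r}")


def _response(attributes: str) -> str:
    """Wrap a constructed AttributeStatement body in an unsigned Response."""
    return f"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jdoe@example.edu</saml:NameID></saml:Subject>
    <saml:AttributeStatement>{attributes}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples: one user with the patron ID attribute released, one without.
RESPONSE_WITH_PATRON_ID = _response(
    '<saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="patronId"><saml:AttributeValue>p1234567</saml:AttributeValue></saml:Attribute>')
RESPONSE_MISSING_PATRON_ID = _response(
    '<saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.edu</saml:AttributeValue></saml:Attribute>')


if __name__ == "__main__":
    print(extract_user_id(RESPONSE_WITH_PATRON_ID, "nameId"))
    print(extract_user_id(RESPONSE_WITH_PATRON_ID, "attribute", "patronId"))
    try:
        extract_user_id(RESPONSE_MISSING_PATRON_ID, "attribute", "patronId")
    except UserIdNotFound as err:
        print("login would fail at Summon:", err)
```

When a user reports the Summon-URL error after an IdP login, capture the assertion your IdP sends for that account (most IdPs have a test or trace view for this) and run it through `extract_user_id` with the same location and attribute name configured in the Admin Console; the error lists which attributes the IdP actually released, which is usually enough to see whether the release policy or the attribute name is at fault. For SvS, the value that comes back must also match a patron ID or patron email in Sierra, which is the separate mismatch described in the last troubleshooting item.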