Horizzon supports single sign-on (SSO) using a SAML 2.0 Identity Provider. To be able to use SAML 2.0, a new application needs to be registered with the identity provider, and the Horizzon Server needs to be configured.
Configuring SAML for Horizzon Server and Horizzon should only be done by application administrators who are familiar with user synchronization and authentication with an external identity provider.
Configuring user synchronization and authentication
- In the sidebar menu, click Settings > Authentication.
- On the authentication settings page, in Authentication, select identity provider SAML 2.0.
- Enter the following details about the identity provider:
Identity provider metadata path: Enter the metadata path for the newly registered application.
Identity provider name: Enter a name for the identity provider. This is the name users will see on the sign-in button on the Horizzon sign-in page.
Service provider entity ID: Also known as Audience Restriction, Relying Party Identifier or Audience URI. Enter the entity ID of the Horizzon Server. If left empty, the callback URL shown on this settings page is used as the entity ID. Depending on the identity provider, you can also use a unique identifier name instead of a URL (Azure AD).
If you are working with the cloud or hybrid solution, use the following format: https://<mydomain>.horizzon.cloud/<serviceprovider>
If you are working with the on-premise solution, use the following format: https://<name:port>/<serviceprovider>
Maximum authentication lifetime: The Bizzdesign software implements a maximum sign-in time, as defined in the SAML 2.0 Session Token Profile specification, of seven days (604800 seconds). The sign-in time enforces that users must have signed in with the identity provider within the last hour for the SAML assertion to be accepted. Depending on your settings, this maximum authentication time may be too short for your identity provider. If your identity provider uses a longer maximum sign-in time, you may need to change the lifetime value here to align with your identity provider's session timeout value. The setting is specified in seconds.
- By default, Horizzon uses the HTTP Post SAML binding type. Only select HTTP Redirect if your IDP supports this.
Save the changed settings.
Create a SAML metadata XML file to automatically import the metadata in your identity provider:
In the address bar of your Horizzon environment, behind <mydomain>.horizzon.cloud/, replace the text settings/ts-authentication with saml/metadata.xml and press Enter. Example: https://<mydomain>.horizzon.cloud/saml/metadata.xml
The metadata.xml file is automatically downloaded to your device.
If your Horizzon environment has a <mydomain>.bizzdesign.cloud address, you still use a 2-domain setup for your environment. In that case, please contact Bizzdesign Support before continuing.
- In your identity provider, create a Bizzdesign authentication app and specify the following details:
Name: Type a name for the application.
Supported account types: Select the appropriate account type.
Redirect URI: Select the option Web, and type the URI of your Horizzon client.
If you are working with the cloud or hybrid solution, use the following format: https://<mydomain>.horizzon.cloud/auth/callback/SAML2Client
Replace <mydomain> with the name of your Horizzon environment.
If you are working with the on-premise solution, use the following format: https://<name:port>/auth/callback/SAML2Client
Replace <name:port> with the name of the computer and port on which your Horizzon is running.
- Optional: To be able to register users, Horizzon matches SAML attributes with the attributes used by your identity provider. For that, Horizzon looks at a fixed set of assertion attributes on the provider side to match with (email, first_name, family_name, member_of). If the attribute names used by your identity provider are different, configure them below for matching. The Group membership attribute is optional and only required if you intend to use groups. Note that these attribute names are case sensitive and must be lower case.
In addition to the assertion attributes listed in the previous step, the NameID (also known as the nameidentifier) must be included in the SAML subject, with the URN format urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified. The attribute value for the NameID should be set to the e-mail address, as is the case with the email attribute. The reason for this is that the NameID value updates the username of the user's Horizzon user profile, which itself is used as the key for a user's local (personal) storage in Enterprise Studio (Online). In non-SSO configurations, the username and email are the same, so this configuration should be preserved when enabling SAML authentication.
When existing users switch to signing in using SAML, it is advised to set the NameID attribute to the e-mail address. If you use a different value, these users will lose access to the model packages stored in the personal storage in Enterprise Studio (Online).
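The attribute matching and NameID rule above, together with the maximum authentication lifetime from the settings step, as an added example that is not Horizzon's own code: it parses a constructed, unsigned assertion, maps the IdP attribute names `mail`, `givenname`, `surname` and `groups` (assumed names chosen for this example) onto Horizzon's fixed `email`, `first_name`, `family_name` and `member_of`, requires the NameID to equal the e-mail address, and rejects an AuthnInstant older than 604800 seconds. Signature validation is deliberately out of scope here.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
MAX_AUTH_LIFETIME = 604800  # seconds; the seven-day value from the settings page
# Horizzon's fixed attribute names -> the names this IdP sends (IdP-side names
# are constructed for the example; member_of is optional, only needed for groups).
ATTRIBUTE_MAP = {"email": "mail", "first_name": "givenname",
                 "family_name": "surname", "member_of": "groups"}

# Constructed, unsigned assertion; signature validation is outside this example.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID></saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-05-01T08:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="groups"><saml:AttributeValue>Architects</saml:AttributeValue><saml:AttributeValue>Viewers</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_instant(text):
    # SAML xs:dateTime such as 2024-05-01T08:00:00Z -> timezone-aware datetime
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def map_assertion(xml_text, attribute_map=ATTRIBUTE_MAP, now=None,
                  max_lifetime=MAX_AUTH_LIFETIME):
    """Return the Horizzon profile derived from an assertion, or raise ValueError."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        raise ValueError("NameID missing or not in the unspecified format")
    # Collect IdP attributes; multi-valued attributes (groups) become lists.
    idp_attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
                 for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    profile = {"username": name_id.text}
    for horizzon_name, idp_name in attribute_map.items():
        values = idp_attrs.get(idp_name, [])
        if not values and horizzon_name != "member_of":  # member_of is optional
            raise ValueError(f"attribute {idp_name!r} missing for {horizzon_name}")
        profile[horizzon_name] = values if horizzon_name == "member_of" else values[0]
    # Username comes from NameID; it must equal the e-mail so the personal storage key is kept.
    if profile["username"] != profile["email"]:
        raise ValueError("NameID must carry the e-mail address")
    # Maximum authentication lifetime: reject assertions whose IdP sign-in is too old.
    instant = parse_instant(root.find("saml:AuthnStatement", NS).get("AuthnInstant"))
    if (now or datetime.now(timezone.utc)) - instant > timedelta(seconds=max_lifetime):
        raise ValueError("AuthnInstant older than the maximum authentication lifetime")
    return profile
```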
- For the SingleSignOnService and SingleLogoutService bindings, send:
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST and
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
After the new application has been created, Horizzon can be further configured.
- At the authentication settings in Horizzon, in Hours before removal, set the number of hours the group members must remain in Horizzon after they have been removed via just-in-time provisioning, to prevent data loss in case of mistakenly removed group members. After this time the group members will be removed from Horizzon.
- If you use group authentication, user access is configured via these groups. If you do not use group authentication, or cannot rely on it at the time of user provisioning, you can specify one or more default roles for all users to give them access. If you do not define any default role, users will initially have minimal access.
Under Default roles, select the roles that the provisioned users need to have when signing in to Horizzon. The selected roles will be assigned to all users upon provisioning. For more information about roles, please refer to User roles and permissions.
It is often helpful to review the SAML response when troubleshooting an issue with SAML 2.0. Refer to the guide below, and include the SAML response when submitting a ticket to Bizzdesign Support:
https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_saml_view-saml-response.html
User provisioning and group membership
Users are provisioned just-in-time, meaning that they are added as a user in Horizzon the moment they first sign in, provided that they have been granted access. Group membership is also registered just-in-time. Users are added to and removed from groups the moment they sign in to Horizzon. The actual groups have to be created in Horizzon before members can be added just-in-time.
Users do not receive an e-mail notification (like manually added users do), and do not need to register with Horizzon to get access. Their user accounts are immediately ready for signing in and can be used directly for invitations to model packages and projects. To work with model packages and projects, users must have been assigned the (Lead) Designer role.
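A model of the just-in-time behaviour described here and of the Hours before removal setting from the configuration steps, as an added example that is not Horizzon's own code: groups must already exist (unknown groups are reported and skipped), memberships the identity provider no longer asserts are kept for the grace period and purged afterwards, and default roles are assigned at the first sign-in. The 24-hour value, the `ts` helper and the class name are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

HOURS_BEFORE_REMOVAL = 24  # constructed value for the "Hours before removal" setting


def ts(text):
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


class HorizzonDirectory:
    """Minimal model of just-in-time user and group provisioning (constructed example)."""

    def __init__(self, existing_groups, default_roles=(),
                 hours_before_removal=HOURS_BEFORE_REMOVAL):
        self.groups = {g: set() for g in existing_groups}  # groups must pre-exist
        self.default_roles = tuple(default_roles)
        self.grace = timedelta(hours=hours_before_removal)
        self.users = {}            # username -> account
        self.pending_removal = {}  # (username, group) -> time the IdP stopped asserting it

    def sign_in(self, profile, now):
        """Run on each successful SAML sign-in; returns asserted groups unknown to Horizzon."""
        username = profile["username"]
        if username not in self.users:
            # First sign-in creates the account immediately; no e-mail registration step.
            self.users[username] = {"email": profile["email"],
                                    "roles": set(self.default_roles), "created": now}
        asserted = set(profile.get("member_of", []))
        ignored = asserted - set(self.groups)  # groups not created in Horizzon are skipped
        for group, members in self.groups.items():
            if group in asserted:
                members.add(username)
                self.pending_removal.pop((username, group), None)  # re-added within grace
            elif username in members and (username, group) not in self.pending_removal:
                self.pending_removal[(username, group)] = now      # mark, do not drop yet
        self.purge(now)
        return sorted(ignored)

    def purge(self, now):
        """Remove memberships whose grace period has elapsed."""
        for (username, group), dropped in list(self.pending_removal.items()):
            if now - dropped >= self.grace:
                self.groups[group].discard(username)
                del self.pending_removal[(username, group)]

    def effective_groups(self, username):
        return sorted(g for g, m in self.groups.items() if username in m)
```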
Additional service provider settings for certain identity providers
The HoriZZon service provider has a preconfigured value for a setting that conflicts with certain identity providers, namely ADFS 2.0/3.0. If you intend to use ADFS 2.0/3.0 as your identity provider, please contact Bizzdesign Support.
useNameQualifier
This setting controls whether or not the service provider sends the NameQualifier. By default, the service provider is configured to include the NameQualifier in the AuthnRequest. Some identity providers do not accept the NameQualifier when using the NameID format "entity" (i.e. urn:oasis:names:tc:SAML:2.0:nameid-format:entity), so the NameQualifier must be disabled in that case. Valid values are true (the default) and false (to disable).