Configuring federated Single Sign-On

The Customer Portal can be integrated with third-party identity management systems via Single Sign-On (SSO). This allows customers who are already logged in to the identity management system to access Customer Portal content without having to log in again. This approach requires that the utility use a third-party identity management system that supports modern web standards for authentication and authorization.

The following figure shows the message flow between the systems involved in a federated SSO deployment.

The federated single sign-on procedure consists of the following:

  1. The user browses to the utility website.

  2. The browser is redirected to the Security Token Service (STS) for authentication.

  3. The STS presents a login page to collect credentials.

  4. The user posts their credentials for authentication.

  5. The STS writes a cookie to establish a secure session and issues a standard security token (RSTR).

  6. The utility website receives the security token (RSTR) issued by the STS.

  7. The utility website writes a session cookie to avoid future redirects to the STS for the lifetime of the session.

  8. When the user browses to the Customer Portal, they are redirected to the STS. Since there is already a session cookie for the STS, the user is not prompted to log in again. The STS issues a security token (RSTR) for the Customer Portal.

  9. The Customer Portal receives the security token.

  10. The Customer Portal writes a session cookie to avoid future redirects to the STS.

All the previous interaction is standards-based and can be handled by the underlying software, the browser, the web server software, and the identity management system.
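The ten steps above, run end to end as a small model (example code added here; it is not Itron's code and has nothing to do with the real PortalServices\web.config). One STS and two relying parties, the utility website and the Customer Portal, share a browser with a cookie jar. The STS signs tokens with a constructed HMAC key and a constructed issuer URL, where a production STS would use an X.509 signing certificate, and the user name, password and relying-party names are constructed for the demo. Each relying party checks the token's signature, issuer, audience and expiry before writing its own session cookie, so the model also shows why a token issued for the website is not accepted by the portal.

```python
"""Model of the federated SSO flow: one STS, two relying parties (RPs), one browser."""
import hashlib
import hmac
import json
import time
import uuid

# Constructed placeholders for the demo; a real STS signs with an X.509 key pair.
STS_SIGNING_KEY = b"constructed-sts-signing-key"
STS_ISSUER = "https://sts.example.invalid"
CREDENTIALS = {"alice": "correct-horse"}  # constructed demo user


class STS:
    """Security Token Service: authenticates once, then issues a token per RP."""

    def __init__(self):
        self.sessions = {}  # STS cookie value -> user name

    def login(self, user, password):
        # Steps 4-5: verify the posted credentials, then write the STS session cookie.
        if CREDENTIALS.get(user) != password:
            return None
        cookie = uuid.uuid4().hex
        self.sessions[cookie] = user
        return cookie

    def issue_token(self, sts_cookie, audience, ttl=300):
        """Issue a signed token (the RSTR of the text) bound to one relying party."""
        user = self.sessions.get(sts_cookie)
        if user is None:
            return None
        claims = {"iss": STS_ISSUER, "sub": user, "aud": audience,
                  "exp": int(time.time()) + ttl}
        body = json.dumps(claims, sort_keys=True).encode()
        sig = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        return {"claims": claims, "sig": sig}


class RelyingParty:
    """Utility website or Customer Portal: validates tokens, keeps its own session."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}  # RP cookie value -> user name

    def validate_token(self, token, now=None):
        now = time.time() if now is None else now
        claims = token["claims"]
        body = json.dumps(claims, sort_keys=True).encode()
        expected = hmac.new(STS_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None  # tampered, or not signed by our STS
        if claims["iss"] != STS_ISSUER or claims["aud"] != self.name:
            return None  # wrong issuer, or a token meant for another RP
        if claims["exp"] < now:
            return None  # expired
        return claims["sub"]

    def consume_token(self, token):
        # Steps 6-7 and 9-10: validate the token, then write the RP session cookie.
        user = self.validate_token(token)
        if user is None:
            return None
        cookie = uuid.uuid4().hex
        self.sessions[cookie] = user
        return cookie


class Browser:
    def __init__(self):
        self.cookies = {}  # cookie name -> value
        self.login_prompts = 0  # how many times the STS login page was shown

    def visit(self, rp, sts, user, password):
        """Return the RP session cookie, redirecting through the STS when needed."""
        rp_cookie = self.cookies.get(rp.name)
        if rp_cookie in rp.sessions:
            return rp_cookie  # steps 7/10: no redirect while the RP session lives
        sts_cookie = self.cookies.get("sts")  # step 2: redirect to the STS
        if sts_cookie not in sts.sessions:
            self.login_prompts += 1  # step 3: login page shown
            sts_cookie = sts.login(user, password)
            if sts_cookie is None:
                return None
            self.cookies["sts"] = sts_cookie
        token = sts.issue_token(sts_cookie, audience=rp.name)
        rp_cookie = rp.consume_token(token)
        if rp_cookie is not None:
            self.cookies[rp.name] = rp_cookie
        return rp_cookie


def run_flow():
    sts = STS()
    website, portal = RelyingParty("utility-website"), RelyingParty("customer-portal")
    browser = Browser()
    website_cookie = browser.visit(website, sts, "alice", "correct-horse")  # steps 1-7
    portal_cookie = browser.visit(portal, sts, "alice", "correct-horse")  # steps 8-10
    # A token issued for the website must be rejected by the portal (audience check).
    stray = sts.issue_token(browser.cookies["sts"], audience="utility-website")
    return {"website_ok": website_cookie is not None,
            "portal_ok": portal_cookie is not None,
            "login_prompts": browser.login_prompts,
            "cross_rp_token_rejected": portal.validate_token(stray) is None}


if __name__ == "__main__":
    print(run_flow())
```

Running the block shows a single login prompt for both relying parties, which is the whole point of the federation: the second visit is satisfied by the STS session cookie from step 5. The audience and expiry checks in `validate_token` are what keep a token scoped to the relying party it was issued for and to its validity window.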

The configuration that allows the Customer Portal to access this infrastructure is defined in the PortalServices\web.config file in the product installation folder. This configuration is complex and varies depending on the identity management system being used. Contact Itron for guidance on how to configure this file.