Introduction
Prism by Building Engines™ is a new platform for Commercial Real Estate (CRE) Property Operations. In this technically focused white paper, we will discuss the capabilities and setup needed for web-based Single Sign On (SSO) using the OpenID Connect standard.
For enterprise integrations, Prism supports the OpenID Connect standard to allow you to use your enterprise credentials, such as Azure AD, Okta or others, to authenticate with Prism. This allows two options for your users:
- A user, upon entry of the email in the login screen, will be redirected to the enterprise login page.
- A company can also direct users to a special URL that loads the enterprise login page directly.
Prism SSO is focused on authentication and not authorization. Identity in the Prism platform is driven by a user’s email address and the permissions for such a user are managed within the Prism application rather than through SSO-driven grants and/or roles.
At the present time, Prism only supports the newer OpenID Connect standard and does NOT support the Security Assertion Markup Language (SAML) 2.0.
Enabling SSO, Single Sign On, in Prism
Enabling SSO in Prism requires interaction with the Building Engines/JLLT Support Team. We will detail the steps involved here. Please be aware these steps presuppose some expertise with your SSO Identity Provider (IdP) software.
As part of this, we need to identify the Account or Portfolio to which we are adding support, so typically we'd need:
- Contact information for a Prism Account Admin in the Account
- IT support from the customer’s company if that is not the Prism Account Admin
- Type of IdP such as Active Directory/Azure, Okta, et al.
After the initial contact with the Customer Support Team, you will be put in contact with a BE Solutions Engineer.
Authentication Name
Each implementation of SSO requires an Authentication Name or Authentication Service Name. This must be unique within the Prism ecosystem and is typically a shortened form of the organization name in question. Hypothetical examples might be beiazure, pyramidpmo, etc.
This name is not generally seen by the users other than its appearance in some URLs (see the Redirection URL and Intranet/Direct URL sections).
OpenID Connect Web Application Definition
Base Configuration
A new application needs to be created in the customer’s SSO environment. As an example, using Azure Active Directory, you would create a new Enterprise Application. The fields required for Prism include:
- OpenID Connect Well Known Configuration URL
- Issuer URL
- Client ID
- Client Secret
- Name of the email claim
Please note, Prism requires a client_id/client_secret pair. We do not, at present, support a simple client_id expecting public key validation. Prism’s default behavior will be to:
- Decode the ID token
- Using the claim name given above, read the claim that contains the email address of the user
Prism will then expect that the user has been previously imported or configured in the Prism system.
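The following is an added example, not Prism's or Building Engines' code, of the two default steps just described: verify an ID token against the configured settings (issuer, client ID, client secret) and then read the email address out of the configured claim name. To run offline it assumes the token is HS256-signed with the client secret; a real IdP usually signs with RS256 using the keys published at the jwks_uri of its well-known configuration, and the same checks apply with an RSA verify in place of the HMAC. The configuration values and token claims are constructed sample data.

```python
"""Verify an OpenID Connect ID token and extract the configured email claim.
Added example; not Prism's code. HS256 with the client secret is an assumption
made so the example runs offline."""
import base64
import hashlib
import hmac
import json
import time

# Constructed configuration mirroring the five fields the page lists.
PRISM_OIDC_CONFIG = {
    "well_known_url": "https://idp.example.com/.well-known/openid-configuration",
    "issuer": "https://idp.example.com",
    "client_id": "prism-sample-client",
    "client_secret": "sample-secret-do-not-use",
    "email_claim": "preferred_username",  # some IdPs carry the email here, not in "email"
}


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_id_token(claims: dict, secret: str) -> str:
    """Build an HS256-signed ID token (stands in for what the IdP would return)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def extract_sso_email(id_token: str, config: dict, now=None) -> str:
    """Verify the token against the configuration and return the email claim.

    Raises ValueError on any failed check; the caller treats the login as failed
    rather than falling back to an unverified claim."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = id_token.split(".")
    except ValueError:
        raise ValueError("malformed token: expected three dot-separated segments")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: the token header must never be allowed to pick "none"
    # or switch signature families.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(config["client_secret"].encode(), signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # Issuer must equal the configured Issuer URL exactly (no prefix matching).
    if claims.get("iss") != config["issuer"]:
        raise ValueError("issuer mismatch")
    # The token must be addressed to this client; aud may be a string or a list.
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if config["client_id"] not in aud_list:
        raise ValueError("audience mismatch")
    if claims.get("exp") is None or now >= claims["exp"]:
        raise ValueError("token expired")
    # Finally, read the email from the configured claim name.
    email = claims.get(config["email_claim"])
    if not isinstance(email, str) or "@" not in email:
        raise ValueError(f"claim {config['email_claim']!r} missing or not an email")
    return email.strip().lower()


if __name__ == "__main__":
    token = make_id_token(
        {"iss": PRISM_OIDC_CONFIG["issuer"], "aud": PRISM_OIDC_CONFIG["client_id"],
         "exp": int(time.time()) + 300, "preferred_username": "Jane.Doe@example.com"},
        PRISM_OIDC_CONFIG["client_secret"])
    print(extract_sso_email(token, PRISM_OIDC_CONFIG))
```

The order of checks matters: the signature is verified before any claim is trusted, the issuer and audience are compared for exact equality, and only then is the email claim read, which is the point at which Prism would look the user up among its previously imported accounts.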
Redirection URL
The customer IdP needs to white-list the callback URLs for Prism (desktop and mobile). These URLs use the Authentication Service Name and follow the formats:
- Web: https://connect.buildingengines.com/sso_login/<name>/sso_callback_oidc
- iOS PM (Property Management): com.buildingengines.prism://auth
- iOS Tenant: com.buildingengines.tenant://auth
- Android PM (Property Management): https://connect.buildingengines.com/prism
- Android Tenant: https://connect.buildingengines.com/tenant
Prism sends these as the redirection URL during authentication, so they typically need to be configured in the IdP settings.
Domain Wildcards
The customer should further provide either the explicit users (by email address) who should use SSO, or the domains, such as buildingengines.com, that should be enabled for SSO.
This should be a two-phase process: first, choose a single Prism user by email, already registered in the system, for testing and validation. Although SSO is a common activity, there are several settings and nuances, so it is not unusual to have to diagnose/debug a configuration to ensure we authenticate correctly and are able to properly decode the token to find the email address of the authenticated user.
Intranet/Direct URL
Once enabled, a user of SSO can bypass the login screen in Prism by using a direct URL. The URL is simply based on the chosen Authentication Service Name. The general format is:
https://connect.buildingengines.com/sso_provider?service=<name>
For example, with the name MYCREORG, the URL would be:
https://connect.buildingengines.com/sso_provider?service=MYCREORG
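The following added example, not Prism's code, ties together the Domain Wildcards and Intranet/Direct URL sections: given the email typed at the login screen, it decides whether the user is routed to an enterprise IdP (by explicit address during the test phase, or by domain once enabled) and builds the direct and web callback URLs in the formats documented above. The routing table and its entries are constructed, and the matching rules (exact address, exact domain after the "@", case-insensitive) are this example's own assumptions about a sensible implementation.

```python
"""Route a login email to an SSO service and build its URLs.
Added example; not Prism's code. The routing table is constructed sample data."""
from urllib.parse import quote

# Constructed routing table: Authentication Service Name -> enabled users and domains.
SSO_ROUTING = {
    "MYCREORG": {
        "emails": {"pilot.user@example.com"},            # phase one: a single test user
        "domains": {"example.com", "corp.example.net"},  # phase two: whole domains
    },
}


def normalise_email(email: str):
    """Return (local_part, domain), lower-cased, or raise on malformed input."""
    email = email.strip().lower()
    if email.count("@") != 1:
        raise ValueError("not a single-@ email address")
    local, domain = email.split("@")
    if not local or not domain:
        raise ValueError("empty local part or domain")
    return local, domain


def sso_service_for(email: str, routing=SSO_ROUTING):
    """Return the Authentication Service Name to redirect to, or None for the
    normal Prism login."""
    local, domain = normalise_email(email)
    full = f"{local}@{domain}"
    for service, rules in routing.items():
        if full in {e.lower() for e in rules.get("emails", ())}:
            return service
        # Exact domain match only: "notexample.com" must not match "example.com",
        # and a subdomain is not enabled unless it is listed itself.
        if domain in {d.lower() for d in rules.get("domains", ())}:
            return service
    return None


def direct_login_url(service: str) -> str:
    """Intranet/Direct URL in the format the page documents."""
    return f"https://connect.buildingengines.com/sso_provider?service={quote(service, safe='')}"


def web_callback_url(service: str) -> str:
    """Web callback URL the IdP must white-list, in the format the page documents."""
    return f"https://connect.buildingengines.com/sso_login/{quote(service, safe='')}/sso_callback_oidc"


if __name__ == "__main__":
    for addr in ("Pilot.User@Example.com", "someone@corp.example.net", "someone@notexample.com"):
        svc = sso_service_for(addr)
        print(addr, "->", direct_login_url(svc) if svc else "standard Prism login")
```

Keeping the domain comparison to the exact string after the "@" is the check worth getting right: a substring or suffix match would let an unrelated domain that merely ends in the enabled one be redirected to the enterprise IdP.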
OpenID Connect (OIDC) vs. SAML
Prism engineering has chosen to focus its implementation on the OpenID standard as opposed to the traditional SAML 2.0 approach. While we are investigating broadening support in the future to include SAML, at the present time only OIDC is supported. The following is a list of certified providers for OIDC:
https://openid.net/certification/#OPs
For any additional questions or concerns, please contact the Customer Support Team or consult the Knowledge Base.