Enabling SSO in Prism requires interaction with the Building Engines/JLLT Support Team. We will detail the steps involved here. Please be aware that these steps assume some expertise with your SSO Identity Provider (IdP) software.
As part of this, we need to identify the Account or Portfolio to which we are adding SSO support, so typically we'd need:
- Contact information for a Prism Account Admin in the Account
- IT support from the customer’s company if that is not the Prism Account Admin
- Type of IdP such as Active Directory/Azure, Okta, et al.
After the initial contact with the Customer Support Team, you will be put in contact with a BE Solutions Engineer.
Authentication Name
Each implementation of SSO requires an Authentication Name or Authentication Service Name. This must be unique within the Prism ecosystem and is typically a shortened form of the organization name in question. Hypothetical examples might be beiazure, pyramidpmo, etc.
This name is not generally seen by users other than in the callback and direct-login URLs described in the Redirection URL and Intranet/Direct URL sections.
OpenID Connect Web Application Definition
Base Configuration
A new application needs to be created in the customer’s SSO environment. As an example, using Azure Active Directory, you would create a new Enterprise Application. The fields required for Prism include:
- OpenID Connect Well Known Configuration URL
- Issuer URL
- Client ID
- Client Secret
- Name of the email claim
Please note, Prism requires a client_id/client_secret pair. We do not, at present, support a simple client_id expecting public key validation. Prism's default behavior will be to:
- Decode the ID token
- Using the email claim name given above, read the claim that contains the email address of the user
Prism will then expect that a user with that email address has been previously imported or configured in the Prism system.
Redirection URL
The customer IdP needs to white-list the callback URLs for Prism (desktop and mobile). These URLs use the Authentication Service Name and follow the formats:
- Web: https://connect.buildingengines.com/sso_login/<name>/sso_callback_oidc
- iOS PM (Property Management): com.buildingengines.prism://auth
- iOS Tenant: com.buildingengines.tenant://auth
- Android PM (Property Management): https://connect.buildingengines.com/prism
- Android Tenant: https://connect.buildingengines.com/tenant
Prism sends one of these addresses as the redirection URL when it starts authentication, so they typically need to be configured in the IdP settings before the flow will succeed.
Domain Wildcards
The customer should further provide either the explicit users, by email address, who should have SSO, or the domains, such as buildingengines.com, that should be enabled for SSO.
This should be a two-phase process: first choose a single Prism user, by email address already registered in the system, for testing and validation, and only then enable the remaining users or domains. Although SSO is a common activity, there are several settings and nuances, so it is not unusual to have to diagnose/debug a configuration to ensure we authenticate correctly and are able to properly decode the token to find the email address of the authenticated user.
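The following added example (not Prism's own code, and not taken from this page) shows the two checks described in the Base Configuration and Domain Wildcards sections in working form: verifying and decoding an ID token, reading the email address from the configured claim, then deciding whether that address is SSO-enabled (explicit user or wildcard domain) and whether it matches a user already registered in Prism. Everything in it is constructed for illustration: the issuer, client ID, client secret, claim name, user list and domains are hypothetical, and the token is signed with HS256 using the client secret so the example runs offline with the standard library only (an IdP that issues RS256 tokens would be verified against the JWKS reached through the Well Known Configuration URL instead).

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# --- Constructed sample configuration (hypothetical, not real Prism or IdP values) ---
ISSUER = "https://login.example-idp.test/tenant-id"  # "Issuer URL" supplied by the customer IdP
CLIENT_ID = "prism-client-id-EXAMPLE"                # "Client ID"
CLIENT_SECRET = b"client-secret-EXAMPLE"             # "Client Secret" (HS256 key in this example)
EMAIL_CLAIM = "preferred_username"                   # "Name of the email claim"

# Users already imported into Prism, keyed by lower-cased email (constructed sample data)
REGISTERED_USERS = {
    "alice@mycreorg.test": {"name": "Alice", "account": "MYCREORG"},
    "bob@mycreorg.test": {"name": "Bob", "account": "MYCREORG"},
}
# Explicit SSO users and wildcard domains provided by the customer (constructed sample data)
SSO_USERS = {"carol@contractor.test"}
SSO_DOMAINS = {"mycreorg.test"}


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_id_token(claims: dict, key: bytes = CLIENT_SECRET) -> str:
    """Build an HS256-signed JWT that stands in for the IdP's ID token (test helper)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def decode_id_token(token: str, now: Optional[float] = None) -> dict:
    """Verify signature, issuer, audience and expiry before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token's header choose how it is verified
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(CLIENT_SECRET, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if CLIENT_ID not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        raise ValueError("token expired")
    return claims


def extract_email(claims: dict) -> str:
    """Read the configured email claim; the claim name varies by IdP, hence the setting."""
    email = claims.get(EMAIL_CLAIM)
    if not isinstance(email, str) or "@" not in email:
        raise ValueError(f"claim {EMAIL_CLAIM!r} missing or not an email address")
    return email.strip().lower()


def sso_enabled_for(email: str) -> bool:
    """Explicit address wins; otherwise require an exact domain match (no subdomains or look-alikes)."""
    email = email.strip().lower()
    if email in SSO_USERS:
        return True
    domain = email.rsplit("@", 1)[1]
    return domain in SSO_DOMAINS


def resolve_user(token: str, now: Optional[float] = None) -> dict:
    """Full path: verified token -> email -> SSO eligibility -> previously registered Prism user."""
    claims = decode_id_token(token, now)
    email = extract_email(claims)
    if not sso_enabled_for(email):
        raise PermissionError(f"{email} is not enabled for SSO")
    user = REGISTERED_USERS.get(email)
    if user is None:
        raise LookupError(f"{email} authenticated at the IdP but is not registered in Prism")
    return user


if __name__ == "__main__":
    now = time.time()
    token = make_id_token({"iss": ISSUER, "aud": CLIENT_ID, "exp": now + 300,
                           EMAIL_CLAIM: "Alice@MyCreOrg.test"})
    print(resolve_user(token, now))
```

The three failure modes separated here (bad token, address not SSO-enabled, address not yet imported) are exactly the ones the two-phase rollout above is meant to surface one at a time: testing with one pre-registered user first isolates token and claim problems from user-provisioning problems.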
Intranet/Direct URL
Once enabled, a user of SSO can bypass the login screen in Prism by using a direct URL. The URL is simply based on the chosen Authentication Service Name. The general format is:
https://connect.buildingengines.com/sso_provider?service=<name>
Given an example of MYCREORG, the URL would be:
https://connect.buildingengines.com/sso_provider?service=MYCREORG