Introduction
This section explains how to set up your identity providers, how to get your metadata, and what information you need to provide to your Identity Provider.
NOTE: This functionality is NOT free of charge. Please contact your account manager and ask for commercials. Once approved, the support team can enable it.
The use case for SAML SSO is that you, as a client, have a product (CRM, ERP system, etc.) which is your main application, all of your employees/agents are logged in there, and you don't want them to log in again on the Thomalex system. Your application/product then acts as the Identity Provider, while Thomalex acts as the Service Provider.
In order for Thomalex to be able to log in your employees, they must exist within our system. Employees can be created using our API. If the employee/agent exists, we log them into the Thomalex system.
By default, you need to set up SSO on each site that is represented in the Thomalex system. Every site should have its own setup.
As Thomalex has both Parent (Main) sites and affiliate sites, we added a setting that allows one SSO setup for all affiliate sites that belong to that Parent site.
Depending on the agency workflow, one agency can have multiple affiliate agencies (stores) operating under its brand, with Agents that can move from one agency site to another. For that purpose we added the ability to create an Agent directly through the SSO functionality.
Image: SAML SSO Settings. Visible by the Thomalex team only
Setup
Step 1: Log in as an Administrator; you will see the menu "SAML SSO". When you click on it, you will have the option to add and modify your Identity Providers.
Image 1. Feature Location
Step 2: Click the button to add an Identity Provider. The page also lists the Identity Providers that you already have, and you can delete or edit them.
Image 2. Button Location
Step 3: Insert the Identity Provider Name, SSO Service URL and Certificate (from a file with the .cer extension).
Image 3. Identity Provider Info Box
Step 4: On your side, you need to specify the Service Provider information:
Single Sign On URL | https://your-dedicated-url/SSO/AssertionConsumerService |
Service Provider Name(Audience) | https://thomalex.travel |
Step 5 (optional): The SAML Configuration page has a link to your metadata. The metadata is the configuration that you need to provide to your Identity Provider. To access the metadata in Thomalex, the URL must match the dedicated URL for the website or a corporate (don't use the generic Thomalex URL).
Image 4. Metadata location
Image 5: Metadata example
SAML SSO Attributes
Within the Thomalex SSO implementation, you can perform different actions. Depending on the setup made in our system, some functionalities might be available to you.
To successfully establish the connection with the Thomalex platform, you need to send specific attributes.
Attributes are listed in the table below:
Attribute Name | Mandatory | Description |
---|---|---|
ClientSiteCode | Yes | Each site in Thomalex has its own unique Id. You need to pass this value, otherwise you will not be able to log in. |
Action | No | If you want to log in and initiate a search on the Thomalex platform, you can do that by specifying whether the provided search query is for an Air, Car or Hotel search. Allowed values: |
SearchRequest | No | This is connected with the Action attribute. Here you specify the actual search query for the given action. The search query is the same as for the API. You can find the documentation examples here. Make sure to serialize the query object into a JSON string. |
CUSTOM_FIELD_XXX | No | Custom data can be sent when performing a search. This property should be sent together with the SearchRequest parameter. You can send as many CUSTOM_FIELD attributes as you want. XXX represents the actual number of the Custom Field which was created in the Administration panel. |
ThirdPartyExternalId | No* | Depending on the SSO setup, you can have SSO enabled on the parent site and also allow all the affiliate sites to use the same SSO configuration. As a prerequisite for this to work, you need to specify the Third Party External Id that was saved in the Thomalex system. Each ThirdPartyExternalId must be unique within the Affiliates. * Mandatory if SSO for affiliates is enabled |
FirstName | No* | If we allow creating and moving Agents across different affiliate sites, you need to specify the FirstName of the Agent. * Mandatory if feature enabled |
LastName | No* | |
AllowedSearchType | No* | When creating Agents, you can choose which modules they can see. Allowed values: If you want to give them access to multiple modules, specify the data like this: Air,Car,Hotel * Mandatory if you have the feature for creating agents enabled |
Table 1. List of available attributes
NOTE: Allowing the SSO to create and move Agents can only be done by the Thomalex support team.
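The rules in Table 1 can be checked on the Identity Provider side before an assertion is issued. The following is an added example, not Thomalex code: the function name, the flag names, the exact spelling of the Action values, the pairing of Action with SearchRequest, and LastName following the FirstName rule are assumptions made for illustration.

```python
import json
import re

# Assumption: module names are spelled as in the page's "Air,Car,Hotel" example.
MODULES = {"Air", "Car", "Hotel"}
CUSTOM_FIELD = re.compile(r"^CUSTOM_FIELD_\d+$")


def check_attributes(attrs, affiliates_sso=False, agent_creation=False):
    """Return a list of problems for a dict of SAML attribute name -> string value."""
    problems = []
    if not attrs.get("ClientSiteCode"):
        problems.append("ClientSiteCode is mandatory")

    action, search = attrs.get("Action"), attrs.get("SearchRequest")
    if action is not None and action not in MODULES:
        problems.append(f"Action {action!r} is not one of {sorted(MODULES)}")
    # Assumption: the two "connected" attributes are only meaningful as a pair.
    if (action is None) != (search is None):
        problems.append("Action and SearchRequest must be sent together")
    if search is not None:
        try:
            if not isinstance(json.loads(search), dict):
                problems.append("SearchRequest must be a serialized JSON object")
        except (TypeError, ValueError):
            problems.append("SearchRequest is not valid JSON")

    custom = [k for k in attrs if k.startswith("CUSTOM_FIELD")]
    for name in custom:
        if not CUSTOM_FIELD.match(name):
            problems.append(f"{name} must end in the custom field number")
    if custom and search is None:
        problems.append("CUSTOM_FIELD_XXX requires SearchRequest")

    if affiliates_sso and not attrs.get("ThirdPartyExternalId"):
        problems.append("ThirdPartyExternalId is mandatory for affiliate SSO")
    if agent_creation:
        # Assumption: LastName follows the same rule as FirstName.
        for name in ("FirstName", "LastName", "AllowedSearchType"):
            if not attrs.get(name):
                problems.append(f"{name} is mandatory when agent creation is enabled")
        allowed = attrs.get("AllowedSearchType") or ""
        bad = [m for m in allowed.split(",") if m and m not in MODULES]
        if bad:
            problems.append(f"AllowedSearchType has unknown modules: {bad}")
    return problems


# Constructed sample: custom field sent without the search it belongs to.
SAMPLE = {"ClientSiteCode": "SITE-001", "CUSTOM_FIELD_12": "cost-centre-7"}
```
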
Examples of the Payloads are attached: