Single Sign On (SSO)

How to configure SAML Single Sign On (SSO) in EcoStruxure IT Expert

Configure Okta for IT Expert SAML SSO

Instructions for how to configure SAML single sign on (SSO) in IT Expert. Also see IT Expert permissions.

Access to both the Admin page of Okta and Administrator access to IT Expert is required.

In Okta:

  • Go to the Admin page of your Okta account.
  • Click Applications and then Create App Integration.
  • Select SAML 2.0 as the sign-in method and click Next.
  • In General Settings, specify the App Name for your application and click Next.
  • In Configure SAML, enter the Basic SAML Configuration details in Okta as shown in IT Expert on the Administration > More... > SSO page.
  • Scroll down and click Next.
  • Click Finish.
  • In the application you just created, click Sign On and then click More details in the Settings section.
  • Copy the Sign on URL value in details into the SAML SSO sign-in URL field in step 1 of the SSO wizard in IT Expert.
  • On the Sign On page in Okta, scroll to the SAML Attributes section and click Edit.
  • Enter the following attributes in Profile attribute statements and Group attribute statements. The phone attribute is optional.

Profile attribute statements (Name, Name format, Value):

  • name, Unspecified, user.firstName + " " + user.lastName
  • email, Unspecified, user.email
  • phone, Unspecified, user.mobilePhone

Group attribute statements (Name, Name format, Value):

  • group, Unspecified, Matches regex: .*

Note: The value Matches regex: .* ensures that all groups for a user will be sent to IT Expert. Due to technical limitations, in some cases this could lead to errors when logging into IT Expert, for example, when a user has a large number of groups. You can set more sophisticated filtering mechanisms if needed.

More information about the Matches regex option

  • Scroll to the SAML Signing Certificates section. You can generate and download signing certificates to upload to the SSO configuration wizard of IT Expert.
  • If you don't have available and valid certificates listed, click Generate new certificate.
  • On the new certificate, click Actions and then click Activate.
  • Click Download certificate.
  • In IT Expert, upload the certificate you downloaded. Go to Administration > More... > SSO, step 1 of the SSO configuration wizard.
  • In Okta, click Assignments in your application to assign people or groups to your application.
  • Click Assign and then Assign to People or Assign to Groups. Only assigned people or groups can access the application.
Sisko JLehr Sisko
‎2025-07-22 09:54 AM

314 Views

Configure Azure AD for IT Expert SAML SSO

Instructions for how to configure SAML single sign on (SSO) in IT Expert. Also see IT Expert permissions.

In Azure:

  • Add a new enterprise application.
  • Go to Single sign-on, and then select SAML.
  • Enter the Basic SAML Configuration details in Azure as shown in IT Expert on the Administration > More... > SSO page.
  • Click Edit in the User Attributes & Claims section. Note: Group configuration is not applicable for partners.
  • Click Add new claim.
  • In the Name field, enter group (use lower case only).
  • Expand Claim conditions.
  • Add a claim condition for Any user type.
  • Select the groups that should have user level permissions to IT Expert.
  • Under Source, select Attribute.
  • Under Value, enter <your user group name> (use lower case only).
  • Add another claim condition.
  • Select the groups that should have Administrator level permissions in IT Expert.
  • Under Source, select Attribute.
  • Under Value, enter <your administrator group name>.
  • Click Save.
Picard EcoStruxureIT
‎2021-09-23 07:42 AM

Last Updated: Sisko JLehr Sisko ‎2025-06-04 04:41 AM

12170 Views

IT Expert SAML SSO certificate expiration

To avoid interrupting your organization's access to IT Expert, you must edit your SAML SSO configuration before the certificate configured in IT Expert expires. Otherwise, only users with credentials configured directly in IT Expert can log in.

  • Log in to IT Expert.
  • Go to Administration > SSO.
  • Click Edit configuration.

Edit mode is available only when there is at least one non-SSO Administrator in the organization.

In edit mode, a Cancel edit button allows you to revert all changes and return to the original configuration.

See Configure SAML SSO in IT Expert for more information.
Sisko JLehr Sisko
‎2024-09-03 02:57 PM

962 Views

Configure SAML single sign on (SSO) in IT Expert

Administrator users and partners can configure SAML 2.0 single sign on in the Administration > More > SSO option in IT Expert. Any identity provider (IdP) that supports the SAML protocol is supported.

An EcoStruxure IT Expert subscription is required.

Once you configure SSO, all users with an email address on one of the domains you specify must use your identity provider to log in to IT Expert.

You can still use the IT Expert Administration > Users option to invite and manage users whose email domains are not among the domains you specify for SSO.

If your SSO certificate expires, you must reset your SSO configuration.

It is strongly recommended that at least one Administrator user who does not require SSO to log in is configured in IT Expert Administration > Users.

If you subscribe devices to EcoStruxure Asset Advisor and configure SSO, you must also configure your organization's users on the Administration > Users tab. Otherwise, the Schneider Electric Service Bureau cannot contact the individuals responsible in case of an incident.

In this article

  • Configure your identity provider
  • Supported SAML attributes
  • Configure SSO in IT Expert
  • 1. Enter SAML details
  • 2. Test SAML configuration
  • 3. Verify domain ownership
  • Enable Identity Provider (IdP) Initiated SSO login
  • Update your SAML SSO certificate or sign-in URL
  • Reset SSO configuration

Configure your identity provider

Azure users also see Configure Azure AD for IT Expert SAML SSO.

Before you configure SSO in IT Expert, use the Identity Provider details on the Administration > More > SSO page to configure the integration with IT Expert in your identity provider's user interface. Refer to your identity provider's documentation for more information.

  • Log in to IT Expert and go to Administration > More > SSO.
  • Copy and paste the SAML Assertion Consumer Service (ACS) URL and the SP Entity ID in the appropriate fields. These values are specific to your account.

Note: The SP Metadata URL will be displayed in step 2 of the IT Expert configuration. Some identity providers require it.

IT Expert requires that you configure your identity provider to send these three SAML attributes:

  • "name": How user names are displayed
  • "email": User email address
  • "groups": The groups your IT Expert users are members of

Note: Groups configuration is not applicable for partners.

If your identity provider does not support adding the SAML attributes above, see the full list of supported SAML attributes below to use as alternatives.

You can create groups in both your identity provider and IT Expert; group names must match exactly in both. You can assign access permission for each group on the IT Expert Administration > Groups tab. See IT Expert permissions.

Note: IT Expert contains two groups by default, Administrators and Users. Users you want to have Administrator rights in ITE must have a group SAML attribute with the value "Administrators." Users who should have regular user rights in ITE must have a group SAML attribute with the value "Users." Users without a group SAML attribute will not have access to ITE. Consult the documentation for your identity provider to learn about adding SAML attributes.

Note: Every time a user logs in using SSO, the identity provider sends EcoStruxure IT a list of the groups the user belongs to. If any changes to group assignments are needed, you make the changes in your identity provider, not in IT Expert.

Supported SAML attributes

EcoStruxure IT supports these attributes, if, for example, your identity provider only supports InCommon Federation Attributes, or other standard attributes:

  • name (Display name of the user), or one of:
    displayname
    urn:oid:2.16.840.1.113730.3.1.241
    http://schemas.microsoft.com/identity/claims/displayname
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • email (E-mail address of the user), or one of:
    urn:oid:0.9.2342.19200300.100.1.3
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  • phone (Phone number of the user), or one of:
    phoneNumber
    telephoneNumber
    urn:oid:2.5.4.20
    urn:oid:0.9.2342.19200300.100.1.20
    urn:oid:0.9.2342.19200300.100.1.41
    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone
  • group (List of groups the user is a member of), or one of:
    groups
    urn:oid:2.16.840.1.113719.1.1.4.1.25
    http://schemas.xmlsoap.org/claims/Group

Configure SSO in IT Expert

Your identity provider will provide the information needed to configure SSO in IT Expert. Return to IT Expert Administration > More... > SSO.

1. Enter SAML details

  • Copy the SAML SSO sign-in URL from your identity provider into the SAML SSO sign-in URL field. In Azure, this is the User access URL under Properties. The URL must start with https://
  • Upload your SAML SSO certificate or paste it into the text field. The certificate must be X.509 in *.PEM or *.CER format. The certificate must start with '-----BEGIN CERTIFICATE-----' and end with '-----END CERTIFICATE-----'. Make sure there are no blank lines before or after. The certificate expiration date is automatically extracted from the valid certificate and cannot be edited.
  • Specify your Sign-in email domain(s). For example, if user email addresses are user@mydomain.com, enter mydomain.com in the field. Separate multiple domains with a comma, or use the Enter or Tab keys. Note: All users with an email address on one of the domains you specify must use your identity provider to log in to IT Expert.

The Continue button is enabled when all the fields are populated and valid.

2. Test SAML configuration

Verify that your SAML connection is configured properly.

  • Open a different browser or an incognito window.
  • Go to https://ecostruxureit.com and click Log in. Choose Customer.
  • Enter the test email address shown in ITE. The password field will disappear, and the login for your identity provider will be displayed.
  • Log in to EcoStruxure IT as Administrator.
  • Return to SSO configuration in ITE. If the test login was successful, click Verify. If the test login was not successful, the SAML configuration is incorrect. Click Not working? Start again.

IMPORTANT: You must successfully test your connection to enable SSO for your email domains.

3. Verify domain ownership

You must verify that you own the domains you specified in the SAML details. There are three ways to verify ownership: DNS TXT, HTML file, or HTML META. The verification method you choose depends on your domain's web host.

Contact your Customer Success Manager for help verifying your domain ownership if needed.

DNS

  • Go to the home page of your domain and create a DNS TXT record.
  • Copy the TXT content displayed in ITE starting with ecostruxure-it-verification=
  • Return to ITE and click Verify. A checkmark icon appears next to verified domains.

HTML file

  • Create the file ecostruxure-it-verification.html using the contents displayed in ITE, and upload it to your domain's website. Your website must be publicly available at the naked domain, with no www or any other subdomain prefix in its URL. Example: https://randomdomain.dk/ecostruxure-it-verification.html
  • Return to ITE and click Verify.

HTML META

  • Add the meta tag displayed in ITE to the <head> section of your website's home page. Your website must be publicly available at the naked domain, with no www or any other subdomain prefix in its URL. Example: https://randomdomain.dk/ecostruxure-it-verification.html
  • Return to ITE and click Verify.

Repeat step 3 to verify all the domains you specified.

Once you have verified all your domains, your SSO configuration is complete. You can return to the SSO page to add and verify additional domains as necessary.

You can remove unverified domains at any time. You can remove verified domains as long as at least one verified domain is configured.

Enable Identity Provider (IdP) Initiated SSO login

Check to allow users to log in to IT Expert from the login page for your organization's identity provider.

Note: IT Expert uses OIDC as a response protocol. See Identity Provider (IdP) initiated SSO risks and considerations.

Edit configuration

Click Edit configuration to update your SAML SSO sign-in URL or SAML SSO certificate.

Note: Edit mode is available only when there is at least one Administrator user configured in IT Expert who does not require SSO to log in. You can jump between configuration steps when in edit mode.

  • Click Yes to continue.
  • Update your SAML SSO sign-in URL and SAML SSO certificate as needed. The expiration date is extracted from the certificate and cannot be edited. Click Continue.
  • Click Cancel Edit if you decide not to make changes at this time or you make a mistake.
  • Test your SAML configuration (see step 2 above) and then verify your domain (see step 3 above) to enable SAML SSO settings.

Reset SSO configuration

Resetting your SSO configuration completely removes all SSO settings in IT Expert.

You must start again at step 1 to reconfigure SSO, including reconfiguring SSO when your SSO certificate has expired. The URLs and verification files from any previous ITE SSO configuration cannot be reused.

When you reset your SSO configuration, users who are required to use SSO to log in to ITE will no longer have access unless they also have IT Expert user accounts listed in Administration > Users.
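As an added example (not Schneider Electric's code), the script below checks the attribute statement of a SAML assertion from your own test login against the supported attribute names and the default groups listed in this article. The function name, the itexpert_groups parameter and the exact, case-sensitive matching are assumptions, and the sample assertion is constructed.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names copied from the "Supported SAML attributes" list in this article.
SUPPORTED = {
    "name": ("name", "displayname", "urn:oid:2.16.840.1.113730.3.1.241",
             "http://schemas.microsoft.com/identity/claims/displayname",
             "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"),
    "email": ("email", "urn:oid:0.9.2342.19200300.100.1.3",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"),
    "phone": ("phone", "phoneNumber", "telephoneNumber", "urn:oid:2.5.4.20",
              "urn:oid:0.9.2342.19200300.100.1.20", "urn:oid:0.9.2342.19200300.100.1.41",
              "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/mobilephone"),
    "group": ("group", "groups", "urn:oid:2.16.840.1.113719.1.1.4.1.25",
              "http://schemas.xmlsoap.org/claims/Group"),
}
CANONICAL = {alias: key for key, names in SUPPORTED.items() for alias in names}
REQUIRED = ("name", "email", "group")  # phone is optional

def check_attributes(assertion_xml, itexpert_groups=("Administrators", "Users")):
    # Assumption: attribute names and group values are compared exactly
    # (case-sensitive); itexpert_groups is a hypothetical parameter holding
    # the group names defined under Administration > Groups.
    found, unrecognized = {}, []
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        if name in CANONICAL:
            found.setdefault(CANONICAL[name], []).extend(v for v in values if v)
        else:
            unrecognized.append(name)
    return {
        "found": found,
        "missing": [key for key in REQUIRED if not found.get(key)],
        "unrecognized": unrecognized,
        # Groups sent by the IdP with no identically named group in IT Expert.
        "unmatched_groups": [g for g in found.get("group", []) if g not in itexpert_groups],
    }

# Constructed sample assertion (not captured from a real identity provider).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="displayname"><saml:AttributeValue>Ana Ruiz</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"><saml:AttributeValue>ana@mydomain.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="groups"><saml:AttributeValue>Users</saml:AttributeValue><saml:AttributeValue>dc-operators</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Phone"><saml:AttributeValue>555-0100</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_attributes(SAMPLE))
```

A result whose missing list contains group corresponds to the case described above of a user without a group SAML attribute, who will not have access to ITE.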
Picard EcoStruxureIT
‎2021-06-23 11:39 PM

Last Updated: Sisko JLehr Sisko ‎2025-02-18 08:46 AM

12046 Views

Identity Provider (IdP) initiated SSO risks and considerations

Make sure you understand the risks before enabling IdP-Initiated SSO.

Note: IT Expert uses OIDC as a response protocol.

To learn more, see this article from Auth0: Configure SAML Identity Provider-Initiated Single Sign-On
Picard EcoStruxureIT
‎2023-02-01 07:39 AM

Last Updated: Sisko JLehr Sisko ‎2025-02-18 09:27 AM

2572 Views