CMiC Cloud SSO Authentication

General Workflow

CMiC SSO is a new authentication feature for Cloud customers that allows users to bring their own identity when logging into CMiC. This gives IT admins control to set their desired password and conditional access policies using their preferred identity provider, like Azure (Microsoft) or GCP (Google).

CMiC SSO is powered by Azure. When a user is invited to use CMiC SSO, we set up the user as a guest user in our own Azure tenant. Once the user has accepted the invitation, they get a single sign-on experience using their corporate identity.

Authentication/Federation Flow

One Time Passcode (OTP) Fallback

If the user's email does not exist with another federated identity provider, Azure will send the user a one-time passcode via email. Entering this one-time passcode will authenticate the user into CMiC.

Getting Started

During the initial launch of CMiC SSO, once a user has been invited to Azure, they must authenticate using CMiC SSO. We plan to shut down the legacy CMiC username/password authentication method by 2025/2026. We will provide a firm date closer to the end of 2024 and give plenty of advance notice before the cut-off date comes into effect. Please reach out to your account manager if you have any issues with this timeline. CMiC is dedicated to working with clients to ensure a smooth transition.

We recommend starting with a few internal users to ensure that the authentication flow works as expected. Once that is confirmed, you can expand to a larger group of internal users.

NOTE: Some CMiC components (e.g., ECM Outlook plugin and eXPense mobile app) do not support Azure SSO yet. For users who need to use these features, please postpone the Azure SSO process mentioned below until further notice.

Security Considerations

Security Roles; standard Treeview path: CMiC Field > Security > Role Maintenance

Admins must be assigned security access to the Graph Services program in PM (Project Management). Access is assigned to a security role on the Role Maintenance screen. This security is required to access the User Audit program.

User Audit Screen

Screenshot of User Audit screen.

Pgm: SDUSRAUDIT - User Audit

The User Audit screen is used by admins to review all user email addresses to ensure they are valid and unique (within the tenant). This is also the screen where admins can invite their users as Guest Users in Azure by selecting the user and clicking on the [Send To Azure] button. Selected users will receive an invitation to use CMiC SSO.

To invite a user to SSO, their email must be unique. A duplicate email in the Enterprise system contact, PM project contact, or PM system contact will prevent the user from being invited when sending to Azure in the User Audit screen.

NOTE: Access to this screen is granted via a security role (see Security Considerations).

Key columns on the User Audit screen are described in more detail below.

  • Sent to Azure: This field will be set to Y when the invitation has been sent from Azure.

  • Azure Guest User: This field will be set to Y when the invitation has been accepted by the end user.

  • Valid: This field will be set to Y when the user email is unique within the tenant and is a valid email format.

  • Azure Login Id: This field shows the Azure login associated with users who have accepted the Azure SSO invite.

  • LDAP Login Disabled: By default, users who have received an Azure SSO invite are no longer allowed to use the legacy login method. In the event that users need to switch back to legacy login, uncheck this box. The User Audit screen also has a Sync User LDAP Logon Status button, used to re-synchronize the status of the LDAP Login Disabled checkbox with the login method that the user is supposed to be using.

Accessing User Audit Screen

The User Audit screen is not available in the standard menu, as most customers are on a custom menu and would have to add it manually anyway. It is an admin-only function, so we felt most customers would want to keep it locked down. The screen can be added in two ways, as shown below.

Method 1:

Using Treeview Builder, add the User Audit screen to a custom menu by selecting "SD - User Audit" in the Target Name field's LOV.

Screenshot: adding the User Audit screen in Treeview Builder by selecting the target in the Target Name field's LOV.

Method 2:

Instead of adding the screen to a custom Treeview menu, users who are already logged in can access the User Audit screen by opening a new browser tab and pasting the URL that directly accesses the screen.

The URLs for ATLAS and NOVA are as follows:

ATLAS PROD

https://atlas.cmiccloud.com/cmicprod/UIRuntime/faces/toDisplay.jspx?page_id=258826530

NOVA PROD

https://nova.cmiccloud.com/cmicprod/UIRuntime/faces/toDisplay.jspx?page_id=10642539

Launching Treeview Builder

The URLs to access Treeview Builder for CMiC SSO ATLAS and NOVA are as follows:

ATLAS PROD

https://atlas-az.cmiccloud.com/cmicprod/UITreeViewBuilder/faces/display.jspx

NOVA PROD

https://nova-az.cmiccloud.com/cmicprod/UITreeViewBuilder/faces/display.jspx

Accepting the Invitation

CMiC SSO Invitation Email

The CMiC SSO invitation will look similar to the one shown in the screenshot above. The customer's tenant “Account Name” will be used as the recipient's name in the email. The company logo is also pulled based on tenant set-up.

CMiC SSO Sign-in Page

To manually navigate to the CMiC SSO login page, use the following link:

https://atlas-az.cmiccloud.com

https://nova-az.cmiccloud.com

Switching Between Tenants

A convenient feature of CMiC SSO is that users will no longer have to enter their tenant ID when logging in. CMiC SSO will automatically connect the user to their tenant. If the user has access to multiple tenants, we added a new option for the user to switch between tenants.

NOTE: Users that have access to multiple tenants must be invited to use CMiC SSO from each tenant.

To switch tenants, click the user ID link on the console to open the User Settings pop-up window. From the Defaults tab, click on the Change Tenant button to launch a second pop-up window where the tenant can be switched.

Alternatively, users can switch between tenants by clicking on the Switch Tenant button on the top right corner of the Application Selector screen, as shown in the screenshot below.

Application Selector screen highlighting the Switch Tenant button

FAQ

Do I have to use CMiC SSO?

Yes, all users must register for CMiC SSO to ensure a smooth transition when the feature goes live. We have different options available for you to handle authentication through CMiC SSO and have allowed for extra time in our implementation plan to deal with any unexpected requirements. Rest assured we will not go live until we have a solution in place for all our customers.

What Identity Providers do you support?

Initially we will support Azure AD and Google as federated identity providers. If you are using a different identity provider, your Account Manager will explore different options with you. We can accommodate any identity provider that supports SAML 2.0.

What is the impact to my users?

Once the system admin has validated all user email addresses (within the tenant), we will send the users an invitation. Once they accept the invitation, they will be granted access to login to CMiC with their company’s identity provider (like Azure or Google). If they have already authenticated to these services during their browser session, they won’t be prompted for credentials at all as they are already authenticated and will be logged into CMiC automatically.

How will this impact my collaborators (external users)?

The registration and login process will be the same for external users. External users who log in via Collaborate Gateway will authenticate with their own company's identity provider (just like your internal users). If this is not possible, we can issue one-time passcodes via the user's email to authenticate.

How should I handle the following error message? "Too many contacts with the same email address."

Verify that a unique email address is assigned to one system user/contact.

Pgm: SYSCNTCT - Contacts; standard Treeview path: Job Billing > Setup > Local Tables > Contacts (This screen can also be accessed in Opportunity Management)

If duplicate users with the same email address exist, delete the user name and the contact through the User Maintenance screen.

Pgm: SDUSRMNT – User Maintenance; standard Treeview path: System > Security > Users > User Maintenance - General tab

If the problem persists after correcting the duplicate email, then review whether there are also other contacts among partners that have the same email address as the user associated with the unsuccessful SSO invite. This can be done by creating a UI Log on the SYSCONTACT view as follows:

Log Builder

NOTE: For details on the use of Log Builder, see Log Builder. This UI Log step is optional but strongly recommended, because the alternative is to manually review the contacts listed under every single partner in CMiC Field, which can be tedious when there are many partners.

Once created, run the UI Log. Apply a filter on the Email1 column for the email address associated with the failed SSO invite. Take note of the Contact Code and Partner Code columns, as shown in the example below.

Once the contact and partner codes are identified, review the partner records in CMiC Field. Please see Partners for further details.

Navigate to the Partners screen found under the Security menu of CMiC Field and click on the partner record.

Partners; standard Treeview path: CMiC Field > Security > Partners

From the partner record's Contacts screen, find the contact(s) with the duplicate email address. Once identified, click the Edit icon to change the email address of the partner contact.

Partner's Contacts; standard Treeview path: CMiC Field > Security > Partners - Select a Partner Record

Contact Maintenance; standard Treeview path: CMiC Field > Security > Partners > Select a Partner Record > Click the Edit icon to edit contact

Once the other identified contacts have their email address modified, the SSO email invite can proceed.
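The uniqueness check behind the User Audit screen's Valid column and the "Too many contacts with the same email address" troubleshooting steps above boil down to one rule: a user can only be sent to Azure when no other system user, contact or partner contact shares their address. The following is an added example that models that rule offline; it is not CMiC's own code, and the record layout, the source labels and the sample rows are constructed for illustration.

```python
import re
from collections import defaultdict, namedtuple

# Constructed record shape, not the real SYSCONTACT view layout:
# source = the screen/table the row came from, partner = partner code or None.
Record = namedtuple("Record", "source code partner email")

# Minimal format check; the page only requires a "valid email format".
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample data (not real CMiC data). Note the duplicates hiding
# behind a different letter case, a stray space, and a partner contact.
CONTACTS = [
    Record("SDUSRMNT user", "JSMITH", None, "jsmith@example.com"),
    Record("SYSCNTCT contact", "C100", None, "JSmith@Example.com "),
    Record("Partner contact", "C200", "ACME", "jsmith@example.com"),
    Record("SDUSRMNT user", "ALEE", None, "alee@example.com"),
    Record("SDUSRMNT user", "BROKEN", None, "not-an-email"),
]

def normalize(email):
    """Treat addresses as equal regardless of case or surrounding whitespace."""
    return email.strip().lower()

def audit(contacts, user_source="SDUSRMNT user"):
    """Return {user code: (valid, reason, blocking records)} for each system user.

    A user is valid only when the address is well formed and no other record,
    including partner contacts, resolves to the same normalized address.
    The blocking records are the ones an admin must fix before [Send To Azure].
    """
    by_email = defaultdict(list)
    for rec in contacts:
        by_email[normalize(rec.email)].append(rec)

    result = {}
    for rec in contacts:
        if rec.source != user_source:
            continue
        key = normalize(rec.email)
        if not EMAIL_RE.match(key):
            result[rec.code] = (False, "invalid email format", [])
            continue
        blockers = [r for r in by_email[key] if r != rec]
        if blockers:
            result[rec.code] = (False, "Too many contacts with the same email address", blockers)
        else:
            result[rec.code] = (True, "ok", [])
    return result
```

Running `audit(CONTACTS)` flags JSMITH with two blockers, one of them the partner contact under ACME, which is exactly the case the Log Builder filter on Email1 is meant to surface.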