Enabling CME Group Federation Single Sign-On allows users to log into CME Group applications using their own firm's credentials. It is compatible with most enterprise identity management systems. Because authentication is delegated to the firm's own directory, when a user leaves the organization, web access to CME Group applications is denied as soon as that user is disabled in the organization's directory.
Learn more about the benefits of CME Group Federation Single Sign-On.
Firms that federate with CME Group are required to support an identity provider (IdP) infrastructure capable of SAML 2.0 or OpenID Connect (OIDC). This content provides technical details to integrate a SAML 2.0 or OpenID Connect (OIDC) compatible identity provider with CME Group Federation Single Sign-On capability.
Review, sign, and return the CME Group Federation Single Sign-On Agreement to Global Account Management before beginning these steps.
Once all required agreements, metadata and submissions are processed, CME Group will contact your firm to confirm that your company is integrated with CME Group Federation Single Sign-On.
Once integrated with CME Group, you may use your enterprise's credentials to log into CME Group applications.
CME Group recommends establishing and testing this federated access using the New Release environment before implementing in the Production environment.
Federation Single Sign-On allows login to all CME Group services/applications except for the following:
- CME Direct
- EBS Workstation
- Co-Location Portal
Required Submissions
Provide the following details to Global Account Management to federate with CME Group:
- Signed CME Group Federation Single Sign-On Agreement
- IdP Solution business contact
- IdP Solution technical contact
- Technical team distribution list (to communicate system maintenance/changes)
- Signing certificate renewal schedule (CME Group needs the new certificate before the current one expires; otherwise signed assertions stop validating)
- Estimated number of users who will leverage this integration
- Metadata XML or metadata URL (as described below)
- List of email domains associated with your company
SAML 2.0 Integration
The following steps are required to successfully integrate your IdP solution with CME Group for SAML 2.0 single sign-on.
If you prefer to integrate as an OpenID Connect (OIDC) identity provider, please continue to OpenID Connect Integration.
Pre-Requisites for SAML 2.0 Integration
- SAML 2.0 capable Identity Provider (IdP) that:
Supports service provider (SP) initiated login.
Preferably supports SAML Single Logout (SLO).
Signs assertions with SHA-256 (RSA-SHA256).
Sends the user's corporate email address as the SAML Subject NameID (SAML_SUBJECT).
- Additional attributes required in the SAML assertion: firstName, lastName, email (same value as the Subject), and user_name (a unique identifier for the user that never changes).
- Ensure that the CME Group Customer Center Profile of every user shows the same corporate email address that your IdP sends as the Subject.
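Before sending metadata, it is worth capturing an assertion from your IdP (for example from the browser's SAML tracer) and checking it against the requirements above. The following script is an added example, not CME Group code: it uses only the Python standard library, works on a constructed sample assertion from a hypothetical IdP (idp.example.com, placeholder signature value), and inspects the Subject NameID, the four required attributes and the declared signature algorithm. It does not cryptographically verify the signature; that is your IdP's job and the SP's.

```python
"""Added example (not CME Group code): check a SAML 2.0 assertion against the
Subject, attribute and signature-algorithm requirements listed above.
Structural check only; the XML signature is not cryptographically verified."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_ATTRS = ("firstName", "lastName", "email", "user_name")
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Constructed sample: hypothetical IdP, placeholder SignatureValue.
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo>
    <ds:SignatureValue>cGxhY2Vob2xkZXI=</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="user_name"><saml:AttributeValue>a1b2c3d4-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Same assertion signed with SHA-1 and with user_name renamed to uid: two failures.
BAD_ASSERTION = (GOOD_ASSERTION
                 .replace(RSA_SHA256, RSA_SHA1)
                 .replace('<saml:Attribute Name="user_name">', '<saml:Attribute Name="uid">'))


def check_assertion(xml_text: str) -> list:
    """Return a list of problems; an empty list means the assertion meets the requirements."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag == "{%s}Assertion" % NS["saml"] else root.find(".//saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element found"]
    problems = []

    # 1. The Subject NameID must be the user's corporate email address.
    name_id = (assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS) or "").strip()
    if "@" not in name_id:
        problems.append("Subject NameID is not an email address: %r" % name_id)

    # 2. firstName, lastName, email and user_name must be present and non-empty.
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    for name in REQUIRED_ATTRS:
        if not attrs.get(name):
            problems.append("missing or empty attribute: %s" % name)
    if attrs.get("email") and attrs["email"][0].lower() != name_id.lower():
        problems.append("email attribute does not match Subject NameID")

    # 3. The assertion must be signed, and the declared method must be RSA-SHA256.
    sig = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is None:
        problems.append("assertion is not signed")
    elif sig.get("Algorithm") != RSA_SHA256:
        problems.append("signature algorithm is not rsa-sha256: %s" % sig.get("Algorithm"))
    return problems


if __name__ == "__main__":
    for sample in (GOOD_ASSERTION, BAD_ASSERTION):
        print(check_assertion(sample) or "OK")
```

Run it against a real assertion by pasting the decoded SAMLResponse into `check_assertion`; a SHA-1 `SignatureMethod` or a NameID that is a username rather than an email address are the two problems that most often surface at this stage.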
Integration Steps
1. Configure CME Group as a Service Provider and Provide IdP Metadata
Please email the following details to Global Account Management:
SAML 2.0 metadata XML or metadata URL; otherwise, please provide the following information for each environment:

Parameter | Production Value | New Release Value
IdP Entity ID | |
Sign-On URL* | |
Signing Certificate | |
Single Logout URL** | |

*URL to which SAML 2.0 authentication (sign-on) requests are sent, via the HTTP-Redirect or HTTP-POST binding.
**URL to which SAML 2.0 single logout (SLO) requests are sent via the HTTP-POST binding. Leave blank if not supported.
Once all required agreements, metadata and submissions are processed, CME Group will contact your firm to provide SP metadata and confirm that your company is integrated with CME Group Federation Single Sign-On.
2. CME Group will provide SP metadata
Please import the metadata XML file provided by CME Group into your IdP. It contains the SP Entity ID, the Assertion Consumer Service (ACS) URL, the SP signing certificate (used to sign SAML AuthnRequests sent to your IdP), and the list of required SAML attributes.
If you cannot use the xml file and need these details, please let us know.
OpenID Connect Integration
The following steps are required to successfully integrate your IdP solution with CME Group for OpenID Connect single sign-on.
If you prefer to integrate as a SAML 2.0 identity provider, please continue to SAML 2.0 Integration.
Pre-Requisites for OpenID Connect Integration
- OpenID Connect capable Identity Provider (IdP) that:
Supports the OIDC Authorization Code Grant.
Issues JWT access tokens (required).
- Ensure that the CME Group Customer Center Profile for all your users contain their corporate email address.
Integration Steps
1. Create an OpenID Connect Client for CME Group
Create an OIDC client for the Authorization Code Grant flow (for both the New Release and Production environments, as needed).
The authorization server must return a JWT access token with the user's corporate email address in the sub claim.
- Additional claims required in the token: given_name, family_name, user_name, and email (same value as sub).
The redirect_uri to configure on the client will be provided by the CME IAM team after they receive the client details (see step 2, Provide the OIDC Client Details).
- Use a SHA-256 based token signing algorithm (for example RS256).
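A quick way to confirm that the client is configured as required is to obtain an access token from your authorization server and inspect its header and claims. The script below is an added example, not CME Group code: it decodes a JWT's header and payload with the standard library and reports anything that violates the requirements above (SHA-256 based asymmetric alg, email in sub, the four extra claims, email equal to sub). It builds its own constructed sample tokens with a placeholder signature, and it does not verify signatures; verification against your JWKS is a separate step.

```python
"""Added example (not CME Group code): check a JWT access token's header and
claims against the OIDC requirements listed above. Signature is not verified."""
import base64
import json

# Asymmetric JWS algorithms built on SHA-256. CME receives a JWKS URL or a signing
# certificate, so a symmetric HS256 secret does not fit this integration.
SHA256_ASYMMETRIC_ALGS = {"RS256", "PS256", "ES256"}
REQUIRED_CLAIMS = ("sub", "given_name", "family_name", "user_name", "email")


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(obj) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unverified_jwt(header: dict, claims: dict) -> str:
    """Build a JWT with a placeholder signature; used only to construct sample input."""
    return ".".join([_b64url_encode(header), _b64url_encode(claims), "placeholder"])


def check_access_token(token: str) -> list:
    """Return problems found in the token's header and claims (empty list means OK)."""
    parts = token.split(".")
    if len(parts) != 3:
        return ["token is not a three-part JWS compact serialization"]
    header = json.loads(_b64url_decode(parts[0]))
    claims = json.loads(_b64url_decode(parts[1]))
    problems = []

    alg = header.get("alg")  # also rejects alg "none"
    if alg not in SHA256_ASYMMETRIC_ALGS:
        problems.append("alg %r is not a SHA-256 based asymmetric algorithm" % alg)

    for name in REQUIRED_CLAIMS:
        if not claims.get(name):
            problems.append("missing or empty claim: %s" % name)

    sub = str(claims.get("sub", ""))
    if "@" not in sub:
        problems.append("sub is not the user's corporate email address")
    if claims.get("email") and str(claims["email"]).lower() != sub.lower():
        problems.append("email claim does not match sub")
    return problems


# Constructed samples for a hypothetical IdP (idp.example.com).
GOOD_TOKEN = make_unverified_jwt(
    {"alg": "RS256", "typ": "JWT", "kid": "signing-key-1"},
    {"iss": "https://idp.example.com", "sub": "jane.doe@example.com",
     "email": "jane.doe@example.com", "given_name": "Jane", "family_name": "Doe",
     "user_name": "a1b2c3d4-0000-4000-8000-000000000001", "exp": 1700000000})
# Symmetric alg, sub is a username rather than an email, and three claims missing.
BAD_TOKEN = make_unverified_jwt({"alg": "HS256", "typ": "JWT"},
                                {"sub": "jdoe", "given_name": "Jane"})

if __name__ == "__main__":
    for token in (GOOD_TOKEN, BAD_TOKEN):
        print(check_access_token(token) or "OK")
```

Paste a real access token into `check_access_token` to see the same report; the most common finding is a sub that holds an internal user ID rather than the email address the profile requires.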
2. Provide the OIDC Client Details
Please submit the following details for your production environment and test environment (as applicable) to Global Account Management:
OIDC client details (at minimum the client ID, plus the client secret if the client is confidential).
JWKS endpoint URL (if applicable); otherwise, the access token signing certificate.
OIDC well-known/discovery endpoint URL (if applicable); otherwise share these URLs:
- Authorization endpoint URL
- Token endpoint URL
Once all required agreements, metadata and submissions are processed, CME Group will contact your firm to confirm that your company is integrated with CME Group Federation Single Sign-On.
Log in to CME Group Applications
There are multiple scenarios for accessing CME Group Applications for both federated and non-federated users:
- Log Into CME Group Applications that are not Federation-capable: Some CME Group applications are not part of federated capability. To access these applications, users require a CME Group Login account. See the CME Group Login User Help System for details.
- Log in as a Federated User: After your company has successfully integrated with CME Group's federation capability, you may log in with your Company Account email credentials:
Contact/Support Information
To learn more about integrating with CME Group's Federation capability, contact Global Account Management.
For assistance with an existing Company Account, contact your firm administrator.
To address CME Group support requests, CME Group may require customers to supply an access code for identity validation. Please see Generate an Access Code for Support Staff.