How To Configure SSO Using SAML

Overview

The Single Sign On feature requires configuration on both sides: the platform acting as the Identity Provider and the platform acting as the Service Provider. Use the section below that matches the role being configured.

Identity Provider Configuration Procedures

1. Navigate to the Identity Provider setup section.

Go to Setup > Security > Identity Provider

The list of identity providers will be displayed. If there is only one record, it will be displayed automatically. Note that while many profiles can be defined, only one identity provider profile can be active at any given time.

2. Create an Identity Provider

Click New to add a new identity provider or select an existing provider to update. The details entry page is then displayed.

Populate the details with the appropriate information.

Field Definitions

Table 1
Field: Definition
Identity Provider Name: Unique name/label for the Identity Provider profile.
Enabled: When checked, this is the active identity provider profile.
Issuer: URL of the issuer. This is normally the BillingPlatform org domain/URL.

Click Submit to save the new Identity Provider profile. Upon saving, the certificate information is also made available on the details page. It can be copied into a text file and shared with the service providers, which need it to recognize this platform as a trusted system.

3. Add Service Providers

Click the Service Provider child node in the left navigation pane. The list of service providers will be displayed. If there is only one record, it will be displayed automatically.

Click New to add a Service Provider, or select an existing record to view/update its details. The details page is displayed where the necessary information can be entered.

Refer to the table below for the information expected for each field.

Field Definitions

Table 2
Field: Definition
Service Provider Name: Unique name/label of the service provider.
Start URL: URL to which users are redirected when the application is invoked. This can be an absolute URL or a link for the application name.
Entity Id: Entity Id value from the service provider. This must be provided by the service provider system.
ACS URL: ACS stands for Assertion Consumer Service; the URL must be obtained from the service provider.
Subject Type:

The subject type that the service provider expects. This configuration must be provided by the service provider. Available options are:

  • Username - Name of the user.
  • User ID - An ID external to the service provider.
  • Federation ID - An ID internal to the service provider.
Name ID Format: The format of the Name ID that is passed in the subject. This must be provided by the service provider.
Issuer: If no URL is provided, the BillingPlatform org domain is used as the default.

Click Submit to save the new service provider. Additional service providers can be added as needed.

Service Provider Configuration Procedures

1. Navigate to the Service Provider configuration section.

Go to Setup > Security > Single Sign-on. The profile details will be displayed.

2. Update the configuration

Click Edit to update the details of the Service Provider configuration.

Field Definitions

Table 3
Field: Definition
SAML Enabled: Specifies whether the platform connects to an IDP via SAML.
Upload New IDP Certificate: Click this button to upload a certificate file from the Identity Provider.
SAML User Id Type:

Specify the format of the user information that is expected from the Identity Provider. This needs to be confirmed with the identity provider. Available options are:

  • Assertion contains User's username
  • Assertion contains the Federation ID from the User object
SAML User Id Location:

Specify where the user identity is located in the data sent by the Identity Provider. This needs to be confirmed with the identity provider. Available options are:

  • Identity is in the NameIdentifier element of the Subject statement
  • Identity is in an Attribute element
Attribute Name:

This is only applicable if the SAML User Id Location value is set to "Identity is in an Attribute element". Specify the name of the attribute in this field.

SP Initiated Request Type:

Specifies the method used to send an authentication request to the Identity Provider. Available options are:

  • HTTP POST
  • HTTP Redirect
Issuer:

Unique identifier for the Service Provider. Once this has been configured and communicated to the Identity Provider, any change to it must be reconfigured with the Identity Provider again.

This is equivalent to the Entity Id in the Identity Provider configuration.

Entity Id: Identifier of the Identity Provider. This is equivalent to the Issuer in the Identity Provider configuration.
Start URL: URL to which users are directed when they open the application.
IDP Login URL: URL of the endpoint to which authentication requests are sent.
IDP Logout URL: URL of the endpoint to which logout requests are sent.
Recreate Certificate and Private Key?: Checking this instructs the system to refresh the installed certificate and private key.
User Provisioning Enabled: Checking this enables the just-in-time provisioning feature: if a user authenticated by the identity provider does not yet exist in the platform, the user is created in the platform.
API User: Applicable only if User Provisioning is enabled. This is an existing platform user that is used to provision the new user.
Required Fields:

Applicable only if User Provisioning is enabled. This is the table of attribute mappings for the information required when provisioning a new user. These are:

  • USERNAME
  • ROLENAME
Attributes Mapping:

Applicable only if User Provisioning is enabled. This is the table of attribute mappings for optional information when provisioning a new user. Columns to be populated are:

Column: Definition
User Entity Field: Picklist of the fields that are populated when provisioning a user in the platform.
External Field: Name of the identity provider attribute that is expected to contain this information.
Default Value: Default value used for the field if the identity provider does not provide the information.

Click Submit to save the changes and complete the Service Provider role configuration.
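As an added illustration, not BillingPlatform's own code, the Python below shows how a Service Provider applies the Table 3 settings to an incoming assertion: it checks the Issuer against the configured Entity Id, reads the user identity from either the NameID or the named Attribute element according to SAML User Id Location, and builds the provisioning record from the Required Fields and the Attributes Mapping with its Default Values. The sample assertion and the SP_CONFIG key names are constructed assumptions, and signature verification against the uploaded IDP certificate is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample assertion, not a real IdP response; the XML signature is omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="USERNAME"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="ROLENAME"><saml:AttributeValue>Billing Analyst</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical SP-side settings mirroring the Table 3 fields (key names are ours, not the product's).
SP_CONFIG = {
    "entity_id": "https://idp.example.test/saml",  # must equal the IdP's Issuer
    "user_id_location": "attribute",                # "nameid" or "attribute"
    "attribute_name": "USERNAME",
    "required_fields": ["USERNAME", "ROLENAME"],
    # (User Entity Field, External Field, Default Value)
    "attribute_mapping": [("EMAIL", "mail", None), ("TIMEZONE", "tz", "UTC")],
}

def attributes(root):
    """Map each Attribute Name to the text of its first AttributeValue."""
    return {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
            for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def resolve_identity(xml_text, cfg):
    """Return (user_id, provisioning_fields); assumes the signature was already verified."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != cfg["entity_id"]:
        raise ValueError(f"issuer {issuer!r} does not match the configured Entity Id")
    attrs = attributes(root)
    if cfg["user_id_location"] == "nameid":
        user_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    else:
        user_id = attrs.get(cfg["attribute_name"])
    if not user_id:
        raise ValueError("no user identity at the configured SAML User Id Location")
    missing = [f for f in cfg["required_fields"] if not attrs.get(f)]
    if missing:
        raise ValueError(f"cannot provision user, missing required fields: {missing}")
    fields = {f: attrs[f] for f in cfg["required_fields"]}
    for entity_field, external, default in cfg["attribute_mapping"]:
        fields[entity_field] = attrs.get(external, default)  # Default Value fills gaps
    return user_id, fields
```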
