
SAML Single Sign On


The SAML Single Sign On feature allows a user to log in once on their SAML identity provider; that session also authenticates the user's iVvy login without them having to type in additional usernames and passwords.

To configure SAML single sign on for iVvy:

  1. Go to the security settings of your account and select "SAML SSO" as the "Authentication Method". This will configure your account as a "Service Provider" (SP) that can communicate with an "Identity Provider" (IDP) to authenticate users.
    The examples below demonstrate how Google Apps can be used as the IDP; however, the settings described can be applied to any IDP that implements SAML version

  2. Download the IDP metadata that contains the details you will need to enter on the security settings page of your account. In Google Apps, this looks like the following:

    Download the metadata from Option 2. This will be an XML document.

  3. Enter the following on the security settings page of your account. For example:

    Entity ID

    This is the entity ID provided by the IDP. In Google, this is the "entityID" attribute of the <md:EntityDescriptor> element.

    Want AuthnRequestsSigned

    Select Yes to sign the requests between iVvy (SP) and the IDP. It is strongly recommended to select Yes for better security; however, whether this is supported depends on your IDP.

    Allow Signup

    Select Yes if you want to allow new users to sign in to your iVvy account. If this is set to No, users must first be added to your iVvy account before they can be authenticated by your IDP.

    Default Group Policy

    You can select the default iVvy policy that is assigned to new users that sign in to your iVvy account.

    Single Sign On Service Endpoint (HTTP-REDIRECT)

    This is the HTTP endpoint provided by the IDP to authenticate users. In Google, this is the "Location" attribute of the <md:SingleSignOnService> element whose "Binding" attribute is "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect".

    X509 Certificate

    This is the certificate generated by your IDP. In Google, this is the <ds:X509Certificate> element.

    NameId Format

    Set this format if your IDP has specific requirements; otherwise leave the default value selected.

    Unique Identifier

    This is where you map the attributes provided by your IDP to attributes of users in iVvy (SP).
    The mapping of attributes (Unique Identifier above) must be able to uniquely identify users in iVvy. There is no specific mapping that can be entered here; it depends on the attributes provided by your IDP. The SAML key (i.e. the IDP attribute name) entered in the text area is case sensitive. The dropdown list has the following iVvy user attributes:

    Email

    The email address of the iVvy user

    Username

    The unique username of the iVvy user

    First Name

    The first name of the iVvy user

    Last Name

    The last name of the iVvy user

    Custom

    The custom unique identifier of the iVvy user. Note: The unique identifier of the iVvy user is only visible when a Custom attribute is used in the SAML mapping.

    Multiple attributes can be mapped. All mapped attributes will be used by iVvy (SP) to uniquely identify the user authenticated by the IDP.
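    The following is an added example, not iVvy's own code, of what the Unique Identifier mapping has to achieve: it reads the attributes out of a SAML assertion, looks each mapped SAML key up exactly as typed (case sensitive), and checks that the combination of mapped attributes matches exactly one user. The assertion, the attribute names (mail, givenName, sn, employeeNumber) and the user directory are constructed for the example; the attribute names your IDP sends will differ.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment: only the AttributeStatement matters here.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2020-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml2/idp</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="sn"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="employeeNumber"><saml:AttributeValue>E1042</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# The iVvy user attributes offered in the dropdown (from the article).
IVVY_ATTRIBUTES = ("Email", "Username", "First Name", "Last Name", "Custom")

# Constructed user directory: two users share the same first and last name,
# so a mapping on name alone cannot identify either of them.
USERS = [
    {"Email": "jane.doe@example.com", "Username": "jdoe", "First Name": "Jane", "Last Name": "Doe"},
    {"Email": "jane.doe2@example.com", "Username": "jdoe2", "First Name": "Jane", "Last Name": "Doe"},
    {"Email": "sam.lee@example.com", "Username": "slee", "First Name": "Sam", "Last Name": "Lee"},
]


def assertion_attributes(xml_text):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.

    The Name is kept exactly as the IDP sent it; nothing is lower-cased.
    """
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_identity(attrs, mapping):
    """Apply a {iVvy attribute: SAML key} mapping to the assertion attributes.

    Returns {iVvy attribute: value}. Raises KeyError when a SAML key is absent,
    which is what happens when the key is typed in the wrong case.
    """
    identity = {}
    for ivvy_attr, saml_key in mapping.items():
        if ivvy_attr not in IVVY_ATTRIBUTES:
            raise ValueError("unknown iVvy attribute %r" % ivvy_attr)
        values = attrs.get(saml_key)  # exact, case-sensitive lookup
        if not values:
            raise KeyError("assertion carries no attribute %r (keys are case sensitive)" % saml_key)
        if len(values) != 1:
            raise ValueError("attribute %r is multi-valued and cannot identify a user" % saml_key)
        identity[ivvy_attr] = values[0]
    return identity


def find_user(identity, users):
    """Every mapped attribute must match, and exactly one user may match."""
    matches = [u for u in users if all(u.get(k) == v for k, v in identity.items())]
    if len(matches) > 1:
        raise LookupError("mapping does not uniquely identify a user: %d matches" % len(matches))
    return matches[0] if matches else None


if __name__ == "__main__":
    attrs = assertion_attributes(ASSERTION)
    print(find_user(map_identity(attrs, {"Email": "mail"}), USERS))
```

    Mapping "Email" to "mail" resolves one user; mapping it to "Mail" fails because the key does not match; mapping only "First Name" and "Last Name" is rejected because two users share that name.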

  4. The "Download our SP metadata" link will only appear once the security settings are saved.

    Download the SP metadata file (an XML document) and enter the appropriate settings in your IDP. In Google, this looks like the following:

    ACS Url

    This is the "Location" attribute of the <md:AssertionConsumerService> element.

    Entity ID

    This is the "entityID" attribute of the <md:EntityDescriptor> element.


    Note that "Signed Response" is ticked, which corresponds to selecting Yes for "Want AuthnRequestsSigned" in step 3 above.

    Note that in the Google example, "Name ID Format" is "unspecified". This could be different for your IDP and corresponds to the "NameId Format" setting in step 3 above.

    iVvy should now be ready to act as the SP (service provider) and authenticate user sessions with your IDP (identity provider).

    If you do not allow new users to sign up (i.e. the "Allow Signup" setting of step 3 above), you will now need to go to the Users section of your iVvy account and set up the users who need access to your account.

    If you do allow users to sign up (i.e. "Allow Signup" is Yes), then you can go to the login page of your iVvy account which should begin the SAML authentication process with your IDP. After successfully authenticating with your IDP, you will be presented with the following form in iVvy to complete the creation of your user profile in iVvy.
