SSO - SAML Authentication
Overview
You can configure your digital workplace to allow one third-party identity provider (IdP) that uses the SAML 2.0 standard to manage the authentication process of your workplace. This IdP will manage user credentials and handle authentication requests to your digital workplace.
IdP configuration articles
Click one of the following articles to view how to configure that IdP with your digital workplace:
If your IdP is not listed, you should still be able to configure it to work with your digital workplace as long as it uses SAML 2.0. While creating the connection in your IdP, refer to the Configuration settings below to know what information is needed. If your IdP asks you to provide your site's SAML endpoint, enter your digital workplace's URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
Configuration settings
You can access the SAML Configuration page of your digital workplace by clicking the Configure SAML Authentication link found on the Sign In Settings page of the Control Panel.
Click Save at the bottom of the SAML Configuration page to apply any changes.
Connection Name
Enter a name for this connection. If you configure Sign in Settings to "Use SAML button on Sign in screen," this name will be displayed on the button.
IdP Login URL
Enter your Identity Provider's Single Sign-On URL. Your digital workplace will send POST requests to this location when users attempt to authenticate.
Refer to your IdP for this value.
IdP Logout URL
Enter your Identity Provider's Single Logout URL. Only enter a value if you want users to also log out of the IdP when they log out of the digital workplace.
Refer to your IdP for this value.
Logout Response and Request HTTP Type
Select how your workplace sends the logout response to your IdP's Logout URL.
Options include:
- POST
- Redirect
- Basic
Refer to your IdP's documentation for the form this request should take. If the documentation does not specify the response type, try each of the available options in turn until one works: Redirect first, then POST, and finally Basic.
You can ignore this setting if you have not configured an IdP Logout URL.
Logout Final Redirect URL
Enter the URL of the location where you want to send members when they log out. If left blank, members will be redirected to your digital workplace's homepage.
Binding Type
Select which messaging protocol to use for communications between your digital workplace and IdP.
Options include:
- Post
- Basic
You should refer to your IdP's documentation for the preferred option.
Public Certificate
Enter the public X.509 certificate that the IdP will send during the authentication process.
Refer to your IdP for this value.
Identity Provider
Select which IdP you are using.
Options include:
- Centrify
- Microsoft ADFS
- Okta
- OneLogin
- PingOne/Identity
- Other
Identifier Type
Select the primary key used to identify users when authenticating.
Options include:
- Email Address
- Custom Identifier
The selected value is what should get passed in the NameID field of the SAML Response.
Identifier Path
Do not change this value. This field is only shown when Identity Provider is set to Other.
In your IdP, ensure that the desired Identifier Type is being passed to your digital workplace as NameID.
For example: /samlp:Response/saml:Assertion/saml:Subject/saml:NameID
Session Index Path
Do not change this value. This field is only shown when Identity Provider is set to Other.
For example: /samlp:Response/saml:Assertion/saml:AuthnStatement
Email Path
Enter the path that matches how your IdP is passing the Email attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the email attribute being sent by your IdP. Alternatively, you can change the name of the email attribute being passed by your IdP to Email.
For example:
/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue
First Name Path
Enter the path that matches how your IdP is passing the FName attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the first name attribute being sent by your IdP. Alternatively, you can change the name of the first name attribute being passed by your IdP to FName.
For example:
/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue
You can leave this blank if User creation on Sign in is not enabled.
Last Name Path
Enter the path that matches how your IdP is passing the LName attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the last name attribute being sent by your IdP. Alternatively, you can change the name of the last name attribute being passed by your IdP to LName.
For example:
/samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue
You can leave this blank if User creation on Sign in is not enabled.
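As an added example (not Igloo's own code), the following Python script applies the page's Identifier, Session Index, Email, First Name and Last Name paths to a constructed SAML Response. It shows that the @Name predicate is an exact match: the constructed IdP sends the last name as "lastName", so the default "LName" path finds nothing until the path (or the IdP attribute name) is changed, which is the mismatch the sections above describe.

```python
import xml.etree.ElementTree as ET

# Namespace prefixes used by the configuration page's example paths.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned SAML Response used only to exercise the paths.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z" SessionIndex="_s1"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

ROOT_STEP = "/samlp:Response/"
ATTR_PATH = ROOT_STEP + 'saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="%s"]/saml:AttributeValue'


def select(response_xml, path, attribute=None):
    """Evaluate one of the page's absolute paths; return element text (or one
    XML attribute of it), or None when nothing matches.  ElementTree evaluates
    paths relative to the element it is given, so the /samlp:Response step is
    stripped and the rest is evaluated from the parsed Response element."""
    if not path.startswith(ROOT_STEP):
        raise ValueError("path must start with " + ROOT_STEP)
    node = ET.fromstring(response_xml).find(path[len(ROOT_STEP):], NS)
    if node is None:
        return None
    return node.get(attribute) if attribute else node.text


def extract_profile(response_xml, email_attr="Email", fname_attr="FName", lname_attr="LName"):
    """Collect the values the workplace reads, using the page's default attribute names."""
    return {
        "name_id": select(response_xml, ROOT_STEP + "saml:Assertion/saml:Subject/saml:NameID"),
        "session_index": select(response_xml, ROOT_STEP + "saml:Assertion/saml:AuthnStatement", "SessionIndex"),
        "email": select(response_xml, ATTR_PATH % email_attr),
        "first_name": select(response_xml, ATTR_PATH % fname_attr),
        "last_name": select(response_xml, ATTR_PATH % lname_attr),
    }


if __name__ == "__main__":
    print(extract_profile(SAMPLE_RESPONSE))                      # last_name is None
    print(extract_profile(SAMPLE_RESPONSE, lname_attr="lastName"))  # last_name is "Doe"
```

A None result for a path that the IdP is supposedly sending is the quickest indication that the @Name value on either side needs to change; a SAML trace (see Troubleshooting) shows the exact name the IdP uses.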
Drift Time (In Seconds)
Enter how many seconds your digital workplace will wait for a response from the IdP. If a response takes longer than this time, authentication will fail, and the user will not be signed in to your digital workplace.
User creation on Sign in
Select how your digital workplace handles users who attempt to sign in to your digital workplace when they have valid IdP credentials but are not members of the workplace.
Options include:
- Create a new user in your site when they sign in (Users will be added to manage members on sign in)
- Do not create new users when they sign in (Users not in manage members will be denied access)
When creating new users in your digital workplace this way, they will be created with the following details:
- First Name (from First Name Path)
- Last Name (from Last Name Path)
- Email Address (from Email Path)
- CustomIdentifier (from Identifier Path if the Identifier Type is Custom Identifier)
- Membership to the All Members group
If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.).
If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts.
Sign in Settings
Select how users sign in to your workplace using the IdP.
Options include:
- Use SAML button on "Sign in" screen
- Redirect all users to the IdP
Using Igloo Authentication when the workplace redirects users to the IdP
Append /?signin to your digital workplace's URL to navigate to the Igloo Authentication sign in page (e.g., https://customercare.igloosoftware.com/?signin). From here, you can use your Igloo Authentication credentials to sign in to your workplace. If you enter your Igloo Authentication credentials incorrectly, you will be redirected to your IdP's sign in page.
Troubleshooting
Capturing a SAML Trace
When trying to figure out why SAML Authentication may not be working, capturing a trace of the SAML communications between your IdP and digital workplace is necessary. Refer to the article Capturing a SAML trace to learn how to do this with different browsers.
X.509 certificate expired
If all users are suddenly unable to authenticate to your digital workplace, the X.509 certificate that your IdP is using may have changed from what you have entered in your digital workplace. This change often occurs due to an IdP having an expiry date on these certificates. Refer to the article SAML Certificate Check to learn more about comparing the certificate that your IdP is sending to what your digital workplace is expecting.
SAML Configuration page is not saving
An incorrect X.509 Public Certificate is the most common cause of failures to save. Ensure that you have copied the correct information into this field.