SSO - SAML Authentication
What is it
SAML Authentication, or Single sign-on via SAML, employs the SAML 2.0 standard to authenticate users against a third-party identity provider (IDP). With SAML Authentication, the IDP manages all credentials and authentication requests. Igloo refers to the IDP for confirmation of user credentials.
SSO Authentication requires you to have an identity provider that supports SSO via SAML 2.0. Common IDPs include Microsoft ADFS, Okta and OneLogin. Only one IDP can be set up at a time to manage authentication. Contact your Igloo representative to learn how you can enable this feature on your community site.
How to Configure SAML Authentication
Before beginning to configure SAML Authentication in your Igloo community, you will need to have your IDP set up and able to send and receive SAML requests. Each IDP is different; contact your provider if you need more information.
Step 1: Access SAML settings
In your Control Panel, navigate to Membership > Sign In Settings, then click “Configure SAML Authentication”.
Note: Selecting the “?” icon provides your community SAML endpoint which your IDP will need. It is https://yourcommunity.com/saml.digest.
Step 2: Enter a name
Set a name for this connection in the Connection Name field.
This will be displayed on the Igloo login screen if you are not automatically redirecting people to your IDP.
Step 3: Enter your IDP Login URL
This is the SAML endpoint to which your site will send POST login requests. This information will come from your IdP.
Step 4: Enter Single Sign-Out information (optional)
If your IDP supports Single-Sign-Out, you will need to enter the following:
IdP Logout URL: This is the URL to which your site will send logout information. This should be provided by your IDP.
Logout Response and Request HTTP Type: select whether your IDP accepts POST, Redirect, or Basic logout requests.
Logout Final Redirect URL: Enter a URL to which your IDP will redirect users after logout has been completed.
Step 5: Enter your public certificate
Enter the public X.509 certificate that accompanies the SAML responses your IDP sends when authenticating. Your IDP should provide this, or you can find it in a SAML response.
Note: The form will not save if a valid certificate value has not been entered.
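A pasted certificate that fails to save is usually a copy-and-paste problem (a truncated body, stray characters, or whitespace) rather than a bad certificate. The helper below is an added example, not Igloo's own validation code: it accepts either a PEM block or the bare base64 body copied out of a response, strips headers and whitespace, and checks that what remains decodes to a single well-formed DER SEQUENCE, which is the outer structure every X.509 certificate has. It does not verify the certificate itself; the sample values it is tested against are constructed stand-ins, not real certificates.

```python
import base64
import binascii
import re

PEM_MARKER = re.compile(r"-----(BEGIN|END) CERTIFICATE-----")


def der_length_matches(der: bytes) -> bool:
    """Check that the outer DER length header accounts for exactly the bytes present.

    A certificate that was cut short while pasting decodes fine as base64 but
    its declared SEQUENCE length no longer matches the data, which this catches.
    """
    if len(der) < 2:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length fits in one byte
        return len(der) == 2 + first
    num_len_bytes = first & 0x7F           # long form: next N bytes hold the length
    if num_len_bytes == 0 or len(der) < 2 + num_len_bytes:
        return False
    declared = int.from_bytes(der[2:2 + num_len_bytes], "big")
    return len(der) == 2 + num_len_bytes + declared


def normalize_certificate(pasted: str):
    """Return the cleaned base64 body of a pasted X.509 certificate, or None.

    None means the value would not be accepted by a form that requires a
    syntactically valid certificate: it is empty, not base64, has stray
    characters, or is not a complete DER SEQUENCE.
    """
    body = PEM_MARKER.sub("", pasted)
    body = re.sub(r"\s+", "", body)        # PEM line wrapping and copied newlines
    if not body:
        return None
    try:
        der = base64.b64decode(body, validate=True)   # rejects non-base64 characters
    except (binascii.Error, ValueError):
        return None
    if der[:1] != b"\x30":                 # every X.509 certificate starts with SEQUENCE
        return None
    if not der_length_matches(der):
        return None
    return body


# Constructed stand-in: a minimal DER SEQUENCE (30 03 02 01 05), not a real certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----"""

if __name__ == "__main__":
    print(normalize_certificate(SAMPLE_PEM))            # MAMCAQU=
    print(normalize_certificate("MAMCAQ=="))            # None: declared length 3, only 2 bytes follow
    print(normalize_certificate("aGVsbG8="))            # None: decodes but is not a SEQUENCE
```

Run the check on the value before pasting it into the Public Certificate field; a None result points at the paste rather than at the IDP configuration.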
Step 6: Select your identity provider
Igloo has a few pre-configured settings for common IDPs. Select yours from the list if it appears. Select “Other” if it does not.
Step 7: Select your primary identifier type
This is the primary key used to identify users in the Igloo database when authenticating. It should be the value passed in the NameID of your SAML responses. You can either use email address or your own unique Custom Identifier.
Regardless of which you choose, each user’s identifier must be unique and should never change.
Using a Custom Identifier is usually recommended, if available. These should be unique values that can never change for the individual. Use of a Custom Identifier accommodates email address changes due to name changes, etc.
Step 8: Enter identity information paths
Four pieces of information are needed for authenticating and provisioning people via SAML: identifier, email, first name, and last name. All of these need to be passed in the SAML response by your IDP.
The location in the response is relatively standard and the default paths are pre-populated for you, but you can adjust them if needed.
Identifier Path: This option will only appear if you select “Other” as your Identity Provider. This is the path to the identifier value in the SAML response.
Session Index Path: This option will only appear if you select “Other” as your Identity Provider. This is the path to the session index value in the SAML response.
Email Path: This field is necessary even if you are using a Custom Identifier.
First Name and Last Name Paths: You need these attributes populated if you want Igloo to automatically provision new users (see step 9).
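To make the path settings in step 8 and the provisioning rule in step 9 concrete, here is an added example (not Igloo's code) of a service provider reading the identifier, session index, email, first name and last name out of a SAML response and deciding whether a first-time user can be created. The paths, attribute names (email, firstName, lastName) and the sample responses are all constructed for this example; the page does not list Igloo's actual default paths. Attribute extraction is only meaningful after the response signature has been verified against the certificate from step 5, which this example assumes has already happened.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Illustrative paths (assumed, not Igloo's defaults). A trailing "/@name" means
# "read XML attribute 'name' of the matched element" instead of its text.
DEFAULT_PATHS = {
    "identifier": ".//saml:Subject/saml:NameID",
    "session_index": ".//saml:AuthnStatement/@SessionIndex",
    "email": ".//saml:Attribute[@Name='email']/saml:AttributeValue",
    "first_name": ".//saml:Attribute[@Name='firstName']/saml:AttributeValue",
    "last_name": ".//saml:Attribute[@Name='lastName']/saml:AttributeValue",
}

REQUIRED_FOR_CREATION = ("identifier", "email", "first_name", "last_name")


def _lookup(root, path):
    """Resolve one configured path to a string, or None when it is absent or empty."""
    element_path, _, attr = path.partition("/@")
    node = root.find(element_path, NS)
    if node is None:
        return None
    value = node.get(attr) if attr else node.text
    return value.strip() if value and value.strip() else None


def extract_identity(response_xml, paths=DEFAULT_PATHS):
    """Pull the configured fields out of an already signature-verified response.

    Caveat: ElementTree is used here for brevity. When parsing XML received from
    another party, use a hardened parser (e.g. defusedxml) to resist entity-expansion
    and external-entity tricks.
    """
    root = ET.fromstring(response_xml)
    return {field: _lookup(root, path) for field, path in paths.items()}


def provisioning_decision(identity, create_new_users):
    """Apply the step 9 rule to an extracted identity.

    Returns (action, reason): 'reject' when the NameID is missing, 'lookup_existing'
    when user creation is disabled, 'create' only when all four required fields are
    present, otherwise 'reject' naming the missing fields.
    """
    if not identity.get("identifier"):
        return ("reject", "no identifier in NameID")
    if not create_new_users:
        return ("lookup_existing", None)
    missing = [f for f in REQUIRED_FOR_CREATION if not identity.get(f)]
    if missing:
        return ("reject", "cannot provision, missing: " + ", ".join(missing))
    return ("create", None)


# Constructed sample response (unsigned, values invented) with all four fields.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">emp-1001</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement SessionIndex="_sess-42"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Constructed sample where the IDP sends no name attributes (step 9 edge case).
SAMPLE_RESPONSE_NO_NAMES = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:Subject><saml:NameID>emp-1002</saml:NameID></saml:Subject>
    <saml:AuthnStatement SessionIndex="_sess-43"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>sam.roe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    full = extract_identity(SAMPLE_RESPONSE)
    print(full, provisioning_decision(full, create_new_users=True))
    partial = extract_identity(SAMPLE_RESPONSE_NO_NAMES)
    print(partial, provisioning_decision(partial, create_new_users=True))
```

When user creation is set to “Do not create new users”, the second response still authenticates an existing member by identifier; with creation enabled it is rejected because first and last name are absent, which is exactly the situation step 9 warns about.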
Step 9: Enable or disable user creation
If you have provided the first name and last name as part of the SAML response, Igloo can automatically add new users to your site when they log in for the first time.
It is more common to have this set to “Do not create new users” and have new people added through Manage Members or the Igloo LDAP Sync Tool.
Step 10: Set redirect behavior
You can determine if people will see the Igloo login page with a button that allows them to log in via your IDP, or are automatically redirected to your IDP.
Typically, this is set to “Use SAML button on ‘Sign in’ screen” while you are configuring and testing SSO, and then changed to “Redirect all users to IdP” once complete.
Step 11: Save your changes
Select the Save button at the bottom of the form to save your changes.
Frequently asked questions
How do I configure my IDP?
Every identity provider is different and should be able to provide documentation and support for how to add new service providers. One piece of information they will need is the SAML endpoint, which is https://yourcommunity.com/saml.digest.
I need to update my SAML settings but cannot log in
You can bypass the automatic redirect by adding /?signin to your community URL and logging in with Igloo credentials. If you are a community manager and do not have Igloo credentials for your site, contact your Igloo representative.
Why will my form not save?
Valid values must be entered for all mandatory fields before the form will save. An incorrect Public Certificate is the most common cause of failures to save.