Introduction
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties. It allows an organization to use one set of credentials across multiple systems by exchanging signed assertions between an IdP (Identity Provider) and SPs (Service Providers).
Another common standard is OpenID Connect (OIDC).
Roles
Service Provider: A service provider is an application that consumes SAML assertions. In this setup, Sessionboard is the service provider.
Identity Provider: The identity provider is the system of record that controls user creation and authentication. It must support SAML 2.0. Some examples are:
Auth0
Okta
OneLogin
The expectation is that customers can configure a SAML-compliant SSO IdP to manage the creation of Sessionboard users, so that users sign in to Sessionboard with their identity-provider credentials instead of a separate Sessionboard password. The password itself is never sent to Sessionboard; the identity provider authenticates the user and sends only the signed assertion.
Setup Requirements
Sessionboard requirements:
Sessionboard will provide the following information to the customer:
Assertion Consumer Service (ACS) URL: This is the URL that receives the HTTP POST from the identity provider carrying the SAML assertion. This endpoint uses the customer's x509 certificate to verify the signature on the assertion before accepting it.
Audience URL: This is the identifier (entity ID) of Sessionboard as the SP. The Audience restriction in the assertion must match it, so assertions issued for another service are rejected.
Customer requirements:
The customer must provide the following information to Sessionboard to enable SAML 2.0 SSO:
A SAML application created in the vendor identity provider.
x509 certificate used by the identity provider to sign the SAML assertion.
Issuer (the identity provider's entity ID; it uniquely identifies the IdP application that issues the assertions).
Domain (the email domain for which SSO is enabled).
View 'Okta Setup' below for further instructions on how to receive the requested information above.
By default, Sessionboard expects the following attributes to be returned as part of the user profile:
id: the user's ID in the identity provider's user directory.
firstName: user first name, used to reference the user and associated contact in our system
lastName: user last name, used to reference the user and associated contact in our system
email: user email that is used to log into Sessionboard and for authentication communications (password reset, new user invitation, etc.)
nameID: the Subject NameID of the assertion; this is also the user's email.
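The checks the ACS endpoint and the attribute requirements above imply, written out as an added example; this is not Sessionboard's code. It parses a constructed, unsigned sample assertion, then enforces issuer, validity window, Audience URL, the required attributes, agreement between NameID and email, and the customer's SSO domain. The audience URL, issuer, user values and the SSO domain are placeholders. Signature verification is deliberately not shown: a real consumer must first verify the XML signature against the customer's x509 certificate with a proper library (for example python3-saml on top of xmlsec) and only then run checks like these on the verified document.

```python
"""SAML assertion consumer checks (added example, not Sessionboard's code).

Assumes the assertion's XML signature has already been verified against the
customer's x509 certificate; these checks never replace that step.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # production code: prefer defusedxml

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}

# Attribute names the profile above expects from the identity provider.
REQUIRED_ATTRS = ("id", "firstName", "lastName", "email")

# Placeholder values (assumptions for this example, not real identifiers).
AUDIENCE = "https://sp.example.invalid/saml/metadata"
ISSUER = "http://www.okta.com/exk_placeholder"
SSO_DOMAIN = "example.com"
NOW = "2024-01-01T12:00:00Z"

# Constructed, unsigned sample assertion for parsing only.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_id1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Issuer>{ISSUER}</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="id"><saml:AttributeValue>00u_placeholder</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_time(s):
    """Parse the UTC timestamps SAML uses (YYYY-MM-DDTHH:MM:SSZ)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_profile(assertion_xml, audience, issuer, sso_domain, now):
    """Validate a signature-verified assertion and return the user profile.

    Raises ValueError on the first failed check so nothing partial is trusted.
    """
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{SAML}}}Assertion":
        raise ValueError("not a SAML 2.0 Assertion")

    # Issuer must be the IdP entity ID the customer registered.
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        raise ValueError("unexpected Issuer")

    # Validity window and Audience restriction (assertion must be meant for this SP).
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("missing Conditions")
    now = parse_time(now)
    if cond.get("NotBefore") and now < parse_time(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        raise ValueError("Audience does not match this SP")

    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("missing NameID")

    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    missing = [n for n in REQUIRED_ATTRS if not attrs.get(n)]
    if missing:
        raise ValueError("missing attributes: " + ", ".join(missing))

    email = attrs["email"].strip().lower()
    if email != name_id.strip().lower():
        raise ValueError("NameID and email attribute disagree")
    # Only provision users in the domain the customer enabled for SSO.
    if email.rsplit("@", 1)[-1] != sso_domain.lower():
        raise ValueError("email domain not enabled for SSO")

    profile = {n: attrs[n] for n in REQUIRED_ATTRS}
    profile["email"] = email
    profile["nameID"] = name_id
    return profile


def validation_error(assertion_xml, audience=AUDIENCE, issuer=ISSUER,
                     sso_domain=SSO_DOMAIN, now=NOW):
    """Return None if the assertion passes, otherwise the rejection reason."""
    try:
        extract_profile(assertion_xml, audience, issuer, sso_domain, now)
        return None
    except ValueError as exc:
        return str(exc)


if __name__ == "__main__":
    print(extract_profile(SAMPLE_ASSERTION, AUDIENCE, ISSUER, SSO_DOMAIN, NOW))
```

Every check raises rather than returning a partial profile, so a user is created only when the whole assertion is acceptable. The domain check is what keeps one customer's identity provider from asserting users in another customer's email domain.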
Okta Setup
Create an application: Using the left menu, go into Applications > Applications.
Click on Create App Integration
Choose SAML 2.0 and click Next.
Fill out step 1 and click Next.
Fill in the fields in step 2 using the information received from Sessionboard (the Assertion Consumer Service URL and the Audience URL):
Scroll down to Attributes Statements (Optional)
Important! This information is used to create a new user if one does not exist. Add the following:
firstName = user.firstName
lastName = user.lastName
email = user.email
id = user.id
After that click Next and Save.
The application has been created and it can now be configured in Sessionboard.
On the right side of the screen, click the View SAML setup instructions button.
Open these instructions to find the information you need to provide to Sessionboard (the Issuer and the x509 certificate).
Once this is configured and saved, the identity provider will be ready to create and manage users in Sessionboard.