Terminology used in this article:
- IdP - Identity Provider (the asserting party) is the system that authenticates the user and provides the user's information.
- This is your organization's IT system that contains your user directory, such as Active Directory, LDAP, etc. It could also be a third-party identity service your organization uses, such as Okta.
- SP - Service Provider (the relying party, which relies on the assertion) is the system that trusts the user information provided by the Identity Provider.
- This is the Accompa system.
- SAML assertion - An XML document, defined by the open SAML 2.0 standard, in which the IdP states that a user has been authenticated and carries attributes about that user (here, the email address). The IdP signs the assertion so the SP can verify that it is genuine and unmodified. SAML itself is the standard for exchanging such authentication and authorization data between an identity provider and a service provider.
Overview:
Accompa Single Sign-On (SSO) lets your users log in to your Accompa system with their credentials from a different system (such as your company's Active Directory, web site, web application, etc.) instead of a separate Accompa password.
Accompa SSO uses SAML 2.0 and is based on verifying a SAML assertion carried in an HTTP POST request submitted to Accompa. Accompa checks the integrity and origin of the assertion by verifying the XML signature it contains against the "Identity Provider Certificate" you define in your Accompa system, so only assertions signed with your IdP's private signing key are accepted.
This happens in the following way:
- IdP-Initiated Login Process:
- The user logs in to the IdP (see the definition above).
- The user clicks the button or link for Accompa in the IdP system.
- The IdP sends a SAML response containing a signed SAML assertion for that user in an HTTP POST request to the "Accompa SSO Login URL" (the SAML HTTP-POST binding). Accompa never receives the user's IdP password, only the assertion.
- Accompa verifies the assertion's signature against the configured Identity Provider Certificate and validates its contents, including the Issuer and the user's email attribute.
- If validation succeeds, the user is logged in to your Accompa system.
- SP-Initiated Login Process:
- Accompa SAML does not support SP-initiated login at this time. A user who browses directly to Accompa is not redirected to your IdP; the login must start from the IdP or from a link that goes to the IdP (see "Logging in and Logging out" below).
Setup of Accompa SSO:
These are the steps required to fully set up SSO for your Accompa system:
- Log in to your Accompa system using an account that has Administrator privileges.
- Click the "Settings" menu in the top right corner of the page, then click the "Configure SAML SSO" menu item to open the "Configure SAML SSO (Single Sign-On)" page.
- Enter the proper values in the fields on this page, as explained below:
- SAML SSO Status: Activate or deactivate SAML SSO for your company.
- Restrict to SSO Only: Select one of the following options:
- Users must login using SSO
- If this option is selected, non-administrator users cannot log in through the Accompa login page. Administrators still can, which prevents a lockout if the IdP configuration breaks, so protect administrator accounts with strong, unique passwords.
- Users can login using SSO or Accompa login page.
- Issuer: This is often referred to as the Entity ID of the identity provider. The value of the <saml:Issuer> element in assertions sent to Accompa must match this string exactly (same scheme, host, path and trailing slash), so copy it from your IdP's metadata rather than typing it.
- Identity Provider Certificate: The X.509 signing certificate of your identity provider, usually exported from the IdP as a PEM/base64 file. Accompa uses its public key to verify the signature on assertions, so it must be the certificate whose private key the IdP actually signs with. When the IdP rotates its signing key, update this field or logins will fail.
- Request Signature Method: Select the signature algorithm your IdP uses to sign its SAML messages, either RSA-SHA1 or RSA-SHA256. Choose RSA-SHA256 unless your IdP cannot produce it; SHA-1 signatures are deprecated and should not be used for new deployments. The value must agree with the algorithm configured on the IdP side.
- Identity Provider Login URL: The IdP endpoint to which a SAML authentication request would be sent to start a login sequence. Because Accompa does not currently support SP-initiated login (see above), logins are started at the IdP.
- Identity Provider Logout URL: This is an optional field. If it is set, users are redirected to this URL when they click the Logout link in Accompa.
- Custom Error URL: This is also optional; it is the URL of the page users are sent to if an error occurs during SAML login. It must be a publicly accessible page, because the user is not logged in to Accompa when the error occurs.
- Click the "Save" button.
Once the data in the above fields is saved, the following information is displayed on the "Configure SAML SSO (Single Sign-On)" page. You will need these values when configuring Accompa as an application (service provider) in your Identity Provider:
- Accompa SSO Login URL: The endpoint to which your IdP must POST the SAML response containing the assertion. In IdP products this is typically called the ACS URL, Reply URL or Recipient.
- Entity ID: The entity ID of your Accompa system. Configure it as the service provider entity ID (audience) in your IdP so that the assertion's <saml:Audience> names Accompa.
Attributes in SAML Assertion:
The SAML assertion sent to Accompa must contain the following attribute identifying the user. Configure your IdP to release it under exactly this attribute name:

Attribute Name | Definition                                                                          | Mandatory
email          | The user's valid email address. Accompa uses it to find the matching user account. | Yes
Logging in and Logging out:
To a page in your intranet (or your web site, web application, etc.), add a hyperlink pointing to the service in your IdP that initiates SAML authentication for your Accompa system.
Open this intranet page in a web browser and click the hyperlink. Your IdP authenticates the user (if they are not already signed in) and POSTs the SAML response to the Accompa SSO Login URL.
Your Accompa system validates the SAML assertion from your SAML service: the signature is checked against the Identity Provider Certificate and the Issuer against the configured value.
If the SAML assertion is validated successfully, your Accompa system parses and reads the attribute related to the user's identity in the SAML assertion.
The user is authenticated based on the email address:
- If the email address is valid and exists in your Accompa system, the user is logged in to your Accompa system. Otherwise an error message is displayed.
When the user logs out of your Accompa system, their Accompa session is terminated and they are redirected to the page defined in "Identity Provider Logout URL". If you have not defined the "Identity Provider Logout URL", the user is redirected to the Accompa login page. This is a plain redirect rather than SAML Single Logout, so the user's session at the IdP ends only if the page at that URL ends it; on shared computers, users should also sign out of the IdP.
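As an added example that is not part of this article or of Accompa's software, the following Python script performs the service-provider-side checks described above (Issuer match, signature algorithm and certificate match against the configured values, validity window, audience, recipient, and the mandatory email attribute) on a SAMLResponse form value such as you could copy from the browser's network inspector when a login fails. All URLs, the certificate placeholder and the sample responses are constructed; the cryptographic verification of the XML signature itself is deliberately left to an XML-DSig library and is not performed here.

```python
"""Added example, not Accompa's code: SP-side pre-flight checks on a SAML 2.0 Response (HTTP-POST).
XML-DSig crypto is left to a library; this checks the values that must agree with the SSO settings."""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

SP_CONFIG = {  # hypothetical values, as an administrator would copy them from the "Configure SAML SSO" page
    "issuer": "https://idp.example.com/saml",                   # "Issuer"
    "entity_id": "https://acme.accompa.example/saml",            # "Entity ID"
    "login_url": "https://acme.accompa.example/saml/login",      # "Accompa SSO Login URL"
    "signature_method": RSA_SHA256,                              # "Request Signature Method"
    "idp_cert": "MIIBplaceholderIdPSigningCertificateBase64==",  # "Identity Provider Certificate"
}

def norm_cert(pem_or_b64):
    """Strip PEM armour and whitespace so two certificates compare byte-for-byte."""
    return "".join(l.strip() for l in pem_or_b64.splitlines()
                   if l.strip() and not l.strip().startswith("-----"))

def parse_instant(s):
    """SAML dateTime such as '2024-01-01T00:00:00Z' -> timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def check_saml_response(saml_response_b64, config, now=None):
    """Return {"ok", "email", "problems"} for a base64 SAMLResponse form value."""
    now, problems = now or datetime.now(timezone.utc), []
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if root.tag != f"{{{NS['samlp']}}}Response" or assertion is None:
        return {"ok": False, "email": None,
                "problems": ["not a samlp:Response with a plaintext saml:Assertion"]}
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != config["issuer"]:  # exact string match, trailing slash included
        problems.append(f"Issuer {issuer!r} != configured Issuer {config['issuer']!r}")
    sig = assertion.find("ds:Signature", NS)
    if sig is None:  # some IdPs sign the Response instead of the Assertion
        sig = root.find("ds:Signature", NS)
    if sig is None:
        problems.append("no ds:Signature; integrity cannot be verified")
    else:
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        alg = method.get("Algorithm") if method is not None else None
        if alg != config["signature_method"]:
            problems.append(f"SignatureMethod {alg!r} != configured {config['signature_method']!r}")
        if alg == RSA_SHA1:
            problems.append("RSA-SHA1 is deprecated; use RSA-SHA256 on both sides")
        cert = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
        if cert and norm_cert(cert) != norm_cert(config["idp_cert"]):
            problems.append("certificate in response differs from the configured IdP certificate")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < parse_instant(nb):
            problems.append(f"not yet valid (NotBefore={nb}); check clock skew")
        if na and now >= parse_instant(na):
            problems.append(f"expired (NotOnOrAfter={na})")
        aud = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if aud and config["entity_id"] not in aud:
            problems.append(f"Audience {aud} does not name SP Entity ID {config['entity_id']!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is not None and scd.get("Recipient") not in (None, config["login_url"]):
        problems.append(f"Recipient {scd.get('Recipient')!r} != SSO Login URL")
    val = assertion.find("saml:AttributeStatement/saml:Attribute[@Name='email']/saml:AttributeValue", NS)
    email = val.text.strip() if val is not None and val.text else None
    if not email or "@" not in email:
        problems.append("mandatory 'email' attribute missing or not an address")
    return {"ok": not problems, "email": email, "problems": problems}

def build_sample_response(issuer, sig_alg, not_on_or_after, email):
    """Constructed test input (dummy SignatureValue); other values are taken from SP_CONFIG."""
    attrs = (f'<saml:AttributeStatement><saml:Attribute Name="email"><saml:AttributeValue>{email}'
             '</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>' if email else "")
    xml = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{SP_CONFIG['login_url']}">
  <saml:Issuer>{issuer}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"><saml:Issuer>{issuer}</saml:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod Algorithm="{sig_alg}"/></ds:SignedInfo>
      <ds:SignatureValue>ZHVtbXk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SP_CONFIG['idp_cert']}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{SP_CONFIG['login_url']}" NotOnOrAfter="{not_on_or_after}"/>
    </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{SP_CONFIG['entity_id']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>{attrs}
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(xml.encode()).decode()

CHECK_TIME = parse_instant("2024-01-01T00:01:00Z")  # pretend "now", inside the good sample's validity window
GOOD_RESPONSE = build_sample_response(SP_CONFIG["issuer"], RSA_SHA256, "2024-01-01T00:05:00Z", "alice@example.com")
BAD_RESPONSE = build_sample_response("https://idp.example.com/saml/", RSA_SHA1, "2024-01-01T00:00:30Z", None)

if __name__ == "__main__":
    print(check_saml_response(BAD_RESPONSE, SP_CONFIG, CHECK_TIME)["problems"])
```

Running it on the constructed bad response reports the trailing-slash Issuer mismatch, the SHA-1 signature, the expired validity window and the missing email attribute, which are the typical causes of a failed IdP-initiated login against the settings described in this article.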
We hope you're able to successfully implement SSO (SAML) using the steps in this article. Please contact us if you run into any issues, we're here to help!