SSO
The only supported SSO mechanism is SAML.

We can enable SAML integration for companies by storing their IDP metadata in the database. Check the TeamIdentityProvider model for more details.
Each company has a unique login endpoint used to initiate the SAML flow. The endpoint is /companies/<company_slug>/login and it redirects to the IDP login page.
The IDP then sends the SAML response to /companies/<company_slug>/acs. This endpoint validates the response and creates a session for the user. If no matching user exists in the database yet, it creates a new user and associates it with the company.
Testing SAML
We have a SAML configuration for IxDF, which uses Auth0 as the IDP. You can use it to test the SAML flow.
The configuration can be found in the database. You can also check the Auth0 docs for more details.
1. Log into Auth0, go to User Management > Users and create a new user.
2. Go to /companies/the-interaction-design-foundation/login
3. You should be redirected to the Auth0 login page. Use the credentials you created in step 1.
4. You should be redirected back to the app and logged in.
Testing SLO
You must have the SAML plugin enabled on Auth0 to test SLO. To get the logout URL, check the IDP metadata.
Parameters
To test SAML for IxDF, you need the following record in IDP settings:
| Parameter | Value | Description |
|---|---|---|
| Entity ID | urn:dev-0aqwcafzl6zipqux.us.auth0.com | The unique identifier of the IDP. |
| SSO Service URL | https://dev-0aqwcafzl6zipqux.us.auth0.com/samlp/ord63EbxzOoTAyr1IHg4wBwfLqMowB3Z | The URL to which the SAML request is sent. |
| SLO Service URL | https://dev-0aqwcafzl6zipqux.us.auth0.com/samlp/ord63EbxzOoTAyr1IHg4wBwfLqMowB3Z/logout | The URL to which the SAML logout request is sent. |
| X.509 Certificate | Download | The IDP signing certificate; its public key is what the SAML response signature is verified against. |
| Email Property Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | The name of the SAML attribute that contains the user's email. |
Test again with the credentials for the test user in LastPass. You should see a flash message saying that you are not a member of the company.
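The following is an added example, not code from the app, showing what the /companies/<company_slug>/acs endpoint described under SSO has to check on a posted SAML response once the SAML library has verified the XML signature with the IDP certificate, and how the result maps onto the outcomes above (new user created and attached to the company, existing member logged in, existing non-member shown the "not a member" message). The IDP entity ID and the email attribute name are the values from the Parameters table; the app hostname, the SP entity ID, the AuthnRequest ID, the user table and the sample response are constructed for the example, and the decision rule in resolve_login is this page's description read as a policy, not the app's own code.

```python
"""ACS-side checks on a SAML Response. Added example, not the project's code.
Assumes the XML signature was already verified against the IDP X.509 cert;
everything here is what must still be checked after that."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET  # prefer defusedxml.ElementTree in production

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
IDP_ENTITY_ID = "urn:dev-0aqwcafzl6zipqux.us.auth0.com"
SP_ENTITY_ID = "https://app.example.test/saml/metadata"  # assumed SP entity ID
CLOCK_SKEW = timedelta(seconds=60)


class SamlValidationError(Exception):
    pass


def acs_url_for(company_slug):
    return f"https://app.example.test/companies/{company_slug}/acs"  # assumed host


def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, *, acs_url, request_id, now):
    """Return the asserted email (lower-cased) or raise SamlValidationError."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlValidationError("IDP did not report success")
    # Bind the response to this company's ACS URL and to the AuthnRequest we
    # issued: a response meant for another company's endpoint, or an
    # unsolicited/replayed one, fails here even with a valid signature.
    if root.get("Destination") != acs_url:
        raise SamlValidationError("Destination mismatch")
    if root.get("InResponseTo") != request_id:
        raise SamlValidationError("InResponseTo mismatch")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", default="", namespaces=NS) != IDP_ENTITY_ID:
        raise SamlValidationError("issuer is not the configured IDP")
    cond = a.find("saml:Conditions", NS)
    if cond is None or not cond.get("NotOnOrAfter"):
        raise SamlValidationError("missing Conditions/NotOnOrAfter")
    nb = cond.get("NotBefore")
    if (nb and now + CLOCK_SKEW < _ts(nb)) or now - CLOCK_SKEW >= _ts(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not addressed to this SP")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or scd.get("InResponseTo") != request_id:
        raise SamlValidationError("bearer confirmation does not match this ACS/request")
    if now - CLOCK_SKEW >= _ts(scd.get("NotOnOrAfter")):
        raise SamlValidationError("bearer confirmation expired")
    for attr in a.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == EMAIL_ATTR:
            email = attr.findtext("saml:AttributeValue", default="", namespaces=NS).strip()
            if email:
                return email.lower()
    raise SamlValidationError("no email attribute in assertion")


def resolve_login(email, company_slug, users):
    """Membership policy as described on this page (assumed data model:
    users maps email -> set of company slugs). Unknown email: create and attach.
    Known member: log in. Known non-member: 'not a member' flash, no session."""
    if email not in users:
        users[email] = {company_slug}
        return "created"
    return "login" if company_slug in users[email] else "not_a_member"


def acs_outcome(xml_text, company_slug, users, now, request_id="_req1"):
    """One POSTed response through the ACS endpoint. In the app, request_id
    would come from the session where the AuthnRequest ID was stored."""
    try:
        email = validate_response(xml_text, acs_url=acs_url_for(company_slug),
                                  request_id=request_id, now=now)
    except SamlValidationError as e:
        return f"rejected: {e}"
    return resolve_login(email, company_slug, users)


SLUG = "the-interaction-design-foundation"
NOW = datetime(2024, 5, 1, 10, 1, tzinfo=timezone.utc)
# Constructed, unsigned sample response for the example (IDs and host made up).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z"
    Destination="{acs_url_for(SLUG)}" InResponseTo="_req1">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-05-01T10:05:00Z"
            Recipient="{acs_url_for(SLUG)}" InResponseTo="_req1"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="{EMAIL_ATTR}">
      <saml:AttributeValue>Alice@example.test</saml:AttributeValue>
    </saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling acs_outcome(SAMPLE_RESPONSE, SLUG, users, NOW) with a fresh user table creates and attaches alice; calling it again logs her in; the same response posted to another company's slug is rejected on the Destination check, which is the reason each company has its own ACS URL. Parse with defusedxml rather than the stdlib parser in real code, and keep the signature verification in the SAML library: none of the checks above mean anything on a response whose signature was not verified first.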
Setting up SAML for a new company
There are two steps to set up SAML for a new company:
1. Provide the company with the SSO callback (ACS) URL and the SLO callback URL of the app, `route('saml.loginCallback')` and `route('saml.logoutCallback')`.
2. Ask them for their IDP settings (the parameters listed above, including the X.509 signing certificate) and create a new entry for the company.