Enabling SAML single sign-on
Success4 supports Security Assertion Markup Language (SAML), which lets you provide single sign-on (SSO). With SSO, users sign in once using their company sign-in form and gain access to multiple systems and service providers.
You can enable SAML single sign-on for CSMs and admins.
As a Success4 admin, your role is to enable the SAML SSO options.
How SAML SSO for Success4 works
SAML for Success4 works the way SAML does with all other service providers. A common setup is a company where all user authentication is managed by a corporate authentication system such as Active Directory or LDAP (generically referred to as an identity provider, or IdP). Success4 establishes a trust relationship with the IdP and allows it to authenticate users and sign them in to your Success4 instance.
A typical use case is a user who signs in to their corporate system at the beginning of the work day. Once signed in, they have access to other corporate applications and services (such as email) without having to sign in separately to each of them.
If a user attempts to sign in directly to a Success4 instance, they are redirected to your SAML server or service for authentication. Once authenticated, the user is redirected back to your Success4 instance and automatically signed in.
Requirements for enabling SAML SSO
Meet with the team in your company responsible for the SAML authentication system (usually the IT team) to make sure your company meets the following requirements:
- The company has a SAML server with provisioned users, or one connected to an identity repository such as Microsoft Active Directory. Options include an in-house SAML server such as OpenAM, or a SAML service such as Okta, Google, OneLogin, or PingIdentity.
- Success4-bound traffic is sent over HTTPS, not HTTP.
- The remote login URL for your SAML server (sometimes called the SAML Single Sign-on URL).
- The metadata from the SAML server.
- The SHA2 fingerprint of the SAML certificate from your SAML server. X.509 certificates are supported and should be in PEM or DER format. There is no upper limit on the size of the SHA fingerprint.
- (Optional) The SAML IdP server URL. This enables the Manage users button, which redirects to the endpoint configured as the SAML IdP URL.
Note: If the user does not exist in the Success4 app, the user is redirected to an unauthorised screen, even if the user has been added to a group or granted access in the SAML server.
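The fingerprint listed above has to be computed over the DER bytes of the IdP certificate, whether the file you were given is PEM or DER. The following Python is an added example, not part of the Success4 documentation; it assumes SHA-256 as the SHA2 variant, uses only the standard library, and the sample bytes are a constructed placeholder rather than a real certificate.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def certificate_der(cert_bytes: bytes) -> bytes:
    """Return the raw DER encoding of a certificate given as PEM or DER.

    PEM is the base64 form between BEGIN/END markers; DER is the binary
    form and always starts with the ASN.1 SEQUENCE tag 0x30.
    """
    match = PEM_RE.search(cert_bytes)
    if match:
        # Strip newlines/whitespace inside the PEM body before decoding.
        return base64.b64decode(b"".join(match.group(1).split()))
    if cert_bytes[:1] == b"\x30":
        return cert_bytes
    raise ValueError("input is neither PEM nor DER certificate data")


def sha2_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint of the certificate as colon-separated uppercase hex."""
    digest = hashlib.sha256(certificate_der(cert_bytes)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed sample: NOT a real certificate, only bytes shaped like a DER
# SEQUENCE so that the PEM and DER code paths can be exercised offline.
SAMPLE_DER = b"\x30\x05\x02\x03\x01\x00\x01"
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    # Both forms of the same certificate give the same fingerprint.
    print(sha2_fingerprint(SAMPLE_PEM))
    print(sha2_fingerprint(SAMPLE_DER))
```

For a real file, pass `open("idp-cert.pem", "rb").read()` to `sha2_fingerprint` and compare the result with the value your IdP's admin console shows before pasting it into Success4.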
The next step is to enter the information in the Success4 Admin to enable SSO.
Enabling SAML SSO
To enable SAML single sign-on in Success4:
- Go to the admin portal.
- Go to Settings and change the auth method to SAML2.
- Assertion Consumer Service (ACS) URL: specify https://your_subdomain.success4.us/saml2_auth/acs/ (case sensitive).
- Redirect to the SAML Single Sign-on URL: use HTTP POST.
Required user data to identify the user being authenticated
When you implement SAML SSO access to your Success4 instance, you specify certain user data to identify the user being authenticated.
Specifying the user's email address in the SAML subject's NameID
Specify the user's email address in the SAML subject's NameID.
Concept | Where specified | Description | Example value |
---|---|---|---|
Email | <saml:Subject> <saml:NameID> | Email of the user signing in. Uniquely identifies the user in Success4. | xyz@example.com |
Email example:
```xml
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData NotOnOrAfter="2014-04-23T21:42:47.412Z"/>
  </saml:SubjectConfirmation>
</saml:Subject>
```
Specifying three required user attributes in the SAML assertion
Concept | Attribute | Description |
---|---|---|
The user email | | The email address of the user signing in (see the example below for the full attribute name). |
First name | first_name | The given name of this user. You must specify the full namespace for this attribute. |
Last name | last_name | The surname of this user. A user in Success4 is updated in accordance with this user's given name and surname. See the example below. You must specify the full namespace for this attribute. |
Example:
```xml
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
  <saml:AttributeValue xsi:type="xs:anyType">xyz@example.com</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
  <saml:AttributeValue xsi:type="xs:anyType">James</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
  <saml:AttributeValue xsi:type="xs:anyType">Dietrich</saml:AttributeValue>
</saml:Attribute>
```
Configuring the identity provider for Success4
Attribute | Value |
---|---|
entityID | https://your_subdomain.success4.us/saml2_auth/metadata/ |
AudienceRestriction | https://your_subdomain.success4.us/saml2_auth/metadata/ |
where your_subdomain is the Success4 subdomain.
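As an added example (not Success4's own code), the Python below checks that an assertion carries everything the NameID, attribute and entityID sections above require: an email address in NameID, a bearer confirmation whose NotOnOrAfter has not passed, an Audience equal to the Success4 entityID, and the three claims under their full namespace. The sample assertion is constructed with placeholder values, the `now` argument is assumed to be a timezone-aware datetime, and signature and issuer validation are left to the SAML library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Attribute names Success4 expects, with the full namespace the page requires.
REQUIRED = {"email": CLAIMS + "email", "first_name": CLAIMS + "givenname",
            "last_name": CLAIMS + "surname"}
ENTITY_ID = "https://your_subdomain.success4.us/saml2_auth/metadata/"


def check_assertion(xml_text: str, entity_id: str, now: datetime) -> dict:
    """Extract the user data Success4 needs; signature/issuer checks belong to the SAML library."""
    root = ET.fromstring(xml_text)
    errors = []
    out = {"name_id": root.findtext(".//saml:Subject/saml:NameID", default="", namespaces=NS).strip()}
    if "@" not in out["name_id"]:
        errors.append("NameID must be the user's email address")
    # The bearer confirmation's NotOnOrAfter must still lie in the future (now is tz-aware).
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    expiry = conf.get("NotOnOrAfter") if conf is not None else None
    if expiry is None or datetime.fromisoformat(expiry.replace("Z", "+00:00")) <= now:
        errors.append("SubjectConfirmationData missing or expired")
    audiences = [a.text for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        errors.append(f"Audience {audiences} does not include {entity_id}")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", default="", namespaces=NS)
             for a in root.findall(".//saml:Attribute", NS)}
    for key, name in REQUIRED.items():
        out[key] = attrs.get(name, "").strip()
        if not out[key]:
            errors.append(f"missing attribute {name}")
    out["errors"] = errors
    return out


def check_sample(now_iso: str) -> dict:
    return check_assertion(SAMPLE, ENTITY_ID, datetime.fromisoformat(now_iso.replace("Z", "+00:00")))


# Constructed sample (placeholder values, not a real IdP response); surname is left out on purpose.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
 <saml:Subject><saml:NameID>xyz@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2014-04-23T21:42:47.412Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>{ENTITY_ID}</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="{CLAIMS}email"><saml:AttributeValue>xyz@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>James</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion>"""
```

Running `check_sample("2014-04-23T21:00:00Z")` reports only the missing surname claim, which is the kind of gap that leaves a Success4 user record without a last name even though the IdP signed the user in.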
Configuring the SAML server for Success4
Some SAML servers may require the following information when configuring an integration with Success4: