Enabling SAML single sign-on

Success4 supports Security Assertion Markup Language (SAML), which lets you provide single sign-on (SSO). With SSO, users sign in once using their company sign-in form and gain access to multiple systems and service providers.

You can enable SAML single sign-on for CSMs and admins.

As a Success4 admin, your role is to enable the SAML SSO options.

How SAML SSO for Success4 works

SAML for Success4 works the way SAML does with any other service provider. A common use case is a company where all user authentication is managed by a corporate authentication system such as Active Directory or LDAP (generically referred to as an identity provider, or IdP). Success4 establishes a trust relationship with the IdP and allows it to authenticate users and sign them in to your Success4 instance.

A common use case is a user who signs in to their corporate system at the beginning of the work day. Once signed in, they have access to other corporate applications and services (such as email) without having to sign in separately to those services.

If a user attempts to sign in directly to a Success4 instance, they are redirected to your SAML server or service for authentication. Once authenticated, the user is redirected back to your Success4 instance and automatically signed in.

Requirements for enabling SAML SSO

Meet with the team in your company responsible for the SAML authentication system (usually the IT team) to make sure your company meets the following requirements:

  • The company has a SAML server with provisioned users, or one that is connected to an identity repository such as Microsoft Active Directory. Options include an in-house SAML server such as OpenAM, or a SAML service such as Okta, Google, OneLogin, or PingIdentity.
  • Success4-bound traffic is sent over HTTPS, not HTTP.
Request the following information from the team:
  • The remote login URL for your SAML server (sometimes called SAML Single Sign-on URL)
  • The metadata from the SAML server.
  • The SHA2 fingerprint of the SAML certificate from your SAML server. X.509 certificates are supported and should be in PEM or DER format. There is no upper limit on the size of the SHA fingerprint.
  • (Optional) The SAML IDP server URL. This enables the Manage users button, which redirects to the endpoint configured in the SAML IDP URL.

Note: If the user does not exist in the Success4 app, the user is redirected to an unauthorised screen, even if they have been added to a group or granted access in the SAML server.
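The certificate fingerprint requested above is the SHA-256 hash of the IdP signing certificate's DER bytes. As an added example (not part of the Success4 documentation), this Python script pulls the signing certificate out of IdP metadata and fingerprints it, so the value your IT team supplies can be checked against the metadata before it is entered in the admin portal. The metadata sample is constructed and its certificate body is a placeholder.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def cert_to_der(cert: bytes) -> bytes:
    """Accept PEM or DER and return DER: the fingerprint is always taken over the DER bytes."""
    if b"-----BEGIN" in cert:
        body = re.sub(rb"-----[A-Z ]+-----", b"", cert)    # strip the BEGIN/END armour lines
        return base64.b64decode(b"".join(body.split()))    # and any line breaks
    return cert

def sha256_fingerprint(cert: bytes) -> str:
    """SHA-256 fingerprint as colon-separated upper-case hex pairs."""
    digest = hashlib.sha256(cert_to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def fingerprint_from_metadata(metadata_xml: str) -> str:
    """Find the IdP signing certificate in SAML metadata and fingerprint it."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":   # no 'use' means signing and encryption
            continue
        node = kd.find(".//ds:X509Certificate", NS)
        if node is not None and node.text:
            # The element carries base64 DER with no PEM armour.
            return sha256_fingerprint(base64.b64decode("".join(node.text.split())))
    raise ValueError("no signing certificate in metadata")

def fingerprints_match(a: str, b: str) -> bool:
    """Compare fingerprints ignoring separators (colons, spaces) and letter case."""
    norm = lambda s: re.sub(r"[^0-9a-fA-F]", "", s).lower()
    return norm(a) == norm(b)

# Constructed sample metadata. The certificate body is a placeholder (base64 of "abc"),
# not a real X.509 certificate; a real one is a much longer base64 DER blob.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>YWJj</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Compare `fingerprint_from_metadata(metadata)` with the fingerprint your IT team sent using `fingerprints_match`; a mismatch usually means the metadata carries a rotated or different certificate.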

The next step is to enter the information in the Success4 Admin to enable SSO.

Enabling SAML SSO

To enable SAML single sign-on in Success4:

  1. Go to the admin portal.
  2. Go to Settings and change the auth method to SAML2.
  3. For SAML, click Configure.
  4. For SAML SSO URL, enter the remote login URL of your SAML server.
  5. Enter the SAML metadata. This is required for Success4 to communicate with your SAML server.
  6. Enter the Certificate fingerprint. This is required.
  7. (Optional) Enter the SAML IDP server URL. This enables the Manage users button, which redirects to the endpoint configured in the SAML IDP URL.
  8. Click Save.

Required user data to identify the user being authenticated

When you implement SAML SSO access to a Success4 instance, you specify certain user data to identify the user being authenticated.

Specifying the user's email address in the SAML subject's NameID

You should specify the user's email address in the SAML subject's name ID.

Table 1. Email required in the SAML subject's name ID

  Concept   Where specified                 Description                                                               Example value
  email     <saml:Subject> <saml:NameID>    Email of the user signing in. Uniquely identifies the user in Success4.   xyz@example.com

Email example:

    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2014-04-23T21:42:47.412Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>

Specifying three required user attributes in the SAML assertion

Table 2. Required user attributes in the SAML assertion

  Concept      Attribute     Description
  Email        email         The user's email address.
  First name   first_name    The given name of this user. You must specify the full namespace for this attribute.
  Last name    last_name     The surname of this user. A user in Success4 is updated in accordance with this user's given name and surname. See the example below. You must specify the full namespace for this attribute.

Example:

    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email">
      <saml:AttributeValue xsi:type="xs:anyType">xyz@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue xsi:type="xs:anyType">James</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue xsi:type="xs:anyType">Dietrich</saml:AttributeValue>
    </saml:Attribute>

Configuring the identity provider for Success4

Table 3. Identity provider attributes

  Attribute             Value
  entityID              https://your_subdomain.success4.us/saml2_auth/metadata/
  AudienceRestriction   https://your_subdomain.success4.us/saml2_auth/metadata/

where your_subdomain is the Success4 subdomain.
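Added example, not from the Success4 documentation: a Python check that an assertion carries what Tables 1 to 3 require (the email in NameID, the three attributes under their full claim namespaces, and an Audience equal to the entityID for your subdomain) and that it has not expired. Signature verification against the IdP certificate is assumed to happen in your SAML library before this runs; the sample assertion is constructed from the page's example values.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
CLAIMS = {CLAIM + "email": "email", CLAIM + "givenname": "first_name", CLAIM + "surname": "last_name"}  # Table 2
AUDIENCE = "https://your_subdomain.success4.us/saml2_auth/metadata/"  # Table 3 value for your subdomain

def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC with a trailing Z, e.g. 2014-04-23T21:42:47.412Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(assertion_xml: str, expected_audience: str, now: datetime) -> dict:
    """Content checks only (signature assumed verified). Returns {"ok", "errors", "user"}."""
    errors, user = [], {}
    root = ET.fromstring(assertion_xml)
    name_id = root.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text or "@" not in name_id.text:
        errors.append("NameID must carry the user's email address")
    else:
        user["name_id"] = name_id.text.strip()
    conf = root.find(".//saml:SubjectConfirmationData", NS)
    if conf is None or "NotOnOrAfter" not in conf.attrib:
        errors.append("missing NotOnOrAfter")
    elif now >= parse_saml_time(conf.get("NotOnOrAfter")):
        errors.append("assertion expired")
    audiences = [a.text.strip() for a in root.iterfind(".//saml:Audience", NS) if a.text]
    if expected_audience not in audiences:
        errors.append("Audience does not match this Success4 instance")
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        key, val = CLAIMS.get(attr.get("Name", "")), attr.find("saml:AttributeValue", NS)
        if key and val is not None and val.text:
            user[key] = val.text.strip()
    errors += [f"missing attribute {k}" for k in CLAIMS.values() if k not in user]
    return {"ok": not errors, "errors": errors, "user": user}

# Constructed sample assertion reusing the page's example values (no signature element).
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">xyz@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2014-04-23T21:42:47.412Z"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIM}email"><saml:AttributeValue>xyz@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM}givenname"><saml:AttributeValue>James</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIM}surname"><saml:AttributeValue>Dietrich</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

An assertion whose Audience names a different subdomain, or whose attributes use short names instead of the full claim URIs, is reported in `errors` rather than mapped to a Success4 user.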

Configuring the SAML server for Success4

Some SAML servers may require the following information when configuring an integration with Success4:

  • Assertion Consumer Service (ACS) URL: specify https://your_subdomain.success4.us/saml2_auth/acs/ (case sensitive).
  • Redirects to the SAML Single Sign-on URL: use HTTP POST.
