Setting Up SAML 2.0 Authentication Integration
Overview
The SAML 2.0 Authentication Integration allows organizations to configure Single Sign-On (SSO) for their platform using an Identity Provider (IdP). Users can create a new authentication integration, configure the required XML metadata, define system-generated settings, and assign teams based on Azure AD Group IDs. Once configured and activated, participants can log in securely through their organization's identity provider. The SAML 2.0 integration is also supported on the Check-in App, allowing check-in staff to authenticate using the same SSO configuration.
Step-by-Step Approach
1. Create a New Authentication Integration
- Navigate to the Integrations section from the main menu.
- Click the option to create a new integration.
- Select Authentication as the integration type.
- In the sub-type options, select SAML 2.0.
- Enter a meaningful name for the integration.
- Click the Create button to initialize the integration.
2. Configure XML Metadata for SAML Service Provider
- On the integration settings page, locate the XML Metadata for SAML Service Provider section.
- Click Select File to upload the XML metadata file from your Identity Provider.
- Click Upload a new document to browse and select the file from your device.
- Once the file is uploaded, the Extracted from XML fields will be automatically populated with the details from the uploaded file including the Unique Identifier for the Identity Provider, SSO Login URL, SSO Logout URL, and SP X.509 Certificate.
- The uploaded file will be used to establish the SAML connection between the platform and the Identity Provider.
3. Configure Extracted from XML Fields
- Once the XML metadata file is uploaded the following fields will be automatically populated in the Extracted from XML section:
- Unique Identifier for the Identity Provider (IdP) — the unique identifier of your IdP.
- SSO Login URL — the URL used for initiating the SSO login process.
- SSO Logout URL — the URL used for logging out of the SSO session.
- SP X.509 Certificate for verifying authentication — the certificate used to verify the authentication response from the IdP.
- If the fields are not automatically populated, or if you prefer to enter the details yourself, you can also manually enter the values directly into each field without uploading an XML file.
4. Review System Generated (Read Only) Fields
- Locate the System Generated (Read Only) section on the settings page.
- Review the following auto-generated fields:
- Domain — displays the platform domain (e.g. 3.0.devk8s.azavista.com).
- Entity ID for the Service Provider — displays the entity ID URL for the service provider (e.g. https://azavista.com).
- These fields are read-only and are automatically generated by the system.
5. Configure Configurable Fields
- Locate the Configurable Fields section on the settings page.
- Fill in or configure the following fields:
- Login Button Display Label — enter the label text to display on the SSO login button.
- Authn Request — enable or disable the authentication request checkbox as required.
- Default Team — select the default team to assign to users who log in via SAML 2.0.
- Behavior for Existing Team Assignments During Login — select the desired behavior from the dropdown. For example set it to Keep to retain existing team assignments during login.
- Password Login — select the desired behavior for password login from the dropdown. For example set it to Prevent to disable password-based login for users using SAML 2.0.
6. Assign Teams
- Locate the Assign Teams section at the bottom of the settings page.
- Click the + Group button to add a new Azure AD Group to Team mapping.
- Fill in the following fields for each group:
- Azure AD Group ID — enter the Azure AD Group ID to map to a team.
- Teams — select the team to assign to the users in the specified Azure AD Group.
- Add as many group mappings as required.
- Review the list of assigned groups at the bottom of the section.
7. Activate the Integration
- Once all the settings are configured, locate the Integration Inactive toggle at the top of the settings page.
- Review all configured fields to ensure they are correct.
- Enable the toggle to activate the SAML 2.0 integration.
- The integration status will change from Inactive to Active.
- Users will now be able to log in using SAML 2.0 SSO authentication.
8. Use SAML 2.0 Authentication on the Check-in App
- The SAML 2.0 authentication integration is also supported on the Check-in App.
- Once the SAML 2.0 integration is configured and activated,you can see it on the Check-in App.
- Open the Check-in App on your device.
- On the login screen, click on the Company Loginand you will be able to see the Login Button label that you have added.
- Once you click on the Login Button you will be redirected to your organization's Identity Provider login page.
- Enter your SSO credentials to authenticate.
- Once authenticated, you will be redirected back to the Check-in App and logged in successfully.