Adding a New SAML Authenticator & Enabling Single Sign On

Modified on Mon, 29 Jun at 1:38 PM

To add a new SAML authenticator for Single Sign On with your Identity Provider, go to the Authenticator page and click Add New.

Configuration Options

Name *

A unique identifier for this connection. Because of legacy requirements, this must be the same value as the Host field.

Description

Descriptive text about this Authenticator.

Login Page Text

If Remote Initiated is disabled, SSO users will be able to authenticate via the platform's login page. This field customises the text displayed next to the SSO login link.

Disabled

When checked, this Authenticator is not in use. When you enable an SSO Authenticator for the first time (that is, leave this box unchecked and save), go immediately to the Users area and confirm that every user has the correct authentication method assigned to their account: by default, all users are switched to SSO authentication, so any accounts that must keep password login need to be changed back by hand.

Remote Initiated

Select this checkbox if SSO is to be initiated only from a specified location (for example, a link on an intranet page). When enabled, the SSO login option is not displayed on the platform's login page.

Remote URL *

The URL of the IdP that the user will be redirected to when using SP initiation, or when Remote Initiated is checked. It will be prepended to any links when sending an email to a user who is using SAML authentication. The exact value will vary depending on the client's IdP setup.

Group Value(s) Mapping

If Group Name values are provided in the assertion and exactly match Group Names that exist in IntelligenceBank, those Groups are assigned to the user automatically; values that do not match an existing Group are ignored. Supported assertion parameters are "group" or "member-of".

Only Map Group Value(s) on User Creation

If Group Value(s) Mapping is enabled, you can choose for the feature to only apply when a user is initially automatically created as part of the assertion. This requires the Auto User Creation on SSO setting to be enabled under Admin > Settings.

Group Value(s) Mapping Type

This option defines the behaviour of the mapping. On Creation:

  • On initial user creation, if there is a Template user in the system, the Groups from the assertion are either MERGED with the Template user's Groups or REPLACE the Template user's Groups.
  • If there is no Template user enabled in the system, the matched Groups are assigned to the user whether Merge or Replace is selected. If no values are matched, the user will not be created.

On Updates / Subsequent Assertions:

  • REPLACE — Group values in the assertion replace any existing group values against the user account at the time of assertion. This does not apply if there are no Groups listed in the assertion, or if zero Group name values from the assertion can be matched — in this case the current Group values are kept.
  • MERGE — Group values are appended to / merged with any existing groups available for the user at the time of the assertion.
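The creation and update rules above interact in ways that are easy to get wrong when planning a rollout (for example, REPLACE leaving groups untouched when an assertion carries no recognised values). The following added example, which is not IntelligenceBank code, restates the documented MERGE / REPLACE behaviour as plain functions so each combination of settings can be tried against constructed inputs; the group names and template groups used are assumptions, not values from the platform.

```python
"""Model of the Group Value(s) Mapping rules described above.

Added example, not IntelligenceBank code: it restates the documented MERGE /
REPLACE behaviour as functions so each settings combination can be tried
before rollout. Group names, template groups and assertion contents are
constructed inputs.
"""
from dataclasses import dataclass

MAPPING_TYPES = ("MERGE", "REPLACE")

# Constructed: Group Names that exist in the platform. Matching is exact.
AVAILABLE_GROUPS = ["Marketing", "Design", "Finance"]


@dataclass
class CreationResult:
    created: bool   # False when the platform would refuse to create the account
    groups: list    # Groups assigned to the new account


def match_groups(asserted, available):
    """Keep only assertion values that exactly match an existing Group Name."""
    known = set(available)
    return [g for g in asserted if g in known]


def _union(first, second):
    """Order-preserving union without duplicates."""
    merged = []
    for g in list(first) + list(second):
        if g not in merged:
            merged.append(g)
    return merged


def _check_type(mapping_type):
    if mapping_type not in MAPPING_TYPES:
        raise ValueError(f"mapping type must be one of {MAPPING_TYPES}")


def map_on_creation(asserted, available, mapping_type, template_groups=None):
    """Auto User Creation on SSO: decide whether the user is created and with which Groups."""
    _check_type(mapping_type)
    matched = match_groups(asserted, available)
    if template_groups is None:
        # No Template user: the assertion must carry at least one matching Group,
        # otherwise the account is not created, whichever mapping type is set.
        if not matched:
            return CreationResult(created=False, groups=[])
        return CreationResult(created=True, groups=matched)
    if mapping_type == "REPLACE":
        # Assertion Groups replace the Template user's Groups. (The article does not
        # say what happens when nothing matches; this follows the rule literally.)
        return CreationResult(created=True, groups=matched)
    # MERGE: Template user's Groups plus the matched assertion Groups.
    return CreationResult(created=True, groups=_union(template_groups, matched))


def map_on_update(asserted, available, mapping_type, existing):
    """Subsequent assertion for an existing user: return the resulting Group list."""
    _check_type(mapping_type)
    matched = match_groups(asserted, available)
    if mapping_type == "REPLACE":
        # REPLACE acts only when at least one assertion value matched; with no Groups
        # in the assertion, or zero matches, the current Groups are kept unchanged.
        return matched if matched else list(existing)
    return _union(existing, matched)


if __name__ == "__main__":
    # A user in Finance receives an assertion naming Marketing and an unknown group Sales.
    print(map_on_update(["Marketing", "Sales"], AVAILABLE_GROUPS, "REPLACE", ["Finance"]))
    print(map_on_update(["Marketing", "Sales"], AVAILABLE_GROUPS, "MERGE", ["Finance"]))
```

Note the asymmetry the model makes visible: with REPLACE, an IdP that stops sending group claims (or sends only unrecognised ones) does not strip a user's existing Groups, so removing access still has to be done by sending a recognised replacement set or by editing the user directly.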

Host *

The URL of the IdP that will be sending the SAML assertion. Because of legacy requirements, this value must also be used as the Name field.

ServiceProvider *

A text identifier for IntelligenceBank. Usually "IB" or "IntelligenceBank", but there is no definitive value. The important thing is that it matches on both the Authenticator and the client's IdP configuration (where it may be called the Audience or SP).

Authproc

If the IdP requires an authentication request (AuthnRequest), set this to 'true'. The authentication request is then appended to the Remote URL when SSO is started from the login page.

Base64Attributes

Turn Base64Attributes on if this is set at the IdP end. This is usually not required.

CertData

The value of the client's IdP certificate, used to ensure the received information is from the correct source.

Important: Do NOT include the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. Paste only the base64-encoded certificate body that sits between them, with no line breaks.

CertFingerprint

Optional field which the IdP may require.
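Stripping the PEM markers by hand is where most CertData mistakes happen (a marker left in, a trailing newline, a truncated paste), and the fingerprint is usually copied from the IdP console rather than computed. The following added example, which is not IntelligenceBank code, covers both fields: it reduces a PEM certificate to the single base64 line CertData expects, lints a value before it is pasted, and computes a colon-separated fingerprint from the same bytes for comparison with a CertFingerprint value. SAMPLE_DER is constructed filler, not a real certificate; in practice read the PEM file exported from the IdP.

```python
"""Prepare the CertData and CertFingerprint values from an IdP signing certificate.

Added example, not IntelligenceBank code. SAMPLE_DER below is constructed filler
(it is not a real X.509 certificate) so the script runs offline; in practice,
read the PEM file exported from the IdP.
"""
import base64
import hashlib
import re

_PEM_MARKER = re.compile(r"-----(?:BEGIN|END) CERTIFICATE-----")

# Constructed sample: arbitrary bytes wrapped the way a PEM file is laid out
# (64-character base64 lines between BEGIN and END markers).
SAMPLE_DER = b"constructed sample bytes, not a real DER-encoded certificate"
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
              + "\n-----END CERTIFICATE-----\n")


def to_certdata(pem_text):
    """Reduce a PEM certificate to the single base64 line the CertData field expects:
    BEGIN/END markers and all whitespace removed. The base64 is validated so a
    truncated or corrupted paste fails here rather than at the first SSO login."""
    body = "".join(_PEM_MARKER.sub("", pem_text).split())
    base64.b64decode(body, validate=True)
    return body


def decode_certdata(certdata):
    """DER bytes of a CertData value (what a signature check actually consumes)."""
    return base64.b64decode(certdata, validate=True)


def certdata_problems(value):
    """Lint a value destined for the CertData field; an empty list means acceptable."""
    problems = []
    if _PEM_MARKER.search(value):
        problems.append("contains a BEGIN/END CERTIFICATE marker")
    if any(c.isspace() for c in value):
        problems.append("contains whitespace or line breaks")
    try:
        base64.b64decode("".join(_PEM_MARKER.sub("", value).split()), validate=True)
    except ValueError:   # binascii.Error is a ValueError subclass
        problems.append("not valid base64")
    return problems


def fingerprint(certdata, algorithm="sha256"):
    """Colon-separated upper-case hex digest of the DER bytes, the form IdP consoles
    usually display, for comparison with a CertFingerprint value."""
    hexdigest = hashlib.new(algorithm, decode_certdata(certdata)).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


if __name__ == "__main__":
    data = to_certdata(SAMPLE_PEM)
    print(data)
    print("SHA-1  ", fingerprint(data, "sha1"))
    print("SHA-256", fingerprint(data))
```

Compare the computed fingerprint with the one shown in the IdP's console before saving: if they differ, the wrong certificate (an old one after a key rotation, or the TLS certificate instead of the SAML signing certificate) has been exported, and assertions signed by the current key would be rejected.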

OrganizationName

This should be set to your organisation's name.

OrganizationDisplayName

This should be set to your organisation's name.

SignAuthnrequest

Whether to sign authentication requests sent from this Service Provider / IntelligenceBank. If set, the AuthnRequestsSigned attribute of the SPSSODescriptor element in SAML 2.0 metadata will contain its value. Note that this option also exists in the IdP-remote metadata, and any value there overrides the one configured in the Service Provider configuration.

SingleLogoutService

Set this field to where the SSO user should be sent to on logout.

Service Provider Metadata

The Service Provider Metadata facilitates the setup process by indicating:

  • The entityID: the identifier this platform uses for itself (for almost all setups this is simply "IB", the value of the Service Provider field in the Authenticator). It must match the value set in the Identity Provider, where it may be called the Audience or SP.
  • The name ID format: the format of the subject identifier the assertion must carry. At a minimum this must be an email address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress); additional attributes can still be passed, but the metadata advertises only this minimum requirement.
  • The assertion consumer endpoint (Location): the IntelligenceBank platform URL with /auth appended. This must also match the value set in the Identity Provider.

The SP metadata is typically an XML file that can be uploaded directly into the IdP to facilitate configuration. Below is an example; only two values change from client to client: the entityID (if the Service Provider field is not "IB") and the AssertionConsumerService Location (your platform URL followed by /auth). The file can be created manually with a text editor and saved with a .xml extension.

<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  validUntil="2028-12-10T05:56:21Z"
  cacheDuration="PT1539221381S"
  entityID="IB">
  <md:SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="false"
    protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
      Location="https://yourplatformURL.intelligencebank.com/auth"
      index="1" />
  </md:SPSSODescriptor>
</md:EntityDescriptor>
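Because the entityID and the Location must match on both the Authenticator and the IdP, a small script that generates the file from the two client-specific values and then cross-checks any metadata file against them catches the usual mismatches (trailing slash, wrong tenant URL, "IntelligenceBank" on one side and "IB" on the other) before the first login attempt. The following is an added example, not IntelligenceBank code or tooling; the platform URL https://acme.intelligencebank.com is a constructed placeholder, and the XML structure mirrors the example above.

```python
"""Build and cross-check the Service Provider metadata described above.

Added example, not IntelligenceBank code. The platform URL used below
(https://acme.intelligencebank.com) is a constructed placeholder; the entityID
defaults to "IB", which the article says is the usual Service Provider value.
"""
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
ET.register_namespace("md", MD)


def _md(name):
    """Qualified tag name in the SAML metadata namespace."""
    return f"{{{MD}}}{name}"


def acs_location(platform_url):
    """The assertion consumer endpoint: the platform URL with /auth appended."""
    return platform_url.rstrip("/") + "/auth"


def build_sp_metadata(platform_url, entity_id="IB", valid_until="2028-12-10T05:56:21Z"):
    """Generate SP metadata with the same structure as the example in the article."""
    root = ET.Element(_md("EntityDescriptor"), {
        "validUntil": valid_until, "cacheDuration": "PT1539221381S", "entityID": entity_id})
    sp = ET.SubElement(root, _md("SPSSODescriptor"), {
        "AuthnRequestsSigned": "false", "WantAssertionsSigned": "false",
        "protocolSupportEnumeration": PROTOCOL})
    ET.SubElement(sp, _md("NameIDFormat")).text = EMAIL_FORMAT
    ET.SubElement(sp, _md("AssertionConsumerService"), {
        "Binding": HTTP_POST, "Location": acs_location(platform_url), "index": "1"})
    return '<?xml version="1.0"?>\n' + ET.tostring(root, encoding="unicode")


def check_sp_metadata(xml_text, platform_url, entity_id="IB"):
    """Return the mismatches between a metadata file and the values the Authenticator
    and the IdP must agree on; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("entityID") != entity_id:
        problems.append(f"entityID {root.get('entityID')!r} != ServiceProvider {entity_id!r}")
    sp = root.find(_md("SPSSODescriptor"))
    if sp is None:
        return problems + ["no SPSSODescriptor element"]
    if EMAIL_FORMAT not in [e.text for e in sp.findall(_md("NameIDFormat"))]:
        problems.append("NameIDFormat does not include emailAddress")
    expected = acs_location(platform_url)
    acs = sp.findall(_md("AssertionConsumerService"))
    if not any(a.get("Binding") == HTTP_POST and a.get("Location") == expected for a in acs):
        problems.append(f"no HTTP-POST AssertionConsumerService with Location {expected}")
    for a in acs:
        # Assertions carry identity; never let the IdP post them to a plain-http endpoint.
        if not (a.get("Location") or "").startswith("https://"):
            problems.append(f"AssertionConsumerService Location is not https: {a.get('Location')!r}")
    return problems


if __name__ == "__main__":
    url = "https://acme.intelligencebank.com"   # constructed placeholder
    xml_text = build_sp_metadata(url)
    print(xml_text)
    print("problems:", check_sp_metadata(xml_text, url))
```

Run the check against the metadata actually uploaded to the IdP, not just the file you generated, since IdP consoles sometimes rewrite or truncate the Location on import. The metadata only declares what the SP expects; the CertData value on the Authenticator is what the platform uses to confirm an assertion came from the right IdP, so both need to be kept in step when the IdP changes.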

Supported Assertion Parameters

The following IntelligenceBank User Account fields can be mapped automatically by providing the corresponding parameters in the assertion.

IntelligenceBank Field   Supported Parameter in Assertion
First Name               'name', 'firstname'
Last Name                'surname', 'lastname'
Groups                   'member-of', 'groups'
External ID              'External-ID', 'userid', 'employeeid'
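To see how these parameters are read out of a real assertion, the following added example (not IntelligenceBank code) parses a constructed SAML Response, takes the email address from the NameID, and maps the attribute names in the table above, case-insensitively, onto user fields; it also shows where the Base64Attributes setting would apply. The Response XML, names and identifiers are all constructed sample data, and the parser only runs after the assertion's signature has been verified against CertData, which this example does not do.

```python
"""Extract IntelligenceBank user fields from a SAML assertion.

Added example, not IntelligenceBank code. SAMPLE_RESPONSE is constructed sample
data (an unsigned Response with the attribute names from the table above).
Run this only on an assertion whose signature has already been verified against
CertData; attribute values in an unverified assertion are attacker-controlled.
"""
import base64
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Aliases from the Supported Assertion Parameters table, keyed by platform field.
ALIASES = {
    "first_name": ("name", "firstname"),
    "last_name": ("surname", "lastname"),
    "groups": ("member-of", "groups"),
    "external_id": ("external-id", "userid", "employeeid"),
}
_FIELD_FOR = {alias: field for field, names in ALIASES.items() for alias in names}

# Constructed sample: unsigned Response carrying one assertion with mixed aliases
# and one attribute (department) the platform does not map.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="member-of">
        <saml:AttributeValue>Marketing</saml:AttributeValue>
        <saml:AttributeValue>Design</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="employeeid"><saml:AttributeValue>E12345</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="department"><saml:AttributeValue>Brand</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_user(response_xml, base64_attributes=False):
    """Map a (verified) assertion onto user fields: email from NameID, the rest from
    the AttributeStatement via the alias table. Unknown attributes are ignored."""
    root = ET.fromstring(response_xml)
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(f".//{{{SAML}}}Assertion")
    if assertion is None:
        raise ValueError("no saml:Assertion element")
    name_id = assertion.find(f"./{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID; an email address is the minimum requirement")
    user = {"email": name_id.text.strip(), "groups": []}
    for attr in assertion.iter(f"{{{SAML}}}Attribute"):
        field = _FIELD_FOR.get((attr.get("Name") or "").lower())
        if field is None:
            continue
        values = [v.text or "" for v in attr.findall(f"{{{SAML}}}AttributeValue")]
        if base64_attributes:
            # Base64Attributes: the IdP base64-encodes every attribute value.
            values = [base64.b64decode(v).decode("utf-8") for v in values]
        if field == "groups":
            user["groups"].extend(v for v in values if v)   # multi-valued
        elif values:
            user[field] = values[0]                          # first value wins
    return user


if __name__ == "__main__":
    print(extract_user(SAMPLE_RESPONSE))
```

The group values this returns are what the Group Value(s) Mapping setting then matches, exactly, against the platform's Group Names; an IdP that sends distinguished names or object IDs instead of plain names will match nothing, which under REPLACE leaves existing Groups untouched and under Auto User Creation without a Template user blocks account creation.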

If you have any questions or need assistance with setting up SSO in your IntelligenceBank platform, please contact your Customer Success Manager or submit a request via the Helpdesk.
