How do I set up SSO?
SoftwareOne Services Portal has an SSO Authentication framework that integrates with all SAML-based tools, such as Okta and Ping. This topic describes how you can set up SSO with these tools.
When sharing any secure information with SoftwareOne, please use our single-use link generator.
Setting up SSO with SAML
Process
Setting up SSO with SAML involves the following steps:
- Provide IdP metadata to SoftwareOne - Provide SoftwareOne with basic metadata about your IdP. If your SSO tool requires the Assertion Consumer Service URL and Entity ID, contact SoftwareOne.
- SoftwareOne configures the Services Portal for your connection - SoftwareOne proceeds with a basic setup on the Services Portal IdP and provides you with {connection_name} to use for further configuration.
- You complete your IdP configuration - Finalize the setup on your side.
- Federation becomes active - All logins to the Services Portal for any of the specified IdP domains are federated out to your SAML-based IdP.
Information required by the Services Portal
To set up SSO with SAML, SoftwareOne requires the following information:
- IdP Domains (list of email domains, for example, @user.org, for which authentication should be federated out to your IdP)
- Sign In URL (HTTP-POST or HTTP-Redirect)
- Sign out URL
- X509 Signing Certificate (in the .pem or .cer format)
Technical specification
Capabilities
| Item | Details |
|---|---|
| Supported Protocol Bindings | HTTP-POST & HTTP-Redirect |
| SAML Authentication Requests signed | Yes (by default) |
| Sign Request Algorithm | RSA-SHA256 (default) or RSA-SHA1 |
| Sign Request Algorithm Digest | SHA256 (default) or SHA1 |
| Signing Certificate Strength | 2048 Bit RSA |
| IdP-Initiated SSO | Supported, but strongly discouraged |
Settings
The {connection_name} is a verbatim string that SoftwareOne provides after receiving your initial configuration settings.
| Setting | Value |
|---|---|
| Entity ID | Example: If your |
| Assertion Consumer Service URL | https://{idp_base_url}/login/callback?connection={connection_name} Example: If your |
| Metadata URL | https://login.pyracloud.com/samlp/metadata?connection={connection_name} |
| Single Logout URL | https://login.pyracloud.com/logout |
| Single Login URL | We strongly discourage using IdP-Initiated SSO flows because they are vulnerable to Login CSRF attacks. If possible, let the Client Portal initiate the sign-in (and federate out) when required. |
Attribute mappings
The Services Portal requires the following attributes via specified mappings:
| Attribute | Mapping |
|---|---|
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier (Fallback URL 1: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn; Fallback URL 2: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) |
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname (Fallback URL: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name) |
| | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
Each property above must be satisfied by at least one of its listed claims. If your IdP provides values for the required attributes in different claims/namespaces, provide a list of the claims to be used for all of the attributes above.
Provide the attribute (claim) URLs exactly as listed, without any modification. URLs are sometimes rewritten by security software; for example, Proofpoint's Targeted Attack Protection prepends urldefense.com to links.
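The following is an added example, not SoftwareOne's code, showing how the mapping table above resolves with its fallback claims, why a rewritten claim URL (such as a urldefense.com prefix) fails to match, and how an unsolicited (IdP-initiated) Response can be told apart from one answering a portal-issued request. It assumes the SAML library has already validated the assertion signature; the standard-library XML parser is used only for the walkthrough, and the sample assertion is constructed.

```python
# Added example (not SoftwareOne's code): apply the attribute mappings above,
# including the documented fallback claims, to a SAML assertion, and flag an
# unsolicited (IdP-initiated) Response, the flow the page discourages.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Property -> claim URIs in the order the page lists them: primary, then fallbacks.
MAPPINGS = {
    "nameidentifier": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
    "emailaddress": [CLAIMS + "emailaddress"],
    "givenname": [CLAIMS + "givenname", CLAIMS + "name"],
    "surname": [CLAIMS + "surname"],
}

def attributes(assertion_xml: str) -> dict:
    """Return {claim_uri: value} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        out[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return out

def resolve(attrs: dict) -> tuple:
    """Return (profile, missing): the first listed claim with a value wins per property.
    A claim name rewritten by link-protection software (e.g. a urldefense.com
    prefix) no longer matches any mapping and shows up in `missing`."""
    profile, missing = {}, []
    for prop, uris in MAPPINGS.items():
        value = next((attrs[u] for u in uris if attrs.get(u)), None)
        if value:
            profile[prop] = value
        else:
            missing.append(prop)
    return profile, missing

def is_sp_initiated(response_xml: str) -> bool:
    """True when the Response answers a portal-issued AuthnRequest (InResponseTo is set)."""
    return bool(ET.fromstring(response_xml).get("InResponseTo"))

# Constructed sample: this IdP sends upn and name rather than nameidentifier/givenname.
SAMPLE = f"""<saml:Assertion xmlns:saml="{NS['saml']}"><saml:AttributeStatement>
 <saml:Attribute Name="{CLAIMS}upn"><saml:AttributeValue>jdoe@user.org</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jdoe@user.org</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="{CLAIMS}name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
 <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion>"""
```

With SAMPLE, nameidentifier falls back to the upn claim and givenname to the name claim; an IdP that only sends rewritten claim URLs yields every property as missing.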