You can configure your digital workplace to allow one third-party identity provider (IdP) that uses the SAML 2.0 standard to manage the authentication process of your workplace. This IdP will manage user credentials and handle authentication requests to your digital workplace.
Sections in this article:
- IdP configuration articles
- Configuration settings
- Using Igloo Authentication when the workplace redirects users to the IdP
- Troubleshooting
IdP configuration articles
Select an IdP article to learn how to set it up with your digital workplace:
If your IdP is not listed, you should still be able to configure it to work with your digital workplace as long as it uses SAML 2.0. While creating the connection in your IdP, refer to the Configuration settings below to know what information is needed. If your IdP asks you to provide your site's SAML endpoint, enter your digital workplace's URL with /saml.digest appended to it (e.g., https://customercare.igloosoftware.com/saml.digest).
Configuration settings
To access the SAML Configuration page of your digital workplace:
- Select Control Panel.
- Under Membership, select Sign In Settings.
- Select Configure SAML Authentication.
Setting | Description |
---|---|
Connection Name | Enter a name for this connection. If you configure Sign in Settings to Use SAML button on Sign in screen, this name will be displayed on the button. |
IdP Login URL | Enter your Identity Provider's Single Sign-On URL. Your digital workplace will send POST requests to this location when users attempt to authenticate. Refer to your IdP for this value. |
IdP Logout URL | Enter your Identity Provider's Single Logout URL. Only enter a value if you want users to also log out of the IdP when they log out of the digital workplace. Refer to your IdP for this value. |
Logout Response and Request HTTP Type | Select how your workplace sends the logout response to your IdP's Logout URL. Options include Redirect, Post, and Basic. Refer to your IdP's documentation for which form this request should take. If the response type is not specified, try each of the available options until one works: start with Redirect, then Post, and finally Basic. You can ignore this setting if you have not configured an IdP Logout URL. |
Logout Final Redirect URL | Enter the URL of the location you want to send users to when they log out. If left blank, users will be redirected to your digital workplace's homepage. |
Binding Type | Select which messaging protocol to use for communications between your digital workplace and IdP. Options include: Refer to your IdP's documentation for the preferred option. |
Public Certificate | Enter the public X.509 certificate that the IdP will send during the authentication process. Refer to your IdP for this value. |
Identity Provider | Select which IdP you are using. Options include: |
Identifier Type | Select the primary key used to identify users when authenticating. Options include: The selected value is what should be passed in the NameID field of the SAML Response. |
Identifier Path | Do not change this value. This field is only available when Other is selected as the Identity Provider. In your IdP, ensure that the desired Identifier Type is being passed to your digital workplace as NameID. Example: /samlp:Response/saml:Assertion/saml:Subject/saml:NameID |
Session Index Path | Do not change this value. This field is only available when Other is selected as the Identity Provider. Example: /samlp:Response/saml:Assertion/saml:AuthnStatement |
Email Path/Attribute | Enter the path that matches how your IdP is passing the Email attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the email attribute being sent by your IdP. Alternatively, you can change the name of the email attribute being passed by your IdP to Email. Example: /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="Email"]/saml:AttributeValue |
First Name Path/Attribute | Enter the path that matches how your IdP is passing the FName attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the first name attribute being sent by your IdP. Alternatively, you can change the name of the first name attribute being passed by your IdP to FName. You can leave this blank if User creation on Sign-in is not enabled. Example: /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="FName"]/saml:AttributeValue |
Last Name Path/Attribute | Enter the path that matches how your IdP is passing the LName attribute to your digital workplace. Your workplace and IdP must use the same name for the attribute. You can change the @Name value in the example below to match the name of the last name attribute being sent by your IdP. Alternatively, you can change the name of the last name attribute being passed by your IdP to LName. You can leave this blank if User creation on Sign-in is not enabled. Example: /samlp:Response/saml:Assertion/saml:AttributeStatement/saml:Attribute[@Name="LName"]/saml:AttributeValue |
Drift Time | Enter how many seconds your digital workplace will wait for a response from the IdP. If a response takes longer than this time, authentication will fail, and the user will not be signed in to your digital workplace. The default value is |
User creation on Sign in | Select how your digital workplace handles users who attempt to sign in when they have valid IdP credentials but are not members of the digital workplace. Options include: When creating new users in your digital workplace this way, they will be created with the following details: If enabled, this option does not provide any additional user syncing functionality (e.g., additional fields, group membership, deprovisioning, etc.). If your digital workplace uses the ILST to manage members, select Do not create new users when they sign in to avoid the creation of duplicate user accounts. |
Sign in Settings | Select how users sign in to your workplace. Options include: For setting up and testing the connection, it can be convenient to temporarily select Use SAML button on "Sign in" screen and then only switch to Redirect all users to IdP once you have confirmed that single sign-in is working correctly. |
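As an added illustration (not part of this article or the product's own code), the following Python reads a constructed SAML Response with the default Identifier Path, Session Index Path and attribute paths from the table above, and shows what a mismatched @Name looks like when the IdP sends the email attribute under a different name than the configured path expects. The sample response, the attribute values and the prefix-stripping helper are assumptions made for this example.

```python
import xml.etree.ElementTree as ET
# Namespace prefixes used by the paths in the Configuration settings table.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute path from the table, with the @Name value left as a parameter.
ATTR_PATH = ('/samlp:Response/saml:Assertion/saml:AttributeStatement/'
             'saml:Attribute[@Name="%s"]/saml:AttributeValue')
# The default paths exactly as listed in the table.
PATHS = {
    "name_id": "/samlp:Response/saml:Assertion/saml:Subject/saml:NameID",
    "session_index": "/samlp:Response/saml:Assertion/saml:AuthnStatement",
    "email": ATTR_PATH % "Email",
    "first_name": ATTR_PATH % "FName",
    "last_name": ATTR_PATH % "LName",
}

# Constructed sample response (not a real IdP capture; the Signature element is omitted).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement SessionIndex="_sess42"/>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
ROOT_PREFIX = "/samlp:Response/"

def to_relative(path):
    """ElementTree evaluates paths relative to an element, so strip the document-root prefix first."""
    if not path.startswith(ROOT_PREFIX):
        raise ValueError("expected a path starting with " + ROOT_PREFIX)
    return path[len(ROOT_PREFIX):]

def extract_identity(response_xml, paths=PATHS):
    """Read NameID, SessionIndex and the email/name attributes using the configured paths.
    A path that matches nothing yields None, which is how an attribute-name mismatch shows up."""
    root = ET.fromstring(response_xml)
    result = {}
    for key, path in paths.items():
        node = root.find(to_relative(path), NS)
        if node is None:
            result[key] = None
        elif key == "session_index":
            result[key] = node.get("SessionIndex")  # SessionIndex is an attribute of AuthnStatement
        else:
            result[key] = (node.text or "").strip()
    return result
```

If the IdP sends the attribute as, say, `mail`, the default Email path returns None; either rename the attribute at the IdP to Email or replace the @Name value in the path, as the table describes.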
Using Igloo Authentication when the workplace redirects users to the IdP
Append /?signin to your digital workplace's URL to navigate to the Igloo Authentication sign in page (e.g., https://customercare.igloosoftware.com/?signin). From here, you can use your Igloo Authentication credentials to sign in to your workplace. If you enter your Igloo Authentication credentials incorrectly, you will be redirected to your IdP's sign in page.
Troubleshooting
Capturing a SAML Trace
When trying to figure out why SAML Authentication may not be working, capturing a trace of the SAML communications between your IdP and digital workplace is necessary. Refer to the article Capturing a SAML trace to learn how to do this with different browsers.
X.509 certificate expired
If all users are suddenly unable to authenticate to your digital workplace, the X.509 certificate that your IdP is using may have changed from what you have entered in your digital workplace. This change often occurs due to an IdP having an expiry date on these certificates. Refer to the article SAML Certificate Check to learn more about comparing the certificate that your IdP is sending to what your digital workplace is expecting.
SAML Configuration page is not saving
An incorrect X.509 Public Certificate is the most common cause of failures to save. Ensure that you have copied the correct information into this field.