Many clients want to connect to SAFE via a preferred SAML 2.0 identity provider (IdP). SAFE fully supports any SAML 2.0 provider.
Local SAFE accounts are still required for all users. You will still create users in Settings > User Admin and apply all necessary permissions to those users. SAML connectivity only replaces the login step, which is handed off to your SAML system.
Before applying the SAML settings on this page, make sure the email address on your SAFE account is the same one registered in your SAML system. If the email addresses do not match you will NOT be able to log in after applying the SAML settings.
Identity Provider configuration
There are many SAML IdP providers; in this example we show the setup for Okta. The steps should be very similar for most providers.
- Go to the Okta (or your chosen provider) admin portal for your organization and sign in
- Click on “Admin” at the right top corner
- Go to Applications -> Applications -> Add Application -> Create New App
- Configure SAML settings:
  Single sign on URL = https://securelb.trackerproducts.com/saml2/login
  Audience URI (SP Entity ID) = https://securelb.trackerproducts.com
- Go to the next step
- On the “Sign On” tab, download the “Identity Provider metadata” file (you will need it for the Service Provider configuration that follows)
- Go to https://secure.trackerproducts.com and login with your Org Admin login
- Open Settings -> Organization -> Org Settings
- Scroll down to SAML Settings
- Set Enabled to “On”
- Open the SAML metadata file (downloaded in the previous step) in any text editor
- Find the entityID attribute and copy-paste its value into IdP Name
- Copy-paste full content of the metadata file into IdP Metadata
- Save changes
Now try connecting to SAFE through your SAML provider's site.
- Q. SP-initiated or IdP-initiated? A. We support both workflows
- Q. Is there any relay state value that will be passed along with AuthnRequest? A. No
- Q. What is the base URL/entityID/issuer? A. https://securelb.trackerproducts.com
- Q. What URL on the SP side will consume the SAML Assertion sent by IDP? A. https://securelb.trackerproducts.com/saml2/login
- Q. What value is required in the NameId for the SAML assertion? A. User email
- Q. What is the required format for NameID? A. Standard email format
- Q. Other user attributes required? If so, please forward those attribute names. A. No
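Two pre-flight checks for the steps above, as an added example that is not part of the original page or of SAFE itself: the first pulls the entityID out of the downloaded IdP metadata (the value pasted into IdP Name), the second compares a test assertion from your IdP against the SP values the FAQ lists (audience, consumer URL, email-format NameID matching the SAFE account). Both XML samples are constructed stand-ins with placeholder Okta identifiers; no signature validation is attempted here.

```python
import xml.etree.ElementTree as ET

# Service-provider values SAFE documents on this page.
SP_ENTITY_ID = "https://securelb.trackerproducts.com"
SP_ACS_URL = "https://securelb.trackerproducts.com/saml2/login"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed stand-in for the IdP metadata file downloaded from Okta (real files are longer).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exkEXAMPLEID">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example.okta.com/app/exkEXAMPLEID/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion fragment as an IdP might issue it (signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
        Recipient="https://securelb.trackerproducts.com/saml2/login"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://securelb.trackerproducts.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def idp_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute that goes into SAFE's 'IdP Name' field."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("not a SAML 2.0 EntityDescriptor; wrong file?")
    return root.attrib["entityID"]

def check_assertion(assertion_xml: str, safe_account_email: str) -> dict:
    """Compare what the IdP asserts with what SAFE requires (email compared case-insensitively)."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    conf = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    email = (name_id.text or "").strip() if name_id is not None else ""
    return {
        "nameid_is_email_format": name_id is not None and name_id.get("Format") == EMAIL_FORMAT,
        "nameid_matches_safe_user": email.lower() == safe_account_email.strip().lower(),
        "audience_is_sp_entity_id": SP_ENTITY_ID in audiences,
        "recipient_is_acs_url": conf is not None and conf.get("Recipient") == SP_ACS_URL,
    }
```

A False in `nameid_matches_safe_user` is exactly the email mismatch that locks you out after enabling SAML, so run this against a real test assertion before turning the setting on.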