Initiate Single Sign-On
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). This standard allows for one place for users to sign in and authenticate to multiple programs and apps.
In some cases, your company assumes the role of IdP and delegates the SP role to Fuel Cycle. You then need a system that acts as the IdP for single sign-on (SSO) for your users (for example, Okta). Users log in to that platform once; that login authenticates them, after which they click a button to access Fuel Cycle without logging in again.
When Fuel Cycle assumes the role of IdP, the SP role is delegated to another system. In these cases, Fuel Cycle users log in to Fuel Cycle to authenticate and then click a button to access another platform, such as Alchemer or Qualtrics.
The Fuel Cycle platform supports SAML 2.0 SSO, and clients are welcome to enable this feature for their users. In either of the above cases, contact your Fuel Cycle representative to set up your Fuel Cycle application for SAML SSO.
These instructions assume that your company's IT personnel handle the metadata exchange.
Preliminary requirements
Fuel Cycle can set up SSO for moderator logins or for member logins (for example, if the community is an employee community). Please specify which you need with your Fuel Cycle representative.
To set up SAML 2.0 SSO integration for a client community, we need to ensure that the following assumptions are met:
- Your company assumes the role of Identity Provider (IDP) and delegates the role of Service Provider (SP) to Fuel Cycle.
- Your company has a SAML 2.0 SSO login system set up for the role of IDP.
How to Set Up
- Your company provides Fuel Cycle with the IDP metadata and signing certificate (if applicable).
- Fuel Cycle provisions new SP metadata to the client. We will need an email address for every member in order to identify them.
- Your company adds our provided SP metadata to its SAML 2.0 SSO system.
- Fuel Cycle adds clients’ IDP metadata and signing certificate to their community backend.
Once this is completed, we ask that you test through your SSO app and verify that it works in your system as expected, since you are the identity provider responsible for generating the authentication. The person testing must have a valid Moderator account for your community.
Identifying Members
Every SSO login verified in the community using SAML 2.0 must include the member's email address associated with their community registration.
See the bottom of this article for details and an example of including the email address attribute in the SAML response.
Sending Email Addresses in the SAML Response
The SAML Response must include the member's email address. The email may be carried in a saml:Attribute whose Name is Email, EmailAddress, email, or mail, or in the NameID. In either case, the value must match the email address of the Fuel Cycle (SP) account exactly. For example:
<saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">pgunasekaran@fuelcycle.com</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml2:SubjectConfirmationData NotOnOrAfter="2022-09-13T23:03:05.312Z" Recipient="https://fc-prd.fuelcyclestage.com/saml/SSO/alias/xxx"/>
  </saml2:SubjectConfirmation>
</saml2:Subject>
Fuel Cycle can also create users automatically if the SAML response includes first name and last name attributes:
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="first name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">padmapriya</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="last name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">gunasekaran</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">pgunasekaran@fuelcycle.com</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
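As an added illustration (not Fuel Cycle's code), the following Python applies the rules above to an assertion whose XML signature the SAML library has already verified: it takes the email from an emailAddress-format NameID or from an Attribute named Email, EmailAddress, email or mail, reads the first name and last name attributes, and rejects a bearer confirmation whose Recipient is not our SP endpoint or whose NotOnOrAfter has passed. The sample assertion, the SP endpoint URL and the placeholder member values are constructed for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_ATTR_NAMES = ("Email", "EmailAddress", "email", "mail")  # accepted names, checked in this order

# Constructed sample assertion shaped like the page's snippets (placeholder values, not a real login).
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml2:Subject>
  <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">member@example.com</saml2:NameID>
  <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml2:SubjectConfirmationData NotOnOrAfter="2022-09-13T23:03:05.312Z"
                                  Recipient="https://sp.example.com/saml/SSO/alias/xxx"/>
  </saml2:SubjectConfirmation>
 </saml2:Subject>
 <saml2:AttributeStatement>
  <saml2:Attribute Name="first name"><saml2:AttributeValue>Pat</saml2:AttributeValue></saml2:Attribute>
  <saml2:Attribute Name="last name"><saml2:AttributeValue>Member</saml2:AttributeValue></saml2:Attribute>
 </saml2:AttributeStatement>
</saml2:Assertion>"""

def _utc(iso_ts):  # parse a SAML timestamp such as 2022-09-13T23:03:05.312Z
    return datetime.fromisoformat(iso_ts.replace("Z", "+00:00"))

def extract_member(assertion_xml, expected_recipient, now_iso):
    """Apply the page's identity rules to an assertion whose XML signature the SAML
    library has ALREADY verified; raises ValueError if the assertion is not acceptable."""
    root = ET.fromstring(assertion_xml)
    # Bearer confirmation: Recipient must be our SP endpoint and the validity window still open.
    scd = root.find(".//saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_recipient:
        raise ValueError("SubjectConfirmationData Recipient mismatch")
    if _utc(now_iso) >= _utc(scd.get("NotOnOrAfter")):
        raise ValueError("assertion expired (NotOnOrAfter)")
    # Attribute Name -> first AttributeValue text (missing values become "").
    attrs = {a.get("Name"): (a.findtext("saml2:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml2:Attribute", NS)}
    # Email may come from an emailAddress-format NameID or from one of the accepted attribute names.
    email = None
    name_id = root.find(".//saml2:Subject/saml2:NameID", NS)
    if name_id is not None and name_id.get("Format") == EMAIL_NAMEID_FORMAT:
        email = (name_id.text or "").strip()
    if not email:
        email = next((attrs[n] for n in EMAIL_ATTR_NAMES if attrs.get(n)), None)
    if not email or "@" not in email:
        raise ValueError("no email address in NameID or Attribute")
    # Returned verbatim: the page requires an exact match with the SP account's email address.
    return {"email": email, "first_name": attrs.get("first name"), "last_name": attrs.get("last name")}
```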