Setup Single Sign-On for SAML Apps

Setup Single Sign-On for SAML Apps


miniOrange supports Single Sign-on into your apps, to securely login for admins and users. miniOrange supports several different protocols for your applications, such as SAML, WS-FED, OAuth, OIDC, JWT, RADIUS, etc. Using Single Sign-on, users can use one set of credentials to login to multiple applications. This improves security, as it reduces avenues for phishing attacks, and also improves access to your application.

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider (SP) can contact a separate online identity provider to authenticate users who are trying to access secure content. miniOrange provides a solution to perform single sign-on (SSO) for applications supporting SAML protocol, like AWS, WordPress,  Atlassian, Dropbox Enterprise, moodle, SAP, Zoho, zendesk, etc. The steps to configure SSO settings for SAML applications on miniOrange are as follows.

miniorange img Configure Single Sign-On (SSO) Settings for SAML Apps:

  • Login as a customer from the Admin Console.
  • Go to Apps >> Add Application 
  • Browser 1 SAML Configure Apps Single Sign On for SAML Apps
  • Click on SAML/WS-FED tab. Select the Custom SAML App.
  • SAML tab Single Sign On for SAML Apps SAML tab Single Sign On for SAML Apps2
  • If you can't find your application in the below list, you can submit your app request to add the application as a pre-integrated app.
  • Once you select the Custom App option, you will find a window similar to :
  • SAML custome app Single Sign On for SAML Apps
  • Either you can Copy-Paste all the attributes of the Service Provider (SP), or you can directly upload an XML file containing relative information.
  • To upload the file, follow these steps: Click on Import SP Metadata button.
  • SAML upload XML file Single Sign On for SAML Apps
  • You will get a popup with following options.
  • SAML configuration Single Sign On for SAML Apps
URLYou get the URL for Metadata information from the Service Provider, you can directly add this URL in the input field provided
TextWhen you select Text option, you will have to fill all the attributes manually
FileWhen you select File option, you can directly upload the XML file containing all the information.
  • Here is a description of what each field under the Basic Settings section means.
    • SP Entity ID is used to identify your app against the SAML request received from SP. Make sure the SP Entity ID or Issuer is in this format: httpss://www.domain-name.com/a/[domain_name]/acs.
    • ACS URL or Assertion Consumer Service URL defines where the SAML Assertion should be sent after authentication. Make sure the ACS URL is in the format: httpss://www.domain-name.com/a/[domain_name]/acs.
    • Audience URI, as the name suggests, specifies the valid audience for SAML Assertion. It is usually the same as SP Entity ID. If Audience URI is not specified separately by SP, leave it blank.
    • Single Logout URL defines where the user should be redirected after receiving the logout request from SP. You can mention your applications logout page URL here. Make sure the Single Logout URL is in the format: httpss://mail.domain-name.com/a/out/tld/?logout.
  • Here is a description of what each field under the Attribute Mapping section means
    • NameID defines what SP is expecting in the subject element of SAML Assertion. Generally, NameID is Username of Email Address
    • NameID Format defines the format of subject element content, i.e. NameID. For example, Email Address NameID Format defines that the NameID is in the form of an email address, specifically “addr-spec”. An addr-spec has the form local-part@domain, has no phrase (such as a common name) before it, has no comment (text surrounded in parentheses) after it, and is not surrounded by “<” and “>”. If NameID Format is not externally specified by SP, leave it unspecified.
    • You can Add Attributes to be sent in SAML Assertion to SP. The attributes include user’s profile attributes such as first name, last name, fullname, username, email, custom profile attributes, and user groups, etc.
  • The Login Policy section on the same window is for adding policy for your app.
  • SAML policy Single Sign On for SAML Apps
    • Select a Group Name from the dropdown – the group which should have access to the SAML SSO using this app.
    • Give a policy name for Custom App in Policy Name.
    • Select the Login Method Type for authentication like Password, Mobile, etc.
    • Enable 2 Factor/Adaptive for authentication if required.
    • Click on Save button to add policy for Apps (Single Sign-On).
     

miniorange img Configure Service Provider (SP)

  • From the list of Apps configured, you can locate the app you created, you can see the Select >> Metadata option present in front of that specific app.
  • SAML metadata Single Sign On for SAML Apps
  • Click on the Metadata option, you will get a window similar to:
  • SAML metadata window Single Sign On for SAML Apps
  • When you want to set miniorange as an IDP, you have to use the URLs listed under "Information required to set as IDP" heading (as shown in the above image)
  • When miniorange is used as broker service, you have to use different set of URLs listed under "Information required to Authenticate with External IDPs" heading (as shown in the above image)
  • If you want to make it quick and easy, click on the Download Metadata button to get XML file which you can upload while configuring SP.(Shown in the image below)
  • SAML external authentication Single Sign On for SAML Apps
  • Broker Flow/Broker Service You can use MiniOrange as a broker when you have an external identity source i.e. you have external IdP configured which has all of the information. When we say external IdP, we mean IdPs like Okta, OneLogin etc.
  • You can edit Application by using following steps:
    • Login as a customer from Admin Console.
    • Go to Apps.
    • Search for your app and Click on edit in Select menu against your app.
Hello there!

Need Help? We are right here!

support
Contact miniOrange Support
success

Thanks for your inquiry.

If you dont hear from us within 24 hours, please feel free to send a follow up email to info@xecurify.com