Single Sign On

Schematic overview

The Engage portal hosts a Service Provider (SP) endpoint based on the SAML 2.0 protocol.
The Identity Provider (IDP), in the form of an SSO service, is located on the customer side.

Single Sign-On is initiated in Engage (SP-initiated flow). After the IDP posts its response back to Engage, the SAML assertion is validated, including its signature, which is verified with the Identity Provider certificate exchanged during setup, and the user is signed in.

Setup requirements

To set up Single Sign-On between Engage and a third-party IDP, the following information has to be exchanged between both parties.

Marigold requires the following information from the customer:

  • The Identity Provider ID (the IDP's entityID).
  • SingleSignOnServiceBindingType: whether the authentication request is sent to the Identity Provider with the HTTP-POST or the HTTP-Redirect binding.
  • SingleSignOnServiceUrl: the location of the Identity Provider's SSO service.
  • The public key of the Identity Provider's signing certificate, used to verify the signature on the assertions it issues.

Marigold provides the following information to the customer in the form of a metadata.xml file:

  • The Service Provider ID (Engage's entityID).
  • The location of the Assertion Consumer Service, the Engage endpoint the IDP posts the SAML response to.
  • The public key of the Service Provider certificate.
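Both halves of the metadata exchange above, as an added example (not Marigold's or Engage's code). build_sp_metadata() produces a metadata.xml carrying the three Service Provider items in standard SAML 2.0 metadata layout, and idp_settings_from_metadata() reads the four Identity Provider items Engage needs out of an IdP metadata document. The entity IDs, URLs, certificate strings and the constructed IDP_METADATA document are placeholders; WantAssertionsSigned="true" is assumed because the SP validates the assertion signature.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
BINDING_URI = {
    "POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "REDIRECT": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}
ET.register_namespace("md", MD)
ET.register_namespace("ds", DS)


def build_sp_metadata(entity_id: str, acs_url: str, signing_cert_b64: str) -> str:
    """The three SP items handed to the customer, in SAML 2.0 metadata layout.
    All arguments are caller-supplied placeholders in this example."""
    root = ET.Element(f"{{{MD}}}EntityDescriptor", {"entityID": entity_id})
    sp = ET.SubElement(root, f"{{{MD}}}SPSSODescriptor", {
        "WantAssertionsSigned": "true",  # assumption: the SP validates the assertion signature
        "protocolSupportEnumeration": SAMLP,
    })
    kd = ET.SubElement(sp, f"{{{MD}}}KeyDescriptor", {"use": "signing"})
    x509 = ET.SubElement(ET.SubElement(kd, f"{{{DS}}}KeyInfo"), f"{{{DS}}}X509Data")
    ET.SubElement(x509, f"{{{DS}}}X509Certificate").text = signing_cert_b64
    ET.SubElement(sp, f"{{{MD}}}AssertionConsumerService", {
        "Binding": BINDING_URI["POST"],  # the IDP posts the SAML response to the ACS
        "Location": acs_url, "index": "0", "isDefault": "true",
    })
    return ET.tostring(root, encoding="unicode")


# Constructed IdP metadata with placeholder entityID, URLs and certificates.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderIdpSigningCert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIICplaceholderIdpEncryptionCert</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def idp_settings_from_metadata(idp_metadata: str, binding: str = "POST") -> dict:
    """The four items Engage needs from the customer, read from IdP metadata."""
    root = ET.fromstring(idp_metadata)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 metadata document")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this entity is not an Identity Provider")

    # Only the signing key matters for assertion validation; a KeyDescriptor
    # without a 'use' attribute is valid for both signing and encryption.
    certs = [
        (kd.findtext(f"{{{DS}}}KeyInfo/{{{DS}}}X509Data/{{{DS}}}X509Certificate") or "").strip()
        for kd in idp.findall(f"{{{MD}}}KeyDescriptor")
        if kd.get("use") in (None, "signing")
    ]
    certs = [c for c in certs if c]
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")

    wanted = BINDING_URI[binding]
    sso = next((s for s in idp.findall(f"{{{MD}}}SingleSignOnService")
                if s.get("Binding") == wanted), None)
    if sso is None:
        raise ValueError(f"the IDP does not offer the HTTP-{binding} binding")

    return {
        "IdentityProviderId": root.get("entityID"),
        "SingleSignOnServiceBindingType": binding,
        "SingleSignOnServiceUrl": sso.get("Location"),
        "IdentityProviderCertificate": certs[0],
    }
```

The encryption certificate in the sample is deliberately skipped: pinning the wrong IdP key is a common setup mistake, and only the signing certificate lets the SP verify assertions.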

Supported SAML attributes

The Engage Service Provider supports a number of attributes sent by the customer's IDP. These attributes are added to the SAML assertion as saml:Attribute elements inside the saml:AttributeStatement element.

Attribute names are matched exactly; use the names listed below.

  • UserID
    • Has to be a unique identifier in the Engage software. This can be the e-mail address of the user, the username, or anything else that identifies the user.
    • Max length: 255 characters
  • Firstname
    • Max length: 255 characters
  • Lastname
    • Max length: 255 characters
  • Mail
    • Max length: 255 characters
  • Language
    • Format: two-letter language code, e.g. EN, FR, ES, NL, …
  • Selligent/IdpGroup
    • The exact name of an IDP Group configured in the Admin Configuration module under ‘IDP Groups’. Several attributes named ‘Selligent/IdpGroup’ can be included to grant a user multiple permission roles.
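Reading the attributes above out of an assertion and enforcing the listed constraints, as an added example (not Engage's code). The sample assertion is constructed and carries no signature; in a real SP this extraction runs only after the assertion's signature has been verified against the IdP certificate, and a hardened parser such as defusedxml should replace the standard library one. Treating UserID as mandatory and requiring Language to be exactly two uppercase letters are assumptions based on the descriptions above.

```python
import re
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
IDP_GROUP = "Selligent/IdpGroup"
MAX_255 = ("UserID", "Firstname", "Lastname", "Mail")
LANGUAGE_RE = re.compile(r"^[A-Z]{2}$")  # assumption: EN, FR, ES, NL style codes only

# Constructed sample assertion (no Signature element, placeholder issuer and user).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="UserID"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Language"><saml:AttributeValue>EN</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Selligent/IdpGroup"><saml:AttributeValue>Marketing</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="Selligent/IdpGroup"><saml:AttributeValue>Reporting</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="userid"><saml:AttributeValue>wrong-case-ignored</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_engage_attributes(assertion_xml: str) -> dict:
    """Return the supported attributes; Selligent/IdpGroup becomes a list because
    the attribute may be repeated once per permission role."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    groups = []
    for stmt in root.findall(f"{{{SAML}}}AttributeStatement"):
        for attr in stmt.findall(f"{{{SAML}}}Attribute"):
            name = attr.get("Name")  # exact, case-sensitive match
            values = [(v.text or "").strip() for v in attr.findall(f"{{{SAML}}}AttributeValue")]
            if name == IDP_GROUP:
                groups.extend(v for v in values if v)
            elif name in MAX_255 or name == "Language":
                if len(values) != 1:
                    raise ValueError(f"{name}: expected exactly one value, got {len(values)}")
                attrs[name] = values[0]
            # Any other Name (including a differently cased one) is not an Engage attribute.

    if not attrs.get("UserID"):
        # Assumption: UserID is mandatory, it is what Engage matches or creates the user on.
        raise ValueError("UserID is missing")
    for name in MAX_255:
        if name in attrs and len(attrs[name]) > 255:
            raise ValueError(f"{name} exceeds 255 characters")
    if "Language" in attrs and not LANGUAGE_RE.match(attrs["Language"]):
        raise ValueError(f"Language must look like EN/FR/ES/NL, got {attrs['Language']!r}")
    if groups:
        attrs[IDP_GROUP] = groups
    return attrs


def is_valid_for_engage(assertion_xml: str) -> bool:
    """True when the AttributeStatement satisfies the constraints above."""
    try:
        extract_engage_attributes(assertion_xml)
        return True
    except (ValueError, ET.ParseError):
        return False
```

Note that the lowercase "userid" attribute in the sample is silently dropped: a misspelled or differently cased name does not produce an error, it produces a login with no UserID, which is why the extractor treats a missing UserID as a hard failure.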

Functionality

As shown in the schematic, the actual authentication of the user account is performed by the Identity Provider. The IDP's response is sent to Engage and processed as follows.

Authentication on the IDP failed:

  • The user is not logged in on the Engage Portal and an error is shown.

Authentication on the IDP succeeded:

  • If a user with the specified unique ID is already known in Engage:
    • The user is authenticated using SSO.
    • If the SAML assertion contains an IDP Group, the user receives the module permissions configured in that IDP Group's settings.
    • If the IDP Group attribute is not sent, the user keeps the permissions that were assigned manually.
  • If the user is not known in Engage:
    • The user is created in Engage.
    • If the SAML assertion contains an IDP Group, the user receives the module permissions configured in that IDP Group's settings.
    • If the IDP Group attribute is not sent, the user can log in but cannot see any of the application modules. An administrator can configure the necessary permissions on the new user account manually.
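The four outcomes above as a single decision routine, added here as an example and not Engage's code. The IDP Groups table, the module names and the in-memory user store are constructed placeholders; attrs is the dict an AttributeStatement yields (UserID plus an optional list of Selligent/IdpGroup names). Two points the text leaves open are assumptions in the code: when groups are present they replace the user's current permissions rather than add to them, and a group name that matches no configured IDP Group grants nothing instead of failing the login.

```python
from dataclasses import dataclass, field

# Hypothetical Admin Configuration > IDP Groups: group name -> module permissions.
IDP_GROUPS = {
    "Marketing": {"Campaigns", "Content"},
    "Reporting": {"Reports"},
}


@dataclass
class EngageUser:
    user_id: str
    modules: set = field(default_factory=set)


def process_idp_response(authenticated: bool, attrs: dict, users: dict) -> tuple:
    """Return (outcome, user). 'users' is the Engage user store keyed by UserID;
    outcome is one of 'error', 'authenticated', 'created'."""
    if not authenticated:
        # Authentication failed on the IDP: no login, an error is shown, nothing changes.
        return ("error", None)

    user_id = attrs["UserID"]
    groups = attrs.get("Selligent/IdpGroup", [])
    # Assumption: unknown group names grant nothing; each known group adds its modules.
    granted = set().union(*(IDP_GROUPS[g] for g in groups if g in IDP_GROUPS))

    user = users.get(user_id)
    if user is None:
        # Unknown user: created on first login. Without an IDP Group it can log in
        # but sees no modules until an administrator assigns permissions manually.
        user = EngageUser(user_id, granted)
        users[user_id] = user
        return ("created", user)

    if groups:
        # Known user with IDP Group(s): the group configuration decides the permissions
        # (assumption: it replaces, rather than extends, the current set).
        user.modules = granted
    # Without the attribute the manually assigned permissions are kept as they are.
    return ("authenticated", user)
```

The practical consequence for an operator: once an IDP Group is sent, the IdP administrator controls a user's Engage permissions, so group membership on the customer side needs the same change control as an Engage admin account.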