Enabling SSO Using SAML 2.0 (with other IdPs than AD FS)

This article explains how to configure your identity provider (any SAML 2.0 IdP other than AD FS) and your Enterprise Account in order to enable single sign-on (SSO) with SAML 2.0.

Support & Requirements

Identity Provider (IdP)

SSO integration with SAML 2.0 is supported in the XMedius cloud platform with any of the following IdPs:
  • AD FS*
  • Okta
  • F5

Any other IdP that implements SAML 2.0 in a compatible way (OneLogin, among others) should also work, although only the IdPs listed above are explicitly supported.

* For an integration with AD FS, see the dedicated article: Enabling SSO with Active Directory (AD FS) – Using SAML 2.0.

User Accounts

Enabling SSO does not provision users: user accounts must still be created in your Enterprise Account once the SSO functionality is enabled.

For more information, see: User Accounts in SSO Context.

Client Integrations

For all details about client integrations supported when configuring SSO with SAML 2.0, see: Supported Client Integrations & Restrictions.

Identity Provider (IdP) Configuration Guidelines

Configure your IdP with the following service provider (SP) values:
  • Assertion Consumer Service (ACS) URL:

    https://login.[xmedius_domain]/auth/saml/callback

    Note: Use the [xmedius_domain] that corresponds to the region of your enterprise account (i.e. xmedius.com for USA, xmedius.ca for Canada or xmedius.eu for Europe).
  • Entity ID (the SP audience):

    https://login.[xmedius_domain]/

    Note: Use the same [xmedius_domain] as above, and do not forget the mandatory trailing slash (/). The Entity ID must match exactly: an Audience value without the trailing slash will not be accepted.
  • The user's email address must be sent as the NameID of the Assertion Subject, as in the following example:
    <saml2:Subject>
         <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@example.com</saml2:NameID>
         <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml2:SubjectConfirmationData InResponseTo="_74c1cb68-ccba-49fb-b9c8-a4e9d76d1a6d" NotOnOrAfter="2019-05-15T16:09:14.590Z" Recipient="https://login.xmedius.com/auth/saml/callback" />
         </saml2:SubjectConfirmation>
    </saml2:Subject>
  • The Assertion must be signed.
  • The Response must be signed as well.
Note: The following signature algorithms are supported: RSA-SHA1, RSA-SHA256, RSA-SHA384, RSA-SHA512. Prefer RSA-SHA256 or stronger: SHA-1 is deprecated for digital signatures and should only be used if your IdP offers nothing else.
Restriction: The XMedius cloud platform does not sign its AuthnRequest (your IdP must therefore accept unsigned authentication requests) and does not support encrypted assertions (the assertion must be sent in clear, signed, over the HTTPS ACS URL).
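Before activating SSO, it is worth checking what your IdP actually sends against the guidelines above. The script below is an added example (not XMedius code): it parses a SAML Response captured with a browser SAML tracer and reports every deviation from the guidelines (unsigned Response or Assertion, unsupported or weak signature algorithm, EncryptedAssertion, NameID that is not an email address, and a Destination, Recipient or Audience that does not match the ACS URL or Entity ID of your region). It inspects structure only and does not verify the XML signatures cryptographically. The embedded response is constructed for the example, with placeholder signature values and a made-up IdP (idp.example.com); it deliberately contains two mistakes, an RSA-SHA1 assertion signature and an Audience without the trailing slash.

```python
"""Structural check of a captured SAML 2.0 Response against the IdP guidelines above."""
import re
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Algorithms the page lists as supported; RSA-SHA1 is accepted but flagged as weak.
SUPPORTED_SIG_ALGS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512",
}
WEAK_SIG_ALG = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

def expected_urls(xmedius_domain):
    """ACS URL and Entity ID for a region domain (xmedius.com, xmedius.ca or xmedius.eu)."""
    return (f"https://login.{xmedius_domain}/auth/saml/callback",
            f"https://login.{xmedius_domain}/")

def _check_signature(element, label, findings):
    """Require an enveloped ds:Signature directly under element, using a supported algorithm."""
    sig = element.find("ds:Signature", NS)
    if sig is None:
        findings.append(f"{label} is not signed")
        return
    method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    alg = method.get("Algorithm") if method is not None else ""
    if alg not in SUPPORTED_SIG_ALGS:
        findings.append(f"{label} signature algorithm not supported: {alg!r}")
    elif alg == WEAK_SIG_ALG:
        findings.append(f"{label} signed with RSA-SHA1; prefer RSA-SHA256 or stronger")

def check_saml_response(xml_text, xmedius_domain):
    """Return a list of findings; an empty list means the Response matches the guidelines.
    Only structure is inspected: the signatures are NOT verified cryptographically here."""
    acs_url, entity_id = expected_urls(xmedius_domain)
    findings = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]
    _check_signature(root, "Response", findings)
    destination = root.get("Destination")  # optional attribute; must be the ACS URL when present
    if destination is not None and destination != acs_url:
        findings.append(f"Destination {destination!r} is not the ACS URL {acs_url!r}")
    if root.find("saml2:EncryptedAssertion", NS) is not None:
        findings.append("EncryptedAssertion present; encrypted assertions are not supported")
    assertion = root.find("saml2:Assertion", NS)
    if assertion is None:
        findings.append("no saml2:Assertion in the Response")
        return findings
    _check_signature(assertion, "Assertion", findings)
    name_id = assertion.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or not EMAIL_RE.match((name_id.text or "").strip()):
        findings.append("Subject/NameID missing or not an email address")
    scd = assertion.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append(f"SubjectConfirmationData/Recipient is not the ACS URL {acs_url!r}")
    audiences = [a.text for a in assertion.findall(
        "saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)]
    if audiences and entity_id not in audiences:
        findings.append(f"Audience {audiences} does not contain the Entity ID {entity_id!r} (trailing slash!)")
    return findings

# Constructed sample, not a real IdP capture: placeholder signature values, made-up IdP, and two
# deliberate mistakes (RSA-SHA1 Assertion signature, Audience without the trailing slash).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
  ID="_r1" Version="2.0" IssueInstant="2019-05-15T16:04:14Z"
  Destination="https://login.xmedius.com/auth/saml/callback">
  <saml2:Issuer>https://idp.example.com/saml</saml2:Issuer>
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2019-05-15T16:04:14Z">
    <saml2:Issuer>https://idp.example.com/saml</saml2:Issuer>
    <ds:Signature><ds:SignedInfo><ds:SignatureMethod
      Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/></ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">john.smith@example.com</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData NotOnOrAfter="2019-05-15T16:09:14.590Z" Recipient="https://login.xmedius.com/auth/saml/callback"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions><saml2:AudienceRestriction>
      <saml2:Audience>https://login.xmedius.com</saml2:Audience>
    </saml2:AudienceRestriction></saml2:Conditions>
  </saml2:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for finding in check_saml_response(SAMPLE_RESPONSE, "xmedius.com"):
        print("-", finding)
```

Run it against the Base64-decoded SAMLResponse from your tracer with the region domain of your account; the two findings on the sample show the kind of configuration slip that otherwise only surfaces as a failed login. Running the same sample against xmedius.ca additionally flags the Destination and Recipient, which is what you will see if the IdP was set up for the wrong region.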

Enterprise Account Configuration

Enable the SSO functionality (with SAML) in your Enterprise Account:

  1. Log in to your XMedius Cloud account using a Web browser.
  2. Edit your Enterprise Settings:
    1. From the main menu of your Web Portal, select enterprise_account > Enterprise Settings.
    2. Go to the Single Sign-On section and select SAML 2.0.
    3. Provide the following required information (all three values come from your IdP, typically from its SAML metadata):
       Issuer (Identity Provider): The Issuer of your IdP (also called entityID), i.e. the value your IdP sends as the Issuer of its SAML responses.
       Sign In URL: The location (URL) of the single sign-on service of your IdP, i.e. the endpoint users are redirected to in order to authenticate.
       X.509 Signing Certificate: The certificate your IdP signs its responses and assertions with, in Base-64 encoded X.509 (PEM) format. Use the signing certificate, not an encryption certificate, and update this field before your IdP rotates its certificate, otherwise signature validation and therefore SSO will fail.
    4. If needed, provide the following optional information:
       URL Redirect After Sign Out: Custom URL to redirect users to when they sign out of the portal. If you leave this field empty, the default logout page of the XMedius cloud portal is used.
    Important: Record the fail-safe URL (https://login.[xmedius_domain]/[account]/no-sso) shown at the bottom of the SSO configuration section before you activate SSO. It lets you log in with your XMedius Cloud account credentials if you lock yourself out after SSO activation (for example because of a misconfigured IdP or an expired signing certificate).