SAML Service Provider Setup

Introduction

This guide gives an overview of how to configure an application to work with Acceptto’s SSO service, which allows access to the application using Acceptto authentication technology. You will be configuring your application to act as a Service Provider and configuring Acceptto to act as an Identity Provider.

Requirements
  1. Acceptto Appliance configured to connect to your user directory
  2. An Acceptto Organization account, with access to an administrative user
  3. An Application that supports SAML 2.0 authentication

IdP Initiated login Architecture

The IdP initiated login method is applied when a user logs in directly to the IdP in order to access a portal containing a list of federated Service Providers (also referred to as applications).

SAML flow chart for IdP initiated login
  1. The user accesses the IdP URL, for example idp.acceptto.com.
  2. The IdP requests the user to provide credentials.
  3. The IdP authenticates the user against eGuardian.
  4. eGuardian evaluates policies and sends an out-of-band authentication request to It’sMe.
  5. The user approves the login attempt.
  6. eGuardian returns the result of the authentication.
  7. The IdP generates a signed assertion stating that the user is authenticated and has access to the Service Portal.
  8. The Service Portal verifies the assertion and allows the user access.

SP Initiated login Architecture

The SP initiated login method is applied when a user directly accesses a federated service (SP) and is redirected to authenticate to the IdP before access is granted.

SAML flow chart for SP initiated login
  1. The user accesses the Service Portal, for example sp.acceptto.com.
  2. The SP redirects the user to the IdP.
  3. The IdP requests user credentials.
  4. The IdP sends an authentication request to eGuardian.
  5. eGuardian evaluates policies and sends an out-of-band authentication request to It’sMe.
  6. The user approves the transaction.
  7. eGuardian returns the result of the authentication to the IdP.
  8. The IdP generates a signed assertion stating that the user is authenticated and has access to the Service Portal.
  9. The Service Portal verifies the assertion and allows the user access.

Set up a SAML Application
  1. Log in to Acceptto with a user account that has administrative privileges.
  2. Click on the “Applications” option on the menu bar.
  3. Click on the “New Application” button.
  4. On the “Add Application” form, enter the following:
    1. App Name - Application name to be displayed in the admin panel and application portal
    2. Issuer or EntityID - The Issuer/EntityID of the SAML application. For example: ‘google.com/a/org.com’
    3. Sign In URL - The URL used to sign in to the application
    4. Metadata URL - The URL of the SAML application’s metadata
  5. Click “Save” to create the application.
  6. Note: Clicking the “Advanced Options” button allows additional optional configuration such as encryption certificates or custom attribute assertions.

Configure your SAML Application with Acceptto
  1. On the Add Application Page, select ‘Identity Provider Configuration’
  2. Use the configuration data in the settings page to configure your application:
    1. Identity Provider Issuer. This is the name of the issuer of the SAML assertions. It may be referred to as the “EntityID” or “IdP Name”.
    2. Single Sign-On URL. This is the URL the SP uses to send SAML requests. It may be referred to as the “SAML Endpoint” or “SSO URL”.
    3. X509 Certificate. This is the IdP certificate your application uses to validate the signature on SAML tokens.
    4. NameIdFormat. This is the user name format in which the user’s identity is asserted to the SAML application.
  3. Using the above data, configure your application according to the vendor instructions.
  4. If your application requires any additional attribute assertions, please access the admin panel and add these via the “Advanced Options” button on the “Add Application” page.
  5. We recommend testing your application by configuring a separate URL in addition to the normal authentication URL, so that SAML can be tested while the local authentication option remains available.
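The following is an added, constructed example of the Service Provider side of the two flows above, not code from this guide or from Acceptto: it builds the AuthnRequest the SP redirects the user with (SP-initiated step 2) using the Identity Provider Issuer, Single Sign-On URL and NameIdFormat values from the configuration page, and it performs the checks the Service Portal must make before accepting an assertion (step 8 / step 9). All URLs and identifiers are placeholders, the HTTP-Redirect binding is assumed for the request, and the XML signature check against the IdP's X509 certificate is assumed to be done by the SP's SAML library before check_assertion() is called.

```python
import base64
import secrets
import zlib
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Values copied from the IdP's "Identity Provider Configuration" page.
# Placeholders for this example, not real Acceptto endpoints.
IDP_ISSUER = "https://idp.example.test/saml"        # "Identity Provider Issuer"
IDP_SSO_URL = "https://idp.example.test/saml/sso"   # "Single Sign-On URL"
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # "NameIdFormat"
# Values the SP registered on the "Add Application" form (placeholders too).
SP_ENTITY_ID = "https://sp.example.test/saml/metadata"  # "Issuer or EntityID"
SP_ACS_URL = "https://sp.example.test/saml/acs"         # where the IdP posts the Response
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def saml_time(t: datetime) -> str:
    return t.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def parse_saml_time(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def build_authn_request(request_id: str, issued: datetime) -> str:
    """SP-initiated step 2: the AuthnRequest the SP sends the user to the IdP with.
    The SP must remember request_id so it can match InResponseTo later."""
    return (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="{request_id}" Version="2.0" IssueInstant="{saml_time(issued)}" '
            f'Destination="{IDP_SSO_URL}" AssertionConsumerServiceURL="{SP_ACS_URL}" '
            'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
            f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
            f'<samlp:NameIDPolicy Format="{NAMEID_FORMAT}" AllowCreate="false"/>'
            "</samlp:AuthnRequest>")


def redirect_url(authn_request_xml: str, relay_state: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encode onto the SSO URL."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw deflate, no zlib header
    deflated = comp.compress(authn_request_xml.encode()) + comp.flush()
    params = {"SAMLRequest": base64.b64encode(deflated).decode(), "RelayState": relay_state}
    return f"{IDP_SSO_URL}?{urlencode(params)}"


def decode_redirect_request(url: str) -> str:
    """Inverse of redirect_url (what the IdP does on receipt); shown for the round trip."""
    qs = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15).decode()


def sample_response(request_id, issued, name_id="alice@example.test", audience=SP_ENTITY_ID):
    """Constructed (unsigned) Response shaped like what the IdP posts to the ACS."""
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_r{secrets.token_hex(8)}" Version="2.0" IssueInstant="{saml_time(issued)}" '
            f'Destination="{SP_ACS_URL}" InResponseTo="{request_id}">'
            f"<saml:Issuer>{IDP_ISSUER}</saml:Issuer>"
            f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a{secrets.token_hex(8)}" Version="2.0" IssueInstant="{saml_time(issued)}">'
            f"<saml:Issuer>{IDP_ISSUER}</saml:Issuer>"
            f'<saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">{escape(name_id)}</saml:NameID></saml:Subject>'
            f'<saml:Conditions NotBefore="{saml_time(issued - timedelta(minutes=1))}" '
            f'NotOnOrAfter="{saml_time(issued + timedelta(minutes=5))}">'
            f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>"
            "</saml:Conditions></saml:Assertion></samlp:Response>")


def check_assertion(response_xml: str, expected_request_id, now: datetime,
                    signature_verified: bool = True) -> list:
    """Step 8/9: what the Service Portal checks before admitting the user.
    signature_verified is the result of the SAML library's XML-DSig check against
    the IdP's X509 certificate (assumed done elsewhere). Returns the failed checks;
    an empty list means the assertion may be accepted."""
    if not signature_verified:
        return ["signature"]
    root = ET.fromstring(response_xml)
    failed = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        failed.append("status")
    # SP-initiated flow: the Response must answer the request this SP issued.
    if expected_request_id is not None and root.get("InResponseTo") != expected_request_id:
        failed.append("in-response-to")
    if root.get("Destination") != SP_ACS_URL:
        failed.append("destination")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return failed + ["no-assertion"]
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ISSUER:  # "Identity Provider Issuer"
        failed.append("issuer")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        failed += ["validity-window", "audience"]
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if (nb and now < parse_saml_time(nb)) or noa is None or now >= parse_saml_time(noa):
            failed.append("validity-window")
        if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != SP_ENTITY_ID:
            failed.append("audience")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_FORMAT:  # "NameIdFormat"
        failed.append("nameid-format")
    return failed


if __name__ == "__main__":
    req_id = "_" + secrets.token_hex(16)
    print(redirect_url(build_authn_request(req_id, DEMO_NOW), "/dashboard"))
    print(check_assertion(sample_response(req_id, DEMO_NOW), req_id, DEMO_NOW))  # []
```

For the IdP-initiated flow there is no outstanding request, so the SP calls check_assertion() with expected_request_id set to None and relies on the remaining checks (issuer, audience, validity window, NameID format, and the signature verified by the library). Each failed check is a distinct string so the SP can log exactly which condition rejected the assertion.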

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.