Note: | You can access or edit the single sign-on configuration page only if you can edit the Company Information, that is, have the Manage Company Capabilities permission under Settings > Access Profiles > Administrative Permissions > Account Controls. |
Field | Description | ||||
Choose Single Sign-On Type | |||||
Sign-On Using | Select the sign-on type from the drop-down list. Default: None. Security Assertion Markup Language 2.0 (SAML 2.0) is an XML-based standard for exchanging authentication and authorization data between security domains. Integration Cloud (Service Provider) must enroll with an Identity Provider (IdP) and obtain an Identity Provider URL. | ||||
Requestor Details | |||||
Authentication Service URL | This URL is the SAML SSO link and is used to trigger the SAML based single sign-on. Use this link to login to Integration Cloud using your Identity Provider.
| ||||
Assertion Consumer Service URL | This is the URL which consumes the SAML response from the Identity Provider. You need to apply this URL in the relevant field in the Identity Provider SAML configuration page.
| ||||
RelayState for Identity Provider initiated SSO | RelayState is a parameter used by SAML protocol implementations to identify the specific resource at the resource provider, in an Identity Provider initiated single sign-on scenario.
| ||||
Identity Provider Configuration | |||||
SAML Request Issuer URL | The Integration Cloud (Service Provider) URL used to access this tenant. This URL acts as the Service Provider ID.
| ||||
Identity Provider Details | Specify how you want to define the Identity Provider details. Select Enter Manually if you want to manually enter the URL that uniquely identifies Integration Cloud in your SAML Identity Provider in the Issuer field. Select Load From Identity Provider Metadata and select the metadata file to upload the IdP details. | ||||
Issuer | A URL that uniquely identifies Integration Cloud in your SAML Identity Provider. Integration Cloud (Service Provider) must enroll with an Identity Provider and obtain an Issuer URL. If you have selected Enter Manually for Identity Provider Details, copy the URL provided by the IdP here after setting up Integration Cloud configuration in the IdP.
If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the Issuer field will be automatically populated. | ||||
Identity Provider Certificate | This is the authentication certificate (a valid x509 issuer certificate) issued by your Identity Provider and is required to sign and verify SAML messages. If you have selected Enter Manually for Identity Provider Details, select Browse and upload a file that contains the Identity Provider’s certificate. If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the IdP certificate will be automatically uploaded. | ||||
Identity Provider Login URL | This is the URL used to log in to the Identity Provider. If you have selected Enter Manually for Identity Provider Details, type the URL that will be used to log in to the Identity Provider.
If you have selected Load From Identity Provider Metadata for Identity Provider Details and uploaded the IdP file, the IdP login URL will be automatically populated. | ||||
User ID Type | Determines the type of identifier. Assertion contains user's Integration Cloud username - Select this option if your Identity Provider passes the username (User Profile > Basic tab) in the SAML assertion to identify the user. Assertion contains the Federation ID from the User Object - The Federation ID acts as a user's authentication across multiple IT systems or organizations. A federated identity means linking a person's electronic identity and attributes stored across multiple distinct identity management systems. Select this option if your Identity Provider passes the Federation ID (<User Profile> > Basic tab), to identify the user. You can add the Federation ID (<User Profile> > Basic tab) to each user’s profile after you have configured single sign-on. | ||||
User ID Location | Specifies an attribute tag that defines the location of the User ID. This is the location in the assertion where a user should be identified. Select Subject if the User ID is located in the <Subject> statement of the assertion. Select Attribute if the User ID is specified in an <AttributeValue>, located in the <Attribute> of the assertion. If you have selected Attribute, specify the attribute that contains the User ID in the Attribute for User ID field. If the User ID attribute is empty or does not match an existing user, then either login fails or a new user is created, depending on the Create Users setting. | ||||
Attribute for User ID | This field appears if you have selected Attribute in the User ID Location field. Specify the attribute that contains the User ID. If the User ID attribute is empty or does not match an existing user, then either login fails or a new user is created, depending on the Create Users setting. | ||||
Create Users | Select this option to create a new user when the User ID is not recognized. When selected, additional options appear where you can specify the attribute to use for the First Name, Last Name, Email, and Access Profile. Attribute for First Name - The name of the SAML attribute that designates the user's first name. Attribute for Last Name - The name of the SAML attribute that designates the user's last name. Attribute for Email - The name of the SAML attribute that designates the user's email address. Default Access Profile - This field is used to specify the default Access Profile for the created user. Attribute for Access Profile - The name of the SAML attribute that designates the user's access profile. The attribute must contain the ID of the Access Profile. You can get the ID of the Access Profile from the Access Profiles screen (Settings > Access Profiles). |
Note: | You must select Email Address as the NameID Format in the Identity Provider SSO Configuration screen. |