SAML Authentication is provided as an add-on feature.
SAML Configuration in Identity Provider
Provide the following values for the corresponding fields in your Identity Provider (IdP). Field names differ between IdPs, so the common aliases are listed.
IdP Field | Value |
RelayState | Shown under "SAML SSO configuration" in Organization Settings - Security - SAML |
Audience / App ID URI / Entity ID | https://www.rfpio.com |
Recipient / ACS (Assertion Consumer Service) URL / Login URL / Sign-On URL | https://app.rfpio.com/rfpserver/login/handle-saml-response |
ACS Consumer URL Validator (regular expression) | https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle-saml-response |
Map the following user attributes in your IdP. The attribute name sent in the assertion must be exactly the name shown:
Attribute Name | Attribute Value |
first_name | first_name |
last_name | last_name |
job_title | job_title |
phone | phone |
location | location |
You can also pass the user's Role and Primary Business Unit from your IdP, so that users who sign in from the IdP land in RFPIO with the correct role and business unit already set.
Map the following attributes as well:
Attribute Name | Attribute Value |
rfpio_user_role | <the role name exactly as defined in RFPIO> |
primary_business_unit | <the primary business unit name exactly as defined in RFPIO> |
Note: Role values must match the roles defined in RFPIO exactly; they are case sensitive. Business unit values must likewise match the business units defined in RFPIO. If the business unit value sent by the IdP does not match one in the application, the user is mapped to the default business unit.
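The values in the two tables above are what a service provider checks before it trusts an assertion: Audience must equal the Entity ID, Recipient and Destination must equal the ACS URL (the validator regex only does its job when it is anchored to the whole URL), and the attributes are then mapped onto the RFPIO user with the case-sensitive role rule and the default-business-unit fallback. The following Python is an added illustration of those checks and is not RFPIO's code. Signature verification, which a real SP must do first, is deliberately left out; the sample response, the role names, the business unit names and the default business unit are constructed for the example. Destination is a standard SAML Response attribute not listed in the page's table.

```python
import re
import xml.etree.ElementTree as ET

# Service-provider values from the configuration table above.
SP_ENTITY_ID = "https://www.rfpio.com"
ACS_URL = "https://app.rfpio.com/rfpserver/login/handle-saml-response"
ACS_URL_VALIDATOR = r"https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle-saml-response"

# Assumed tenant settings (illustration only; use the names defined in your RFPIO organization).
KNOWN_ROLES = {"Admin", "Manager", "Team Member"}
KNOWN_BUSINESS_UNITS = {"Sales", "Marketing"}
DEFAULT_BUSINESS_UNIT = "Sales"

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response, unsigned and trimmed to the elements checked below.
# A real SP must verify the XML signature before trusting any of these values.
SAMPLE_RESPONSE = """\
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
                xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                Destination="https://app.rfpio.com/rfpserver/login/handle-saml-response">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://app.rfpio.com/rfpserver/login/handle-saml-response"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://www.rfpio.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="first_name"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="last_name"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="rfpio_user_role"><saml:AttributeValue>Manager</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="primary_business_unit"><saml:AttributeValue>marketing</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""


def acs_url_is_valid(url):
    """Apply the ACS URL validator anchored to the whole string, so a URL that merely
    contains the ACS URL (for example as a query parameter) does not pass."""
    return re.fullmatch(ACS_URL_VALIDATOR, url or "") is not None


def addressing_problems(root):
    """Return the list of reasons this response was not issued for us, empty if it was."""
    problems = []
    destination = root.get("Destination") or ""
    if destination != ACS_URL or not acs_url_is_valid(destination):
        problems.append(f"Destination {destination!r} is not the ACS URL")
    scd = root.find(".//saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != ACS_URL:
        problems.append(f"Recipient {recipient!r} is not the ACS URL")
    # Audience binds the assertion to this SP; without it an assertion minted for
    # another service provider at the same IdP could be replayed here.
    audience = root.findtext(".//saml:Audience", namespaces=NS)
    if audience != SP_ENTITY_ID:
        problems.append(f"Audience {audience!r} is not the SP Entity ID")
    return problems


def attributes(root):
    """Collect the AttributeStatement as a name -> first value dict."""
    return {
        a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
        for a in root.findall(".//saml:AttributeStatement/saml:Attribute", NS)
    }


def map_user(attrs):
    """Apply the mapping rules from the note above. The page does not say what happens
    when the role does not match, so this example refuses the login (an assumption);
    an unmatched business unit falls back to the default, as the page states."""
    role = attrs.get("rfpio_user_role")
    if role not in KNOWN_ROLES:
        raise ValueError(f"rfpio_user_role {role!r} matches no RFPIO role (values are case-sensitive)")
    business_unit = attrs.get("primary_business_unit")
    if business_unit not in KNOWN_BUSINESS_UNITS:
        business_unit = DEFAULT_BUSINESS_UNIT
    return {
        "first_name": attrs.get("first_name"),
        "last_name": attrs.get("last_name"),
        "job_title": attrs.get("job_title"),
        "role": role,
        "business_unit": business_unit,
    }


def process_response(xml_text):
    """Parse a SAML Response and return the mapped user, or raise ValueError."""
    root = ET.fromstring(xml_text)
    problems = addressing_problems(root)
    if problems:
        raise ValueError("; ".join(problems))
    user = map_user(attributes(root))
    user["email"] = root.findtext(".//saml:NameID", namespaces=NS)
    return user


if __name__ == "__main__":
    print(process_response(SAMPLE_RESPONSE))
```

Run as a script it prints the mapped user for the sample; note that the lower-case business unit "marketing" silently becomes the default "Sales", which is exactly the kind of surprise the case-sensitivity note warns about, while a lower-case role is rejected outright.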
(Optional) If your IdP has a field for the service provider's public key, enter the public key of the key pair whose private key you will later paste into RFPIO.
If you wish to generate a new key pair, use the following OpenSSL commands:
- openssl genrsa -aes256 -out mykey1.pem 2048  (generates a 2048-bit RSA private key encrypted with a passphrase you are prompted for)
- openssl rsa -in mykey1.pem -pubout -out public_key1.pem  (extracts the public key to give to the IdP; an encryption option such as -aes256 has no effect here, since only private keys are encrypted)
- openssl rsa -in mykey1.pem -out private_key1.pem  (writes the private key without the passphrase so it can be pasted into RFPIO; treat this file as a secret and delete it once it has been pasted)
Generate SAML Metadata in IDP
Download the metadata from your IdP. It is an XML document like the one shown below:
SAML Configuration in RFPIO
Log in to https://app.rfpio.com and click Organization Settings.
Within Organization Settings, go to Security - SSO.
*If the SAML SSO feature is not visible, contact your account manager.
Either click CHOOSE FILE and select the metadata file downloaded from your IdP, or paste the metadata XML below the identity configuration.
Paste the private key (optional; it is the private key of the pair whose public key you entered in the IdP).
Click VALIDATE to validate the configuration.
The page shows whether the identity configuration was validated. Once it is validated, enable SAML and click SUBMIT.
The configuration is complete and users can now authenticate with SAML.
RFPIO - SAML Login
Users can log in to RFPIO with SAML in the following ways:
- Login from your IdP
- Login to app.rfpio.com using SAML
- Login using an instance-specific URL
- Just-in-Time Provisioning
Login to app.rfpio.com using SAML
Enter your email address and click Sign-in Using SAML.
Login using an instance-specific URL
Contact your account manager to get your instance-specific URL, which you can bookmark in your browser.
Just-in-Time Provisioning
With Just-in-Time provisioning, a SAML assertion creates regular and portal users on the fly the first time they try to log in, so there is no need to create user accounts in advance. For example, if you recently added an employee to your organization and granted them access to RFPIO in your SAML Identity Provider, you do not need to create the user in RFPIO manually: when they log in with single sign-on for the first time, their account is created automatically, removing the on-boarding effort. The new user is given the Admin, Manager or Team Member role defined for them in the SAML integration, and user attributes can be mapped along with the role.
*Admins can choose None as the role to stop new users from being created in the application through Just-in-Time provisioning.
Points to remember:
1) The IdP metadata must include a SingleSignOnService endpoint with the HTTP-Redirect binding, or validation fails:
<SingleSignOnService
Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
/>
where <IDP.DomainName> is the hostname of the customer's IdP and <DomainName> is the customer's domain (realm) name.
2) The NameID format must be urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress; a transient NameID combined with a user-attribute mapping is not supported.
3) Only the HTTP-POST binding is supported for the SAML Response; RFPIO expects the response to be posted to the ACS URL.
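Points 1 and 2 can be checked in the IdP metadata file before clicking VALIDATE. The Python below is an added pre-check, not RFPIO's validator: it parses the metadata, confirms there is a SingleSignOnService with the HTTP-Redirect binding over https, and confirms the IdP advertises the emailAddress NameID format when it lists formats at all (many IdPs set the NameID format per service provider rather than in metadata, in which case the check is silent and you verify it in the IdP console). Point 3 concerns the binding of the Response itself and is not visible in IdP metadata. Both metadata documents are constructed for the example, modelled on the snippet in point 1; idp.example.com and the realm name "example" are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata that satisfies points 1 and 2 (placeholder host and realm).
GOOD_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/auth/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/auth/realms/example/protocol/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
                            Location="https://idp.example.com/auth/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

# Constructed metadata from the same IdP exported with only a POST endpoint and only
# transient NameIDs: the two configurations the points above say will not validate.
BAD_METADATA = """\
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
                     entityID="https://idp.example.com/auth/realms/example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                            Location="https://idp.example.com/auth/realms/example/protocol/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(xml_text):
    """Return a list of problems against points 1 and 2; an empty list means it passes."""
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element: this is not IdP metadata"]
    problems = []
    endpoints = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    if HTTP_REDIRECT not in endpoints:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding (point 1)")
    elif not (endpoints[HTTP_REDIRECT] or "").startswith("https://"):
        problems.append("HTTP-Redirect SingleSignOnService Location is not https")
    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    # An IdP that lists no formats at all is configured per SP; nothing to check here.
    if formats and EMAIL_NAMEID not in formats:
        problems.append("IdP does not advertise the emailAddress NameID format (point 2)")
    return problems


def redirect_login_url(xml_text):
    """Return the Location of the HTTP-Redirect SSO endpoint, or None if there is none."""
    root = ET.fromstring(xml_text)
    for s in root.iterfind(".//md:SingleSignOnService", NS):
        if s.get("Binding") == HTTP_REDIRECT:
            return s.get("Location")
    return None


if __name__ == "__main__":
    for name, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(name, check_idp_metadata(doc) or "ok", redirect_login_url(doc))
```

To check a real file, read it into a string and pass it to check_idp_metadata; an empty list means the two metadata conditions are met and the remaining failures at VALIDATE time will be elsewhere (a mismatched certificate, the wrong NameID format chosen per SP in the IdP, or a POST-only response path).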