Setting up SAML SSO for your organization
This article applies to the Enterprise plan.
Overview of SAML SSO
SAML (Security Assertion Markup Language) Single Sign-On (SSO) is a protocol enabling users to authenticate once and gain access to multiple applications and services without needing to log in repeatedly. This is done by exchanging authentication and authorization data between an identity provider (IdP) and a service provider (SP). SAML SSO enhances security by centralizing authentication processes, reducing the risk of credential theft. It also improves user experience by eliminating multiple logins. It simplifies user management and access control, because it allows for permissions to be managed and revoked from a single point, reducing administrative overhead and ensuring compliance with security policies.
Prerequisites for configuring SAML SSO
Prior to setting up SAML SSO for your organization, ensure you have the following:
- Beefree Enterprise plan
- SAML Settings
SAML SSO configuration steps
Steps to take prior to sending your request to your Beefree Customer Success Manager.
- Set up your Identity Provider (IdP):
- Choose a compatible IdP, such as OneLogin or Azure AD.
- Create a new SAML application within your IdP to connect with Beefree.
- Generate and export your IdP metadata:
- Export the SAML metadata file from your IdP. This file typically includes important information such as the Single Sign-On URL, Single Logout URL, and the x509 certificate.
Checklist
Go through the following checklist to ensure you have all the necessary information prior to contacting your Beefree Customer Success Manager.
- Signing URL / SAML 2.0 Endpoint (HTTP):
- Example from SAML Metadata: `<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="<your-location>"/>`
- Note: Replace `<your-location>` with the URL needed.
- x509 Signing Certificate (.pem file)
- Request Signature Method:
- Example: RSA-SHA256
- Service Provider Request Binding:
- Example: HTTP POST
- List of Email Domains:
- Example: bee.cloud, beefree.io
Request Signature Method
Obtaining your Request Signature Method is a prerequisite for one of the items in the checklist above. If you do not already have it, take the following steps to locate it in your IdP metadata and complete your checklist for your Beefree SSO configuration:
- Locate the Metadata XML File: Obtain the XML file containing the Identity Provider (IdP) metadata. This file is usually provided by the IdP during the configuration of Single Sign-On (SSO).
- Open the XML File: Open the XML file using any text editor or XML viewer.
- Search for the Signature Method: Use the search functionality of your text editor (usually accessed via Ctrl+F or Cmd+F) to find the SignatureMethod element. Look for the Algorithm attribute within this element to identify the signature method.
```xml
<IDPSSODescriptor>
  <!-- Other elements -->
  <KeyDescriptor>
    <!-- Other elements -->
    <SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </KeyDescriptor>
</IDPSSODescriptor>
```
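The three metadata-derived checklist items (HTTP-POST Signing URL, x509 signing certificate as a .pem, Request Signature Method) can be pulled out of the IdP metadata file mechanically rather than by Ctrl+F. The script below is an added example, not Beefree's or any IdP's code; it uses only Python's standard library, and its sample metadata is constructed, with the idp.example.test host, URLs and certificate body being placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
SIG_NAMES = {"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "RSA-SHA256",
             "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "RSA-SHA1 (deprecated)"}

# Constructed sample IdP metadata: host, URLs and certificate body are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/metadata">
 <ds:Signature><ds:SignedInfo><ds:SignatureMethod
   Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo></ds:Signature>
 <md:IDPSSODescriptor>
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
   MIIC PLACEHOLDER CERT BODY
  </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/redirect"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso/post"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def to_pem(cert_text):
    # Metadata line-wraps the base64; strip all whitespace, then re-wrap at 64 as a .pem file expects.
    body = "".join(cert_text.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def extract_checklist(metadata_xml):
    root = ET.fromstring(metadata_xml)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    result = {"sso_post_url": None, "signing_certificate_pem": None, "signature_method": None}
    # Signing URL: only the HTTP-POST binding matches the checklist item.
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == HTTP_POST:
            result["sso_post_url"] = svc.get("Location")
    # Signing certificate: a KeyDescriptor with use="signing" (no use attribute means both uses).
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if kd.get("use", "signing") == "signing" and cert is not None and cert.text:
            result["signing_certificate_pem"] = to_pem(cert.text)
            break
    # Signature method: searched recursively, so it is found in the document signature or under KeyDescriptor.
    sig = root.find(".//ds:SignatureMethod", NS)
    if sig is not None:
        result["signature_method"] = SIG_NAMES.get(sig.get("Algorithm"), sig.get("Algorithm"))
    result["missing"] = [k for k, v in result.items() if v is None]
    return result
```

Anything reported under `missing` has to be obtained from the IdP admin console instead; an RSA-SHA1 result is worth raising with your IdP team before it goes on the checklist.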
Contact your Beefree Customer Success Manager
Once your SAML settings are configured, contact your Beefree Customer Success Manager to forward your SAML settings to the Beefree engineering team. They will activate SAML SSO for your Enterprise plan.
Complete your configuration
Complete your SAML SSO configuration by completing the following steps:
- Configure Service Provider (SP) details in your IdP:
- Assertion Consumer Service (ACS) URL:
- Input the ACS URL in your IdP configuration: `https://dev-5i55recuxv7xwvw8.us.auth0.com/login/callback?connection={yourConnectionName}`
- Note: Replace `{yourConnectionName}` with the specific connection name provided by Beefree.
- Entity ID:
- Enter the Entity ID: `urn:auth0:dev-5i55recuxv7xwvw8:{yourConnectionName}`
- Note: Replace `{yourConnectionName}` with the specific connection name provided by Beefree.
- Map the necessary SAML attributes:
- Configure the following attribute mappings in your IdP to ensure proper user provisioning:
```json
{
  "name": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ],
  "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
  "user_id": [
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
  ]
}
```
- Test your SAML SSO configuration:
- Use a test user to ensure that the SAML SSO setup is working correctly within your IdP before sending the configuration details to Beefree.
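When testing with a test user, it helps to check the decoded assertion against the attribute mapping above before the details go to Beefree. The script below is an added example, not Beefree's or Auth0's code; it assumes that a list of claims is tried in order and the first one present fills the field, its sample AttributeStatement and the example.test addresses are constructed, and the functions `assertion_attributes`, `resolve_profile` and `email_domain_allowed` are the example's own.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# The mapping from the article; list order is read here as preference order (an assumption of
# this example: the first claim present in the assertion fills the field).
ATTRIBUTE_MAPPING = {
    "name": [CLAIMS + "givenname", CLAIMS + "name"],
    "email": CLAIMS + "emailaddress",
    "user_id": [CLAIMS + "nameidentifier", CLAIMS + "upn", CLAIMS + "name"],
}

# Constructed sample: the AttributeStatement of a decoded test-user assertion (no nameidentifier claim).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
   <saml:AttributeValue>Test User</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
   <saml:AttributeValue>test.user@example.test</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn">
   <saml:AttributeValue>test.user@example.test</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""

def assertion_attributes(assertion_xml):
    """Map each Attribute Name in the AttributeStatement to its first non-empty value."""
    attrs = {}
    for attr in ET.fromstring(assertion_xml).iter("{%s}Attribute" % NS["saml"]):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text and v.text.strip()]
        if values:
            attrs[attr.get("Name")] = values[0]
    return attrs

def resolve_profile(attrs, mapping=ATTRIBUTE_MAPPING):
    """Fill name/email/user_id from the claims; fields with no matching claim are reported as missing."""
    profile, missing = {}, []
    for field, claims in mapping.items():
        candidates = [claims] if isinstance(claims, str) else claims
        found = next((attrs[c] for c in candidates if c in attrs), None)
        if found is None:
            missing.append(field)
        else:
            profile[field] = found
    return profile, missing

def email_domain_allowed(email, configured_domains):
    """Exact, case-insensitive domain match (this example's rule): amazon.fr does not cover amazon.com."""
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in {d.lower() for d in configured_domains}
```

A non-empty `missing` list means the IdP is not releasing a claim the mapping needs; `email_domain_allowed` mirrors the exact-domain caveat under Additional considerations.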
Additional considerations
Consider the following prior to configuring SAML SSO for your Beefree Enterprise account:
- When an email domain is configured to access Beefree with SAML SSO, users registered in Beefree with that domain who access other Beefree accounts will no longer be able to log in via other methods such as Google SSO, Microsoft SSO, or the standard login.
- The email domain configured in the Admin tool allows all users with that domain in their email addresses to access Beefree with SAML SSO but prevents access via other methods.
- Ensure you specify the correct and specific email domain (e.g., amazon.fr and not amazon.com) to avoid login issues.
- The only point of access for this configuration is through the SSO button on the Beefree login page. Users cannot access Beefree from their OneLogin dashboards, for example.
If you have any questions, feel free to contact us.