
Configuring SAML Authentication for Single Sign-On (SSO)

Overview

This guide outlines how to enable SAML-based Single Sign-On (SSO) for seamless access to our application. SAML (Security Assertion Markup Language) is a standard for exchanging authentication and authorization data between an identity provider and a service provider.


Prerequisites

Ensure you have administrative access to your SAML identity provider and can update the service provider settings.

Configuration Details

Service Provider (SP) Configuration

Provide the following details to your identity provider:

  • Entity ID: The unique identifier of the service provider; the IdP must issue assertions for this audience.
    https://paperbox-env.firebaseapp.com/__/auth/handler

    where env is acc or prd
  • Assertion Consumer Service (ACS) URL: The endpoint to which the IdP sends the SAML response.
    https://paperbox-env.firebaseapp.com/__/auth/handler

    where env is acc or prd

Identity Provider (IdP) Configuration

Collect these details from your identity provider:

  • SAML Login URL: The IdP endpoint to which SAML authentication requests are sent.
    Example: https://login.microsoftonline.com/tenantId/saml2

    where tenantId is your Microsoft tenant (directory) identifier
  • X.509 Certificate: The IdP's public signing certificate, used to verify the signature on SAML responses.

    -----BEGIN CERTIFICATE-----
    ...
    -----END CERTIFICATE-----
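
The SAML Login URL and the signing certificate are both carried in the IdP's standard SAML 2.0 metadata document, so they can be read out rather than copied by hand. The Python script below is an added example, not Paperbox's or Microsoft's own code; it assumes the IdP publishes an EntityDescriptor with an IDPSSODescriptor (Entra's federation metadata has this shape). SAMPLE_METADATA is a constructed sample, and TENANT_ID_PLACEHOLDER and the certificate body are placeholders, not real values.

```python
"""Extract the SAML Login URL and signing certificate from IdP metadata.

Added example, not Paperbox's own code. Assumes standard SAML 2.0 metadata
(EntityDescriptor / IDPSSODescriptor). SAMPLE_METADATA is constructed; the
tenant id and certificate body are placeholders.
"""
import xml.etree.ElementTree as ET  # for untrusted input prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample, shaped like the metadata an IdP such as Entra publishes.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/TENANT_ID_PLACEHOLDER/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data>
          <X509Certificate>
            MIIC_PLACEHOLDER_CERT_BODY
          </X509Certificate>
        </X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def parse_idp_metadata(xml_text, binding=REDIRECT_BINDING):
    """Return the IdP entity id, its login URL for `binding`, and its signing certs."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    login_url = None
    for sso in idp.findall("md:SingleSignOnService", NS):
        if sso.get("Binding") == binding:
            login_url = sso.get("Location")
            break
    if not login_url:
        raise ValueError(f"no SingleSignOnService for binding {binding}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # use="signing", or no use attribute (which means signing and encryption)
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((c.text or "").split()))  # strip whitespace/newlines
    if not certs:
        raise ValueError("metadata has no signing certificate")
    return {"entity_id": root.get("entityID"), "login_url": login_url, "signing_certs": certs}


def to_pem(cert_b64):
    """Wrap the base64 body from metadata into the PEM form shown in this guide."""
    lines = [cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    info = parse_idp_metadata(SAMPLE_METADATA)
    print("SAML Login URL:", info["login_url"])
    print(to_pem(info["signing_certs"][0]))
```

Keeping every certificate listed under use="signing" matters in practice: an IdP rotates its signing key by publishing the new certificate alongside the old one for a while, and an SP that only stored the first entry would start rejecting valid responses at rollover.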

Requested Attributes

The application requires the following attribute in the SAML assertion:

  • User Email Attribute: The user's e-mail address, commonly released as user.mail.

User Roles

Users will be assigned roles based on the following:

  • Standard Roles: user and admin

Configuration Steps

The steps below are accompanied by examples using Microsoft Entra (formerly Azure Active Directory).

  1. Configure Your Identity Provider:

    • Access your IdP's admin console and create a new SAML application. Set the redirect URI to the SP's ACS URL.

      Microsoft Entra -> App Registration -> Authentication

    • Enter the SP configuration details: Entity ID and ACS URL.

      Microsoft Entra -> Enterprise Apps -> Single Sign On

    • Set the attribute release policy to include user.mail.

      Microsoft Entra -> Enterprise Apps -> Single Sign On

    • Obtain the IdP metadata, which includes the SAML Login URL and X.509 Certificate.

      Microsoft Entra -> Enterprise Apps -> Single Sign On

    • Define the SP roles user and admin in the application.

      Microsoft Entra -> App Registration -> Roles

  2. Contact Paperbox (SP):

    • We will configure our SP with the IdP information.
    • Conduct a test authentication to confirm the setup (provided we have been given a test account).
    • Check that user roles (user, admin) are correctly assigned based on the SAML assertions.

  3. Testing and Validation:

    • Perform test logins to confirm SSO functionality.
    • Ensure user attributes are accurately received and processed.
    • Assign roles to your users.

      Microsoft Entra -> Enterprise Apps -> Users and Groups

Conclusion

Integrating SAML SSO enhances user experience by streamlining access and improving security. Follow these steps to implement SAML authentication effectively in your Paperbox Workspace.