Configure SAML SSO overview
Access Type: Organization Settings - Editor
Premium Feature: SSO
Single Sign-On (SSO) is an authentication process that allows users to access multiple applications or systems with one set of login credentials. In this article, we provide a general overview of how to configure SSO using the SAML 2.0 standard protocol.
For your convenience, Didomi offers dedicated resources for the following identity providers:
If your organization's identity provider is not on the above list, please continue with the instructions presented below.
SP-initiated vs IdP-initiated
SSO can either be initiated from the Service Provider (SP-initiated SSO) or initiated from the Identity Provider (IdP-initiated SSO).
SP-initiated SSO
Starts at the Service Provider (SP) when the user attempts access to a specific application.
IdP-initiated SSO
Starts at the Identity Provider (IdP), which is oftentimes a centralized dashboard or portal from which the user selects the application to access.
The Didomi SAML SSO solution is SP-initiated. Ensure that this initiation is reflected accordingly in your organization's identity provider (i.e. your organization's IdP may ask you to provide this configuration).
Retrieve SSO SAML identifiers
To start, your organization needs to retrieve the SSO SAML identifiers from the Didomi console to continue setup in your identity provider.
Click My organization and select Single Sign-on from the drop-down menu.

Use the provided fields in the Get your SSO SAML identifiers step to record the following:
Configured issuer
Your organization's identity provider's unique identifier within the Didomi console.
Login URL
Where the user will be redirected after a successful login on the identity provider.
Logout URL
Where the user will be redirected after a successful logout on the identity provider.

Click Continue when finished.
Configure identity provider
With your organization's copied SSO SAML identifiers from the Didomi console, navigate to your identity provider and input the values in the corresponding fields.
When finished, locate where your organization configures the email claim with the identity provider and configure the following:
Note: Configuring the email claim is a required step and your organization's SSO SAML configuration will not be complete if this step is not performed.
Name
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Name format
URI Reference
Value
user.email
Retrieve identity provider metadata
Once the configuration within the identity provider is complete, locate the following metadata and copy the values:
X509 certificate
The SAML Signing Certificate from your identity provider in CER base64 format.
Login URL
Sign In (or login) URL from your identity provider.
Logout URL
Logout URL from your identity provider.
Note: This field may be optional for some identity providers. In this case the Login URL will be used instead.
Add identity provider metadata
With the metadata from your identity provider copied, navigate back to the SSO configuration within the Didomi console and input those values in the provided fields for the Setup SSO settings step.

Click Continue when finished.
Test and complete SSO configuration
Didomi will verify the identity provider metadata. When successful, utilize the Domain(s) field to add email domains to which the SAML authentication will be restricted (i.e. only users whose emails have this domain will be allowed to login with SSO SAML).
For security, the domain added to the Domain(s) field must match the email domain of the user performing the configuration (e.g. didomi.io can only be added if the user adding it is signed into the Didomi console using an @didomi.io email address).
To add more than one domain, please contact the Didomi support team via chat or email at [email protected].

Click Save settings.
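Two of the steps above are the ones a service provider actually enforces at login time: the email claim must be present under the exact claim name with the URI name format, and the asserted email's domain must be one of the configured Domain(s). The following added example (not Didomi's code) shows that check over a constructed SAML assertion; it assumes the "URI Reference" name format corresponds to the SAML `attrname-format:uri` value, and that XML signature verification against the IdP's X509 certificate has already happened before any attribute is read.

```python
"""Check that a SAML assertion carries the required email claim and that
the asserted email falls inside the organization's allowed domain(s)."""
import xml.etree.ElementTree as ET
from typing import List, Optional, Tuple

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
URI_FORMAT = "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"  # "URI Reference" (assumed mapping)

# Constructed sample assertion. The Signature element is omitted here; a real SP
# verifies it against the IdP's X509 signing certificate before trusting attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
                    NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_email_claim(assertion_xml: str) -> Optional[str]:
    """Return the email from the emailaddress attribute, or None if it is absent
    or carries a name format other than the URI one."""
    root = ET.fromstring(assertion_xml)
    for attr in root.iterfind(".//saml:Attribute", NS):
        if attr.get("Name") == EMAIL_CLAIM and attr.get("NameFormat") == URI_FORMAT:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text and value.text.strip():
                return value.text.strip()
    return None


def domain_allowed(email: str, allowed_domains: List[str]) -> bool:
    """True only when the email's domain exactly matches a configured domain
    (case-insensitive; subdomains of an allowed domain do not match)."""
    local, sep, domain = email.rpartition("@")
    if not sep or not local or not domain:
        return False
    return domain.lower() in {d.lower().lstrip("@") for d in allowed_domains}


def validate_assertion(assertion_xml: str, allowed_domains: List[str]) -> Tuple[bool, str]:
    """Apply both checks; the second element is the email or the failure reason."""
    email = extract_email_claim(assertion_xml)
    if email is None:
        return False, "missing or malformed email claim"
    if not domain_allowed(email, allowed_domains):
        return False, f"domain of {email} not in allowed list"
    return True, email


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, ["example.com"]))
```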
When finished, follow your identity provider's instructions on managing a user's access to the Didomi console application.