Use ºÚÁϺ£½Ç91Èë¿Ú SAML Single Sign On (SSO) to give your users convenient but secure access to all their web applications with a single set of credentials. When you connect a SAML SSO application to ºÚÁϺ£½Ç91Èë¿Ú, here are a few notes you need to take into consideration before and after you configure an SSO connector.
Pre Configuration
Customizing Display Options
- You can customize application display options. You can use the default service provider logo, use the Color Indicator, or upload a custom logo. Learn how to customize display options.
Using Certificates
- A public certificate and private key pair are required to successfully connect applications with ºÚÁϺ£½Ç91Èë¿Ú. After you activate an application, we automatically generate a public certificate and private key pair for you. You can use this pair or upload your own.
- Learn how to generate a public certificate and private key pair and manage them.
- ºÚÁϺ£½Ç91Èë¿Ú SAML SSO connectors support SHA-256 certificates by default. Although ºÚÁϺ£½Ç91Èë¿Ú supports SHA-1 certificates, if the service provider supports it, we recommend using SHA-256 for stronger security.
Exporting ºÚÁϺ£½Ç91Èë¿Ú Metadata
- When you configure SAML applications, you have two options to export ºÚÁϺ£½Ç91Èë¿Ú metadata and upload it to the service provider.
- Export a ºÚÁϺ£½Ç91Èë¿Ú metadata file.
- From Applications, select the option next to the application name, click export metadata in the top right corner, save the file, then upload the metadata file to the service provider.
- From the Application’s Details Panel, select the SSO tab, then click Export Metadata under ºÚÁϺ£½Ç91Èë¿Ú Metadata.
- Copy the Metadata URL.
- From the Application’s Details Panel, select the SSO tab, then click Copy Metadata URL. This will copy the URL to the clipboard.
- Export a ºÚÁϺ£½Ç91Èë¿Ú metadata file.
Configuring Attributes
- Though they aren’t required, you can add supplemental user, constant, and group attributes in the SAML 2.0 Connector and in pre-built connectors that may be used to support functionality like provisioning. Make sure the attributes are supported by the service provider.
Connecting Applications
- You can connect SAML applications to ºÚÁϺ£½Ç91Èë¿Ú by configuring one of our many pre-built SAML connectors or by configuring our SAML 2.0 connector.
- Learn how to configure ºÚÁϺ£½Ç91Èë¿Ú's SAML 2.0 custom connector or prebuilt connectors.
Post Configuration
Troubleshooting
- See SAML SSO Troubleshooting if a SAML SSO connector isn't working.
Authorizing Users
- Users are implicitly denied access to applications. After you connect an application to ºÚÁϺ£½Ç91Èë¿Ú, you must authorize user access to that application.
Provisioning Users
- You can use Just-In-Time provisioning with the SAML 2.0 Connector and some of our pre-built connectors. This reduces the steps in provisioning users to SAML applications.
Managing User Portal Session Duration
- You can configure the User Portal Session Duration for your organization. This affects how often users have to log in to their User Portal and applications.
Deleting or Deactivating a SAML SSO Application
- Deactivate a SAML SSO application and temporarily suspend user access to an application.
- Delete a SAML SSO application and permanently remove it from the User Portal and Admin Portal.
Using Conditional Access Policies with Applications
- Add an extra layer of security when users access applications. You can restrict or deny access based on conditions that you set. For example, after a user logs in to the User Portal, require Multi-factor Authentication when they access certain applications or deny access when they access an application from an unapproved network. Learn more in Get Started: Conditional Access Policies.