Support Centre

  1. Support Centre
  2. Administration & Setup
  3. Advanced Configuration

Single Sign-on(SSO): Technical details you want to know

Deborah Alampi
Modified on: Thu, 4 May, 2023 at 9:19 AM

In this article you will learn:

  • Which version of SAML is supported by Sherpany
  • How to set up SSO with Sherpany
  • Which security mechanisms of SAML are supported by Sherpany
  • SSO authentication methods supported by Sherpany
  • What Just-In-Time Provisioning is and how it works
  • What MyDomain is and why it is useful
  • Which SAML attributes are supported and which are required

Which version of SAML is supported by Sherpany?

Sherpany supports Security Assertion Markup Language (SAML 2.0) to offer Single-Sign-On to its customers. SAML is an open standard that allows identity providers (IdP - your IAM-System) to pass authorization credentials to service providers (SP - Sherpany).

More details of the SAML 2.0 can be found on the official website


How to set up SSO with Sherpany?

Are you considering setting up SSO for Sherpany at your organisation? Simply contact us to get started. Our team is happy to support you. 

In order to configure SAML login in Sherpany for your organization, the following steps will be taken:

  1. You provide Sherpany with:

    1. Email domains used in your organization: List of email domains which will be used in your organisation and are owned by your organisation so we can add them to the “allowed list”.

    2. MyDomain url you would like to use

  2. Sherpany creates the initial SAML configuration and shares the link to the SP configuration XML

  3. Based on the provided SP configuration XML, you can setup the IdP part and share it with Sherpany:
    → Your configuration (either as an XML file or a link to the configuration)
    → SAML attributes mappings

  4. Sherpany finishes the configuration and SAML is ready to be tested by you


Which security mechanisms of SAML are supported by Sherpany

By default Sherpany signs requests and wants the assertion to be signed but we also support message signing.

This can be configured however we recommend to keep at least the assertion or message signature mechanism.

Default hash function used for signing is SHA-256, but we additionally support SHA-1, SHA-384 and SHA-512.

If you have any security related questions contact us.


SSO authentication methods supported by Sherpany

Methods

IdP Initiated SSO: Post
In this scenario, a user is logged on to the IdP and attempts to access a resource on a remote SP server. The SAML assertion is transported to the SP via HTTP POST.

Tip

If a user attempts to access Protected Resources without being first authenticated at the IdP site, Sherpany will simply redirect the user (http code 302 - NOT truly SP-Initiated SSO) to the IdP’s external SSO page for authentication purposes

DataFlow
  1. User A clicks on Platform URL.
  2. User A lands at Sherpany’s site (Protected Page).
  3. Sherpany’s application redirects user A (http code 302 – NOT SP-Initiated SSO), back to IdP’s external SSO login page.

    Important

    Sherpany’s application appends RelayState parameter to the client’s redirect connection URL

  4. User A gets authenticated at IdP site.
  5. IdP’s SSO system constructs SAML assertion and sends user A to Sherpany’s ACS (Assertion Consumer Service), along with RelayState parameter appended to the assertion.
  6. Sherpany’s Federation system decrypts and validates assertion.
  7. Sherpany’s Federation system sends user A to Sherpany Platform URL based on RelayState.
  8. User A gets logged into Sherpany’s Platform.
SP Initiated SSO: Post / Post
In this scenario a user attempts to access a protected resource directly on an SP Web site without being logged on. The user does not have an account on the SP site, but does have a federated account managed by a third-party IdP. The SP sends an authentication request to the IdP. Both the request and the returned SAML assertion are sent through the user’s browser via HTTP POST. 


 What Just-In-Time Provisioning is and how it works?

With Just-in-Time provisioning, you can use a SAML assertion to create users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization, you don't need to manually create the user in Sherpany. When they log in with a single sign-on, their account is automatically created for them, eliminating the time and effort with onboarding the account.


Information  

Sherpany supports only one room per Identity Provider configuration

What MyDomain is and why is it useful

MyDomain is required for setting up a single sign-on with Sherpany.

Using MyDomain, Sherpany defines a subdomain for enterprise customers. The subdomain name appears in all org URLs and replaces the general domain app.sherpany.com. For example, you can brand your URL by naming the subdomain with your company name, https://mydomain.my.sherpany.com/ .

MyDomain link allows users to skip the login part where the user selects SSO provider and can be shared i.e via Intranet pages.

Which SAML attributes are supported and which are required


Required SAML attributes

  • NameId - A unique identifier that does not change over time. Used to identify a user. By default Sherpany is looking into generic NameId field (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). However, we can map it to any other field in the assertion. “f.e. employee number, ObjectID…”

  • Email - must be globally unique in Sherpany


Optional SAML attributes

  • First Name - user’s first name

  • Last Name - user’s last name

  • Phone number - user’s phone number


The user’s metadata in Sherpany can be updated either on the user’s first login or on all consequent logins.


Did you find it helpful? Yes No

Send feedback
Sorry we couldn't be helpful. Help us improve this article with your feedback.

Related Articles