In this article, you will learn:
- Which version of SAML is supported by Sherpany,
- How to set up SSO with Sherpany,
- Which security mechanisms of SAML are supported by Sherpany,
- SSO authentication methods supported by Sherpany,
- What Just-In-Time Provisioning is and how it works,
- What MyDomain is and why it is useful,
- Which SAML attributes are supported and which are required,
- How to set up SSO for Sherpany in Entra ID.
Which version of SAML is supported by Sherpany?
Sherpany supports Security Assertion Markup Language (SAML 2.0) to offer Single-Sign-On to its customers. SAML is an open standard that allows identity providers (IdP - your IAM-System) to pass authorization credentials to service providers (SP - Sherpany).
More details on SAML 2.0 can be found on the official OASIS website.
How to set up SSO with Sherpany?
Are you considering setting up SSO for Sherpany at your organisation? Simply contact us to get started. Our team is happy to support you.
In order to configure SAML login in Sherpany for your organisation, the following steps will be taken:
- You provide Sherpany with:
→ Email domains used in your organisation: the list of email domains that are owned and used by your organisation, so we can add them to the “allowed list”.
→ The MyDomain URL you would like to use.
- Sherpany creates the initial SAML configuration and shares the link to the SP configuration XML.
- Based on the provided SP configuration XML, you set up the IdP part and share it with Sherpany:
→ Your configuration (either as an XML file or a link to the configuration)
→ SAML attribute mappings
- Sherpany finishes the configuration and SAML is ready to be tested by you.
Which security mechanisms of SAML are supported by Sherpany
By default, Sherpany signs its requests and expects the assertion to be signed, but we also support message (response) signing.
This can be configured; however, we recommend keeping at least one of the two mechanisms, the assertion signature or the message signature.
The default hash function used for signing is SHA-256, but we additionally support SHA-1, SHA-384 and SHA-512.
If you have any security related questions contact us.
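The distinction between an assertion signature and a message (response) signature can be seen directly in the XML the IdP sends. The following Python script is an added example and not Sherpany code: it inspects a constructed, abbreviated SAML Response (the DigestValue and SignatureValue fields are placeholders, so it reports the signing configuration rather than cryptographically verifying it) and tells you which parts are signed, which signature and digest algorithms are declared, whether each signature's Reference points at the element that contains it, and whether a SHA-1 based algorithm is still in use. The namespace URIs and algorithm identifiers are the standard XML Signature ones; the “at least one of assertion or message signature” rule mirrors the recommendation above.

```python
"""Report which parts of a SAML 2.0 Response are signed and with which algorithms.

Added example, not Sherpany's code. SAMPLE_RESPONSE is a constructed document
with placeholder signature values; this script inspects structure only and
does not verify any signature.
"""
import xml.etree.ElementTree as ET

# Namespaces used in a SAML 2.0 Response and its XML Signatures
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# SHA-1 based XML Signature algorithm identifiers (supported for compatibility, legacy)
WEAK_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#sha1",
}

# Constructed sample: message signature with SHA-256, assertion signature with SHA-1.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0">
  <saml:Issuer>https://idp.example.test/</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_resp1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml:Assertion ID="_assert1" Version="2.0">
    <saml:Issuer>https://idp.example.test/</saml:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#_assert1">
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
    </ds:Signature>
    <saml:Subject><saml:NameID>user-1</saml:NameID></saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def describe_signature(sig, signed_element):
    """Summarise one ds:Signature: algorithms used and whether its Reference
    points at the element that actually contains it (checked via the ID attribute)."""
    sig_method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
    reference = sig.find("ds:SignedInfo/ds:Reference", NS)
    digest = sig.find("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    ref_uri = reference.get("URI") if reference is not None else None
    return {
        "signature_alg": sig_method.get("Algorithm") if sig_method is not None else None,
        "digest_alg": digest.get("Algorithm") if digest is not None else None,
        "reference": ref_uri,
        "reference_matches": ref_uri == "#" + (signed_element.get("ID") or ""),
    }


def inspect_signing(xml_text):
    """Report which parts of the Response are signed and flag legacy algorithms."""
    root = ET.fromstring(xml_text)
    report = {"response_signed": False, "assertion_signed": False,
              "signatures": {}, "weak_algorithms": []}
    # A ds:Signature that is a direct child of samlp:Response is the message signature
    msg_sig = root.find("ds:Signature", NS)
    if msg_sig is not None:
        report["response_signed"] = True
        report["signatures"]["Response"] = describe_signature(msg_sig, root)
    # Each saml:Assertion may carry its own enveloped signature
    for assertion in root.findall("saml:Assertion", NS):
        sig = assertion.find("ds:Signature", NS)
        if sig is not None:
            report["assertion_signed"] = True
            report["signatures"]["Assertion"] = describe_signature(sig, assertion)
    for where, info in report["signatures"].items():
        for alg in (info["signature_alg"], info["digest_alg"]):
            if alg in WEAK_ALGORITHMS:
                report["weak_algorithms"].append((where, alg))
    # Recommendation from the text: keep at least the assertion or the message signature
    report["acceptable"] = report["response_signed"] or report["assertion_signed"]
    return report


if __name__ == "__main__":
    for key, value in inspect_signing(SAMPLE_RESPONSE).items():
        print(f"{key}: {value}")
```

Running the script against the sample reports both signatures, confirms each Reference URI matches its element's ID, and lists the assertion's rsa-sha1 and sha1 identifiers under weak_algorithms; a response without any ds:Signature is reported as not acceptable.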
SSO authentication methods supported by Sherpany
Methods
Tip: If a user attempts to access protected resources without first being authenticated at the IdP, Sherpany simply redirects the user (HTTP code 302, NOT truly SP-initiated SSO) to the IdP’s external SSO page for authentication:
- User A clicks on Platform URL.
- User A lands at Sherpany’s site (Protected Page).
- Sherpany’s application redirects user A (HTTP code 302, NOT SP-initiated SSO) back to the IdP’s external SSO login page.
Important: Sherpany’s application appends a RelayState parameter to the client’s redirect URL.
- User A gets authenticated at the IdP site.
- The IdP’s SSO system constructs a SAML assertion and sends user A to Sherpany’s ACS (Assertion Consumer Service), along with the RelayState parameter appended to the assertion.
- Sherpany’s federation system decrypts and validates the assertion.
- Sherpany’s federation system sends user A to the Sherpany Platform URL based on the RelayState.
- User A is logged into Sherpany’s Platform.
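The two places where RelayState appears in the flow above (appended on the way out to the IdP, consumed at the ACS on the way back) are modelled in the following Python example. This is an added illustration, not Sherpany's implementation: the IdP URL and MyDomain base URL are constructed, the SAMLRequest that a real SP-initiated flow would also carry is omitted, and the policy of only honouring a plain absolute path on the platform's own host (anything with a scheme, a host, a protocol-relative `//host` or a backslash variant falls back to the default page) is this example's own choice, since RelayState comes back from the browser and must not be trusted as a redirect target.

```python
"""Redirect-to-IdP and return-via-RelayState, as in the login walk-through.

Added example, not Sherpany's code. URLs are constructed; the validation rule in
resolve_relay_state is this example's policy.
"""
from urllib.parse import urlencode, urlsplit

# Constructed values for the walk-through; a real deployment uses its own MyDomain
IDP_SSO_URL = "https://idp.example.test/saml2/sso"
PLATFORM_BASE_URL = "https://mydomain.my.sherpany.com"


def build_idp_redirect(requested_path, idp_sso_url=IDP_SSO_URL):
    """Location header for the 302 that sends an unauthenticated browser to the IdP.
    The page the user originally asked for travels along as RelayState.
    (A real SP-initiated flow would also carry a SAMLRequest; omitted here.)"""
    return f"{idp_sso_url}?{urlencode({'RelayState': requested_path})}"


def resolve_relay_state(relay_state, platform_base_url=PLATFORM_BASE_URL, default_path="/"):
    """Map the RelayState echoed back to the ACS onto a landing URL on our own host.

    Only a plain absolute path is honoured. A scheme, a host, a protocol-relative
    '//host' or a '/\\host' variant all fall back to the default page.
    """
    if not relay_state:
        return platform_base_url + default_path
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:
        return platform_base_url + default_path
    if not relay_state.startswith("/") or relay_state[1:2] in ("/", "\\"):
        return platform_base_url + default_path
    return platform_base_url + relay_state


def walk_through(requested_path):
    """Return the sequence of hops from the text for one login attempt."""
    redirect = build_idp_redirect(requested_path)
    # ... the user authenticates at the IdP, which POSTs SAMLResponse + RelayState to the ACS.
    # Assertion validation (signature, audience, conditions) happens before RelayState is used.
    acs_form = {"SAMLResponse": "<validated elsewhere>", "RelayState": requested_path}
    landing = resolve_relay_state(acs_form["RelayState"])
    return [
        f"302 -> {redirect}",
        f"IdP POSTs assertion to ACS with RelayState={acs_form['RelayState']}",
        f"after validation, 302 -> {landing}",
    ]


if __name__ == "__main__":
    for hop in walk_through("/rooms/42"):
        print(hop)
```

The order matters: the assertion is validated first, and only then is RelayState used to pick the landing page, which is why the example keeps the two steps in separate functions.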
What is Just-In-Time Provisioning and how does it work?
With Just-in-Time provisioning, a SAML assertion is used to create users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organisation, you don't need to manually create the user in Sherpany. When they log in with single sign-on, their account is automatically created for them, eliminating the time and effort of onboarding the account.
Information: Sherpany supports only one room per Identity Provider configuration.
What is MyDomain and why is it useful?
MyDomain is required for setting up single sign-on with Sherpany.
Using MyDomain, Sherpany defines a subdomain for enterprise customers. The subdomain name appears in all of your organisation's URLs and replaces the general domain app.sherpany.com. For example, you can brand your URL by naming the subdomain after your company, e.g. https://mydomain.my.sherpany.com/.
The MyDomain link lets users skip the login step where the SSO provider is selected, and it can be shared, e.g. via intranet pages.
Which SAML attributes are supported and which are required
Required SAML attributes
NameID - A unique identifier that does not change over time, used to identify a user. By default Sherpany looks at the generic NameID field (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). However, we can map it to any other field in the assertion (e.g. employee number, ObjectID).
Email - must be globally unique in Sherpany.
Optional SAML attributes
First Name - user’s first name
Last Name - user’s last name
The user’s metadata in Sherpany can be updated either on the user’s first login only or on every subsequent login as well.
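How the required and optional attributes above drive Just-in-Time provisioning, and what the “first login only” versus “every login” update choice changes, is shown in the following Python example. It is an added illustration, not Sherpany's implementation: the attribute keys (NameID, email, first_name, last_name), the in-memory user store keyed by NameID, the email normalisation, and the `update_on_every_login` switch are this example's own assumptions, modelled on the attribute list and the two update modes described above.

```python
"""Just-in-Time provisioning from mapped SAML attributes.

Added example, not Sherpany's code. Attribute keys, the in-memory user store and
the update_on_every_login switch are this example's assumptions.
"""


class ProvisioningError(ValueError):
    """Raised when the assertion cannot be mapped onto a user."""


def provision_user(attrs, users, update_on_every_login=False):
    """Create the user on first login; on later logins optionally refresh their data.

    attrs: attribute values already mapped from the assertion. "NameID" and
           "email" are required; "first_name" and "last_name" are optional.
    users: the SP's user store, keyed by the stable NameID (a plain dict here).
    Returns (user record, outcome) with outcome in {"created", "updated", "unchanged"}.
    """
    name_id = attrs.get("NameID")
    email = (attrs.get("email") or "").strip().lower()
    if not name_id or not email:
        raise ProvisioningError("assertion must carry both NameID and email")

    # Email must be globally unique: a different NameID may not already own it
    owner = next((nid for nid, u in users.items() if u["email"] == email), None)
    if owner is not None and owner != name_id:
        raise ProvisioningError(f"email {email} already belongs to another user")

    # Only optional attributes actually present in the assertion are considered
    optional = {k: attrs[k] for k in ("first_name", "last_name") if k in attrs}

    if name_id not in users:
        # First login: create the account on the fly
        users[name_id] = {"email": email, "first_name": "", "last_name": "", **optional}
        return users[name_id], "created"

    user = users[name_id]
    if not update_on_every_login:
        # "First login only" mode: later assertions do not touch stored metadata
        return user, "unchanged"

    # "Every login" mode: refresh whatever the IdP now asserts
    changed = False
    for key, value in {"email": email, **optional}.items():
        if user.get(key) != value:
            user[key] = value
            changed = True
    return user, "updated" if changed else "unchanged"


def demo():
    """First login, a later login with a changed name in both modes, then a duplicate email."""
    users = {}
    # Constructed attribute sets; the NameID stands in for an Entra ID Object ID
    jane = {"NameID": "objectid-1111", "email": "Jane.Doe@example.test",
            "first_name": "Jane", "last_name": "Doe"}
    _, first = provision_user(jane, users)
    jane_renamed = {**jane, "last_name": "Smith"}
    _, second = provision_user(jane_renamed, users)
    _, third = provision_user(jane_renamed, users, update_on_every_login=True)
    try:
        provision_user({"NameID": "objectid-2222", "email": "jane.doe@example.test"}, users)
        duplicate = "accepted"
    except ProvisioningError:
        duplicate = "rejected"
    return [first, second, third, duplicate], users


if __name__ == "__main__":
    outcomes, store = demo()
    print(outcomes)
    print(store)
```

Keying the store on NameID rather than on email is what lets a user keep their account when their email address changes, which is the reason the NameID value must itself never change.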
How to set up SSO for Sherpany in Entra ID
- Create Enterprise application
→ Enterprise applications > create “Sherpany” as an application (Non-gallery).
- Upload Metadata file
→ Go to Single sign-on in the newly created Sherpany application.
→ Upload the metadata file that has been provided to you by Sherpany.
→ For “Sign on URL”, you can add the SSO URL (https://[COMPANY].my.sherpany.com). This allows users to simply refresh their browser to re-authenticate.
- Adjust the mapping
→ Make sure that the mapping of the attributes is correct.
→ IMPORTANT: Use the Object ID as the value for the Name ID. The Object ID is a value created by Entra ID automatically. It is used as the ID for the SSO interface, therefore this value must not change.
- Check Certificate Settings
→ Go to section 3 “SAML Signing Certificate” and click on “Edit”.
→ Make sure “Sign SAML response and assertion” is set under “Signing option”. Sherpany requires that the response is signed, and this setting enables it.
- Send the configuration to Sherpany
→ Copy the link to the metadata and download the metadata file from Entra ID.
→ Send this information to Sherpany.