In this article you will learn:
- Which version of SAML is supported by Sherpany
- How to set up SSO with Sherpany
- Which security mechanisms of SAML are supported by Sherpany
- SSO authentication methods supported by Sherpany
- What Just-In-Time Provisioning is and how it works
- What MyDomain is and why it is useful
- Which SAML attributes are supported and which are required
Which version of SAML is supported by Sherpany?
Sherpany supports Security Assertion Markup Language (SAML 2.0) to offer Single Sign-On to its customers. SAML is an open standard that allows identity providers (IdP, i.e. your IAM system) to pass authentication and authorization data (assertions) to service providers (SP, in this case Sherpany).
More details on SAML 2.0 can be found on the official OASIS website.
How to set up SSO with Sherpany?
Are you considering setting up SSO for Sherpany at your organisation? Simply contact us to get started. Our team is happy to support you.
In order to configure SAML login in Sherpany for your organisation, the following steps are taken:
- You provide Sherpany with:
  → Email domains used in your organisation: a list of the email domains that are used and owned by your organisation, so that we can add them to the allowed list.
  → The MyDomain URL you would like to use
- Sherpany creates the initial SAML configuration and shares the link to the SP configuration XML (the SP metadata).
- Based on the provided SP configuration XML, you set up the IdP side and share it with Sherpany:
  → Your IdP configuration (either as an XML file or a link to the configuration)
  → SAML attribute mappings
- Sherpany finishes the configuration and SAML is ready to be tested by you.
Which security mechanisms of SAML are supported by Sherpany
By default Sherpany signs its authentication requests and requires the SAML assertion to be signed; signing of the whole SAML response message is supported as well.
This can be configured, but we recommend keeping at least one of the two signature mechanisms (assertion signature or message signature) enabled.
The default hash function used for signing is SHA-256; SHA-1, SHA-384 and SHA-512 are additionally supported.
If you have any security related questions contact us.
SSO authentication methods supported by Sherpany
What MyDomain is and why it is useful
MyDomain is required for setting up single sign-on with Sherpany.
Using MyDomain, Sherpany defines a subdomain for enterprise customers. The subdomain name appears in all org URLs and replaces the general domain app.sherpany.com. For example, you can brand your URL by naming the subdomain after your company, e.g. https://mydomain.my.sherpany.com/.
The MyDomain link lets users skip the login step in which the SSO provider is selected, and it can be shared, e.g. via intranet pages.
Which SAML attributes are supported and which are required
Required SAML attributes
- NameId - A unique identifier that does not change over time, used to identify a user. By default Sherpany looks at the generic NameId field (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified). However, we can map it to any other field in the assertion (e.g. employee number, ObjectID, ...).
- Email - must be globally unique in Sherpany
Optional SAML attributes
- First Name - user's first name
- Last Name - user's last name
- Phone number - user's phone number
The user's metadata in Sherpany can be updated either on the user's first login only or on all subsequent logins as well.
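As an added example (not Sherpany's code), the following pre-flight check parses an IdP-issued SAML assertion and verifies the points this article lists for the signing mechanisms and the attribute mapping: a non-empty NameID in the unspecified format, the required email attribute, and a signature on the assertion itself using one of the supported SHA digests. The attribute name "email", the sample assertion and its placeholder signature value are constructed assumptions; the cryptographic signature is not verified here, only its presence and algorithm.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion", "ds": "http://www.w3.org/2000/09/xmldsig#"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Signature algorithms the article lists; SHA-256 is the default, the others are also accepted.
SUPPORTED_SIG_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "SHA-256",
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "SHA-1",  # weakest option; prefer SHA-256
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "SHA-384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "SHA-512",
}
REQUIRED_ATTRS = ("email",)  # attribute name is an assumption; the real mapping is agreed with Sherpany

# Constructed sample assertion (not a real IdP response); the SignatureValue is a placeholder.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_example1" Version="2.0">
  <ds:Signature><ds:SignedInfo><ds:SignatureMethod
    Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/></ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
    >emp-4711</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>"""

def check_assertion(xml_text: str) -> dict:
    # Accept either a bare Assertion or a Response wrapping one; 'problems' is empty on success.
    root = ET.fromstring(xml_text)
    assertion = root if root.tag.endswith("}Assertion") else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")
    problems = []
    # NameID: unique, stable identifier; Sherpany reads the 'unspecified' format by default.
    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
        problems.append(f"NameID format {name_id.get('Format')} needs an explicit mapping")
    attrs = {a.get("Name"): [v.text for v in a.findall("saml:AttributeValue", NS)]
             for a in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS)}
    for name in REQUIRED_ATTRS:
        if not attrs.get(name) or not attrs[name][0]:
            problems.append(f"required attribute {name!r} missing")
    # The assertion itself must carry a ds:Signature with a supported digest (no crypto check here).
    method = assertion.find("./ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    algo = method.get("Algorithm") if method is not None else None
    if assertion.find("./ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    elif algo not in SUPPORTED_SIG_ALGS:
        problems.append(f"unsupported signature algorithm {algo}")
    return {"nameid": getattr(name_id, "text", None), "attributes": attrs,
            "hash": SUPPORTED_SIG_ALGS.get(algo), "problems": problems}
```

Running the check against a test assertion exported from your IdP before the first SSO test makes attribute-mapping and signature-configuration mistakes visible without a login round-trip.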