Configuring SSO with SAML

Last updated 29/02/2024

Working with SAML

If you have not added an Authentication record before, refer to the introduction on Authentications for an explanation of the fields on the Authentications form.

With an authentication type of SAML, the following fields will be shown:
  • Entity ID
  • Identity Scope ID
  • Identity Scope Name
  • Identity Scope Email
  • Metadata URL
  • Private Key Pass Phrase
  • Private Key
  • Certificate

The Entity ID value is the entity identifier that has been registered with your provider.

Example
  • spn:71ba88b9-c6eb-4cb8-94d8-4a80299a0549

The Identity Scope ID value is the name of the attribute that carries the user's ID. Refer to your provider for more information.

Examples
  • objectidentifier
  • http://schemas.microsoft.com/identity/claims/objectidentifier

The Identity Scope Name value is the name of the attribute that carries the user's name. Refer to your provider for more information.

Examples
  • displayName
  • http://schemas.microsoft.com/identity/claims/displayName

The Identity Scope Email value is the name of the attribute that carries the user's email address. Refer to your provider for more information.

Examples
  • email
  • http://schemas.microsoft.com/identity/claims/emailaddress
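The lookup these three fields drive, as an added Go example that is not part of the Five documentation: the configured attribute names are matched exactly against the Name attributes in the assertion's AttributeStatement, so the short form and the full claim URI are different attributes, and a Name or Email attribute the provider did not return leaves that field empty instead of failing the login. The assertion is a constructed sample; the object identifier and display name in it are placeholders.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// Constructed sample: the AttributeStatement of a SAML 2.0 assertion as a Microsoft identity
// provider might return it, with an object identifier and display name but no email attribute.
var SampleAssertion = []byte(`<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier"><saml:AttributeValue>00000000-0000-4000-8000-000000000001</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayName"><saml:AttributeValue>Example User</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>`)

// IdentityScope holds the attribute names entered on the form; User is what the application learns.
type IdentityScope struct{ ID, Name, Email string }
type User struct{ ID, Name, Email string }

// assertion models only what is needed to read attributes by Name (namespace prefixes are ignored).
type assertion struct {
	XMLName    xml.Name `xml:"Assertion"`
	Attributes []struct {
		Name   string   `xml:"Name,attr"`
		Values []string `xml:"AttributeValue"`
	} `xml:"AttributeStatement>Attribute"`
}

// MapUser resolves the configured attribute names against the assertion. The ID attribute must be
// present and non-empty; Name and Email are optional and stay empty when the provider omits them.
func MapUser(raw []byte, scope IdentityScope) (User, error) {
	var a assertion
	if err := xml.Unmarshal(raw, &a); err != nil {
		return User{}, err
	}
	first := make(map[string]string, len(a.Attributes)) // first value of each attribute, by Name
	for _, attr := range a.Attributes {
		if len(attr.Values) > 0 {
			first[attr.Name] = attr.Values[0]
		}
	}
	id := first[scope.ID]
	if id == "" {
		return User{}, fmt.Errorf("assertion has no %q attribute: check the Identity Scope ID value with your provider", scope.ID)
	}
	return User{ID: id, Name: first[scope.Name], Email: first[scope.Email]}, nil
}
```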

The Metadata URL value is the provider's endpoint for the Federation Metadata document.

Example
  • https://login.microsoftonline.com/c1cdf3d1-5e78-4a7b-94a0-924f9b9a7800/federationmetadata/2007-06/federationmetadata.xml

The Private Key Pass Phrase value is the password used to encrypt an automatically generated Private Key; a Certificate is generated from that key as well. If this field is left blank, the Private Key and Certificate values must be provided manually.

Example
  • TestPassPhrase

The Private Key is the value used during the SAML authentication process. It should be a PEM encoded RSA Private Key.


The Certificate is generated from the associated Private Key and is used during the SAML authentication process. The value should be a PEM encoded CERTIFICATE.


Add an Authentication Using SAML

1. Click the Add Item button.


Figure 1 - Add Item button

2. Type a name in the Name field.

3. Optional: Click the lookup icon in the Icon field, navigate your files and open an image file.

info
An icon makes it easy to see that the user is logged in through an identity provider such as Microsoft or Google.

Figure 2 - Add an authentication

4. Click the lookup icon in the Authentication Type field and select SAML.

5. Type your Entity identification in the Entity ID field.

6. Type the field name for the ID that will be returned about the user in the Identity Scope ID field.

7. Optional: Type the field name for the name that will be returned about the user in the Identity Scope Name field.

8. Optional: Type the field name for the email that will be returned about the user in the Identity Scope Email field.

info
The Identity Scope Name and Identity Scope Email fields depend on the scope of data requested from your provider through the Identity Scope endpoint; if the provider does not return the attribute, the field stays empty.

9. Type the provider's endpoint for the Federation Metadata document in the Metadata URL field.

10. Optional: Type a password to encrypt the Private Key that will be generated by Five for SAML use.

info
If provided, Five will generate a Private Key and Certificate automatically to be used in the SAML authentication process.

Figure 3 - Add the SAML values

info
If you do not provide a value in the Private Key Pass Phrase field, you will need to generate a Private Key and Certificate in the PEM format and paste the values in the corresponding fields, as shown in the image below.


Figure 4 - Private Key and Certificate values
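As an added example that is not part of the Five documentation, the Go program below produces the two values this note asks for: an RSA private key encrypted under a pass phrase in the legacy OpenSSL PEM format (the BEGIN RSA PRIVATE KEY form with Proc-Type and DEK-Info headers) and a self-signed certificate for it, and then checks that the pass phrase decrypts the key and that the certificate really belongs to it. The common name, pass phrase and validity period are assumed inputs; the check also works on a key and certificate produced elsewhere, for instance with openssl.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// GenerateKeyAndCert returns a 2048-bit RSA key encrypted under passPhrase in the legacy OpenSSL
// PEM form (RSA PRIVATE KEY with Proc-Type/DEK-Info headers) and a self-signed certificate for it.
func GenerateKeyAndCert(commonName, passPhrase string, validFor time.Duration) ([]byte, []byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(passPhrase), x509.PEMCipherAES128)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: commonName},
		NotBefore: time.Now(), NotAfter: time.Now().Add(validFor),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, // IsCA stays false
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed
	if err != nil {
		return nil, nil, err
	}
	return pem.EncodeToMemory(block), pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

// CertMatchesKey decrypts the key with passPhrase, then tls.X509KeyPair confirms the certificate
// carries that key's public key, so a wrong pass phrase or a mismatched pair fails here.
func CertMatchesKey(keyPEM, certPEM []byte, passPhrase string) error {
	kb, _ := pem.Decode(keyPEM)
	if kb == nil || !x509.IsEncryptedPEMBlock(kb) {
		return errors.New("private key is not an encrypted PEM block")
	}
	der, err := x509.DecryptPEMBlock(kb, []byte(passPhrase)) // a wrong pass phrase fails here
	if err != nil {
		return err
	}
	_, err = tls.X509KeyPair(certPEM, pem.EncodeToMemory(&pem.Block{Type: kb.Type, Bytes: der}))
	return err
}
```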

11. Optional: Click the Allow User Creation switch.

info
If Allow User Creation is switched off, the user must already exist in your application before the provider can verify them. If it is switched on, the provider can verify the user and, if the user does not already exist in your application, they will be created automatically.


12. Click the lookup icon in the Role field and select the role you want the users to be created with.

Tips
  • You will need to have the Application View switch turned on in the Roles form for the role to be available in the Role field!
  • The Role field is only available when the Allow User Creation switch is on. If the switch is off the user will need to be created manually in your application.

Figure 5 - Allow user creation

13. Click the Save button in the form app bar.


Figure 6 - Save button

info
To learn how to use the authentication with SSO, refer to How to Use an Authentication.