Enabling SSO for any account involves configuring a number of variables. A fundamental point to consider is the Identity Provider being used.
An identity provider is a service that manages identity information and authentication services for your users, e.g. a SAML Identity Provider. It is from your Identity Provider that you will get the details required to configure SSO.
Once you decide to integrate Siteimprove with SSO you’ll need to step through the configuration as outlined below.
Note: You need to be a Siteimprove Administrator, Account Owner, or custom role with similar permissions, to configure SSO within the Siteimprove platform.
Setting up SSO for your Siteimprove solution
The following text explains how to set up Single Sign-On (SSO) using the SAML 2.0 protocol.
This article explains the same procedure you will find when logged into our system on the Siteimprove SSO configuration page (Requires login).
Setting up SSO consists of the following steps:
- Add Siteimprove to your SSO identity provider using the details on the SSO configuration page.
- Fill out your identity provider details on our configuration page and validate that it works.
- Change the login method of users from local account to SSO.
Step 1 - Add Siteimprove to your SSO identity provider using the details on the SSO configuration page.
Note: If you do not have access to your SSO provider, you may need to give your IT department access to Siteimprove to do this for you. We highly recommend that you create a specific IT user with a custom role for the following configuration steps. See this article on "How to create an IT user".
Service provider details
The Service Provider (SP) details from Siteimprove are needed within your Identity Provider (IDP). Your IDP should specify where these URLs should be placed within its setup. It is possible that your IDP uses different terms.

| Field | Value |
|---|---|
| Assertion Consumer URL | https://sso2.siteimprove.com/saml2/acs |

To make sure you place the URLs in the right fields, here are explanations of the fields used.
- Metadata URL: This URL links to Siteimprove's Service Provider metadata that can be passed to your Identity Provider.
- Entity ID (Audience URI): The application-defined unique identifier that is the intended audience of the SAML assertion.
- Assertion Consumer URL (Single sign-on URL): The location where the SAML assertion is sent with an HTTP POST.
Note: The Metadata URL might not be necessary for your setup.
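To see how these fields show up in practice, the following added example (not Siteimprove's own code) checks a decoded SAML response from a test login against the service provider details: `Destination` and `Recipient` should equal the Assertion Consumer URL, and `Audience` should equal the Entity ID. The `ENTITY_ID` value is a placeholder to be replaced with the one shown on your SSO configuration page, the sample response is constructed, and the check does not verify signatures.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Assertion Consumer URL as listed in the service provider details above.
ACS_URL = "https://sso2.siteimprove.com/saml2/acs"
# Placeholder (assumption): copy the real Entity ID from your SSO configuration page.
ENTITY_ID = "ENTITY-ID-FROM-SSO-CONFIGURATION-PAGE"

# Constructed sample response (unsigned, trimmed to the fields checked here).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://sso2.siteimprove.com/saml2/acs">
  <saml:Assertion>
    <saml:Subject>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sso2.siteimprove.com/saml2/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://idp.example.test/wrong-audience</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def check_sp_fields(response_xml, acs_url=ACS_URL, entity_id=ENTITY_ID):
    """Return a list of mismatches between the response and the SP details."""
    root = ET.fromstring(response_xml)
    problems = []
    # Destination is optional in SAML 2.0; if present it must be the ACS URL.
    if root.get("Destination", acs_url) != acs_url:
        problems.append(f"Destination is {root.get('Destination')!r}, expected ACS URL")
    recipients = [e.get("Recipient") for e in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if not recipients or any(r != acs_url for r in recipients):
        problems.append(f"Recipient is {recipients!r}, expected ACS URL")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//saml:Audience", NS)]
    if entity_id not in audiences:
        problems.append(f"Audience is {audiences!r}, expected Entity ID")
    return problems

if __name__ == "__main__":
    for problem in check_sp_fields(SAMPLE_RESPONSE):
        print("MISMATCH:", problem)
```

The comparison is an exact string match, so a trailing slash or a different scheme in the value entered at the IDP is reported as a mismatch.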
SSO attribute mappings
This step can be done in two ways.
- You can use your default mappings set by the IDP. Siteimprove supports the following attribute mappings. If your attribute mappings differ, please read the second option.
- You can also set up custom mappings. This means that both the IDP mappings and the values you input into the Siteimprove SSO configuration must be identical. Note: Custom mappings take precedence over default mappings, meaning that you need to use either default mappings or custom mappings; a mix of both will not work.
Step 2 - Fill out your identity provider details on our configuration page and validate that it works
Navigate to the SSO service
Go to the Siteimprove SSO configuration page or follow these steps.
- Locate “Settings” in the left-hand menu
- Click on “Authentication and Security”
- Click on “Single sign-on”
- Locate the 'edit SSO configuration' button and click on it to proceed.
SAML 2.0 configuration page
Clicking 'edit SSO configuration' will display the SAML 2.0 configuration page. This is the main page for any type of SSO setup or update.
SSO configuration fields
Here Siteimprove’s SSO requires information from your IDP.
This can either be done by copying a Metadata URL from your IDP (using the Metadata URL option) or by filling out all the fields manually as seen below (using the Manual setup option).
Note: Using the Metadata URL option also sets up an automatic refresh of your certificate, which makes it easier to maintain your SSO settings.
After filling in the correct information on both the SP side and the IDP side, you can click the “Save and Validate configuration” button. This should either pass and enable SSO for your account, or give an error that refers to a missing piece of information. If an error occurs, redo the steps, especially if you have used the manual setup, custom attribute mapping, or both.
Step 3 - Change the login method of users from local account to SSO.
When your SSO configuration is valid and SSO is enabled for your account, you can change your users' login method from 'local account' to SSO. We recommend that you "Test the SSO login with a small group of users" first. When these users can log in correctly, you can roll out the SSO login procedure for all necessary users. If you need any help setting up test users, please follow this short tutorial: setting up test users for SSO.
For further information see the SSO V2 FAQ.
If you have any questions, do not hesitate to contact Technical Support.