Single Sign-On Integration with SAML Guide

SAML Integration for Okta AD

SAML Integration for Microsoft Entra ID (Azure AD)

Introduction to SAML 2.0

What is SAML 2.0?

Security Assertion Markup Language (SAML) 2.0 is an open standard for authentication and authorization between an Identity Provider (IdP) and a Service Provider (SP). It enables Single Sign-On (SSO) by allowing users to authenticate with their IdP and gain access to various services (like Timus) without needing separate credentials for each.

How SAML 2.0 Works

1. User Requests Access: A user attempts to access a service (e.g., Timus).
2. Service Provider Redirects to IdP: The service provider redirects the user to the IdP for authentication.
3. User Authenticates: The user logs in using their IdP credentials.
4. IdP Sends Assertion: Upon successful authentication, the IdP sends a SAML assertion back to the service provider, containing user attributes and authentication information.
5. Access Granted: The service provider processes the SAML assertion and, if it is valid, grants the user access.

Common Configuration Elements

When configuring SAML for Timus, you'll typically encounter the following key parameters:

Service URL: This is the IdP login URL that the user enters. When a user attempts to sign in, they are redirected to this URL for authentication.

Identifier: The Issuer value provided by the IdP. It ensures that the SAML response is intended for your service.

X.509 Certificate: Used to verify the authenticity of SAML assertions. This certificate is provided by the IdP and needs to be configured in Timus.

Audience ID: This value must be identical to the Issuer provided by the IdP. If the Audience ID doesn't match the Issuer, the authentication request will fail because Microsoft expects these values to align for proper validation.

Timus Single Sign-On URL: This URL is used by the IdP to send authentication responses back to Timus. Enter https://auth.timuscloud.com/user/external/saml for prod, or https://auth-beta-us-01.timuscloud.com/user/external/saml for beta.

Mapping User Attributes

User attributes such as firstname, lastname, and nameID (email) are critical in SAML configurations. These attributes are mapped between the IdP and Timus to ensure that the correct user information is transmitted during authentication. This is usually done in the "Attributes & Claims" section of the IdP configuration.
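To make the configuration elements and attribute mapping above concrete, here is an added example (not Timus code) of the checks a service provider applies to an assertion once its signature has been verified with the IdP's X.509 certificate: Issuer against the Identifier, Audience against the Audience ID, Recipient against the Timus Single Sign-On URL, expiry, and extraction of firstname, lastname and nameID. The IdP URLs, user values and the assertion itself are constructed sample data.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# What an admin enters on the Timus side (constructed sample values).
SP_CONFIG = {
    "identifier": "https://idp.example.test/issuer",  # Issuer value from the IdP
    "audience": "https://idp.example.test/issuer",    # must equal the Issuer per this guide
    "sso_url": "https://auth.timuscloud.com/user/external/saml",
}

# Constructed sample assertion (XML signature element omitted for brevity).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test/issuer</saml:Issuer>
  <saml:Subject>
    <saml:NameID>alice@example.test</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData
      Recipient="https://auth.timuscloud.com/user/external/saml"
      NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://idp.example.test/issuer</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def check_assertion(xml_text, config, now=None):
    """SP-side checks fed by the configuration elements. Returns (ok, reason, attrs).
    Signature verification against the IdP certificate must happen before this call."""
    now = now or datetime.now(timezone.utc)
    a = ET.fromstring(xml_text)
    if a.findtext("saml:Issuer", namespaces=NS) != config["identifier"]:
        return False, "issuer mismatch", {}
    if config["audience"] not in [x.text for x in a.findall(".//saml:Audience", NS)]:
        return False, "audience mismatch", {}
    scd = a.find(".//saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != config["sso_url"]:
        return False, "recipient mismatch", {}  # response was not meant for this SSO URL
    if datetime.fromisoformat(scd.get("NotOnOrAfter").replace("Z", "+00:00")) <= now:
        return False, "assertion expired", {}
    # Attribute mapping: the names here must match the IdP's "Attributes & Claims".
    attrs = {"nameID": a.findtext("saml:Subject/saml:NameID", namespaces=NS)}
    for attr in a.findall(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return True, "ok", attrs
```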

Encryption (Optional)

For enhanced security, SAML assertions can be encrypted, which requires the exchange of encryption keys between Timus and the Identity Provider (IdP). Specifically, you will need to input a private key into Timus, while providing the corresponding public key to the IdP. This setup ensures that sensitive information within the SAML assertion is securely encrypted during transmission, safeguarding it against unauthorized access.

Testing and Verification

After completing the configuration steps, it's important to remind users that their first login must be initiated through the application in your Identity Provider (IdP). This initial login via the application is necessary to create the user account within Timus. Once the user is created, they will be able to sign into Timus. Direct sign-in to Timus without first accessing it through the IdP application will not work, as the user account needs to be established through the SAML integration process.

Support and Troubleshooting

Error Handling: If users face issues during sign-in, verify the SAML response from the IdP, ensuring that all fields are correctly mapped and the certificate is valid.

Notes: SAML integration credentials (Identifier and Service URL) can only be used in one SDN. Therefore, the same SAML integration should not be configured in multiple SDNs. If this occurs, an error message should be displayed in the interface to inform the admin.
