Generic SSO Parameters

1 Minute to read

Article Summary

Share feedback

Thanks for sharing your feedback!

About this document

This document describes the generic SAFE SSO implementation and parameters that customers can use to configure their SSO integrations. This document supplements SAFEs documented SSO integrations as well as providing information allowing any SAML 2.0 based SSO integration to be configured.

Introduction

Single Sign-On (SSO) enables organizations to use the SAML 2.0 authentication provider for authenticating login into SAFE. SAFE Admin can onboard and manage users right from any SAML 2.0 enabled SSO platform, eliminating the need to maintain a separate user authentication mechanism for SAFE.

Generic SSO Process

Configuring SSO for the SAFE platform will follow the following generic steps

Configure your identity provider using either the SSO parameters in this document, or by following one of SAFEs published SSO guides.
Submit your XML metadata file and SSO-applicable email domain to the SAFE Service Desk
On receipt your XML metadata file and SSO-applicable email domain SAFE will configure your SSO details and respond to confirm that configuration has been completed for SAFE
Test that SSO works correctly.

SAFE Specific SSO Parameters

In order to configure SAFE SSO you will need the following SSO Parameters:

Entity ID and ACS URL / Reply URL

The Entity ID and Reply URL will vary based on the URL that you use to access the SAFE One platform

For us.safeone.ai:
- Entity ID: urn:amazon:cognito:sp:us-east-1_mSGKPnplt
- Reply URL: https://auth-app-us-1.safeone.ai/saml2/idpresponse
- Reply URL Validator: ^https:\/\/auth-app-us\.safeone\.ai\/saml2\/idpresponse$
For eu.safeone.ai:
- Entity ID: urn:amazon:cognito:sp:eu-central-1_a9ie8noFg
- Reply URL: https://auth-app-eu.safeone.ai/saml2/idpresponse
- Reply URL Validator: ^https:\/\/auth-app-eu\.safeone\.ai\/saml2\/idpresponse$
For ap.safeone.ai:
- Entity ID: urn:amazon:cognito:sp:ap-south-1_DRiTxOUzi
- Reply URL: https://auth-app-ap.safeone.ai/saml2/idpresponse
- Reply URL Validator: ^https:\/\/auth-app-ap\.safeone\.ai\/saml2\/idpresponse$
For au.safeone.ai:
- Entity ID: urn:amazon:cognito:sp:ap-southeast-2_nhgjNWGPx
- Reply URL: https://auth-app-au.safeone.ai/saml2/idpresponse
- Reply URL Validator: ^https:\/\/auth-app-au\.safeone\.ai\/saml2\/idpresponse$

Name ID Format

You must specify the Name ID Format as Email

Email Attribute Mapping

Use the following as your Email Attribute Mapping:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Additional Attribute Mapping

These are optional and only if the following attributes are available will be synced automatically to SAFE):

First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname

FAQ

Does SAFE support IDP initiated SSO?

SAFEs SSO utilises AWS Cognito. At this time, AWS Cognito does not support IDP initiated SSO.

Was this article helpful?

What's Next

SSO Troubleshooting

Table of contents

About this document
Introduction
Generic SSO Process
SAFE Specific SSO Parameters
FAQ