Generic SSO Parameters

About this document

This document describes the generic SAFE SSO implementation and the parameters that customers can use to configure their SSO integrations. It supplements SAFE's documented SSO integrations and provides the information needed to configure any SAML 2.0 based SSO integration.

Introduction

Single Sign-On (SSO) enables organizations to use a SAML 2.0 authentication provider to authenticate logins to SAFE. A SAFE Admin can onboard and manage users directly from any SAML 2.0 enabled SSO platform, eliminating the need to maintain a separate user authentication mechanism for SAFE.

Generic SSO Process

Configuring SSO for the SAFE platform follows these generic steps:

  1. Configure your identity provider using either the SSO parameters in this document or one of SAFE's published SSO guides.
  2. Submit your XML metadata file and SSO-applicable email domain to the SAFE Service Desk.
  3. On receipt of your XML metadata file and SSO-applicable email domain, SAFE will configure your SSO details and respond to confirm that configuration has been completed for SAFE.
  4. Test that SSO works correctly.

SAFE Specific SSO Parameters

In order to configure SAFE SSO you will need the following SSO Parameters:

Entity ID and ACS URL / Reply URL 

The Entity ID and Reply URL vary based on the URL that you use to access the SAFE One platform:

  • For us.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:us-east-1_gi48DCFhl
    • Reply URL: https://safe-auth-app-us.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-us\.safeone\.ai\/saml2\/idpresponse$
  • For eu.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:eu-central-1_ZttJhybLG
    • Reply URL: https://safe-auth-app-eu.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-eu\.safeone\.ai\/saml2\/idpresponse$
  • For ap.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:ap-south-1_7CQBtMlDY
    • Reply URL: https://safe-auth-app-ap.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-ap\.safeone\.ai\/saml2\/idpresponse$
  • For au.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:ap-southeast-2_mcBz0q4PQ
    • Reply URL: https://safe-auth-app-au.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-au\.safeone\.ai\/saml2\/idpresponse$


Name ID Format

You must specify the Name ID Format as Email.


Email Attribute Mapping 

Use the following as your Email Attribute Mapping:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


Additional Attribute Mapping 

These mappings are optional. If the following attributes are available, they will be synced automatically to SAFE:

First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
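A pre-flight check for step 4, as an added example that is not SAFE's own code: it parses a base64-decoded SAML Response from a test login and reports where it disagrees with the Entity ID, Reply URL Validator, Name ID Format and Email Attribute Mapping listed above. The function names and the sample Response are constructed for illustration, the NameID URN is the standard SAML identifier assumed to correspond to "Email", and signature validation is out of scope.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Standard SAML URN for an email NameID (assumed to be what "Email" selects in the IdP UI).
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
# Parameters for us.safeone.ai, copied from the list above.
US = {"entity_id": "urn:amazon:cognito:sp:us-east-1_gi48DCFhl",
      "reply_validator": r"^https:\/\/safe-auth-app-us\.safeone\.ai\/saml2\/idpresponse$"}


def check_response(xml_text, region):
    """Return the mismatches between a decoded SAML Response and one region's parameters."""
    root = ET.fromstring(xml_text)
    problems = []
    # Destination and Recipient (checked when present) must both be the Reply URL.
    urls = [("Destination", root.get("Destination"))]
    urls += [("Recipient", e.get("Recipient"))
             for e in root.iterfind(".//a:SubjectConfirmationData", NS)]
    for label, url in urls:
        # fullmatch: with re.match, "$" would also accept a trailing newline.
        if url is not None and not re.fullmatch(region["reply_validator"], url):
            problems.append(f"{label} {url!r} fails the Reply URL validator")
    audiences = [(e.text or "").strip() for e in root.iterfind(".//a:Audience", NS)]
    if region["entity_id"] not in audiences:
        problems.append(f"Audience {audiences} lacks Entity ID {region['entity_id']}")
    name_id = root.find(".//a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID Format is not emailAddress")
    attrs = {a.get("Name"): a.findtext("a:AttributeValue", "", NS)
             for a in root.iterfind(".//a:Attribute", NS)}
    if not attrs.get(EMAIL_CLAIM, "").strip():
        problems.append("email attribute is missing or empty")
    return problems


def sample(reply_url, audience, fmt, claim):
    """Constructed, unsigned test Response; not captured from any real IdP."""
    return f"""<p:Response xmlns:p="{NS['p']}" xmlns:a="{NS['a']}" Destination="{reply_url}">
<a:Assertion><a:Subject><a:NameID Format="{fmt}">user@example.com</a:NameID>
<a:SubjectConfirmation><a:SubjectConfirmationData Recipient="{reply_url}"/>
</a:SubjectConfirmation></a:Subject><a:Conditions><a:AudienceRestriction>
<a:Audience>{audience}</a:Audience></a:AudienceRestriction></a:Conditions>
<a:AttributeStatement><a:Attribute Name="{claim}">
<a:AttributeValue>user@example.com</a:AttributeValue></a:Attribute></a:AttributeStatement>
</a:Assertion></p:Response>"""
```

An empty list from `check_response` means the assertion lines up with the chosen region; the most common mismatch is an IdP application configured with another region's Entity ID or Reply URL.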

FAQ

Does SAFE support IDP initiated SSO?

SAFE's SSO utilises AWS Cognito. At this time, AWS Cognito does not support IDP initiated SSO.
