Generic SSO Parameters


About this document

This document describes the generic SAFE SSO implementation and the parameters that customers can use to configure their SSO integrations. It supplements SAFE's documented SSO integrations and provides the information needed to configure any SAML 2.0 based SSO integration.

Introduction

Single Sign-On (SSO) enables organizations to use a SAML 2.0 authentication provider to authenticate logins to SAFE. A SAFE Admin can onboard and manage users directly from any SAML 2.0 enabled SSO platform, eliminating the need to maintain a separate user authentication mechanism for SAFE.

Generic SSO Process

Configuring SSO for the SAFE platform follows these generic steps:

  1. Configure your identity provider using either the SSO parameters in this document or one of SAFE's published SSO guides.
  2. Submit your XML metadata file and SSO-applicable email domain to the SAFE Service Desk.
  3. On receipt of your XML metadata file and SSO-applicable email domain, SAFE will configure your SSO details and respond to confirm that the configuration has been completed.
  4. Test that SSO works correctly.

SAFE Specific SSO Parameters

To configure SAFE SSO you will need the following SSO parameters:

Entity ID and ACS URL / Reply URL

The Entity ID and Reply URL vary based on the URL that you use to access the SAFE One platform:

  • For us.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:us-east-1_gi48DCFhl
    • Reply URL: https://safe-auth-app-us.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-us\.safeone\.ai\/saml2\/idpresponse$
  • For eu.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:eu-central-1_ZttJhybLG
    • Reply URL: https://safe-auth-app-eu.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-eu\.safeone\.ai\/saml2\/idpresponse$
  • For ap.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:ap-south-1_7CQBtMlDY
    • Reply URL: https://safe-auth-app-ap.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-ap\.safeone\.ai\/saml2\/idpresponse$
  • For au.safeone.ai:
    • Entity ID: urn:amazon:cognito:sp:ap-southeast-2_mcBz0q4PQ
    • Reply URL: https://safe-auth-app-au.safeone.ai/saml2/idpresponse
    • Reply URL Validator: ^https:\/\/safe-auth-app-au\.safeone\.ai\/saml2\/idpresponse$


Name ID Format

You must specify the Name ID Format as Email.


Email Attribute Mapping 

Use the following as your Email Attribute Mapping:

http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress


Additional Attribute Mapping

These mappings are optional. If the following attributes are available from your Identity Provider, they will be synced automatically to SAFE:

First Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname

Last Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
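
The parameters above (Entity ID, Reply URL validator, Name ID Format and the claim URIs) are what a SAML Response from your Identity Provider has to satisfy. The following added example, which is not SAFE's code, checks a Response against the published parameters for a chosen region before you submit your metadata. The region table and claim URIs are copied from this document; the `emailAddress` Name ID format URI is the standard SAML URI behind "Email"; the sample Response and `idp.example.com` are constructed. XML signature validation is intentionally left out: Cognito performs it when it consumes the Response, and this script only checks configuration, not trust.

```python
import re
import xml.etree.ElementTree as ET

# SAFE One SSO parameters per access URL, copied from this document.
SAFE_REGIONS = {
    "us": {"entity_id": "urn:amazon:cognito:sp:us-east-1_gi48DCFhl",
           "reply_url_validator": r"^https:\/\/safe-auth-app-us\.safeone\.ai\/saml2\/idpresponse$"},
    "eu": {"entity_id": "urn:amazon:cognito:sp:eu-central-1_ZttJhybLG",
           "reply_url_validator": r"^https:\/\/safe-auth-app-eu\.safeone\.ai\/saml2\/idpresponse$"},
    "ap": {"entity_id": "urn:amazon:cognito:sp:ap-south-1_7CQBtMlDY",
           "reply_url_validator": r"^https:\/\/safe-auth-app-ap\.safeone\.ai\/saml2\/idpresponse$"},
    "au": {"entity_id": "urn:amazon:cognito:sp:ap-southeast-2_mcBz0q4PQ",
           "reply_url_validator": r"^https:\/\/safe-auth-app-au\.safeone\.ai\/saml2\/idpresponse$"},
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL_CLAIM = CLAIMS + "emailaddress"   # required
GIVENNAME_CLAIM = CLAIMS + "givenname"  # optional
SURNAME_CLAIM = CLAIMS + "surname"      # optional
# Standard SAML URI behind the "Email" Name ID Format the document asks for.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}


def parse_response(xml_text):
    """Extract the fields SAFE's parameters constrain. No signature check is done
    here; Cognito validates the signature when it consumes the Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("Response contains no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = attr.findtext("saml:AttributeValue", default="", namespaces=NS)
    return {
        "destination": root.get("Destination", ""),
        "audience": assertion.findtext(
            "saml:Conditions/saml:AudienceRestriction/saml:Audience", default="", namespaces=NS),
        "nameid_format": name_id.get("Format", "") if name_id is not None else "",
        "nameid": (name_id.text or "") if name_id is not None else "",
        "attributes": attrs,
    }


def check_response(xml_text, region):
    """Return a list of mismatches against the SAFE parameters for `region`; empty means OK."""
    params = SAFE_REGIONS[region]
    fields = parse_response(xml_text)
    problems = []
    # The validator regex from the document is anchored, so re.match is a full match.
    if not re.match(params["reply_url_validator"], fields["destination"]):
        problems.append(f"Destination {fields['destination']!r} fails the {region} Reply URL validator")
    if fields["audience"] != params["entity_id"]:
        problems.append(f"Audience {fields['audience']!r} is not the Entity ID {params['entity_id']!r}")
    if fields["nameid_format"] != NAMEID_EMAIL:
        problems.append(f"Name ID Format {fields['nameid_format']!r} is not Email ({NAMEID_EMAIL})")
    if EMAIL_CLAIM not in fields["attributes"]:
        problems.append(f"required attribute {EMAIL_CLAIM} is missing")
    return problems


# Constructed sample Response (unsigned, trimmed) from a hypothetical IdP for the eu region.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="https://safe-auth-app-eu.safeone.ai/saml2/idpresponse">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>urn:amazon:cognito:sp:eu-central-1_ZttJhybLG</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
        <saml:AttributeValue>Alice</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for region in SAFE_REGIONS:
        print(region, check_response(SAMPLE_RESPONSE, region) or "OK")
```

Run against the sample, the eu region reports no problems while every other region reports both a Destination and an Audience mismatch, which is exactly the failure you see when an IdP application built for one SAFE access URL is reused for another. A missing surname is not reported because the document lists it as optional.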

FAQ

1. Does SAFE support IdP-initiated SSO?

Answer: SAFE's SSO uses AWS Cognito. At this time, AWS Cognito does not support IdP-initiated SSO.

2. What SAML binding does SAFE use (POST or REDIRECT)?

Answer: When the Service Provider (SAFE) sends an AuthnRequest to your Identity Provider, it uses the HTTP-Redirect binding. Your Identity Provider must therefore be configured to accept the HTTP-Redirect binding (over HTTPS) for authentication to succeed.
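
With the HTTP-Redirect binding the AuthnRequest travels as a `SAMLRequest` query parameter: raw DEFLATE, then base64, then URL-encoding. The following added example (not SAFE's or Cognito's code) builds such a URL from a constructed AuthnRequest and decodes one back, so you can confirm from the redirect URL in your own browser that the request reaching your IdP names the expected SAFE Entity ID as Issuer and the expected Reply URL as AssertionConsumerServiceURL. The IdP endpoint `https://idp.example.com/sso` and the request contents are constructed; the eu Entity ID and Reply URL are taken from this document.

```python
import base64
import urllib.parse
import zlib
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed AuthnRequest of the shape an SP sends; the IdP URL is hypothetical.
IDP_SSO_URL = "https://idp.example.com/sso"
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_req1" Version="2.0" '
    'IssueInstant="2024-01-01T00:00:00Z" Destination="https://idp.example.com/sso" '
    'AssertionConsumerServiceURL="https://safe-auth-app-eu.safeone.ai/saml2/idpresponse">'
    "<saml:Issuer>urn:amazon:cognito:sp:eu-central-1_ZttJhybLG</saml:Issuer>"
    "</samlp:AuthnRequest>"
)


def build_redirect_url(idp_sso_url, authn_request_xml):
    """HTTP-Redirect binding: raw DEFLATE (wbits=-15, no zlib header), base64,
    then URL-encode the result into the SAMLRequest query parameter."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii")})
    return f"{idp_sso_url}?{query}"


def decode_saml_request(param_value):
    """Reverse of the above for an already URL-decoded parameter value."""
    return zlib.decompress(base64.b64decode(param_value), -15).decode("utf-8")


def summarize_redirect(url):
    """Return the fields worth checking on a redirect URL copied from the browser."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    if "SAMLRequest" not in query:
        # A POST binding carries SAMLRequest in the form body, never in the query string.
        raise ValueError("no SAMLRequest query parameter: not an HTTP-Redirect binding request")
    xml_text = decode_saml_request(query["SAMLRequest"][0])  # parse_qs already URL-decoded it
    root = ET.fromstring(xml_text)
    return {
        "issuer": root.findtext("saml:Issuer", default="", namespaces=NS),
        "acs_url": root.get("AssertionConsumerServiceURL", ""),
        "destination": root.get("Destination", ""),
        "xml": xml_text,
    }


if __name__ == "__main__":
    url = build_redirect_url(IDP_SSO_URL, SAMPLE_AUTHN_REQUEST)
    print(url)
    for key, value in summarize_redirect(url).items():
        if key != "xml":
            print(f"{key}: {value}")
```

If your IdP logs show the request arriving in a POST body instead, the IdP endpoint is configured for the HTTP-POST binding and will not accept what Cognito sends.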

3. How does MFA work when SAFE is configured with SSO?

Answer: After SAFE is configured with SSO, SAFE's native MFA is replaced by your Identity Provider's MFA configuration. If your Identity Provider uses MFA, users will be redirected to the Identity Provider to complete MFA authentication after entering their email address to log into SAFE.

4. Is Just-in-Time provisioning and role mapping supported through SSO?

Answer: No, Just-in-Time provisioning and role mapping are not supported through SSO. Users must be invited to the SAFE platform with an appropriate role assigned by another user with the Admin role.

5. Once SSO is enabled, what is the user creation/invite flow?

Answer: A SAFE Admin will manually create the account, assign a role, and then send an invitation that the end user must click to accept. When first-time users log into the platform, they will no longer be asked to create a SAFE-specific password or enroll in SAFE's native MFA, as these are handled by the Identity Provider. SAFE will automatically retrieve the user's first name, last name, and phone number from the Identity Provider, depending on the attributes configured there.

If you are using an "application group" concept in your Identity Provider to further limit who can access SAFE, then the user must also be a member of that group.

6. Is the Referer header included in the authentication request to your IdP?

Answer: No, the Referer header is not included in the AuthnRequest from SAFE.