@davecap

davecap/test.md Secret

Last active February 24, 2016 22:20
test

Single sign-on is a feature for enterprise SolveBio accounts. SolveBio supports SAML authentication and is compatible with many identity providers such as OneLogin, Ping Identity, Ping Federate, Okta, Bitium, Centrify, Clearlogin, and Auth0. To get started, you’ll need to configure a SolveBio SSO connection with your identity provider.

SAML SSO must be enabled by SolveBio Support. Please email support@solvebio.com for more information.

To configure your own identity provider (IdP) solution, use these parameters:

  • SolveBio supports IdP-initiated flow and SP-initiated flow. For SP-initiated login, go to: https://<accountdomain>.solvebio.com
  • SSO post-back URL (also known as the Assertion Consumer Service URL): https://<accountdomain>.solvebio.com/api/auth/saml/acs
  • Entity ID: https://<accountdomain>.solvebio.com/
  • SAML Logout Endpoint: https://<accountdomain>.solvebio.com/api/auth/logout
  • Audience (if required): https://<accountdomain>.solvebio.com

Replace `<accountdomain>` with the unique subdomain provided to you by SolveBio Support.

The following attributes and settings must be configured for your SAML ACS request:

NameID (i.e. username)

We require that the NameID contain the user's email address or some other unique identifier that stays persistent. Please verify that your NameID format matches the example included below.

```xml
<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="accountdomain.solvebio.com"
                 SPNameQualifier="https://www.solvebio.com/">Your Unique Identifier</saml:NameID>
</saml:Subject>
```

Email Attribute (Required)

```xml
<saml:Attribute Name="email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">user@youremail.com</saml:AttributeValue>
</saml:Attribute>
```

Full Name Attribute (Optional)

```xml
<saml:Attribute Name="full_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">Full Name</saml:AttributeValue>
</saml:Attribute>
```

X.509 Certificates (Required)

SolveBio requires that the SAML response be signed. You will need to provide the valid X.509 (.pem) certificate your IdP signs with, so that SolveBio can verify the signature on your responses. This certificate must be securely provided to SolveBio Support. SolveBio will provide you with an SP certificate in return.
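To make the requirements above concrete, here is an added example (not SolveBio's code) of the kind of SP-side check a relying party would run on an incoming assertion: it parses a constructed sample shaped like the snippets above and verifies the persistent NameID format, the required `email` attribute, the audience and the presence of a signature. The subdomain, identifier and email values are constructed placeholders, and the signature check is presence-only; cryptographic XML-DSig verification needs a dedicated library.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (placeholder values, not a real IdP response).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-1234</saml:NameID>
  </saml:Subject>
  <saml:Conditions><saml:AudienceRestriction>
    <saml:Audience>https://example.solvebio.com</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"
        NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
      <saml:AttributeValue xsi:type="xs:anyType">user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_audience):
    """Return (problems, attributes). An empty problems list means the
    assertion satisfies the NameID, email, audience and signature rules."""
    root = ET.fromstring(xml_text)
    problems = []
    # Presence only: real signature validation must verify the XML-DSig
    # against the IdP's X.509 certificate with a dedicated library.
    if root.find(".//ds:Signature", NS) is None:
        problems.append("assertion is not signed")
    name_id = root.find(".//saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    elif name_id.get("Format") != PERSISTENT:
        problems.append("NameID Format is not persistent")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    if not attrs.get("email"):
        problems.append("missing required 'email' attribute")
    # Audience is optional in this setup; when present it must name this SP.
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if audiences and expected_audience not in audiences:
        problems.append("Audience does not match the SP")
    return problems, attrs
```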

End-to-End Encryption Key (Optional)

If you require an end-to-end encryption key with your IdP, SolveBio Support can optionally provide one to you.

User Provisioning & Deprovisioning

Provisioning — SolveBio supports Just-in-Time provisioning, which allows your users to create new accounts on the fly when they first try to log in to SolveBio using SSO. When they log in for the first time using their SSO credentials, an account will automatically be created for them using their IdP username, email, and full name.

Users provisioned through SAML SSO will not be able to set a password or log in with their username and password, unless your account is configured this way.

Deprovisioning – If a user has left your team and you'd like to restrict their login access, an Admin or Owner will need to disable their account via the Team Settings page in SolveBio. SolveBio does not currently support automatic deprovisioning through your IdP.
