Single Sign-On is an authentication system that enables users to securely login to multiple independent software systems by logging in only once into a managed authentication system. This means your users need to remember only one user ID and password but without any risk to your security.
The managed authentication system is called Identity Provider (or IdP, example G-Suite) and the applications that rely on this Identity Provider are called Service Providers (SP, example Synup).
Setting up SSO for your Synup account ensures that your employees can log in into Synup using an identity provider of your choice, such as G-Suite, and not have to create another login ID and password for Synup separately.
To learn more about SSO and how SAML SSO works with Synup, please read this article.
Step-by-step configuration guide to set up SAML SSO in your Synup account
If you wish to set up SAML SSO for your Synup account, ensure you have admin access.
To set up SSO:
- Click on your profile icon on the top right of the screen and select Settings
- Navigate to People → Single Sign-On and Click on Enable SSO
- Once you click on Enable SSO, four new fields appear.
- Copy the ACS URL and Entity ID from Synup and provide it to your IdP to configure your SSO.
- Assertion Consumer Service (ACS) URL: You need to provide your identity provider this URL. This is the public endpoint exposed by the Service Provider (in this case, Synup) that the IdP will post the SAML response to. Note - This is an auto-generated URL/link by Synup.
- Entity ID: This entity ID is a unique identifier for your Synup account. Your IdP will use this to enable your employees to login into your Synup account. Note - This is an auto-generated URL/link by Synup.
- On the IdP side, once you configure Synup as a Service Provider, you will be given values for these two entries that you need to configure in your Synup account:
- Certificate: If a user logs in successfully, the response from your IdP to Synup needs to be validated. This is the public portion of the certificate used to sign the SAML response so Synup can validate the IdP response before the user logs in.
- Identity Provider URL: Users who have not signed into Synup yet will be directed to this URL from your IdP to validate their credentials and sign in.
- Copy values in step 4 from Synup and paste them into relevant fields in your IdP’s page.
- Copy values in step 5 from your IdP and paste them in the SSO configuration page in Synup.
- Click on “Save SSO Details” to save this configuration and ensure your details are saved with the IdP too.
- Once the details are saved, add the following attributes as part of your SAML app to enable access for first-time sign-ins.
Adding Attributes in your Identity Provider
As part of your SSO configuration process, you will need to add two Synup attributes “first_name” and “last_name” in the SAML app on your Identity Provider’s side, for example, Google.
This will ensure that new users signing into Synup using your SSO will be able to do so seamlessly and start using their account without further steps to set it up.
If Google is your Identity Provider, follow these steps
- Login to your Administrator Console on Google
- Navigate to Apps
- Select the Synup IdP app you created in Google designating Synup as a service provider.
- Navigate to the section “SAML Attribute Mapping” and click on “Add Mapping”:
- Under Google Directory Attributes select “First Name” and “Last Name”
- Under App Attributes, enter “first_name” and “last_name” without the quotes. These are case-sensitive. If properly configured, it should look like the image below.
- Click on Save and if properly configured, your Synup configuration in Google console will look like this
This will ensure that Synup can create new users when someone signs in using SSO for the first time and they can start using our platform immediately.
For any other Identity Provider, you will need to log in to their administrator console but follow the same steps for mapping attributes. Please reach out to us if you need help.
Once you’ve followed the above steps, you can test your SSO setup.
Testing your SSO setup
Clicking on the “Test SSO integration” button brings you to the testing page which shows you
- Your current sign-in status using an Identity Provider
- Your ACS URL
- Your Service Provider Entity ID and
- Your IdP URL
To test this setup,
- Click on “Sign in with Identity Provider”
- You will be directed to your Identity Provider’s login page. For example, if you use G-Suite, you will be sent to G-Suite’s page. Enter your login credentials for Google and click on Sign In.
If the SSO has been configured correctly and if you have entered your credentials for your IdP correctly (in this example, your G-Suite login ID and password), the SSO Test page will display the message “Your sign-in was successful”