SSO customer configuration
Learn how to configure third-party IdP integration using SAML.
Configure third-party IdP integration using SAML. For details on this authentication method, see topic Security Assertion Markup Language (SAML) Single Sign On (SSO).
Information from Customer
Customers should raise a Support Ticket with:
- SAML metadata (
metadata.ditafile) of the IdP used in the customer's organization - Tenant information (URL)
- Roles will be managed in IdP or Reltio platform.
Note: When roles are managed in IdP, customers cannot add, remove, or modify
user roles in Reltio platform.
SAML Metadata
To get SAML metadata (
metadata.dita files) of the IdP used
in your organization:
- Microsoft Active Directory Federation Services (ADFS): You can download the SAML metadata document for your ADFS federation server from: https://yourservername/FederationMetadata/2007-06/FederationMetadata.dita
- Okta: Once you have configured Reltio platform as an application in Okta, you can find the metadata document in the Admin section of the Okta dashboard. Choose the application, select the Sign On section, and look under the Settings for SAML. The URL should look like: https://app-domain.oktapreview.com/app/application-ID/sso/saml/metadata
- Auth0:
The metadata download document is obtained from the Auth0 dashboard: choose Clients, then choose Settings. Scroll down, choose Show Advanced Settings, and then look for your
SAML Metadata URL. It should look like:
https://your-domain-prefix.auth0.com/samlp/metadata/your-Auth0-client-ID - Ping Identity: For PingFederate, you can find instructions for downloading a metadata XML file in Provide general SAML metadata by file(see https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#task_toExportSelectedMetadata.html#task_toExportSelectedMetadata).
Reltio platform team will configure SSO for the customer. Once Reltio platform has the configuration, customer should configure the IdP as explained in the External IdP Setup section.
SAML Metadata
External IdP Setup
In third party SAML IdP, configure the following:
Redirect or sign-in URL or ACS URL=customerURL/saml2/idpresponseEntityID=urn:amazon:cognito:sp:userPoolId
Note:
customerURL and userPoolId will be provided
once Reltio platform completes the configuration. Alternatively, Reltio platform can provide
sp-metadata.dita.SAML Attributes: The following SAML attributes can be configured in IdP to be passed in the SAML Response XML:
email: The user will be created with this email address as a username.roles: Comma-separated list of roles. The user will be assigned the roles specified in this attribute. This needs to be passed if the roles are managed by IdP. Otherwise the roles will be managed by Reltio Platform.
Sample Assertion XML expected in SAML request.
Sample Assertion XML
Download the Sample SAML Assertion for reference.
Verifying SAML Response
To verify that the SAML Response contains email and roles(if roles are managed in customer IdP):
- Open Firefox web browser (Chrome will not show
POSTparameters, so cannot extract SAMLResponse). - Open New Private Window by pressing Ctl+Shift+P.
- Go to the tenant URL for which SSO is configured (for example, https://test.reltio.com/ui/2sJZnFlTqzLSBDEJ/). You will get redirected to the configured IdP’s login page.
- Press Ctl+Shift+I to open Firefox developer tool panel. In the developer tool,
go to the Network tab.
- Log in using the IdP username and password. After successful login, you will be redirected to the Reltio platform.
- In the developer tool, on the Network tab, select
idpResponse. You will see the Params tab in the right panel. Copy the value ofSAMLResponse(make sure you copy the entire string which is very long). - Go to https://www.base64decode.org/
- Paste the SAMLRequest value copied from developer tools panel and press Decode.
- In the Decoded XML, look for the following lowercase values:
email,roles(if roles are managed in IdP). - Verify that the values are displayed as expected.