SSO customer configuration

Learn how to configure third-party IdP integration using SAML. For details on this authentication method, see the topic Security Assertion Markup Language (SAML) Single Sign On (SSO).

Information from Customer

Customers should raise a Support Ticket with:
  • SAML metadata (metadata.dita file) of the IdP used in the customer's organization
  • Tenant information (URL)
  • Whether roles will be managed in the IdP or in the Reltio platform
Note: When roles are managed in the IdP, customers cannot add, remove, or modify user roles in the Reltio platform.

SAML Metadata

To get SAML metadata (metadata.dita files) of the IdP used in your organization:
  • Microsoft Active Directory Federation Services (ADFS): You can download the SAML metadata document for your ADFS federation server from: https://yourservername/FederationMetadata/2007-06/FederationMetadata.dita
  • Okta: Once you have configured Reltio platform as an application in Okta, you can find the metadata document in the Admin section of the Okta dashboard. Choose the application, select the Sign On section, and look under the Settings for SAML. The URL should look like: https://app-domain.oktapreview.com/app/application-ID/sso/saml/metadata
  • Auth0: The metadata download document is obtained from the Auth0 dashboard: choose Clients, then choose Settings. Scroll down, choose Show Advanced Settings, and then look for your SAML Metadata URL. It should look like: https://your-domain-prefix.auth0.com/samlp/metadata/your-Auth0-client-ID
  • Ping Identity: For PingFederate, you can find instructions for downloading a metadata XML file in Provide general SAML metadata by file (see https://documentation.pingidentity.com/pingfederate/pf81/index.shtml#task_toExportSelectedMetadata.html#task_toExportSelectedMetadata).

The Reltio platform team will configure SSO for the customer. Once the Reltio platform has the configuration, the customer should configure the IdP as explained in the External IdP Setup section.

External IdP Setup

In the third-party SAML IdP, configure the following:

  • Redirect or sign-in URL or ACS URL = customerURL/saml2/idpresponse
  • EntityID = urn:amazon:cognito:sp:userPoolId
Note: customerURL and userPoolId will be provided once Reltio platform completes the configuration. Alternatively, Reltio platform can provide sp-metadata.dita.

SAML Attributes: The following SAML attributes can be configured in the IdP to be passed in the SAML Response XML:
  • email: The user will be created with this email address as a username.
  • roles: Comma-separated list of roles. The user will be assigned the roles specified in this attribute. This needs to be passed if the roles are managed by IdP. Otherwise the roles will be managed by Reltio Platform.

Sample Assertion XML expected in the SAML response.

Sample Assertion XML

Download the Sample SAML Assertion for reference.

Verifying SAML Response

To verify that the SAML Response contains email and roles (if roles are managed in the customer IdP):

  1. Open the Firefox web browser (Chrome will not show POST parameters, so you cannot extract SAMLResponse).
  2. Open a New Private Window by pressing Ctrl+Shift+P.
  3. Go to the tenant URL for which SSO is configured (for example, https://test.reltio.com/ui/2sJZnFlTqzLSBDEJ/). You will get redirected to the configured IdP’s login page.
  4. Press Ctrl+Shift+I to open the Firefox developer tools panel. In the developer tools, go to the Network tab.
  5. Log in using the IdP username and password. After successful login, you will be redirected to the Reltio platform.
  6. In the developer tools, on the Network tab, select idpResponse. You will see the Params tab in the right panel. Copy the value of SAMLResponse (make sure you copy the entire string, which is very long).
  7. Go to https://www.base64decode.org/
  8. Paste the SAMLResponse value copied from the developer tools panel and press Decode.
  9. In the Decoded XML, look for the following lowercase values: email, roles (if roles are managed in IdP).
  10. Verify that the values are displayed as expected.
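
Steps 7 to 10 can also be done locally, so the copied response never leaves the workstation. The following is an added example, not Reltio's own code: it decodes the copied SAMLResponse value and checks for the lowercase email and roles attributes. The function names and the sample response are constructed for illustration.

```python
import base64
import binascii
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed sample, not a real IdP response; address and role names are placeholders.
SAMPLE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion><saml:AttributeStatement>'
    '<saml:Attribute Name="email"><saml:AttributeValue>user@example.com</saml:AttributeValue></saml:Attribute>'
    '<saml:Attribute Name="roles"><saml:AttributeValue>ROLE_A, ROLE_B</saml:AttributeValue></saml:Attribute>'
    '</saml:AttributeStatement></saml:Assertion></samlp:Response>'
)
SAMPLE = base64.b64encode(SAMPLE_XML.encode()).decode()


def saml_attributes(saml_response):
    """Decode a copied SAMLResponse value into {attribute name: [values]}.
    Inspection only: the response signature is not validated here."""
    # The copied value may be URL-encoded or wrapped across lines.
    b64 = "".join(unquote(saml_response).split())
    try:
        xml = base64.b64decode(b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("invalid base64; was the entire value copied?") from exc
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD present; refusing to parse")
    attrs = {}
    for attr in ET.fromstring(xml).iter(NS + "Attribute"):
        values = [v.text or "" for v in attr.iter(NS + "AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def check_attributes(attrs, roles_in_idp):
    """Return a list of problems; empty means the expected attributes are there."""
    problems = []
    for name in ["email"] + (["roles"] if roles_in_idp else []):
        if not any(v.strip() for v in attrs.get(name, [])):
            near = [n for n in attrs if n and n.lower() == name and n != name]
            problems.append(f"missing '{name}'" + (f", found '{near[0]}'" if near else ""))
    return problems


def role_list(attrs):
    """Split the comma-separated roles attribute into individual role names."""
    return [r.strip() for v in attrs.get("roles", []) for r in v.split(",") if r.strip()]
```

Pass the value copied in step 6 to `saml_attributes()`, then pass the result to `check_attributes()` with `roles_in_idp=True` when roles are managed in the IdP. An encrypted assertion exposes no attributes to this check.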