SAML SSO Configuration

You can use the SSO Configuration application for configuring Security Assertion Markup Language (SAML) based Single Sign-On (SSO).

The SSO Configuration application enables you to configure SAML Single Sign-On for access to the Reltio platform and various other applications. Select the SSO Configuration application from the Security section of Console.

When you log in to the SSO Configuration application of Console for the first time, you can choose to either configure SAML or file a Zendesk ticket for OpenID Connect (OIDC) configuration.

Note: By default, access to the SSO Configuration application requires the ROLE_ADMIN_TENANT role. You must be a Tenant Administrator to perform the SSO configuration for other users. However, you may also create a custom role with access to SSO resources and grant this role to your security administrator to manage the SSO configuration.

Setting up SAML Based SSO Access

To configure Single Sign-On for the tenant, click the CONFIGURE SAML button. The SAML Configuration page appears. The SAML Configuration page can be divided into the following four sections:

  • Default Settings
  • Roles settings
  • Groups settings
  • IdP configuration

Provide details for the Default Settings:
  • Specify which SAML attribute will be mapped to the email ID in Reltio.
  • Specify the default roles that each new user will receive on logging into the tenant.
    Note: A new customer that logs into the tenant configured for SSO will be assigned only the default roles. If a customer adds or deletes roles in Reltio or IdP, the subsequent access attempts will be validated against the new roles and not default roles.
  • Specify the default group that each new user will receive on logging into the tenant.
Provide details for the Role and/or Group Settings:
  • Specify whether to manage roles and/or groups in IdP or in Reltio. You can make any of the following choices to manage roles and/or groups:
    • To manage role assignments in IdP → Select the Manage roles in IdP checkbox. De-selecting the Manage roles in IdP checkbox allows you to manage role assignments in Reltio.
      Note: When roles are managed in Reltio, IdP roles are not copied to Reltio and only Reltio roles are used. Otherwise, Reltio roles are ignored and roles are always copied from IdP.
    • To manage group assignments in IdP → Select the Manage groups in IdP checkbox. De-selecting the Manage groups in IdP checkbox allows you to manage group assignments in Reltio.
      Note: The User group definition must be maintained in Reltio though you can manage the assignment of users to the user groups through the Identity Provider (IdP).
  • Specify which SAML attribute will be mapped to the user roles and/or groups in Reltio in the Role SAML attribute and Group SAML attribute fields.
  • Set a regular expression to be used to extract roles or groups from the SAML attribute in the Role regular expression and/or Group regular expression fields. You can specify either a regular expression or comma-separated values (csv). By default, the comma-separated values (csv) option is selected.
  • Click the CONFIGURE button in the top-right corner to configure SAML SSO based on your specifications.
Provide details for the IdP configuration:

You can upload your IdP SAML Metadata file to configure the Identity Provider (IdP) either by dropping the file or browsing for it.

Use the following steps to create, modify or delete the IdP configuration:
  • Upload a SAML metadata file and click CONFIGURE in the top-right corner. When a SAML XML file is uploaded, the system validates it for completeness and provides the user with:
    • Entity ID
    • Assertion Consumer Service (ACS) URL
    This information will allow the customer to configure their IdP. Alternatively, they can download the SP-METADATA.XML file which also contains this information.

  • You can modify or delete the SAML configuration, if required.

    • Update the configuration by clicking the UPDATE button on top. The editable SAML Configuration page appears. You can make your changes and click the CONFIGURE button to update the configuration.
    • Delete the SSO configuration if it already exists for the tenant by clicking the DELETE CONFIGURATION button.