Configure SAML on your environment
SAML enables single sign-on (SSO) by authenticating users once and granting access to multiple applications, enhancing security and simplifying login. Follow the steps below to configure SSO with the SAML 2.0 standard.
To configure your environment as a Service Provider in SAML, go to [ENVIRONMENT] → Authentication → SSO → Service Provider → Authentication protocols. If you do not see SAML on this page, make sure it is enabled in the builder and published to the environment.
SAML enablement
Setting a custom domain after going live, especially with active SSO connections, can be challenging. We recommend planning ahead and setting custom domains early to avoid cookie issues and enhance your brand. This applies to both Hosted and Embedded Frontegg customers. [Learn more about Custom Domains.]
Step 1: Add an ACS URL
Your ACS URL will contain your custom or Frontegg domain followed by /auth/saml/callback (see the note above regarding custom domains). If you opt not to configure a custom domain, use your Frontegg subdomain followed by /auth/saml/callback for your ACS URL.
Step 2: Add an SP Entity ID
Organizations normally use an SP Entity ID to configure their identity provider. We recommend using your application's name for this field.
Step 3: Add a redirect URL
If you are using the hosted login method, your redirect URL should be: https://[your-frontegg-domain].frontegg.com/oauth/account/saml/callback
If you are using the embedded login method, the redirect URL should be: [your-application-url]/account/saml/callback, for example: http://localhost:3000/account/saml/callback
Allow your customers to add their IdP connection or apply it for them
After configuring SAML in the Frontegg portal, you can allow your end users to apply their own SSO connection or apply the connection details from their IdP for them (via your [ENVIRONMENT] ➜ Management → Accounts → [ACCOUNT] → SSO tab ➜ Configurations).
Enable SSO tab for the self-service (admin portal)
Enable the SSO tab for your users in the Workspace area of the portal. Subsequently, your users can follow the instructions to add their IdP connection as per the instructions [here].
Apply an SSO connection from your environment's management page
To apply an SSO connection on your customers' behalf, go to your Management → Accounts → [ACCOUNT] → SSO tab ➜ Configurations, and click 'add new'. Alternatively, you can also perform this action via API.
User group-to-role mapping
Often, end users logging in via SSO to your application need their application roles mapped to the groups assigned to them on the IdP side. By default, all users logging in through a specific SSO configuration receive the default role. If they belong to a group mapped to an additional role, they will receive that role in addition to the default SSO role.
Enabling continuous group checks
By default, user groups from the IdP are checked only during the first SSO login. To enable group checks on every user login, submit a request for your environment.
The names of the user groups on the SAML connection must be entered exactly as they will be received from the IdP in the end user's SAMLResponse. If the IdP sends group IDs instead of names, these IDs must be mapped in the SSO configuration in the self-service portal.
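The mapping rules above (default role for everyone, extra roles only for groups whose name matches exactly, IDs translated via a configured map) as an added, illustrative example; this is not Frontegg's own code, and the "groups" attribute name, the SAMLResponse fragment and the SSO configuration shape are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Namespaces used by SAML 2.0 responses and assertions.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed SAMLResponse fragment: the IdP sends two group names and one
# opaque group ID in a "groups" attribute (attribute name is an assumption).
# Signature elements are omitted; resolve roles only after the real
# response's signature has been verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="groups">
        <saml:AttributeValue>Engineering</saml:AttributeValue>
        <saml:AttributeValue>a1b2c3</saml:AttributeValue>
        <saml:AttributeValue>engineering</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Hypothetical SSO configuration: the default SSO role, group-name -> roles,
# and an IdP group-ID -> group-name map for IdPs that send IDs, not names.
SSO_CONFIG = {
    "default_role": "Member",
    "group_roles": {"Engineering": ["Developer"], "Finance": ["Billing"]},
    "group_id_map": {"a1b2c3": "Finance"},
}

def extract_groups(response_xml, attr_name="groups"):
    """Return the group values carried in the named attribute, verbatim."""
    root = ET.fromstring(response_xml)
    path = f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue"
    return [v.text.strip() for v in root.findall(path, NS) if v.text]

def resolve_roles(response_xml, config):
    """Default role plus roles of groups that match exactly (case-sensitive)."""
    roles = [config["default_role"]]
    id_map = config.get("group_id_map", {})
    for group in extract_groups(response_xml):
        name = id_map.get(group, group)  # translate an opaque ID if it is mapped
        for role in config["group_roles"].get(name, []):  # no fuzzy matching
            if role not in roles:
                roles.append(role)
    return roles
```

Note that the lowercase "engineering" value grants nothing, which is exactly the mismatch the paragraph above warns about.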
Enable SAML signature using SP certificate (optional)
Some Identity Providers might require a SAML signature to ensure the connection's authenticity. When a Service Provider (SP) sends a SAML request, the Identity Provider (IdP) must verify that it genuinely comes from the SP and hasn't been altered. Different IdPs have various methods for this verification, with some using a SAML request signing certificate.
To use SAML signature functionality for the SSO configuration, follow the steps below:
- Get your environment's SP certificate via this API and send it to your customer so that they can add it to their IdP's SAML application.
- Mark the SSO configuration on Frontegg's side with signRequest:true using the [update SSO configuration] API.