What is SAML 2.0 Single Sign On?

Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions from another platform. This single sign-on (SSO) login standard has significant advantages over logging in using a username/password:

• No need to type in credentials
• No need to remember and renew passwords
• No weak passwords

Most organizations already know the identity of users because they are logged in to their Active Directory domain or intranet. It makes sense to use this information to log users into other applications, including our platform, and one of the more elegant ways of doing this is by using SAML.

How does it work?

SAML SSO allows for the transfer of a user's identity from one location (identity provider) to another (service provider) through a digital exchange of XML documents. The process goes as follows: a user logs into an identity provider and attempts to access a remote application, the application redirects the user back to the identity provider for authentication, after which the identity provider sends a signed XML document containing the user's information to the service provider. The service provider, already familiar with the identity provider, verifies the document with a certificate fingerprint and grants the user access to the app.

SAML Settings in CoreX

Mandatory Configuration Parameters

These are to be provided by the IdP provider and set in Uberall:

• IdP Entity Id: A unique name for the SAML entity (ex: Azure). This name will be added to the SP Response URL, which needs to be input into the IdP service provider. The name must be alphanumeric and have no spaces.
• IdP SSO URL: The location where users will be redirected for logging in. This should be the client's platform URL.
• Certificate: The client should provide the certificate information from their IdP provider, in the form of an alphanumerical string (x.509 certificate).
• Base URL: This should be https://uberall.com unless there's a whitelabel setup, in which case it should be the base URL of the active Whitelabel domain.

Uberall-provided Configuration Parameters

These are to be consumed by the IdP provider:

• Metadata Endpoint: The application-defined unique identifier that is the intended audience of the SAML assertion.
• SSO URL or ACS Endpoint: The location where the SAML assertion is sent with a HTTP POST request and where the client's IdP will redirect an authenticated user after successful sign-in.

Creating and updating users via Just-in-time (JIT) provisioning

Uberall allows creating or updating users on the fly. In order to do this, the following attributes need to be provided in the XML assertion.

Mandatory fields

These are required to identify the user

• FirstName - user's first name
• LastName - user's last name
• Email - user's emails
• Identifier - a stable and unique user identifier according to the clients internal system

Optional fields

These can ensure the user gets the intended access control and permissions

• Role  - the Uberall user role. If the role is present, we do not make any role assumptions outlined under “Extra rules” section. 
• Locations - the Uberall location ids which need to be assigned. Applicable for Users with Role LOCATION_MANAGER.
• Businesses - the Uberall business ids of the businesses which need to be assigned. Applicable for Users with Role ACCOUNT_MANAGER or BUSINESS_MANAGER.
• Groups - the Uberall group ids which can be associated with the user.
• Features - a list of the features which need to be enabled for the user.
• WLIdentifier - the Uberall whitelabel identifier which needs to be assigned to the user in case of multiple WLs in the SP. We will fallback to the default white labeled ID if none is provided.

Extra rules

These are to be considered and make User creation and automation easier

• Passing multiple values in Businesses → creates a BUSINSS_MANAGER and assigns the businesses.
• Passing a single value in Businesses → creates a BUSINESS_MANAGER and assigns the business.
• Passing Locations OR Groups → create a LOCATION_MANAGER and assigns the location(s) or group(s)