How to configure SAML2 authentication?

About this article

This article is explaining how to configure and set up SAML2 as the authentication method and the article is targeted to owners or partners on the tenant. 

There's two ways of configuring SAML2 authentication, both covered below in this article:

• Manual configuration
• Dynamic configuration

 

Pre-requisites

Updated to Templafy Hive Admin or Owner rights on the tenant Customer's metadata (EntityID, SingleSignOn URL, and Signing Certificate) or metadata URL at hand

 

Set up authentication method 

1. Go to Account tab in the left-side menu of the Admin Center
2. Go to Authentication tab
3. Click on Add authentication method
4. Type in the name of the Authentication Id
5. When using multiple authentication methods,  you will be asked to assign a user-friendly name to the Login Button
6. Select SAML2 in the drop-down
7. Follow instructions below based on the configuation selected (manual/dynamic)
8. Click Save

 

Authentication Method Id

The Authentication method ID is a unique and non-editable value used to identify the authentication method itself. This is a required field and can be referenced as an installation parameter in Templafy Desktop deployment or distributed via Registry key. By doing so, users will not have to select an authentication method each time Refresh Token is being renewed and the login shall succeed quietly without their interaction

 

Login Button Name

This name will be shown to the users when logging into Templafy. Users will be asked to select their respective authentication method. It is therefore imperative to give it a meaningful and distinctive name to better guide them through the login process. To get more information how this is displayed to the users, kindly refer to the article Multiple authentication methods- end user perspective

 

Configuration mode 

Manual configuration

By opting in for manual configuration, you have two options:

1. Enter the correct required fields in the configuration manually by copy-pasting them from the metadata XML file provided by the customer
2. Use the Fetch metadata button to extract the information for you by inserting the specified URL.

 

• Metadata location = URL where you can access the metadata specific to the application
• Entity ID = Uniquely identifies the application. IdP sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it. 
• Single sign-on service URL = URL used by IdP to authenticate and sign on the user.
• Primary signing certificate (Base64) = Certificate used to sign the SAML tokens that are sent to the application. You need this certificate to set up the trust between IdP and the application. 
• Secondary signing certificate (Base64) = Newly generated certificate by IdP can be uploaded here beforehand and Templafy will default to this certificate once the customer performs the switch. 

A guide explaining what metadata is relevant to extract and how to decipher the file can be found in SAML2 setup - w. guide to client metadata.wml or .cert file

 

Dynamic configuration

When opting in for dynamic configuration, the metadata is loaded dynamically when the authentication method is used. The difference between manual and dynamic option is that you don't have to maintain the metadata when it's changed on the IdP's side.

For example, if a new singing certificate was generated on the customer's side, Templafy will be able to fetch the information in real time without any Owner/Partner interaction. No manual change to the metadata in the authentication method settings is required.

 

 

• Metadata location = URL where you can access the metadata specific to the application
• Entity ID = Uniquely identifies the application. IdP sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it. 
• Show advanced option lets you apply a discriminator claim value which can be added as an extra layer of security, ensuring that only people from certain department or country can successfully log in.

Advanced options

At the bottom of the settings page you will find the Advanced options section.
Here you can restrict access to specified email domains in the Restricted domains setting. Or you can restrict access based on discriminator claims.

 

Note: Templafy does not directly provide multi-factor authentication capabilities, however, customers are enabled to do so when they opt-in for SSO. Multi-factor authentication option is specific to the IdP and Templafy doesn’t act as an IdP in the context of Single Sign-on.

 

Related articles

E-mail authentication guide AzureAD authentication guide Supported claims and claims rules SSO discriminator claims Templafy One How to use discriminator claims for SAML2 or Azure AD authentication methods?