About this article
This article explains how to configure and set up SAML2 as the authentication method. It is targeted at owners or partners on the tenant.
There are two ways of configuring SAML2 authentication (manual and dynamic configuration); both are covered below in this article.
Pre-requisites
Set up authentication method
- Go to the Account tab in the left-side menu of the Admin Center
- Go to the Authentication tab
- Click on Add authentication method
- Type in the name of the Authentication Id
- When using multiple authentication methods, you will be asked to assign a user-friendly name to the Login Button
- Select SAML2 in the drop-down
- Follow the instructions below based on the configuration selected (manual/dynamic)
- Click Save
Authentication Method Id
The Authentication method ID is a unique, non-editable value that identifies the authentication method itself. It is a required field and can be referenced as an installation parameter in a Templafy Desktop deployment or distributed via a registry key. When it is provided this way, users do not have to select an authentication method each time the refresh token is renewed; the login succeeds silently without their interaction.
Login Button Name
This name is shown to users when they log in to Templafy, where they are asked to select their authentication method. It is therefore important to give it a meaningful and distinctive name that guides them through the login process. For more information on how this is displayed to users, refer to the article Multiple authentication methods - end user perspective.
Configuration mode
Manual configuration
By opting for manual configuration, you have two options:
- Enter the required fields manually by copying them from the metadata XML file provided by the customer
- Use the Fetch metadata button to extract the information for you from the specified URL
- Metadata location = URL where you can access the metadata specific to the application
- Entity ID = Uniquely identifies the application. IdP sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it.
- Single sign-on service URL = URL used by IdP to authenticate and sign on the user.
- Primary signing certificate (Base64) = Certificate used to sign the SAML tokens that are sent to the application. You need this certificate to set up the trust between IdP and the application.
- Secondary signing certificate (Base64) = A newly generated IdP certificate can be uploaded here beforehand; Templafy will default to this certificate once the customer performs the switch.
Dynamic configuration
When opting for dynamic configuration, the metadata is loaded dynamically each time the authentication method is used. The difference between the manual and dynamic options is that you do not have to maintain the metadata when it changes on the IdP's side.
For example, if a new signing certificate is generated on the customer's side, Templafy fetches the information in real time without any Owner/Partner interaction. No manual change to the metadata in the authentication method settings is required.
- Metadata location = URL where you can access the metadata specific to the application
- Entity ID = Uniquely identifies the application. IdP sends the identifier to the application as the Audience parameter of the SAML token. The application is expected to validate it.
The Show advanced option lets you apply a discriminator claim value, which can be added as an extra layer of security to ensure that only people from a certain department or country can successfully log in.
Advanced options
At the bottom of the settings page you will find the Advanced options section.
Here you can restrict access to specified email domains in the Restricted domains setting, or restrict access based on discriminator claims.
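As an added example (not Templafy's code), the following shows the checks a service provider applies to a received SAML assertion that correspond to the settings on this page: the Audience must equal the configured Entity ID (the validation the Entity ID description expects of the application), the login email must fall within the Restricted domains, and a discriminator claim must carry an allowed value. The assertion, the claim names ("email", "department") and the policy values are constructed, and the example assumes the assertion's signature has already been verified before these checks run.

```python
"""Added example (not Templafy's code): post-signature checks on a SAML assertion
covering Audience/Entity ID, restricted email domains and a discriminator claim.
The assertion, claim names and policy values are constructed.
"""
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (no Signature element: verification happens before these checks).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <saml:Conditions>
    <saml:AudienceRestriction>
      <saml:Audience>https://templafy.example.test/saml</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>Alice@Contoso.example</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="department">
      <saml:AttributeValue>Legal</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed policy mirroring the settings described on this page.
SAMPLE_POLICY = {
    "entity_id": "https://templafy.example.test/saml",      # configured Entity ID
    "email_claim": "email",                                 # assumed claim name
    "restricted_domains": ["contoso.example"],              # Restricted domains setting
    "discriminator": ("department", {"Legal", "Finance"}),  # discriminator claim and allowed values
}


def parse_assertion(xml_text):
    """Extract the audiences and attribute values needed by the policy checks."""
    root = ET.fromstring(xml_text)
    audiences = [(a.text or "").strip()
                 for a in root.findall(".//saml:AudienceRestriction/saml:Audience", SAML)]
    attributes = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML):
        attributes[attr.get("Name")] = [(v.text or "").strip()
                                        for v in attr.findall("saml:AttributeValue", SAML)]
    return {"audiences": audiences, "attributes": attributes}


def evaluate_login(assertion, policy):
    """Return (allowed, reasons); every failing check is reported rather than stopping at the first."""
    reasons = []
    # 1. Audience: the token must be addressed to this application's Entity ID.
    if policy["entity_id"] not in assertion["audiences"]:
        reasons.append("audience does not match configured Entity ID")
    # 2. Restricted domains: compare the email's domain case-insensitively.
    emails = assertion["attributes"].get(policy["email_claim"], [])
    allowed_domains = {d.lower().lstrip("@") for d in policy.get("restricted_domains") or []}
    if not emails or "@" not in emails[0]:
        reasons.append("no usable email claim")
    elif allowed_domains and emails[0].rpartition("@")[2].lower() not in allowed_domains:
        reasons.append("email domain not in restricted domains")
    # 3. Discriminator claim: at least one value must match exactly; a missing claim fails.
    if policy.get("discriminator"):
        claim, allowed_values = policy["discriminator"]
        if not any(v in allowed_values for v in assertion["attributes"].get(claim, [])):
            reasons.append("discriminator claim %r has no allowed value" % claim)
    return (not reasons, reasons)


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(evaluate_login(parsed, SAMPLE_POLICY))
    print(evaluate_login(parsed, dict(SAMPLE_POLICY, restricted_domains=["fabrikam.example"])))
```

The discriminator check is a deny-by-default: an assertion that omits the claim entirely is rejected, which is what makes it an extra layer rather than a hint, and the email domain is compared in lower case so that mixed-case addresses from the IdP do not slip past the Restricted domains setting.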