In this article 👇
👉 SAML authentication is included with the Scale and Enterprise plans. Find out more!
About SAML single sign-on
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider.
SAML for single sign-on (SSO) allows users to authenticate through your company's identity provider when they log in to Holaspirit. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each. SSO only applies to user accounts from your verified domains.
If you manage users for a site with Google Workspace, check out this article.
Before you begin
Here's what you must do before you set up SAML single sign-on.
Make sure you're an admin for a Holaspirit organization.
Configuration is required in both system (Holaspirit and your IdP).
Available identity providers
Active Directory Federation Services (ADFS)
Microsoft Azure Active Directory
Google Cloud Identity
Or any provider that follows the SAML 2.0 specification
Available SAML attributes
When you set up your identity provider, this is the SAML attributes you use:
Map to your identity provider
In your IdP configuration you will have an "Attribute Mappings" section, that will tell which fields should be sent to Holaspirit.
Here is the list of fields that we will saved on Holaspirit:
Configure SAML SSO
Step 1: Copy details from your identity provider to your Holaspirit organization
From your organization, select Administration > Authentication.
Add domain(s) of your organization.
Select SAML in the drop down menu and add the SAML details you'll fill in the Identity Provider Login URL and the SAML Certificate provided by your SSO provider:
Issuer URL (Identity provider Entity ID or Azure AD Identifier)
This value is a URL containing information about the IdP so the Service Provider can validate that the SAML assertions it receives are issued from the correct IdP.
This value defines the URL your users will be redirected to when logging in.
This value begins with '-----BEGIN CERTIFICATE-----'.
This certificate contains the public key we'll use to verify that your identity provider has issued all received SAML authentication requests.
Save SAML configuration.
Once the information are saved, download the meta file. This page gives access to information required to set up the IdP.
Step 2: Copy URLs from your Holaspirit organization to your identity provider
Copy the URL in your IdP. Select Save in your identity provider when you copy the URLs.
The ACS (Assertion Consumer Service) should be : https://app.holaspirit.com/api/public/organizations/__your_organization_slug__/social/saml/acs
The SignOn URL should be : https://app.holaspirit.com/
The Relay state should be: https://app.holaspirit.com/api/public/organizations/__your_organization_slug__/social/saml/rs
The "__your_organization_slug__" part must match the one in your metadata URL.
For MS Azure, you can read the documentation : https://azure.microsoft.com/en-us/documentation/articles/active-directory-enterprise-apps-manage-sso/
Configure and enforce SAML single sign-on
SSO can be set up as either a convenience or required. If you enforce SSO, this will impact all Holaspirit users on your domains (the domains you defined in "Company domains" at the top of the page)
Use case: Forbid authentication with email / password to ensure users with access to Holaspirit must have valid credentials in the IdP to login.
To enforce SSO:
Login with SAML
Go to Administration > Authentication
Make sure SAML is configured in both system
Select Activate for all members
Enforced SSO is enabled.
Enforced SAML consequences:
Switching between different Holaspirit organisation is not available.
Users cannot create a new organization from the same email address.
Users cannot edit their email address. It is manage in the AD.
To access another organization, users must logout and login with the appropriate authentication method.
Users will automatically be redirected to the login page of the IdP when trying login with the wrong authentication mode or if they try to reset their password.
Administrator are not affected, and are always allowed to login with email and password.
For Okta users
In Single Sign On URL, add the ACS. It looks like: https://app.holaspirit.com/api/public/organizations/********/social/saml/acs)
In Audience URL, add the URL provided in the metadata file.
In the settings of your app, in General, SAML settings, be sure to add the following attribute statements.