**Advanced configuration: please rope in all pertinent IT resources before proceeding.
SSO Integrations
A Single Sign-On Integration can be achieved through the use of the SAML 2 authentication protocol. The process is relatively simple to set up if your institution supports authentication via a SAML 2 Identity Provider (IDP) and you've identified your IT personnel that govern such resources. To start the process please contact your customer success representative or reach out to support@suitable.co.
If you are utilizing Azure, follow these instructions instead.
Metadata
The following are environments with respective Entity IDs for Suitable's test and production metadata:
Test
- Entity ID
- https://sandbox.suitable.co/saml
- Metadata
Production
- Entity ID
- https://app.suitable.co/saml
- Metadata
Required Identity & Attributes
Once the metadata has been injected into your IDP, you will need to ensure the following attributes and claims are configured to be released in SAML Assertions.
The following claims are required to be included in the SAML response:
| Claim | Value |
|---|---|
|
NameID (Must exist in the Subject of the SAML Assertion) |
The value is recommended to be one of the following:
|
The following attributes are required to be included in the SAML response:
| Directory Field | Attribute Identifier* |
|---|---|
| urn:oid:0.9.2342.19200300.100.1.3 | |
| urn:oid:1.3.6.1.4.1.5923.1.1.1.6 | |
| First name | urn:oid:2.5.4.42 |
| Last name | urn:oid:2.5.4.4 |
*The above identifiers are the defaults that we typically expect for each attribute, however we do have the ability to customize the identifiers based on your configuration.
Optional Attributes
The following attributes are recommended to be included in the SAML response:
| Directory Field | Attribute Identifier* |
|---|---|
| Role | urn:oid:1.3.6.1.4.1.5923.1.1.1.5 |
*The above identifiers are the defaults that we typically expect for each attribute, however we do have the ability to customize the identifiers based on your configuration.
Encryption (Optional)
If your IDP requires encryption on assertions you must ensure one of the following encryption and key transport algorithm pairs are used:
| Encryption Algorithm | Key Transport Algorithm |
|---|---|
| AES256-CBC | RSA-OAEP |
| AES128-CBC | RSA-OAEP |
| AES256-CBC | RSA-1.5 |
| AES128-CBC | RSA-1.5 |
Initialization
To properly trigger SSO you will need to navigate to your institution's specific initialization url— depending on the environment. Please use the following url for the respective environment you are accessing.
Test
- https://sandbox.suitable.co/saml/institutions/<YOUR_INSTITUTION_ID>/login
Production
- https://app.suitable.co/saml/institutions/<YOUR_INSTITUTION_ID>/login
NOTE: <YOUR_INSTITUTION_ID> will be provided for the respective environment via your technical point of contact.
If you have additional questions, chat with us below or send us an email at support@suitable.co.
Comments
0 comments
Article is closed for comments.