Integrating your Single Sign-On (SSO) Authentication – Suitable

**Advanced configuration: please rope in all pertinent IT resources before proceeding.

SSO Integrations

A Single Sign-On Integration can be achieved through the use of the SAML 2 authentication protocol. The process is relatively simple to set up if your institution supports authentication via a SAML 2 Identity Provider (IDP) and you've identified your IT personnel that govern such resources. To start the process please contact your customer success representative or reach out to support@suitable.co.

Metadata

The following are environments with respective Entity IDs for Suitable's test and production metadata:

Test

Entity ID
- https://sandbox.suitable.co/saml
Metadata
- InCommon Distribution (Preferred)
- Secondary Distribution

Production

Entity ID
- https://app.suitable.co/saml
Metadata
- InCommon Distribution (Preferred)
- Secondary Distribution

Once the metadata has been injected into your IDP, you will need to ensure the correct attributes are configured within the SAML Assertion. Below are required attributes:

NameID - Must exist in the Subject of the SAML Assertion. The value is recommended to be one of the following:
1. Institution Email
2. ePPN

Encryption (Optional)

If your IDP requires encryption on assertions you must ensure one of the following encryption and key transport algorithm pairs are used:

Encryption Algorithm	Key Transport Algorithm
AES256-CBC	RSA-OAEP
AES128-CBC	RSA-OAEP
AES256-CBC	RSA-1.5
AES128-CBC	RSA-1.5

Auto Provisioning (Optional)

When auto provisioning is enabled, users will be able to gain access to Suitable through your IDP without an account created for them ahead of time. This can be achieved by including the following attributes in the SAML response:

Attribute	Identifier*
First name (required)	urn:oid:2.5.4.42
Last name (required)	urn:oid:2.5.4.4
Contact email (optional unless ePPN is not a valid email address)	urn:oid:0.9.2342.19200300.100.1.3
Role (optional but recommended. If not provided, all users will be provisioned as students)	urn:oid:1.3.6.1.4.1.5923.1.1.1.5

*The above identifiers are the defaults that we typically expect for each attribute, however we do have the ability to customize the identifiers based on your configuration.

Initialization

To properly trigger SSO you will need to navigate to your institution's specific initialization url— depending on the environment. Please use the following url for the respective environment you are accessing.

Test

https://sandbox.suitable.co/saml/institutions/<YOUR_INSTITUTION_ID>/login

Production

https://app.suitable.co/saml/institutions/<YOUR_INSTITUTION_ID>/login

NOTE: <YOUR_INSTITUTION_ID> will be provided for the respective environment via your technical point of contact.

If you have additional questions, chat with us below or send us an email at support@suitable.co.

Related articles