Single Sign On
RapIDadmin supports single sign-on (SSO) through SAML 2.0. Setting up SSO may require help from your IT department or from the administrator of your SAML identity provider (IdP).
How to enable SSO
The SSO administration settings are located in RapIDadmin and are available to users who have been granted the RapIDadmin:Administration:Settings permission.
To access RapIDadmin, select the user avatar > Switch Applications > RapIDadmin.
Navigate to RapIDadmin > Administration > Settings to view the Single Sign On settings.
All of the following settings are required.
Enable Single Sign On - Enables the Single Sign On feature for your account.
Default Tenant - The tenant that users are assigned to when they first log in through SSO. If a user with a matching email address already exists, that user's tenant is not changed.
Identity Provider - Select SAML.
Metadata Document Url - A link to the metadata document that describes your identity provider's settings (entity ID, single sign-on endpoints and signing certificate). When you hit Save, RapIDadmin fetches this document to configure the connection. Use an https:// link: the document supplies the certificate RapIDadmin will use to verify your IdP's assertions, so it must come from a source you trust.
Email Attribute - The URI (the SAML attribute Name) of the email attribute in the assertion your IdP sends.
First Name Attribute - The URI of the first name attribute in the assertion.
Last Name Attribute - The URI of the last name attribute in the assertion. Each URI must match the attribute Name your IdP emits exactly.
Login Url - The URL your users navigate to in order to start the service provider-initiated login flow.
After you hit Save, you will see two values that you need in order to configure your IdP:
Signing Certificate - Your IdP uses this certificate to verify the signature on the SAML authentication requests RapIDadmin sends.
Callback Url - The URL your IdP redirects authenticated users to, along with their signed assertions (the assertion consumer service URL, in SAML terms).
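Before entering the settings above, it is worth checking that the metadata link really describes an IdP and that the three attribute URIs appear in an assertion from it. The script below is an added example for this article, not RapIDadmin's or Auth0's own code. It parses a constructed IdP metadata document and a constructed assertion in the shape Auth0 emits (the tenant, client ID and certificate body are placeholders) and reports what RapIDadmin would be unable to use: a non-https metadata link, metadata without a signing certificate, or an attribute URI that is not in the assertion.

```python
# Added example for this article (not RapIDadmin's or Auth0's own code).
# Pre-flight checks for the SSO settings: the Metadata Document Url is an
# https link to a document that describes an IdP (single sign-on endpoints
# plus a signing certificate), and the attribute URIs entered in RapIDadmin
# are present in an assertion from that IdP. Both XML documents are
# constructed samples; tenant, client ID and certificate body are placeholders.
import base64
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# The attribute URIs this article tells you to enter in RapIDadmin.
RA_ATTRS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

# Constructed IdP metadata (placeholder tenant, client ID and certificate).
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="urn:example-tenant.auth0.com">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVI=</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.auth0.com/samlp/CLIENTID"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.auth0.com/samlp/CLIENTID"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed assertion carrying the three attributes RapIDadmin expects.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_placeholder" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>urn:example-tenant.auth0.com</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def metadata_url_problems(url):
    """Problems with a Metadata Document Url. The document is the trust root for
    the IdP's signing key, so it must come over https; the article's NOTE says
    the Auth0 link contains "metadata", which catches pasting the wrong link."""
    parts = urlparse(url)
    problems = []
    if parts.scheme != "https":
        problems.append("metadata URL must use https")
    if "metadata" not in parts.path.lower():
        problems.append("link does not look like an IdP metadata document")
    return problems


def parse_idp_metadata(xml_text):
    """Extract entity ID, single sign-on endpoints (keyed by binding) and signing
    certificates. Raises ValueError for documents RapIDadmin could not use:
    SP metadata, or IdP metadata without a signing certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity provider metadata")
    sso = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        sso[svc.get("Binding", "").rsplit(":", 1)[-1]] = svc.get("Location")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):  # skip encryption-only keys
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join((cert.text or "").split())
            base64.b64decode(body, validate=True)  # ValueError if not base64
            certs.append(body)
    if not certs:
        raise ValueError("no signing certificate: assertions could not be verified")
    return {"entity_id": root.get("entityID"), "sso": sso, "signing_certs": certs}


def assertion_attributes(xml_text):
    """Map each saml:Attribute Name to its first AttributeValue."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter("{%s}Attribute" % NS["saml"]):
        values = attr.findall("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = values[0].text if values else None
    return attrs


def missing_ra_fields(attrs, ra_attrs=RA_ATTRS):
    """RapIDadmin fields whose configured URI is absent or empty in the assertion.
    Attribute Names are opaque identifiers, so the comparison is exact: a URI
    differing only in case or a trailing slash does not match."""
    return sorted(field for field, uri in ra_attrs.items() if not attrs.get(uri))


if __name__ == "__main__":
    print(metadata_url_problems("https://example-tenant.auth0.com/samlp/metadata/CLIENTID"))
    print(parse_idp_metadata(SAMPLE_METADATA))
    print(missing_ra_fields(assertion_attributes(SAMPLE_ASSERTION)))
```

To use it against a real IdP, fetch the metadata link with your usual HTTP client and pass the body to parse_idp_metadata; an assertion for assertion_attributes can be taken from a browser SAML tracer after a test login (base64-decode the SAMLResponse first).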
Detailed example of setup and testing with “Auth0”
RA (RapIDadmin) setup
Log into RapIDadmin.
To access RapIDadmin, select the user avatar > Switch Applications > RapIDadmin.
Navigate to RapIDadmin > Administration > Settings to view the Single Sign On settings.
Check the Enable Single Sign On checkbox.
Fill in the first two of the six settings:
Choose your Default Tenant (click the magnifying glass, then your tenant).
Select “SAML” as the Identity Provider (IdP).
Auth0 (IdP) setup
Follow the steps below to get the Metadata Document Url from Auth0.
NOTE: If you use a different IdP, replace the Auth0 steps with your IdP's own setup instructions.
Log in or sign up to Auth0: https://manage.auth0.com
Choose an existing application (Applications→Applications→<My TestSAML App>→Settings) or create your own application (“My TestSAML App” in this case).
Skip the “Quick Start” tab and go to the “Addons” tab.
Enable “SAML2 Web App”.
Copy the “Identity Provider Metadata” URL from the Usage tab of the “Addon: SAML2 Web App” dialog:
Find “Identity Provider Metadata:” (see the screenshot below).
Hover over the “Download” link, right-click it and choose “Copy Link address”.
Paste it into RA's “Metadata Document Url” setting (the green box in the screenshot below).
NOTE: The “Download” link should contain the word “metadata” in its path, i.e.: https://vdstest.auth0.com/samlp/metadata/NcmaleogJudQ7O2RZa7z8CvHij325QwB
Click “Save All” in RA.
Auth0: Switch from the “Usage” tab to the “Settings” tab.
Auth0: Applications→Applications→<My TestSAML App>→Addons→SAML2 Web App→Settings
In the “Settings” JSON editor (the black text area), find the “mappings” section and copy the URIs for “email”, “given_name” and “family_name” (lines 6, 8 and 9 in the screenshot below) into the last three text boxes in RA (screenshot above).
They are the following static, pre-configured attributes:
Email Attribute — http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
First Name Attribute — http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last Name Attribute — http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
Copy the “Callback Url” from RA to the “Application Callback URL” in Auth0.
NOTE: Use the Callback Url, not the Login Url. As the setting descriptions above explain, the Callback Url is where the IdP must post the signed assertion; the Login Url only starts the login flow.
In the Auth0 application, skip the “Quick Start” tab and go to “Settings”.
Scroll down to “Allowed Callback URLs”.
Switch back to RA and copy the Callback Url from the RA settings into the “Allowed Callback URLs” setting in Auth0 (you can add multiple, separated by commas).
Save changes (in Auth0).
Then go to Applications→Applications→<My TestSAML App>→Addons→SAML2 Web App→Settings, set the “Application Callback URL” there to the same Callback Url, scroll to the bottom and click “Enable”.
Download the signing certificate from RA and copy its text. Paste it between the "-----BEGIN CERTIFICATE-----\n" and "\n-----END CERTIFICATE-----" markers of the "signingCert" property (near the bottom of the settings JSON). The value is a single JSON string, so line breaks inside the certificate must be written as \n escapes, not as real newlines, and the base64 body must contain no stray spaces.
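Pasting the certificate into the JSON editor by hand is the step that most often goes wrong (a real newline instead of \n, a space inside the base64 body, or two certificates pasted at once). The script below is an added example for this article, not Auth0's or RapIDadmin's own code. It builds the two addon settings the steps above edit, "mappings" and "signingCert", from the three RA attribute URIs and a PEM file, and refuses a certificate that would not work. The PEM in the script is a constructed placeholder (base64 of throwaway text, not a real certificate); use the Signing Certificate downloaded from RA instead.

```python
# Added example for this article (not Auth0's or RapIDadmin's own code).
# Builds the "mappings" and "signingCert" entries of the Auth0 SAML2 Web App
# addon settings from the values entered on the RA side, and checks the
# certificate before it is placed into the JSON. The PEM below is a
# constructed placeholder, not a real certificate.
import base64
import json
import re

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"

# The three URIs entered in RA (see the attribute settings above).
RA_ATTRS = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "first_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

# Constructed placeholder: the body is base64 of plain text, not a certificate.
RA_SIGNING_CERT_PEM = """
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgU0lHTklORyBDRVJU
IEJPRFk=
-----END CERTIFICATE-----
"""


def _pem_lines(pem_text):
    return [line.strip() for line in pem_text.strip().splitlines() if line.strip()]


def pem_problems(pem_text):
    """Reasons a pasted certificate would not work as signingCert, or [] if fine."""
    lines = _pem_lines(pem_text)
    if len(lines) < 3 or lines[0] != PEM_BEGIN or lines[-1] != PEM_END:
        return ["expected BEGIN CERTIFICATE and END CERTIFICATE markers around the body"]
    problems = []
    if PEM_BEGIN in lines[1:-1] or PEM_END in lines[1:-1]:
        problems.append("more than one certificate pasted: signingCert takes exactly one")
    body = "".join(lines[1:-1])
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", body) or len(body) % 4:
        problems.append("body is not valid base64 (stray characters or a truncated paste?)")
    return problems


def pem_to_json_value(pem_text):
    """The certificate as one PEM string with a single-line body. json.dumps turns
    the real newlines into the \\n escapes shown in the article's markers."""
    problems = pem_problems(pem_text)
    if problems:
        raise ValueError("; ".join(problems))
    body = "".join(_pem_lines(pem_text)[1:-1])
    base64.b64decode(body, validate=True)
    return "%s\n%s\n%s" % (PEM_BEGIN, body, PEM_END)


def build_addon_settings(pem_text, ra_attrs=RA_ATTRS):
    """The addon settings the article's steps touch. Auth0's mapping keys are
    "email", "given_name" and "family_name"; the values must be the same URIs
    entered on the RA side."""
    return {
        "mappings": {
            "email": ra_attrs["email"],
            "given_name": ra_attrs["first_name"],
            "family_name": ra_attrs["last_name"],
        },
        "signingCert": pem_to_json_value(pem_text),
    }


def mismatched_mappings(addon_settings, ra_attrs=RA_ATTRS):
    """RA fields whose Auth0 mapping differs from the URI configured in RA."""
    pairs = {"email": "email", "given_name": "first_name", "family_name": "last_name"}
    mappings = addon_settings.get("mappings", {})
    return sorted(ra for auth0, ra in pairs.items() if mappings.get(auth0) != ra_attrs[ra])


def render_addon_settings(pem_text, ra_attrs=RA_ATTRS):
    """JSON text to merge into the Auth0 settings editor."""
    return json.dumps(build_addon_settings(pem_text, ra_attrs), indent=2)


if __name__ == "__main__":
    print(render_addon_settings(RA_SIGNING_CERT_PEM))
```

Merge the printed keys into the existing settings JSON rather than replacing it, since the editor also holds the other addon settings Auth0 pre-fills; mismatched_mappings is the check to run after editing if logins succeed but names or emails arrive blank in RA.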
Testing
Add some users in Auth0 (User Management→Users).
Make sure each user has a first and last name in the Details section; these are the values Auth0 sends in the given_name and family_name attributes mapped above.
There should already be a few example users.
You should then be able to log in to RA using the Login Url from the RA settings.