Configure SAML Single Sign-On (SSO) with an Identity Provider
SAML Single Sign-On
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, such as an identity provider and a service provider.
SAML for single sign-on (SSO) allows users to authenticate through your company's identity provider when they log in to SmartAdvocate. SSO allows a user to authenticate once and then access multiple products during their session without needing to authenticate with each product.
Here’s what we recommend you do before you set up SAML single sign-on:
Make sure the clock on your identity provider server is synchronized with NTP. SAML authentication requests are only valid for a limited time.
Plan for downtime to set up and test your SAML configuration.
Set up your Identity Provider (IdP)
Log in to your IdP (Auth0, Okta, Azure AD or Duo).
Create a new SAML application or configure an existing one.
Write down the SAML metadata URL provided by the IdP.
Configuring SmartAdvocate
Make sure you're an admin for SmartAdvocate.
Verify that SmartAdvocate is running using the full domain name on your network and is accessible from the outside (full URL like https://www.samplewebsite.com/SA).
Configure the web.config file by setting the <sustainsys.saml2> section to include the following URIs:
return URL and service provider entity ID. For example, for our east server, it would be:
<sustainsys.saml2 entityId="https://east.smartadvocate.com/SA/Saml2" returnUrl="https://east.smartadvocate.com/SA/" />
For other IIS instances, replace “east” with the appropriate subdomain name or use the full domain name with the SA location of the server client.
Additionally, in the customer’s tenant Administrator Parameters configuration, their SAML settings should use the same URIs as above. That would be the following parameters:
Check that your SmartAdvocate and your identity provider use the HTTPS protocol to communicate and that the configured product base URL is the HTTPS one.
Add an identity provider record to the SmartAdvocate Picklist Maintenance page. Filter the page for Identity, select Identity Providers, and Add New Item.
Please give it a friendly name that will correspond to your IdP name.
Paste the SAML metadata URL copied earlier from the IdP into both the Entity ID and Metadata location fields.
Make sure the Load Metadata check box is checked.
Leave everything else empty, and save the record.
Add SmartAdvocate user mapping with IdP user mapping (if users are different in both places)
Via Picklist Maintenance page, filter it for User Identity Mapping.
Add a record for each user you need, selecting the SA login username, the IdP record created earlier, and the IdP username that will be translated to the SmartAdvocate username during login.
Configure SmartAdvocate as a Service Provider on your IdP
The mapping should look similar to the one shown below:
Please note the SAML2 endings in the Entity ID and ACS URLs.
Finishing Up SmartAdvocate configuration for SAML
Please modify your Admin parameters to reflect SAML settings similar to the settings below:
Return URL. Must have an IDP request parameter
Server clients: https://saserver.com/SA/login.aspx?idp={0}
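As an added pre-flight check that is not part of the SmartAdvocate documentation, the following Python snippet validates the three URIs this page asks for (the web.config entityId and returnUrl, and the Admin parameter login URL) against the rules stated above: HTTPS only, one shared host, the /Saml2 ending, and the idp={0} request parameter. The sample values are constructed from the east server example; deriving the ACS URL as entityId plus /Acs follows the Sustainsys.Saml2 default and is an assumption.

```python
from urllib.parse import urlparse

# Constructed sample values modelled on the page's "east" server example;
# replace them with your own tenant's web.config and Admin parameter values.
SAMPLE = {
    "entityId": "https://east.smartadvocate.com/SA/Saml2",
    "returnUrl": "https://east.smartadvocate.com/SA/",
    "loginUrl": "https://east.smartadvocate.com/SA/login.aspx?idp={0}",
}

def check_saml_urls(entity_id, return_url, login_url):
    """Return a list of problems; an empty list means the three URIs are consistent."""
    problems = []
    e, r, l = (urlparse(u) for u in (entity_id, return_url, login_url))
    for name, u in (("entityId", e), ("returnUrl", r), ("login URL", l)):
        if u.scheme != "https":
            problems.append(f"{name} must use https, got {u.scheme or 'no scheme'}")
        if not u.netloc:
            problems.append(f"{name} is not an absolute URL")
    # The SP entity ID must end in /Saml2 (the Sustainsys.Saml2 module path)
    if not e.path.rstrip("/").endswith("/Saml2"):
        problems.append("entityId must end with /Saml2")
    # All three URIs must point at the same SmartAdvocate host
    if len({e.netloc, r.netloc, l.netloc}) != 1:
        problems.append("entityId, returnUrl and login URL must share one host")
    # Assumption: the application root is entityId with /Saml2 removed (e.g. /SA)
    app_root = e.path.rstrip("/")[: -len("/Saml2")]
    if not r.path.startswith(app_root + "/") and r.path.rstrip("/") != app_root:
        problems.append("returnUrl must sit under the same application path as entityId")
    # The Admin parameter Return URL must carry the IdP request parameter
    if "idp={0}" not in (l.query or ""):
        problems.append("login URL must carry the idp={0} request parameter")
    return problems

def acs_url(entity_id):
    """ACS endpoint to register at the IdP (assumed Sustainsys.Saml2 default: <entityId>/Acs)."""
    return entity_id.rstrip("/") + "/Acs"

if __name__ == "__main__":
    for p in check_saml_urls(SAMPLE["entityId"], SAMPLE["returnUrl"], SAMPLE["loginUrl"]):
        print("PROBLEM:", p)
    print("ACS URL for the IdP:", acs_url(SAMPLE["entityId"]))
```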
To enforce single sign-on login only:
Go to Admin parameters.
Filter it by Login as a group and SSO as the description
Modify Usernames for users who can bypass the SSO/SAML rule if needed.
Modify the “Disable regular login” setting and set it to True. Please note that if you did not provide any usernames in step 3 and SAML login fails, no one will be able to access your SmartAdvocate system.
Visit smartadvocate.com/support for other help options including how to access our Support Tracker and Daily Office Hours sessions.