Set up SAML in Serraview Configuration
Step 1. Client IT to send the Serraview Support team your SAML metadata file
For the Serraview Support team to assist with SSML configuration, the Client IT team must send them the following file:
- Generate and send Serraview the Client’s SAML metadata file.
Step 2. Configure the SAML settings in Serraview
The Serraview Support team will complete the configuration.
-
Sign into https://[client_instance].serraview.com using a Serraview account (non-SAML).
- Navigate to Configuration > General.
- Select SAML.
- Modify the SAML configuration as required. This area contains the configuration settings required to enable SAML. Most of these options are completed by the Client as the Identity Provider (IdP), but some are populated by Serraview as the Service Provider (SP).
Make changes carefully because this configuration will impact the user's ability to access Serraview.
|
Field |
Description |
|---|---|
|
Enable SSO |
Check the Enable SSO check box to enable SAML Authentication. The Name ID attribute is crucial for functionality of SAML in Serraview. This is the identifying attribute for a user. Make sure that this is configured at the IdP to a uniquely identifying attribute. |
|
SSO Name |
In the SSO Name field, enter an end-user friendly name that displays on the SSO Login button on the login page.
|
|
SAML Issuer |
In the SAML Issuer field enter the unique identifier of the IdP. |
|
Identity Provider SSO Service URL |
In the Identity Provider SSO Service URL field, enter the Assertion Consumer Service (ACS) URL. SAML requests will be directed to this ACS. |
|
SSO Service Binding |
From the SSO Service Binding type drop down select either:
This attribute specifies the transport binding to use when Serraview sends authentication requests to your IdP. |
|
Identity Provider Certificate |
In the Identity Provider Certificate field enter the public certificate. The public certificate used by the Serraview SP to verify the signature/decrypt messages received from your IdP. |
|
Sign Authentication Request |
This indicates if requests made by the Serraview SP should be signed by the SP based on what your IdP is expecting. |
|
Verify SAML Response Signature |
This indicates if your IdP SAML Response Signature must be verified by Serraview when it is received. We recommend this be used for increased security protection. |
|
Verify SAML Assertion Signature |
This indicates if your IdP SAML Assertion Signature on SAML assertion must be verified. We recommend this be used for increased security protection. Note: The IdP SAML Assertion Signature is configured as enabled on IdP by default. |
|
Verify SAML Assertion Encryption |
This indicates if the Serraview SP decrypts the SAML assertion from your IdP. We recommend this be used for increased security protection. |
|
First Name Attribute |
In the First Name Attribute field, enter a value that is the name of the SAML assertion attribute identifying the First Name of the user. |
|
Last Name Attribute |
In the Last Name Attribute field, enter a value that is the name of the SAML assertion attribute identifying the Last Name of the user. |
|
Email Attribute |
In the Email Attribute field, enter a value that is the name of the SAML Assertion attribute that will be used to identify the email address of the user. First Name, Last Name, Email Attribute will be used to automatically create a person record in Serraview in instances where an IdP authenticated person does not have a person record in Serraview. |
|
Service Provider Identifier |
Display Only - This contains the unique identifier to the Serraview SP instance. |
|
Serraview SSO URL |
Display Only - This contains the URL to the Serraview Assertion Consumer Service, used by IdP to send SAML responses. |
|
Serraview Certificate |
Display Only - This contains the Serraview application's public key used by the IdP to verify Serraview signature/decrypt SAML responses. |
|
Serraview Certificate Signature Method |
From the Serraview Certificate Signature Method drop-down select either:
This is the encryption method used to sign the Serraview SAML request. This matches the signature method in Serraview certificate. The value can be various based on the security requirement from your IdP. Whilst Serraview supports both SHA1 and SHA256, by default, Serraview generates the certificates of SHA256 signature method. |
|
Force SSO |
For more information, refer to the Do you want to force SSO? section below. |
5. Click the Update button.
Step 3. Serraview Support team to send the SAML metadata file
- We will generate and send the Client their SAML metadata file.
Step 4. Optional - Set up the Force SSO
After you are certain that all the setup has completed correctly and checked by the Serraview Support team, then you can select the Force SSO option. This means:
- Only SAML is used for authentication.
- Users will no longer be able to log into Serraview via the normal Username/Password method.
- When the user browses to the login page (https://[client_instance].serraview.com) they will automatically be directed to the SAML Login process and, if authenticated successfully, Serraview opens to them a moment later (they do not see a login screen).
For a user to successfully sign in with the Login Identifier (e.g. logon name, email address, employee number), the identifier needs to match what is in Serraview with what is in the Identity Provider(IdP) server on the client's side. If these do not match, a successful login token cannot be given to the user and the error message "Login Identifier is not provided for user" displays.
For more information on how to set the Login Identifier in Serraview, refer to Configure Default User Role and the Logon Identifier.