SAML SSO On-boarding Instructions

This document describes how to replace 4U Platform’s default email-based authentication system with Single Sign On (SSO) using SAML.

Updated over 11 months ago

Overview

SSO allows users to authenticate within your system and obtain access to the 4U Platform without a second sign-in. 4U offers SSO capabilities via the Security Assertion Markup Language (SAML) 2.0 open standard.

In brief, SAML facilitates exchanging authentication and authorization data across two systems consisting of a Service Provider (SP) and an Identity Provider (IdP). For our purposes, the 4U Platform is the SP and your authentication system is the IdP. We use email addresses as the “Name Id” to identify users during SSO authentication.

Examples of IdPs include Microsoft Active Directory Federation Services (AD FS), Okta, OneLogin, Ping Identity, Oracle Identity Federation, and many others. Whether or not your specific authentication system is mentioned here, we support all SAML 2.0-capable systems and the general process is always the same.

User Login Experiences

There are two different SSO login experiences that are supported:

  1. IdP-initiated sign on: the user follows an internal link to your authentication system, which redirects to the 4U Platform upon successful authentication. If the user is already authenticated within your system, they are sent straight to the 4U Platform without providing their credentials a second time.


    - The way users connect will be specific to the details of your system but they might connect via a link similar to: https://saml.your-domain.com/idp/startSSO.ping?PartnerSpId=https%3A%2F%2Fwww.4uplatform.com%2F


    - You can optionally specify a “RelayState” that indicates where on the 4U Platform site users should be directed to after a successful authentication.

  2. SP-initiated sign on: the user comes to the 4U Platform website and provides their email address. The user is then automatically redirected to your authentication system, provides their appropriate SSO credentials, and is redirected back to the 4U site as a logged in user. If the user is already authenticated within your system, they will not be prompted for their credentials a second time.

Either (or both) approaches work. Some clients give their users a link that performs IdP-initiated sign on; others have their users navigate to the 4U Platform and enter their email to initiate SSO. The benefit of the first approach is that users do not need to enter their email address on the 4U Platform, so IdP-initiated login is easier for the user and is generally preferred. One caveat: in an IdP-initiated flow the 4U Platform receives a response it did not request, so there is no InResponseTo value that can be matched against an authentication request it issued. In SP-initiated sign on the response does carry that value, which gives stronger protection against replayed responses; if that matters to you, have users start from the 4U Platform.
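As an added example (not code from the 4U Platform documentation or product), here is the IdP-initiated link construction and the SP-side handling of RelayState in Python. The start-SSO URL and the PartnerSpId parameter are the page's illustrative PingFederate-style values and will differ for your IdP; resolve_relay_state is a hypothetical SP-side helper that shows the check any SP should apply before redirecting on a RelayState it did not issue, since RelayState travels outside the signed SAML response and can be set by anyone who can make a user submit the form:

```python
from typing import Optional
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed values: the IdP start-SSO URL is the PingFederate-style example from
# this page and will differ for your IdP; the SP values are the 4U Platform's.
IDP_START_SSO = "https://saml.your-domain.com/idp/startSSO.ping"
SP_ENTITY_ID = "https://www.4uplatform.com/"
SP_SITE = "https://www.4uplatform.com"
SP_HOST = urlsplit(SP_SITE).netloc


def idp_initiated_link(relay_state: Optional[str] = None) -> str:
    """Link for IdP-initiated sign on, with an optional RelayState.

    PartnerSpId carries the SP entity ID exactly as in the SP metadata (trailing
    slash included); urlencode does the escaping rather than pasting it by hand.
    """
    params = {"PartnerSpId": SP_ENTITY_ID}
    if relay_state:
        params["RelayState"] = relay_state
    return f"{IDP_START_SSO}?{urlencode(params)}"


def resolve_relay_state(relay_state: Optional[str]) -> str:
    """SP side: turn an incoming RelayState into a safe post-login destination.

    RelayState arrives alongside the SAML response and is not covered by its
    signature, so it is untrusted input. Only a location on the SP's own site is
    honoured (a site-relative path, or an absolute https URL on SP_SITE); anything
    else, including protocol-relative "//host" and non-http schemes, falls back to
    the site root.
    """
    fallback = SP_SITE + "/"
    # The SAML 2.0 bindings spec caps RelayState at 80 bytes.
    if not relay_state or len(relay_state.encode()) > 80:
        return fallback
    parts = urlsplit(relay_state)
    if parts.scheme or parts.netloc:
        # Absolute URL: accept only the SP's own origin over https.
        if parts.scheme != "https" or parts.netloc != SP_HOST:
            return fallback
    elif not relay_state.startswith("/") or relay_state.startswith("//"):
        # Must be a site-relative path; "//..." would be protocol-relative.
        return fallback
    # Rebuild on the SP's own origin so only path and query survive (fragment dropped).
    return urlunsplit(("https", SP_HOST, parts.path or "/", parts.query, ""))
```

Called with no RelayState, idp_initiated_link reproduces the example link shown above; called with "/reports/42" it appends a URL-encoded RelayState. On the SP side, resolve_relay_state("https://evil.example/phish") and resolve_relay_state("//evil.example/") both return the site root, while a site-relative path or an https URL on the SP host passes through.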

ℹ️ By default, we do not automatically add users to the 4U Platform who have authenticated via SSO (aka “just-in-time provisioning”). User accounts must be separately created within the 4U Platform by your 4U admin in order to successfully log into the 4U Platform. If you want to support the bulk automatic creation of user accounts within the 4U Platform, please contact security@4uplatform.com.

ℹ️ We do not currently support Single Log Out (SLO). However, a session timeout is configured within the 4U Platform. Once the session timeout expires, the user will automatically be logged out and reverified via SSO. Your current session timeout can be viewed by your 4U Admin in the Security Settings section of the 4U Platform. If you would like to change your session timeout length, please contact security@4uplatform.com. If SLO is an important feature for you, we always appreciate feedback and use that in order to inform and prioritize our roadmap.

General Deployment Procedure

Our general workflow for enabling SSO is as follows:

  1. We provide our SP XML metadata (you can find our prod and non-prod versions in the links below). This is non-sensitive data that simply describes our SAML endpoints and configurations. It includes a SPSSODescriptor XML element that contains:
    - Entity Id: https://www.4uplatform.com/
    - Assertion Consumer Service (ACS) Endpoint: https://api.4uplatform.com/auth/saml2/acs
    - Single Logout Service (SLS) endpoint: https://api.4uplatform.com/auth/saml2/sls (present in the metadata, but Single Log Out is not currently supported; see the note above)
    - Name ID Format: email address (the emailAddress NameIDFormat); your IdP must send the user's email address as the NameID of the assertion
    - Additional User Attributes: (not applicable for most SSO integrations)

  2. You configure SSO for 4U within your IdP (the details of how to do that are specific to your system).

  3. You provide us with your IdP XML metadata (generated within your IdP solution). This XML file is the counterpart of the one we provide you and describes your IdP configuration via an IDPSSODescriptor XML element. It includes:
    - Entity Id: identifies your IdP (and is the Issuer we expect on your responses)
    - Single Sign On Service: the endpoint we redirect users to for SP-initiated sign on, with its binding (HTTP-Redirect or HTTP-POST)
    - Single Logout Service: the logout endpoint, if your IdP publishes one
    - X509 Certificate: your IdP's signing certificate; we use its public key to verify the signature on your authentication responses, so send us updated metadata before that certificate is rotated or expires, otherwise sign-ins will fail

  4. We coordinate a “go live” date and time during which:

ℹ️ Optionally, we can first configure and test SSO in a non-production systems integration testing (SIT) environment before doing so in production. Some clients have gone straight to production and others have deployed in non-prod first. Note that the configuration you perform for each environment is different (separate endpoints and metadata), and we will also need to coordinate the setup of the appropriate test users in our non-prod environment.
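The metadata exchange in steps 1 and 3, as an added example in Python (not the 4U Platform's own code). The two metadata documents are constructed inline to mirror the endpoints listed above; the IdP entity ID and endpoints are placeholders built on the page's illustrative saml.your-domain.com host, the certificate is a five-byte DER stand-in rather than a real X.509 certificate, and the function names are hypothetical. The script extracts the fields each side needs, computes the SHA-256 fingerprint of the IdP signing certificate so it can be confirmed with the IdP administrator out of band, and flags the mismatches that most often break a first go-live:

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import Dict, List

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed SP metadata mirroring the endpoints listed in step 1 (illustrative;
# the authoritative file is served at https://api.4uplatform.com/auth/saml2/metadata).
SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="https://www.4uplatform.com/">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://api.4uplatform.com/auth/saml2/sls"/>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:AssertionConsumerService Binding="{HTTP_POST}" Location="https://api.4uplatform.com/auth/saml2/acs" index="0"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed IdP metadata with placeholder host and endpoints; "MAMCAQA=" is a
# five-byte DER SEQUENCE standing in for a real base64-encoded X.509 certificate.
IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://saml.your-domain.com/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MAMCAQA=
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_REDIRECT}" Location="https://saml.your-domain.com/idp/slo"/>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://saml.your-domain.com/idp/sso"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://saml.your-domain.com/idp/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _endpoints(role: ET.Element, tag: str) -> Dict[str, str]:
    """Map Binding URN -> Location for every <md:tag> under a role descriptor."""
    return {e.get("Binding"): e.get("Location") for e in role.findall(f"md:{tag}", NS)}


def parse_sp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    role = root.find("md:SPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has no SPSSODescriptor")
    return {
        "entity_id": root.get("entityID"),
        "acs": _endpoints(role, "AssertionConsumerService"),
        "sls": _endpoints(role, "SingleLogoutService"),
        "nameid_formats": [n.text.strip() for n in role.findall("md:NameIDFormat", NS)],
    }


def parse_idp_metadata(xml_text: str) -> dict:
    root = ET.fromstring(xml_text)
    role = root.find("md:IDPSSODescriptor", NS)
    if role is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    certs: List[bytes] = []
    for kd in role.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            certs.append(base64.b64decode("".join((c.text or "").split())))
    return {
        "entity_id": root.get("entityID"),
        "sso": _endpoints(role, "SingleSignOnService"),
        "slo": _endpoints(role, "SingleLogoutService"),
        "nameid_formats": [n.text.strip() for n in role.findall("md:NameIDFormat", NS)],
        "signing_certs": certs,
    }


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint in the colon-separated form most IdP consoles display."""
    return ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())


def check_integration(sp: dict, idp: dict) -> List[str]:
    """Return the mismatches that would stop a go-live; an empty list means ready to test."""
    problems = []
    if HTTP_POST not in sp["acs"]:
        problems.append("SP metadata lists no HTTP-POST AssertionConsumerService")
    if EMAIL_NAMEID not in sp["nameid_formats"]:
        problems.append("SP metadata does not declare the emailAddress NameIDFormat")
    if not set(idp["sso"]) & {HTTP_REDIRECT, HTTP_POST}:
        problems.append("IdP has no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    if not idp["signing_certs"]:
        problems.append("IdP metadata carries no signing certificate, so responses cannot be verified")
    for der in idp["signing_certs"]:
        if not der or der[0] != 0x30:  # DER SEQUENCE tag: a framing check only, not X.509 parsing
            problems.append("IdP X509Certificate does not decode to DER")
    if EMAIL_NAMEID not in idp["nameid_formats"]:
        problems.append("IdP does not advertise emailAddress NameIDFormat; confirm it sends the email as NameID")
    return problems
```

Run parse_sp_metadata and parse_idp_metadata over the real files, then print cert_fingerprint for each signing certificate and compare it with the fingerprint shown in the IdP console before the go-live. The certificate check here only confirms DER framing; with a real certificate, also parse it (for example with the cryptography package) and confirm its notAfter date is comfortably beyond the go-live, since an expiring IdP signing certificate is the most common cause of a working integration suddenly failing.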

4U Platform Service Provider Metadata

Our production SP metadata XML for https://www.4uplatform.com is available at: https://api.4uplatform.com/auth/saml2/metadata

When performing a non-production integration to our https://www.sit.stage.4uplatform.com environment, you’ll also need the corresponding staging metadata XML: https://api.sit.stage.4uplatform.com/auth/saml2/metadata.

Feedback

We’re always interested in feedback! If there is anything about this documentation that you feel could be clearer or was missing or just generally confused you, please let us know.
