Overview
Policy Passport implements single sign-on (SSO) using the SAML 2.0 protocol. Policy Passport can be configured to work with two kinds of Identity Providers (IDPs).
- internal IDP: the one you see when log in to <sub-domain>.policypassport.com
- external IDP: Companies provide an own IDP
Basic Authentication Flow
When the user tries to access the Policy Passport application in the browser, the Service Provider (SP) checks if the user is already authenticated. If not, then the user is redirected to the Identify Provider (IDP), which initiates the authentication (e.g. via username and password). After successful authentication, the user is redirected back to the Service Provider which grants access to the Policy Passport application. The IDP provides attributes, e.g. email address, to the Service Provider (SP) which are used to properly identify the user within Policy Passport.
Supported IDPs
Policy Passport is tested and works with IDPs which support the SAML 2.0 protocol, e.g.
IDP Name | IDP Documentation |
---|---|
Microsoft Active Directory Federation Services (AD FS) | https://msdn.microsoft.com/en-us/library/bb897402.aspx |
Microsoft Azure AD | https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp |
Google IDP | https://support.google.com/a/answer/6087519?hl=en |
Okta | https://www.okta.com/topic/saml/ |
Checklist external IDP
Prerequisites:
- IDP must support SAML 2.0
- client browser needs network access to IDP
Setup steps
- Customer provides Start URL e.g https://<IDP-URL>/adfs/ls
- Customer provides Public X.509 certificate file
- Policy Passport sets up a client account and configures to use the customer's IDP. Once setup the metadata of Policy Passport will be sent to the customer
- Customer imports the Policy Passport metadata and configures SAML attributes that Policy Passport requires.
- Customer tests the access to Policy Passport
- If successful, Policy Passport deactivates the access via username / password.
Attribute Mapping
Please ensure that the name of every SAML 2.0 attribute exactly matches the name Policy Passport SP expects.
Name | Format | Example | Comment |
---|---|---|---|
emailAddress | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | john.doe@customer.com |
For Microsoft ADFS we provide custom rule mappings, see https://compliance.freshdesk.com/support/solutions/articles/12000059870-sso-with-adfs
Example SAML message
<saml2:AttributeStatement> <saml2:Attribute FriendlyName="emailAddress" Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"> <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string"> john.doe@customer.com </saml2:AttributeValue> </saml2:Attribute> </saml2:AttributeStatement>
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article