Recent Searches

    Popular Articles

      Articles
      View all
        Topics
        View all
          Tickets
          View all
            no results

            Sorry! nothing found for

            Single sign-on (SSO) with ELLO

            Modified on Tue, 19 Nov 2019 at 03:29 PM

            Overview


            ELLO implements single sign-on (SSO) using the SAML 2.0 protocol. ELLO can be configured to work with two kinds of Identity Providers (IDPs). 


            Basic Authentication Flow

            When the user tries to access the  ELLOapplication in the browser, the Service Provider (SP) checks if the user is already authenticated. If not, then the user is redirected to the Identify Provider (IDP), which initiates the authentication (e.g. via username and password). After successful authentication, the user is redirected back to the Service Provider which grants access to the ELLO application. The IDP provides attributes, e.g. email address, to the Service Provider (SP) which are used to properly identify the user within ELLO.

            SSO Authentication Flow

            Supported IDPs

            ELLO is tested and works with IDPs which support the SAML 2.0 protocol, e.g.


            IDP NameIDP Documentation
            Microsoft Active Directory Federation Services (AD FS)https://msdn.microsoft.com/en-us/library/bb897402.aspx
            Microsoft Azure ADhttps://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-federation-saml-idp
            Google IDPhttps://support.google.com/a/answer/6087519?hl=en
            Oktahttps://www.okta.com/topic/saml/


            Checklist external IDP


            Prerequisites:


            • IDP must support SAML 2.0
            • client browser needs network access to IDP


            Setup steps

            1. Customer provides Start URL e.g https://<IDP-URL>/adfs/ls
            2. Customer provides Public X.509 certificate file
            3. ELLO sets up a client account and configures to use the customer's IDP. Once setup the metadata of ELLO will be sent to the customer 
            4. Customer imports the ELLO metadata and configures SAML attributes that ELLO requires. 
            5. Customer tests the access to ELLO
            6. If successful, ELLO deactivates the access via username / password. 


            Attribute Mapping


            Please ensure that the name of every SAML 2.0 attribute exactly matches the name ELLO SP expects. 


            NameFormatExampleComment
            emailAddressurn:oasis:names:tc:SAML:2.0:attrname-format:urijohn.doe@customer.com


            For Microsoft ADFS we provide custom rule mappings, see https://compliance.freshdesk.com/support/solutions/articles/12000059870-sso-with-adfs


            Example SAML message


            <saml2:AttributeStatement>
    <saml2:Attribute FriendlyName="emailAddress" Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
          <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
          john.doe@customer.com
          </saml2:AttributeValue>
   </saml2:Attribute>
</saml2:AttributeStatement>

            Was this article helpful?

            That’s Great!

            Thank you for your feedback

            Sorry! We couldn't be helpful

            Thank you for your feedback

            Let us know how can we improve this article!

            Select atleast one of the reasons

            Feedback sent

            We appreciate your effort and will try to fix the article

            Preview
            0 of 0