/ /
Generic SAML configuration
Updated 3 months ago

Overview

SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact the Customer Success team at customersuccess@responsive.io to enable it.

Responsive uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0) and supports SAML Authentication as an add-on feature.

Our single sign-on (SSO) implementation integrates easily with any large identity provider that supports SAML 2.0.

Configuring SAML in ISPs

Based on the environment you want to configure, provide the following content for the various fields in your Identity Service Provider (ISP).

For Production Environment:

RelayStateRelay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML
Audience / APP ID URI / Entity IDhttps://www.rfpio.com

Recipient / 

ACS Consumer URL /

Login URL / 

Sign-On URL

https://app.rfpio.com/rfpserver/login/handle-saml-response
ACS Consumer URL Validatorhttps:\/\/app\.rfpio\.com\/rfpserver\/login\/handle- saml-response

 

For Sandbox Environments:

RelayStateRelay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML
Audience / APP ID URI / Entity IDhttps://www.rfpio.com

Recipient / 

ACS Consumer URL /

Login URL / 

Sign-On URL

https://sb01.rfpio.com/rfpserver/login/handle-saml-response

[or]

https://sb02.rfpio.com/rfpserver/login/handle-saml-response

[or]

https://ms-sb.rfpio.com/rfpserver/login/handle-saml-response

[or]

https://google-sb.rfpio.com/rfpserver/login/handle-saml-response

ACS Consumer URL Validator

https:\/\/sb01\.rfpio\.com\/rfpserver\/login\/handle- saml-response

[or]

https:\/\/sb02\.rfpio\.com\/rfpserver\/login\/handle- saml-response

[or]

https:\/\/ms-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

[or]

https:\/\/google-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

 

Map the attribute name by providing the below attribute values.

Attribute Name

Attribute Values

first_name

first_name

last_name

last_name

job_title

job_title

phone

phone

location

location

You can also specify the Roles and Business Units (Primary Business Unit) in your IDP provider which helps in accessing the Responsive application directly from your IDP provider login.

Map the attribute name by providing the below attribute values.

Attribute Name Attribute Value
responsive_user_role<Specify the role name which you have mentioned in the Responsive application as attribute value>
primary_business_unit<Specify the primary business unit name as the attribute value>

Note: The role values should be entered exactly the same what have been specified in Responsive. The values are case sensitive. Similarly, business unit's values should be entered as the same in Responsive. If the business unit's values are different from the application, the user will be mapped to the default business unit.

(Optional) If you find this below field, enter the public key.

mceclip0.png

If you want to generate a new set of public and private keys, use the below commands.

  • OpenSSLgenrsa -aes256 -out mykey1.pem
  • OpenSSLrsa -in mykey1.pem -pubout -out public_key1.pem -aes256
  • OpenSSLrsa -in mykey1.pem -out private_key1.pem

Generate SAML Metadata in IDP

Get the Metadata from IDP. The metadata will look like shown below (xml) :

mceclip1.png

Configuring SAML in Responsive

  1. Go to Organization Settings > My Organization > Security > SSO/SCIM and click Upload Configuration File to open the downloaded metadata or copy the XML.
    Note: Contact your account manager if the SAML SSO feature is not visible.
  2. Paste the XML in the Identity configuration field or choose the downloaded file.
  3. Copy the SP Private key and paste it in the field (optional).
  4. Click Validate to validate the configuration.
  5. Once validated, turn on the SAML toggle and click Save.
     

Logging in to Responsive using SAML

You can log in using SAML in the following ways:

  • Login from your IDP
  • Login to app.rfpio.com using SAML
    mceclip7.png
  • Login using instance-specific URL. Contact your account manager to get an instance-specific URL which can be bookmarked in your browser.
  • Just in Time Provisioning.

Just-in-Time provisioning

With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization and have provided access to Responsive in your SAML Identity Provider, you don't need to manually create the user in Responsive. When they log in with single sign-on for the 1st time, their account is automatically created for them, eliminating the time and effort with on-boarding the account. The new user can be assigned as Admin or Manager or Team Member role by defining the role in the SAML integration. User attribute can also be selected along with user role.

*None is an option for the admin users to restrict the new user to come into the application.

Points to remember:

  • The IDP metadata must include a HTTP Redirect in order to be validated. In the example below, IDP indicates the customer's IDP and domain name indicates the customer's domain name.
    <SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
    />
  • The NameID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, as opposed to transient with user attribute mapping.
  • Only POST payload in SAML response are supported.
Was this article helpful?