Security Assertion Markup Language (SAML) is a mechanism used to authorize users in two or more web applications/websites. It could be used as Single Sign On (SSO) method in OnsiteSupport.
How Does It Work in OnsiteSupport
OnsiteSupport takes the role of service provider here that establishes connection with identity provider (LDAP, Active Directory) of your corporate network. You can use your own SAML server or choose SAML service like OneLogin, Okta, PingIdentity, as identify provider (IdP).
Once user is authorized in any of your application that uses SAML, he would be automatically logged in all other applications (CRM, email, internal system, etc). So authentication process is handled outside of OnsiteSupport.
Each time new user is added into your network, new user account is created in OnsiteSupport, but passwords are not stored in the system but only emails and Full Names.
No matter what login form you would use, users would sign in corporate network (authenticated with LDAP or Active Directory as an example). Once user is added in your corporate network, it's added automatically into your community by syncing the data.
Configuring SAML Implementation
Go to Administration » Applications and enable Single Sign-On. Then click Settings and select the SAML method.
If you are going to use system only within your company, so no public users would have access to it, choose the option to use only SSO and disable registration emails.
You would need 2 options to put on your IdP (SAML server or service provider) that are provided on settings page:
- Assertion Consumer Service URL - SSO URL of OnsiteSupport that is served as service provider in SAML;
- Single Logout Service URL - used to logout user from OnsiteSupport once logout process was done in another application.
You would need to take 3 options for your IdP to put in OnsiteSupport settings:
- External Login URL - used to forward you to external login form where user is authenticated;
- External Logout URL - used to logout user from all web applications once user logs out OnsiteSupport;
- Certificate Fingerprint - the SHA1 fingerprint of the SAML certificate that should be taken at your IdP.
You can pass other variables to be caught by the system set in the module settings like User ID, Email, First Name, Last Name.
Any user that signs in OnsiteSupport using SAML is assigned to "User" team.