
SAML Application Integrations

Overview

The Security Assertion Markup Language (SAML) integration screen lets you add your identity provider's (IdP) information and set its authorization and configuration details. This enables passwordless authentication for your organization's users who have logged in to the service provider's (SP) site, so you can log in to your SP account with your biometrics. The biometric options include Touch ID / Face ID and LiveID.

For detailed information about SAML and to review the full protocol specification, see the Security Assertion Markup Language (SAML) V2.0 Technical Overview.

1Kosmos as Identity Provider

1Kosmos can integrate with SAML applications by acting as an Identity Provider (IdP) that provides single sign-on (SSO) to external Service Provider (SP) applications.

The service provider (SP) initiates the SAML sign-in flow with 1Kosmos when the user goes to sign in, or when the user attempts to visit a protected resource:

  1. The SP generates a SAML Request, which triggers the authentication flow with 1Kosmos as the IdP.
  2. The user enters their log-in details.
  3. 1Kosmos generates a SAML Response containing the assertion of the authenticated user. In addition, a SAML Response may contain additional information, such as user profile information and group/role information, depending on what the Service Provider can support.
  4. The authenticated user is returned to the external Service Provider's application.

Please see Identity Provider (IdP) Configuration for more information on setting your Identity Provider in AdminX.

SAML Integration in AdminX

Add a New SAML Application

Note

This guide follows the process for adding a generic SAML application.

See SSO Integrations in AdminX for a list of pre-built integrations.

To get started, navigate to your AdminX control panel and log in as a tenant or community administrator.

Navigate to the Applications page. Click Add Application.

From the Add new applications page, scroll down to your service provider.

If your service provider is not listed, select SAML2.0 Generic (located in the Custom app section) and click Add Integration.

Review the information listed on the page. You will need to have completed the steps outlined in Identity Provider (IdP) Configuration before continuing with your SAML application integration.

Click Add Application to continue.

Enter an application name, and select an instance type.

Enter the Application access URL given by your Service Provider (SP). The URL should look something like: https://mydomain.company.com/sso/saml

Click Next to continue.

Under Step 2: SAML Settings, configure the following settings:

  • Metadata: Upload a SAML metadata file if one is available from your service provider

Assertion Statement (NameID):

  • Format: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
  • Value: enter an attribute, such as email

In the Claims Mapping section, click Add new.

Add the attributes and their formats as specified by your Service Provider. An example of claims mapping is provided below:

  • Attribute: email; Format: User.Email
  • Attribute: username; Format: User.Username
  • Attribute: firstname; Format: first_name
  • Attribute: lastname; Format: last_name

Click Next to continue.

In the Advanced Options tab, enter and select the following details:

Entity ID: Enter the entity ID. For example, https://mydomain.company.com

In the Assertion Consumer Service section, enter the following details:

  • Method: POST.
  • URL: Enter the SAML assertion consumer URL given by your SAML service provider. The URL should look something like https://mydomain.company.com/sso/saml

In the section titled "Select the checkbox for each request/response that should be signed", select the signing options your service provider requires.

  • Signing Certificate: Upload the public-key certificate (.pem) file if one has been provided by your service provider.

Click Save to finish adding your SAML application.

Testing the Connection

In your browser, enter the target application domain URL. You will be redirected to your BlockID Admin console's single sign-on page.

Log in with BlockID by scanning the QR code with the BlockID Mobile Application or by entering your username, password, and OTP.

After authenticating, you will be logged into the target application, confirming the SAML integration has worked successfully.
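If the test login fails, the quickest diagnosis is to compare the SAMLResponse the service provider received against the values entered in AdminX above (Entity ID, Assertion Consumer Service URL, the persistent NameID format and the claims mapping). The script below is an added example, not part of this guide or the 1Kosmos product; it uses a constructed, unsigned sample response and the placeholder domain from the guide, and it checks the fields only, leaving XML signature verification against the uploaded certificate to a proper XMLDSig library.

```python
import base64
import xml.etree.ElementTree as ET

SAML = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

EXPECTED = {  # values entered in AdminX in this guide (placeholder domain from the guide)
    "entity_id": "https://mydomain.company.com",
    "acs_url": "https://mydomain.company.com/sso/saml",
    "claims": {"email", "username", "firstname", "lastname"},
}

# Constructed, unsigned sample of a decoded SAMLResponse form field (not real IdP output).
SAMPLE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://mydomain.company.com/sso/saml">
 <saml:Assertion><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">jane@example.com</saml:NameID>
 </saml:Subject>
 <saml:Conditions><saml:AudienceRestriction><saml:Audience>https://mydomain.company.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
 <saml:AttributeStatement>
  <saml:Attribute Name="email"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="username"><saml:AttributeValue>jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()


def check_saml_response(response_b64, expected):
    """List the fields that disagree with the configured SP values (empty list = all agree)."""
    # Signature verification against the uploaded certificate is a separate step, not done here.
    root = ET.fromstring(base64.b64decode(response_b64))
    problems = []
    if root.get("Destination") != expected["acs_url"]:
        problems.append("Destination != ACS URL")
    assertion = root.find("saml:Assertion", SAML)
    if assertion is None:
        return problems + ["no Assertion element"]
    # NameID must carry the persistent format selected under Assertion Statement.
    name_id = assertion.find("saml:Subject/saml:NameID", SAML)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID format is not persistent")
    # Audience must name the Entity ID entered under Advanced Options.
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", SAML)]
    if expected["entity_id"] not in audiences:
        problems.append("Audience does not include Entity ID")
    # Every mapped claim must appear as an Attribute with that Name.
    present = {a.get("Name") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", SAML)}
    if expected["claims"] - present:
        problems.append("missing claims: " + ", ".join(sorted(expected["claims"] - present)))
    return problems
```

To check a real login, replace SAMPLE_RESPONSE_B64 with the SAMLResponse value captured from the POST to your ACS URL (for example from the browser's developer tools) and EXPECTED with the values you entered in AdminX.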