Configure SSOCircle as SAML Identity Provider

Configure SSOCircle as SAML Identity Provider

Configure SSOCircle as an identity provider by completing the following steps:

  1. Obtain SSOCircle metadata.

  2. Configure enterprise connection in Auth0.

  3. Configure SSOCircle as identity provider.

  4. Test connection.

Prerequisite

You must have a SSOCircle account.

Obtain SSOCircle metadata

  1. Navigate to SSOCircle's IDP page to see the metadata required for integration. You will be shown an XML file.

  2. From this page, you will need to save the following attributes:

    1. The Location URL for the SingleSignOnService attribute with an HTTP-Redirect type.

    2. The Location URL for the SingleLogoutService attribute with an HTTP-Redirect type.

  3. Download and save the SSOCircle CA Certificate.

Configure enterprise connection in Auth0

  1. Go to Dashboard > Authentication > Enterprise > SAMLP and click the plus icon to go to the page that allows you to create a new connection.

  2. Provide the appropriate configuration settings for this connection. The only mandatory fields are as follows:

    Setting Description
    Connection Name Connection name
    Sign In URL The Identity Provider Single Sign-On URL you noted from the Okta setup wizard
    X509 Signing Certificate Upload the certificate you downloaded from Okta.

  3. When setting up mappings, use the following JSON to properly map SAML attributes from SSO Circle:

    {
          "email": "EmailAddress",
          "given_name": "FirstName",
          "family_name": "LastName"
        }

    Was this helpful?

    /

  4. Click Save. In the next window, you'll be provided two options:

    1. If you are a domain administrator, click Continue for additional instructions on SAML identity provider configuration.

    2. If you are not, you can give your domain administrator the provided URL so that they can finish the configuration.

You can access the metadata for an Auth0 SAML connection using a URL with the following format: https://{yourDomain}/samlp/metadata?connection={yourConnectionName}.

You will need to provide this metadata to SSOCircle in the next step.

Configure SSOCircle as identity provider

  1. Log in to your SSOCircle account. You will be directed to your user profile, and to the left of that is a navigation bar.

  2. Click Manage Metadata.

  3. Select Add New Service Provider, and provide the following information to configure the new service provider which, in this case, is Auth0:

    Setting Description
    FQDN of the ServiceProvider auth0.com
    Attributes to send in assertion Check the box for EmailAddress
    Insert your metadata information: Paste in the XML metadata that you downloaded after you configured your Auth0 connection.

  4. Click Submit.

Test connection

Create Auth0 application

  1. Go to the Applications page on the Auth0 Dashboard and click + New Application.

  2. Provide some basic information about your new application. Choose Regular Web Applications as the application type.

  3. Click Create to finish configuration and begin the Application creation process. You will be directed to the application details page.

  4. Click Settings.

  5. In the Allowed Callback URL field, enter the list of allowed callback URLs includes those to which users will be redirected after authentication. The URL(s) entered here must match the callback URL in the HTML code you will create in a later step. Normally, you would enter a URL for your application, but to keep this example simple, users will simply be sent to the Auth0 JWT Tool.

  6. Click SAVE CHANGES.

  7. Return to the top of Settings and click Connections.

  8. Scroll to the Enterprise section. Find the row for the SAML connection you created above and turn on toggle to enable the SAML connection.

Test enterprise connection

  1. To test your connection, follow the steps in Test Enterprise Connections.

  2. During this process you will be asked to log in and consent.

  3. Additionally, if you see a message that says, "Your session has timed out," click the Return to Login page link below the message.

If logging in to your application doesn't work the first time, clear your browser's history and cookies before testing again. The browser may not be picking up the latest version of your HTML.

When troubleshooting SSO, it is often helpful to capture an HTTP trace of the interaction. There are many tools that will capture the HTTP traffic from your browser for analysis (search for "HTTP Trace" to find one appropriate for your needs). Once you have an HTTP tracer, capture the login sequence from start to finish and analyze the trace to see the sequence of GET requests to see where the error occurs. You should see:

  • A redirect from your original site to the IDP

  • A post of credentials (if you were asked to log in)

  • A redirect to the callback URL.

Ensure that your browser has enabled cookies and JavaScript.

Check to make sure that the callback URL specified in the HTML is also listed in the Allowed Callback URLs field in the Settings tab of the Auth0 Application.