The SAML Integrations plugin allows editors to link and embed sign-in-protected external content or services. If you have a SAML SSO solution in place, the Staffbase platform can use this to make sign-in-protected external content or services accessible to app users without an additional sign-in. The SAML method is also an alternative when it is not possible to use the JWT SSO.
Once the SSO connection has been configured in the SAML Integrations plugin, it is easy for your editors to make sign-in-protected content or services available to users.
Installing the SAML Integrations Plugin
- In the Studio, navigate to Content > Add plugin.
- Navigate to SAML Integrations and click Install.
The dialog to add a SAML integration opens.
- Provide a title for the integration.
- If your platform uses spaces, select the space All employees.
- Click Add SAML integration.
The SAML Integrations plugin has been added to the content menu and the first SSO connection has been added. The SSO connection is not configured yet.
Configuring the SSO Connection
The SAML Integrations plugin generates a private key and a matching certificate (the public key). Staffbase signs the SAML assertion it sends for each access request with the private key; the service provider verifies that signature with the certificate you hand over, and so confirms that the user requesting access to the sign-in-protected content or service is signed in to the Staffbase app.
Requirements
- The content or service that you are embedding supports the IdP-initiated SSO flow: Staffbase acts as the identity provider and posts a signed SAML assertion to the service with each access request, and the service verifies the signature against the certificate exchanged beforehand.
- Check the following with the service provider:
- The embedded page allows framing from a different origin: it must not send X-Frame-Options: DENY or X-Frame-Options: SAMEORIGIN, and if it sends a Content-Security-Policy frame-ancestors directive, that directive must list the origin of your Staffbase app.
- The embedded page is served over HTTPS with a complete, valid certificate chain. Mobile devices are stricter about TLS certificates than desktop browsers, so a certificate that works on a desktop may still fail in the app.
- The service allows one of the following user provisioning methods:
- Just-in-time
- Pre-provisioning
- In the Studio, navigate to the SSO connection that you want to configure or add a new SSO connection.
- For Application Service Provider URL provide the URL of the service you want to embed.
- For Entity ID/ Audience URL, provide the identifier the service provider uses for itself in SAML (usually a URL). Staffbase writes this value into the Audience element of each assertion, and the service provider rejects assertions whose audience does not match its own Entity ID.
- From the Signature Algorithm dropdown menu, select the algorithm used to sign the SAML assertions that carry the sign-in information from the Staffbase platform to the external system where the sign-in-protected content resides. The signature does not encrypt the assertion; it lets the service provider verify that the assertion was issued by Staffbase and has not been altered.
Warning: SHA-1 signature algorithm setting for SAML Integrations to be discontinued. Starting July 31, 2024, the signature algorithm option with the SHA-1 setting for configuring the SAML Integrations plugin will no longer be offered. Select a stronger algorithm than SHA-1 (SHA-256 is the usual choice) for new and existing connections.
- Click Save.
The private key and the certificate are generated.
- Note down the information from the fields Certificate and Identity Provider URL.
- Send the certificate and the identity provider URL to the service provider.
Once the service provider has stored the certificate and registered the Identity Provider URL as a trusted IdP, app users can access the content or service without signing in again.
The SSO connection is prepared and the content or service is ready to be embedded in your platform.
Next steps
Reach out to your editor to finalize the configuration for this content or service. The editor might want to configure visibility settings or the placement in the menu before publishing the content or service.
If external, embedded content is not displaying correctly in the Staffbase platform, make sure the service sets its cookies so that they survive inside a cross-site iFrame.
Current browsers treat a cookie without a SameSite attribute as SameSite=Lax and do not send it from inside a frame on another site, so the session of the embedded service is lost. The session cookie of the embedded service therefore needs the following attributes:
Set-Cookie: session=a-session; SameSite=None; Secure
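The following Python script is an added example, not code from Staffbase or from the page: it takes the HTTP response headers of the page a service provider wants embedded and checks the framing and cookie requirements from the Requirements section and the cookie note above (X-Frame-Options, Content-Security-Policy frame-ancestors, SameSite=None; Secure). The embedding origin https://app.staffbase.com and the header sets in the demo are assumed placeholders; use the origin your Staffbase app is actually served from, and feed the script the headers you capture from the service with curl -I or the browser's developer tools.

```python
# Added example (not Staffbase code): checks the response headers of a page a service
# provider wants embedded for the framing and cookie requirements listed on this page.
# EMBEDDING_ORIGIN is an assumed placeholder; use the origin your Staffbase app is served from.
EMBEDDING_ORIGIN = "https://app.staffbase.com"


def _source_allows(source, origin):
    """Match one CSP frame-ancestors source expression against an origin."""
    source = source.strip().strip("'").lower()
    scheme, host = origin.split("://", 1)
    if source == "*" or source == scheme + ":":
        return True                       # any origin / any origin with this scheme
    if source in ("none", "self"):
        return False                      # 'self' is the service's own origin, not ours
    src_scheme, _, src_host = source.rpartition("://")
    if src_scheme and src_scheme != scheme:
        return False
    if src_host.startswith("*."):
        return host.endswith(src_host[1:])
    return src_host == host


def check_embedding(headers, origin=EMBEDDING_ORIGIN):
    """Return the list of problems that would break the page inside a cross-origin
    iFrame on `origin`; an empty list means the headers look fine.
    `headers` is a list of (name, value) pairs because Set-Cookie can repeat."""
    problems, cookies = [], []
    xfo = frame_ancestors = None
    for name, value in headers:
        key = name.lower()
        if key == "x-frame-options":
            xfo = value.strip().upper()
        elif key == "content-security-policy":
            for directive in value.split(";"):
                tokens = directive.split()
                if tokens and tokens[0].lower() == "frame-ancestors":
                    frame_ancestors = tokens[1:]
        elif key == "set-cookie":
            cookies.append(value)

    if frame_ancestors is not None:
        # When both headers are present, browsers apply frame-ancestors and ignore X-Frame-Options.
        if not any(_source_allows(s, origin) for s in frame_ancestors):
            problems.append(f"CSP frame-ancestors does not allow {origin}")
    elif xfo in ("DENY", "SAMEORIGIN"):
        problems.append(f"X-Frame-Options: {xfo} blocks framing from {origin}")
    elif xfo is not None and xfo.startswith("ALLOW-FROM"):
        problems.append("X-Frame-Options: ALLOW-FROM is ignored by current browsers; "
                        "use Content-Security-Policy frame-ancestors instead")

    for raw in cookies:
        parts = [p.strip() for p in raw.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1] if "=" in p else "")
                 for p in parts[1:]}
        # A cookie without SameSite is treated as Lax and dropped inside a cross-site frame.
        if attrs.get("samesite", "").lower() != "none":
            problems.append(f"cookie {cookie_name}: needs SameSite=None to survive in a cross-site iFrame")
        if "secure" not in attrs:
            problems.append(f"cookie {cookie_name}: Secure is required together with SameSite=None")
    return problems


if __name__ == "__main__":
    # Constructed header sets, not captured from a real service.
    blocked = [("X-Frame-Options", "SAMEORIGIN"),
               ("Set-Cookie", "session=a-session; Path=/; HttpOnly")]
    fixed = [("Content-Security-Policy", "default-src 'self'; frame-ancestors 'self' https://*.staffbase.com"),
             ("Set-Cookie", "session=a-session; SameSite=None; Secure; HttpOnly")]
    for label, hdrs in (("blocked", blocked), ("fixed", fixed)):
        print(label, check_embedding(hdrs) or "ok")
```

The script cannot see whether the page is served over HTTPS or how good its certificate chain is; check that part separately, for example with the SSL Labs test linked at the end of this page.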
Technical Showcase for IT
Example of the exchanged information with a demo service provider platform.
How does the Embedding of Content Work?
The SAML Integrations plugin adds an iFrame to the platform and, after successful SAML authentication, loads the content or service inside this frame.
What Information Is Included in the SAML Token?
The SAML token sent by Staffbase contains the following information:
- External ID (Identifier in the user profile): http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
- First name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
- Last name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Subject > NameID: the externalID (Identifier in the user profile)
- Optionally, additional user profile information
For further information about optional user profile information, reach out to Staffbase Support or your Customer Success Manager.
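The following Python script is an added example, not code from Staffbase or from the page: it shows the checks a service provider applies to the SAML assertion described above before it trusts the user information in it, run against a constructed sample assertion that carries the three claim URIs and the NameID listed above. The issuer and audience URLs, the user values and the validity times in the sample are placeholders; the SignatureValue is not a real signature, and the cryptographic verification of the XML signature against the exchanged certificate is deliberately left to the service provider's SAML library, which also has to defend against signature wrapping.

```python
# Added example (not Staffbase code): the checks a service provider applies to the SAML
# assertion described on this page, run against a constructed sample assertion.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
SHA1_ALGORITHMS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",
                   "http://www.w3.org/2000/09/xmldsig#dsa-sha1"}

# Constructed sample; issuer, audience, times and user values are placeholders, and the
# SignatureValue is not a real signature (see the note in validate_assertion).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" Version="2.0" ID="_sample1"
  IssueInstant="2024-05-01T10:00:00Z">
  <saml:Issuer>https://idp.example.invalid/saml/staffbase</saml:Issuer>
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
  </ds:SignedInfo><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>emp-0042</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T09:59:00Z" NotOnOrAfter="2024-05-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://service.example.invalid/saml/metadata</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier">
      <saml:AttributeValue>emp-0042</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _utc(stamp):
    """Parse a SAML UTC timestamp such as 2024-05-01T10:00:00Z."""
    return dt.datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def validate_assertion(xml_text, expected_issuer, sp_entity_id, now):
    """Apply the service-provider checks and return the user attributes, or raise
    ValueError. `now` is a timezone-aware datetime or a UTC timestamp string.
    The cryptographic check of the XML signature against the exchanged certificate
    (and protection against signature wrapping) is the job of the SP's SAML library;
    this function only checks what the signed content claims."""
    if isinstance(now, str):
        now = _utc(now)
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:                       # must be the trusted Identity Provider URL
        raise ValueError(f"issuer {issuer!r} is not the trusted Identity Provider URL")
    method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if method is None:
        raise ValueError("assertion carries no signature")
    if method.get("Algorithm") in SHA1_ALGORITHMS:     # matches the SHA-1 warning on this page
        raise ValueError("SHA-1 signature algorithm rejected")
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:                   # the Entity ID/Audience configured above
        raise ValueError(f"audience {audiences} does not include the Entity ID {sp_entity_id}")
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        if name.startswith(CLAIMS):
            attrs[name[len(CLAIMS):]] = attr.findtext("saml:AttributeValue", namespaces=NS)
    if attrs.get("nameidentifier") != name_id:          # both carry the external ID
        raise ValueError("NameID and nameidentifier claim disagree")
    return {"name_id": name_id, **attrs}


def rejection_reason(xml_text, expected_issuer, sp_entity_id, now):
    """Return why an assertion would be rejected, or None when it passes."""
    try:
        validate_assertion(xml_text, expected_issuer, sp_entity_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "https://idp.example.invalid/saml/staffbase",
                             "https://service.example.invalid/saml/metadata", "2024-05-01T10:01:00Z"))
```

The audience and issuer checks are the ones that go wrong most often when the Entity ID/ Audience URL or the Identity Provider URL was copied with a trailing slash or a different host, so compare the exact strings on both sides when a service provider reports a rejected assertion.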
Additional Helpful Information
- More information on SAML
- Test the strength of your TLS configuration and certificate chain to ensure that embedding works on mobile devices, for example with SSL Labs: https://www.ssllabs.com/ssltest/analyze.html
If your result is A or A+, the embedding should work.