Integration
SAML Guide
aplus+ supports SSO authentication via SAML. This guide covers the configuration process and the information that is required.

Process

1. aplus+ provides the service provider information as the system is provisioned. An example is given under "aplus+ service provider information" below.
2. The customer configures their IdP and provides aplus+ with their metadata, or with the settings listed under "Identity provider information" below.
3. aplus+ completes the service provider configuration.
4. Test the authentication process by accessing the aplus+ URL. aplus+ adds a test user to aplus+ and tests the full authentication and aplus+ login process.

Terms and abbreviations

SSO (single sign-on): enables users to securely log into applications (such as aplus+) using one set of credentials. The credentials are not shared with the applications; they are managed by a centralized IdP.

SAML (Security Assertion Markup Language): an open standard for transferring identity data.

IdP (identity provider): the service which users log into using their login credentials.

X.509 certificate: the standard which defines the format of public key infrastructure (PKI) certificates. aplus+ stores the IdP's certificate (its public key), which is used to verify the signature on authentication information from the IdP and so confirm that it can be trusted.

User mapping

Each user must exist in aplus+ already. When they attempt to access the application they will be redirected to the IdP, where they authenticate, and are then redirected back to aplus+. For the process to complete successfully, their aplus+ user code field must match the NameID provided in the SAML response.

Depending on requirements, aplus+ can be configured to load the email address from the email attribute, if provided in the SAML response, instead of the NameID. In this case the email must match the aplus+ user code value.

aplus+ service provider information

Configure the IdP with the following details for aplus+. The aplus+ URL usually takes the form customer.aplusattendance.com, where customer is a unique subdomain for the customer.

Information: Example
Single sign on URL: https://customer.aplusattendance.com/ssoauth/?type=saml
Issuer / Entity ID: https://customer.aplusattendance.com
(User) Start URL: https://customer.aplusattendance.com

The single sign on URL may also be referred to as the ACS URL or Reply URL. Recipient URL and Destination URL options, if available, should be set to the single sign on URL above.

Identity provider information

The customer can provide their IdP metadata (XML file), or the following configuration settings can be provided separately.

Information: Example
SSO URL: https://customer.okta.com/app/z9whecov/rto7tetv/sso/saml
SSO Entity ID (Issuer): http://www.okta.com/rybs2m2dqeyl7url
X.509 certificate:
-----BEGIN CERTIFICATE-----
miidddccalygtbzmc6r2h62qmqn7alq+sggu0stfuk9f3cwwivayextg8
… lines of data …
tfuk9f3cwwivaymiidr2h62qmqn7alq+sggu0sextg8ddccalygtbzmc6
-----END CERTIFICATE-----
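The following is an added example, not aplus+ code and not part of this guide, showing what the service provider side has to check once a SAML response arrives at the single sign on URL: that the Issuer, Destination, Recipient and Audience values line up with the service provider and identity provider settings listed above, and that the user mapping rule (NameID, or optionally the email attribute, must equal the aplus+ user code) resolves to an existing user. The SAML response, the user codes and the "email" attribute name are constructed for the example; the customer subdomain, Okta entity ID and exact (case-sensitive) matching are assumptions. Signature verification against the stored X.509 certificate must run before any of these fields are trusted and is not shown here.

```python
"""Added example (not aplus+ code): offline checks of a SAML response against
the SP/IdP settings from the guide, plus the NameID / email user mapping.
The response is constructed; no real IdP produced it and it carries no
Signature element. Verify the signature with the stored X.509 certificate
BEFORE trusting anything below (not shown)."""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Settings as the guide lists them. "customer" subdomain and the Okta
# entity ID are the guide's example values, assumed here.
SP = {
    "acs_url": "https://customer.aplusattendance.com/ssoauth/?type=saml",
    "entity_id": "https://customer.aplusattendance.com",
    "idp_entity_id": "http://www.okta.com/rybs2m2dqeyl7url",
}

# Constructed sample response (no signature; for illustration only).
SAMPLE_RESPONSE = """<samlp:Response
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://customer.aplusattendance.com/ssoauth/?type=saml">
  <saml:Issuer>http://www.okta.com/rybs2m2dqeyl7url</saml:Issuer>
  <saml:Assertion>
    <saml:Issuer>http://www.okta.com/rybs2m2dqeyl7url</saml:Issuer>
    <saml:Subject>
      <saml:NameID>jsmith</saml:NameID>
      <saml:SubjectConfirmation>
        <saml:SubjectConfirmationData
          Recipient="https://customer.aplusattendance.com/ssoauth/?type=saml"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://customer.aplusattendance.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane.smith@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _text(el, path):
    """Stripped text of the first element matching path, or None."""
    node = el.find(path, NS)
    return node.text.strip() if node is not None and node.text else None


def parse_response(xml_text):
    """Pull the fields the SP must check out of a SAML 2.0 Response."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    scd = assertion.find(
        "saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [
            v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {
        "issuer": _text(root, "saml:Issuer"),
        "destination": root.get("Destination"),
        "recipient": scd.get("Recipient") if scd is not None else None,
        "audience": _text(
            assertion, "saml:Conditions/saml:AudienceRestriction/saml:Audience"),
        "name_id": _text(assertion, "saml:Subject/saml:NameID"),
        "attributes": attrs,
    }


def check_endpoints(resp, sp=SP):
    """List every mismatch between the response and the SP/IdP settings.
    Issuer must be the IdP entity ID; Destination and Recipient must be the
    single sign on (ACS) URL; Audience must be the SP entity ID."""
    expected = {
        "issuer": sp["idp_entity_id"],
        "destination": sp["acs_url"],
        "recipient": sp["acs_url"],
        "audience": sp["entity_id"],
    }
    return [f"{k}: got {resp[k]!r}, expected {v!r}"
            for k, v in expected.items() if resp[k] != v]


def map_user(resp, user_codes, use_email_attribute=False):
    """Return the aplus+ user code the response maps to, or None.
    Default mode: NameID must equal an existing user code. Email mode: a
    single 'email' attribute value must equal an existing user code and the
    NameID is ignored. Matching is exact (assumed case-sensitive)."""
    if use_email_attribute:
        values = resp["attributes"].get("email", [])
        candidate = values[0] if len(values) == 1 else None
    else:
        candidate = resp["name_id"]
    return candidate if candidate is not None and candidate in user_codes else None


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("endpoint mismatches:", check_endpoints(parsed))
    print("NameID mapping:", map_user(parsed, {"jsmith", "jdoe"}))
    print("email mapping:", map_user(parsed, {"jane.smith@example.com"}, True))
```

A response whose Destination or Recipient points anywhere other than the single sign on URL, or whose Audience is not the aplus+ entity ID, is reported as a mismatch and should be rejected rather than used to log a user in; this is why the guide asks for Recipient URL and Destination URL to be set to the single sign on URL at the IdP.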