Overview
Security Assertion Markup Language (SAML) 2.0 is an open standard that facilitates single sign-on (SSO) to provide authentication and authorization to any resources in the Syniti Knowledge Platform (SKP) using your organization’s identity provider (IdP). SAML 2.0 uses eXtensible Markup Language (XML) to encode the assertions, user information, and messages. With SAML SSO, once you log in to the SKP, you are automatically authenticated to different modules and services without needing to log in again.
Supported IdPs for SAML SSO include, but are not limited to:
Microsoft Entra ID (formerly Azure Active Directory). Refer to Configuring SAML SSO with Microsoft Entra ID for information on SSO integration with the SKP.
Okta
PingFederate
SiteMinder
Note
Any identity provider using the SAML 2.0 protocol is also supported.
Configure SAML SSO using an IdP
You can use your organization’s IdP to configure SAML SSO with the SKP. This section describes the data required from your organization’s IdP and the SKP to set up the SAML SSO feature for accessing the SKP.
Note
This article is intended for your organization’s Administrator who also has an Administrator account in the SKP.
Prerequisites
Currently, only the Microsoft Entra ID URL (https://login.microsoftonline.com) is trusted within Syniti’s network and security policies. To have your organization’s IdP URL trusted, you must submit a request to Syniti Support.
You must be an SKP Administrator for your tenant that uses the SKP-initiated sign-on page to configure the SAML settings in the SKP.
Note
This SKP Administrator account must be the initial administrator account that uses a trusted domain sent to you during the provisioning process by Syniti’s Customer Success team.
If you require additional domains to get added and activated in your tenant for using the SKP-initiated sign-on page, you must submit a request to Syniti Support.
Ensure that you have an Administrator account in your IdP.
Your IdP must issue session tokens and identity tokens with a lifespan of 2 hours or longer.
For testing purposes, ensure that you create a temporary user account in your organization domain.
Each SAML authentication request is valid for a limited time. Therefore, ensure that your IdP server’s time is synchronized with Network Time Protocol (NTP).
Note
Based on your organization’s IdP, the below SSO configuration may differ.
Set Up the IdP
Create a new application in your organization’s IdP for the SKP.
Enter the following data into your IdP, taken from the Syniti SAML metadata URL that matches your SKP tenant region: Entity ID, Assertion Consumer Service URL, Single Logout Service URL, and SAML Certificate.
SKP Tenant Region: Americas
Entity ID: syniti.com
Assertion Consumer Service URL: https://api.syniti.com/oauth/signin/callback
Single Logout Service URL: https://api.syniti.com/oauth/signout/callback
Syniti’s SAML Certificate: Use the certificate information from the following Syniti SAML metadata URL: https://api.syniti.com/saml/metadata.xml
SKP Tenant Region: Australia
Entity ID: syniti.au
Assertion Consumer Service URL: https://api.syniti.au/oauth/signin/callback
Single Logout Service URL: https://api.syniti.au/oauth/signout/callback
Syniti’s SAML Certificate: Use the certificate information from the following Syniti SAML metadata URL:
SKP Tenant Region: EMEA
Entity ID: syniti.eu
Assertion Consumer Service URL: https://api.syniti.eu/oauth/signin/callback
Single Logout Service URL: https://api.syniti.eu/oauth/signout/callback
Syniti’s SAML Certificate: Use the certificate information from the following Syniti SAML metadata URL:
SKP Tenant Region: Canada
Entity ID: syniti.ca
Assertion Consumer Service URL: https://api.syniti.ca/oauth/signin/callback
Single Logout Service URL: https://api.syniti.ca/oauth/signout/callback
Syniti’s SAML Certificate: Use the certificate information from the following Syniti SAML metadata URL:
Add the required users or user groups with the temporary user account to the new application.
Save the new application created for the SKP in your organization’s IdP.
After saving the IdP configuration, obtain your organization’s IdP Metadata URL or .xml file. The Metadata URL or .xml file must contain the following details of your organization’s IdP:
Entity ID
Assertion Consumer Service or SSO URL
Single Logout Service URL
SAML Certificate
User Metadata Attributes
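The values the IdP application needs (Entity ID, ACS URL, SLO URL, signing certificate) all live in the SP metadata document published at the regional metadata URL. The following script is an added example for this page, not Syniti's code: it parses an SP metadata document, picks the default Assertion Consumer Service, fingerprints the signing certificate so you can compare it with what the IdP shows after import, and checks that the endpoints are HTTPS and on the expected regional host. The metadata text it parses is constructed to mirror the standard EntityDescriptor/SPSSODescriptor layout; the exact contents of the real file and the certificate bytes are assumptions.

```python
"""Extract and sanity-check SP values from a SAML 2.0 SP metadata document.

Added example, not Syniti's code. SAMPLE_SP_METADATA is constructed; the
certificate blob is arbitrary bytes, not a real Syniti certificate.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the X509Certificate element (not a real cert).
DUMMY_CERT_B64 = base64.b64encode(b"constructed-dummy-certificate-bytes").decode()

# Constructed sample in the standard SP metadata layout (assumption: the real
# file for a region has the same shape, with that region's values).
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="syniti.com">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{DUMMY_CERT_B64}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://api.syniti.com/oauth/signout/callback"/>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://api.syniti.com/oauth/signin/callback"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_sp_metadata(xml_text: str) -> dict:
    """Return the entity ID, default ACS, SLO and signing-cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML 2.0 EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this looks like IdP metadata, not SP metadata")
    acs_list = sp.findall("md:AssertionConsumerService", NS)
    if not acs_list:
        raise ValueError("no AssertionConsumerService endpoint")
    # The IdP posts the response to the default ACS (isDefault, else lowest index).
    acs = next((a for a in acs_list if a.get("isDefault") == "true"),
               min(acs_list, key=lambda a: int(a.get("index", "0"))))
    slo = sp.find("md:SingleLogoutService", NS)
    certs = []
    for kd in sp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((c.text or "").split()))
            certs.append(hashlib.sha256(der).hexdigest())
    return {
        "entity_id": root.get("entityID"),
        "acs_url": acs.get("Location"),
        "acs_binding": acs.get("Binding"),
        "slo_url": slo.get("Location") if slo is not None else None,
        "want_assertions_signed": sp.get("WantAssertionsSigned") == "true",
        "signing_cert_sha256": certs,
    }


def check_region(values: dict, expected_host: str) -> list:
    """List mismatches between the endpoints and the expected regional API
    host (for example api.syniti.eu for EMEA); an empty list means OK."""
    problems = []
    for key in ("acs_url", "slo_url"):
        url = values.get(key)
        if not url:
            problems.append(f"{key} missing")
            continue
        u = urlparse(url)
        if u.scheme != "https":
            problems.append(f"{key} is not https: {url}")
        if u.hostname != expected_host:
            problems.append(f"{key} host {u.hostname} != {expected_host}")
    if not values["signing_cert_sha256"]:
        problems.append("no signing certificate in metadata")
    return problems


if __name__ == "__main__":
    v = parse_sp_metadata(SAMPLE_SP_METADATA)
    for k, val in v.items():
        print(f"{k}: {val}")
    print("region check:", check_region(v, "api.syniti.com") or "OK")
```

To use it against the real document, fetch the regional metadata URL over HTTPS and pass the body to parse_sp_metadata; run check_region with the API host of your tenant's region so that a metadata file copied from the wrong region is caught before the IdP application is saved.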
Set Up SAML SSO in the SKP
Log in to the SKP through the SKP-initiated sign-on page using the administrator account provisioned by Syniti.
Select Admin from the Profile menu to access the Admin module of the SKP.
In the Admin menu, click Single Sign-On.
Click Configure SSO. The Edit Single Sign On dialog box is displayed.
Select the SAML 2.0 option to enable the fields related to SAML SSO configuration.
Important!
Once you save your SAML SSO configuration, you cannot switch to the OpenID Connect (OIDC) protocol. Ensure that you select the SSO protocol correctly.
To switch to the OIDC protocol, you must contact Syniti Support.
In the SSO Configuration Name field, enter a unique name for your organization.
In the Metadata URL field, enter the Metadata URL that you’ve obtained from your organization’s IdP.
If you prefer to use the metadata .xml file, click the Switch to Metadata XML File button and paste the contents of the metadata .xml file obtained from your organization’s IdP.
Note
Syniti recommends using a Metadata URL so that the metadata can be monitored automatically for updates, such as a rotated IdP signing certificate.
In the User Metadata Attributes section, enter the names of the SAML attributes (claims) that your IdP sends, in the corresponding fields on the page:
Field Name in the SKP: Name
Description: The SAML attribute that carries the user’s display name.
Example SAML attribute name: http://schemas.microsoft.com/identity/claims/displayname
Field Name in the SKP: Email Address
Description: The SAML attribute that carries the user’s email address.
Example SAML attribute name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Field Name in the SKP: Identifier
Description: The SAML attribute that carries the user’s primary identifier in the directory. It must be immutable and globally unique, so use a directory object ID rather than an email address, which can change.
Example SAML attribute name: http://schemas.microsoft.com/identity/claims/objectidentifier
Note
The example values are the default Microsoft Entra ID claim names. Check which attribute names your organization’s IdP emits in its Metadata URL or .xml file and in the assertions it issues.
Select Save to complete your SSO configuration in the SKP.
On the Single Sign-On page, turn on the Active toggle button to activate the SSO configuration for your organization.
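Before activating the configuration it is worth confirming, from an assertion your IdP actually issues for the SKP application, that the three attributes are present exactly once and that the assertion's validity window is sane. The script below is an added example for this page, not Syniti's code: it checks the Conditions element (NotBefore, NotOnOrAfter, audience) with a small clock-skew tolerance, which is why the NTP synchronisation prerequisite matters, then maps the attributes onto the SKP fields Name, Email Address and Identifier and rejects an assertion where one is missing or multi-valued. The assertion it parses is constructed; the issuer, user and object ID are placeholders. XML signature verification is the SP's job and is deliberately not reproduced here.

```python
"""Check an IdP-issued SAML assertion's conditions and map its attributes
onto the SKP user fields.

Added example, not Syniti's code. SAMPLE_ASSERTION is constructed; signature
verification is out of scope (the SP does that).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# SKP field -> SAML attribute name, using the Entra ID claim names from the page.
SKP_ATTRIBUTE_MAP = {
    "Name": "http://schemas.microsoft.com/identity/claims/displayname",
    "Email Address": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "Identifier": "http://schemas.microsoft.com/identity/claims/objectidentifier",
}

# Constructed assertion; issuer, user and object ID are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-assertion-1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.com/constructed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">sso.test@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction><saml:Audience>syniti.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>SSO Test User</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>sso.test@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>11111111-2222-3333-4444-555555555555</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def _ts(s: str) -> datetime:
    # SAML timestamps are UTC ISO 8601 with a trailing Z.
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_conditions(xml_text, now, audience, skew=timedelta(minutes=3)):
    """Return problems with the assertion's Conditions; [] means acceptable.
    `now` is a datetime or ISO 8601 string; `skew` is the clock-drift
    tolerance an SP typically allows (assumed value, not the SKP's)."""
    if isinstance(now, str):
        now = _ts(now)
    cond = ET.fromstring(xml_text).find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    problems = []
    nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if nb and now + skew < _ts(nb):
        problems.append(f"not yet valid: NotBefore={nb}")
    if noa and now - skew >= _ts(noa):
        problems.append(f"expired: NotOnOrAfter={noa}")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in audiences:
        problems.append(f"audience {audiences} does not include {audience}")
    return problems


def extract_attributes(xml_text) -> dict:
    """Attribute name -> list of values from the AttributeStatement."""
    attrs = {}
    for a in ET.fromstring(xml_text).findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[a.get("Name")] = [(v.text or "").strip() for v in a.findall("saml:AttributeValue", NS)]
    return attrs


def map_to_skp(attrs: dict) -> dict:
    """Map attributes onto SKP fields; each must be present exactly once."""
    out, bad = {}, []
    for field, claim in SKP_ATTRIBUTE_MAP.items():
        values = [v for v in attrs.get(claim, []) if v]
        if len(values) != 1:
            bad.append(f"{field} ({claim}): expected 1 value, got {len(values)}")
        else:
            out[field] = values[0]
    if bad:
        raise ValueError("; ".join(bad))
    return out


if __name__ == "__main__":
    now = datetime(2024, 5, 1, 12, 0, 30, tzinfo=timezone.utc)  # constructed current time
    print("conditions:", check_conditions(SAMPLE_ASSERTION, now, "syniti.com") or "OK")
    print("SKP fields:", map_to_skp(extract_attributes(SAMPLE_ASSERTION)))
```

To run it against a real assertion, capture the SAMLResponse your IdP posts to the ACS URL (most IdPs offer a test or trace mode for this), base64-decode it, and pass the Assertion element's XML in place of SAMPLE_ASSERTION with your tenant's Entity ID as the audience. A NotBefore in the future or a NotOnOrAfter already past at capture time points at clock drift on the IdP host.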
Verify Your SAML SSO Configuration
When you turn on the Active toggle button on the Single Sign-On page, Syniti enables the SSO feature for the users of your organization’s tenant in the SKP. This process does not log out the existing users in the SKP.
You don’t need to create an SKP user account for the test user, because your organization’s IdP controls which users may access the SKP. On sign-in, the SKP looks up the email address in its database and signs the user in; if the email address is new, a user is created and assigned to the Default User Group in the SKP.
Note
By default, only the Viewer user group is assigned to the Default User Group for new tenants. Edit the user group to update the Default User Group assignment. If no user groups are set as a Default User Group, users will not be granted access to the SKP.
Complete the following steps to verify the SAML SSO configuration:
Open a new incognito or private window in your browser.
Log into the SKP using the email address of the temporary user account. You are redirected to your IdP’s sign-on page.
Complete the login process and confirm you are signed in.
If you experience a login error, refer to Troubleshoot Your SAML SSO Configuration to troubleshoot your SSO configuration and test again in an incognito window.
Next Steps
Now that you have configured and verified your SAML SSO configuration, you can proceed with identifying or adding the required users with appropriate roles in your IdP’s directory.
After identifying or adding the required users to your IdP’s directory, you must invite or assign them to the newly created application for the SKP.