SAML SSO
Last updated
Last updated
Single sign-on (SSO) allows users of your Cryptlex account to log in using your existing SAML-enabled identity provider, such as Active Directory, OneLogin, Auth0, Okta, and many more. This reduces the number of passwords your users need to manage. It also makes provisioning new users a breeze.
To get started, go to Settings > Account page in the admin portal and click the Configure SAML SSO button. This will display the SAML SSO settings dialog where you can add details of your identity provider.
Cryptlex supports the SAML 2.0 standard, which provides a few ways to streamline configuration. Although each identity provider will have different interfaces and nuances, most provide configuration metadata as a URL. Since each identity provider is unique, we will only cover using Cryptlex with a generic SAML identity provider in this article.
The easiest way to configure SSO is to use a link to your identity provider's metadata file. Simply enter the URL in the SAML IdP Metadata URL input box and click Save. Cryptlex will download the configuration file, parse it, and configure everything.
The SAML identity provider must be configured to provide four attributes: Email, FirstName, LastName, and Role. These attributes allow Cryptlex to properly identify the user and automatically provision users.
Every user in your Cryptlex account is required to have a valid email address, even when using SSO. Since the identity provider is responsible for managing user information, it must send the user's email address to Cryptlex in its assertion. Identity providers use different naming conventions, so Cryptlex will look for an email address in the following attributes (case-insensitive) sequentially:
EmailAddress
User.email
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Just like email addresses, identity providers may send the first name in several common fields. To provide out-of-the-box compatibility with most identity providers, Cryptlex will try to find the first name in the following attributes (case-insensitive):
FirstName
first_name
User.FirstName
Cryptlex looks for the last name in the following attributes (case-insensitive):
LastName
last_name
User.LastName
If your identity provider supports custom attributes, you can set the Role attribute to automatically provision users with roles created in Cryptlex. Cryptlex looks for the role in the following attributes (case-insensitive):
Role
You can easily map the roles created in Cryptlex (service provider roles) with your existing roles in the identity provider. Then depending on the identity provider role in the SAML assertion, Cryptlex will use the corresponding service provider role when auto-provisioning the user.