Prerequisites
Non-Microsoft/Google SSO integration with the Terminus platform requires additional technical configuration, and may have additional costs associated. If you would like to learn more about SSO configuration for your account, please reach out to your Terminus Account Manager, or Customer Success Manager.
Overview
In addition to Microsoft/Google SSO, Terminus supports the SAML 2.0 authentication framework for additional 3rd party SSO providers. SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. Most notably, it addresses web browser single sign-on (SSO) for enterprise companies.
Terminus supports both SP-initiated and Identity Provider (IdP)-initiated SAML integrations. For SP-initiated SAML, we require certain credentials from your SAML admin for setup. For IdP-initiated SAML, we will work with your team to provide the credentials to add Terminus as an approved application to your IdP.
What are the requirements for integrating SAML (non-Microsoft/Google)?
We require the following inputs to successfully set up a SAML integration with the Terminus platform:
- Terminus customer provides the following information for their SAML application:
  - The Identity Provider Single Sign-On URL
  - The Identity Provider Issuer (URI)
  - The x.509 Certificate
  - Required attribute mappings for the following fields:
    - firstName
    - lastName
- OR the customer provides a SAML metadata (.XML) file which contains the information mentioned above
- OR the customer provides the inputs for an OpenID Connect application:
  - The Identity Provider Issuer
  - The Identity Provider's OAuth 2.0 authorization endpoint
  - The Identity Provider's token endpoint
  - The Identity Provider's JSON Web Key Set document (JWKS endpoint)
  - The Identity Provider's Userinfo endpoint
Additionally, we require a list of email domains that will use SAML logins in the event of an SP-initiated login attempt.
- E.g. “abc.com, def.com”
After our integration teams receive this information, they will coordinate with your systems teams on next steps!
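As an added example (not Terminus's own tooling), the stdlib-only Python check below pulls the three SAML inputs listed above (Identity Provider Issuer, Single Sign-On URL, x.509 certificate) out of an IdP metadata file and fails loudly when any is missing, so a metadata export can be confirmed complete before it is sent over. The metadata document and the certificate body are constructed placeholders, not a real IdP.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"


def extract_idp_inputs(metadata_xml: str) -> dict:
    """Return the IdP issuer, SSO URL and signing cert(s); raise ValueError if any is missing."""
    root = ET.fromstring(metadata_xml)
    issuer = root.get("entityID")  # the Identity Provider Issuer (URI)
    if root.tag != f"{{{MD}}}EntityDescriptor" or not issuer:
        raise ValueError("expected an md:EntityDescriptor with an entityID")
    idp = root.find(f"{{{MD}}}IDPSSODescriptor")
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    # The Single Sign-On URL: prefer the HTTP-Redirect binding, fall back to HTTP-POST
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{{{MD}}}SingleSignOnService")}
    sso_url = sso.get(REDIRECT) or sso.get(POST)
    if not sso_url:
        raise ValueError("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")
    # The x.509 certificate: KeyDescriptor with use="signing" (or no use attribute, meaning both)
    certs = []
    for kd in idp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") in (None, "signing"):
            for c in kd.iter(f"{{{DS}}}X509Certificate"):
                certs.append("".join((c.text or "").split()))  # strip PEM line breaks
    if not certs:
        raise ValueError("no signing X509Certificate in IDPSSODescriptor")
    for body in certs:  # sanity check: base64 of a DER SEQUENCE, so the cert will at least parse
        if not base64.b64decode(body, validate=True).startswith(b"\x30"):
            raise ValueError("X509Certificate is not base64-encoded DER")
    return {"issuer": issuer, "sso_url": sso_url, "certificates": certs}


# Constructed sample metadata (not a real IdP); the cert body is a placeholder DER SEQUENCE
SAMPLE_CERT = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{SAMPLE_CERT}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{POST}" Location="https://idp.example.com/sso/post"/>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="https://idp.example.com/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    print(extract_idp_inputs(SAMPLE_METADATA))
```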
Setting Up the SAML Application
During the SAML Enablement Process, a Terminus Account Manager or Customer Success Manager will loop in one of our Data Engineers to assist with setup. At this point in the process, a Terminus representative will send you a copy of the new SAML IdP's metadata file. You will be asked to create a SAML Application within your Identity and Access Management (IAM) tool with the following specifications.
- Ensure the Relay State is set as /home/oidc_client/0oa14fzyspF3Fbu5g4x7/aln177a159h7Zf52X0g8
- Full Relay State URL (if needed): https://osec.terminusplatform.com/home/oidc_client/0oa14fzyspF3Fbu5g4x7/aln177a159h7Zf52X0g8
- Verify user attributes are configured as follows in the SAML app (values must match exactly!):

Attribute Name | Mapped Value
subjectNameId | user.subjectNameId
firstName | user.firstName
lastName | user.lastName
 | user.email
If using Ping as your identity and access management system, then you’ll also need to add the following attribute:
Attribute Name | Mapped Value
SAML_SUBJECT | user.email
Additional Integration Information
SAML authentication at Terminus is typically configured by providing your IdP's metadata and certificate information, so that Terminus can validate SAML requests for your organization.
Terminus also provides the option to disable all other login methods (username & password, Google/O365 Sign-in, etc.), so that only your chosen SSO login is allowed for your Terminus instance.
If you would like to learn more about our SSO/SAML integration or wish to set it up for your company, please submit a support request via the Terminus Help Center.