Overview
Currently, only authentication of existing users is supported via SAML 2.0. New team members cannot be automatically created by logging in through a SAML 2.0 provider. An admin will still need to create/invite the team member through the Stella Connect platform.
Step 1. Configure your Identity Provider
Below are the settings you will need to configure a new app within your Identity Provider. If you are unsure of your subdomain, please reach out to your Client Services Manager.
Global Settings
You may not need all of these data points, depending on your identity provider.
| Setting | Value |
|---|---|
| Audience URI/Entity ID | https://{your_subdomain}.stellaconnect.net/ |
| Assertion Consumer Service (ACS) URL* | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
| Name ID format | Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |
| Application username or Subject Type** | Username or Email |
| Start URL | https://{your_subdomain}.stellaconnect.net |
| Signed Response | Checked |

\* Same for Recipient and Destination URLs

\*\* Choose the field in your IdP where the email address or custom employee ID that is set up in Stella Connect can be found
| Setting | Value |
|---|---|
| SSO URL | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
| Audience URI (SP Entity ID) | https://{your_subdomain}.stellaconnect.net/ |
| Default RelayState | Blank |
| Name ID format | |
| Application Username | Okta Username / Primary Email |

Steps: Admin > Applications > Create New App > Platform = Web, SAML 2.0
| Setting | Value |
|---|---|
| Audience/Entity ID | https://{your_subdomain}.stellaconnect.net/ |
| Consumer URL | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
| Name ID format | |
| User ID (Key-pair Value) | Username / Primary Email |
| Setting | Value |
|---|---|
| Entity ID | https://{your_subdomain}.stellaconnect.net/ |
| Assertion Consumer Service (ACS) URL* | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
| SAML Signing (Encryption Certificate) | Blank |

Steps: Admin > Applications > Add Application > New SAML Application

\* Same for Recipient and Destination URLs
Step 2. Provide Your Configuration to StellaService
The identity provider will generate two pieces of data that need to be supplied to the services team, which can be reached at connectsupport@stellaservice.com. You will be asked to provide:
- Identity Provider Single Sign-On/Login URL
- X.509 Certificate
Step 3. Test the Configuration
Once the configuration has been set up within Stella Connect, you will be able to test Single Sign-on by visiting https://{your_subdomain}.stellaconnect.net/employees/sign_in?sso=true and clicking Sign in with provider.
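When testing, the SAML Response your IdP posts to the ACS URL should carry exactly the values from the Step 1 tables: Destination and Recipient equal to the ACS URL, Audience equal to the Entity ID, an emailAddress-format Name ID, and a signature. The following added Python check (example code, not part of Stella Connect or this guide) parses a constructed sample Response with the standard library and reports any field that does not match; the subdomain `example` is a placeholder, and signature verification itself is left to an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Values from the Step 1 Global Settings table; "example" stands in for your subdomain.
ENTITY_ID = "https://example.stellaconnect.net/"
ACS_URL = "https://example.stellaconnect.net/employees/auth/saml/callback"

# Constructed sample of a Response an IdP would POST to the ACS URL (signature body omitted).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    xmlns:ds="{NS['ds']}" Destination="{ACS_URL}">
  <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
  <saml:Assertion><saml:Subject>
    <saml:NameID Format="{EMAIL_FORMAT}">agent@example.com</saml:NameID>
    <saml:SubjectConfirmation><saml:SubjectConfirmationData Recipient="{ACS_URL}"
      NotOnOrAfter="2099-01-01T00:00:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
      <saml:Audience>{ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion></samlp:Response>"""

def check_response(xml_text, entity_id=ENTITY_ID, acs_url=ACS_URL):
    """List every mismatch against the SP settings (empty list = all checks passed). Only the
    presence of ds:Signature is checked; verifying it needs an XML-DSig library and the IdP's X.509 certificate."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    confirm = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    conditions = assertion.find("saml:Conditions", NS)
    audience = conditions.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS)
    problems = []
    if root.find("ds:Signature", NS) is None:
        problems.append("Response is not signed (enable Signed Response in the IdP)")
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if confirm is None or confirm.get("Recipient") != acs_url:
        problems.append("Recipient is not the ACS URL")
    if audience != entity_id:
        problems.append(f"Audience {audience!r} is not the Entity ID")
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID is missing or not in emailAddress format")
    for element in [e for e in (conditions, confirm) if e is not None]:
        stamp = element.get("NotOnOrAfter", "").replace("Z", "+00:00")
        if stamp and datetime.fromisoformat(stamp) <= datetime.now(timezone.utc):
            problems.append("Assertion has expired (NotOnOrAfter is in the past)")
            break
    return problems
```

Run `check_response` on a Response captured from your browser during the test sign-in; an empty list means the IdP app matches the table, and each reported line names the setting to revisit.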
Step 4. Go Live
When you have completed testing, just contact us and we will enable your SAML configuration as the default and ONLY login option for all team members. From that point on, all team members who visit the Stella Connect login page will be immediately redirected to the Identity Provider for login.