Enabling SAML provides a way for your users to use a single login to access both their internal systems and ConceptShare.
Using SAML (Security Assertion Markup Language), ConceptShare can contact your identity provider to authenticate users who are trying to access the account. This is how a company would enable web browser single sign-on (SSO).
This makes accessing ConceptShare easy for your users, while allowing your company to control usernames, passwords and other information used to identify, authenticate and authorize users through your Identity Provider (IdP).
Identity Provider [IdP] – This is the service that validates identities and submits the validated identity to ConceptShare via an Assertion. Common IdPs are LDAP systems, Active Directory Federation Services (ADFS), and PingFederate. You can configure against most SAML providers, but ConceptShare is specifically tested against ADFS 2.0.
Service Provider [SP] – This is the system that provides some service to the end users. Common SPs are ConceptShare, Salesforce, and Google Apps.
Signing Certificate – This is a certificate (.CER) file generated by your system which allows us to validate digitally signed assertions from your system.
Encrypting Certificate – This is a certificate (.CER) file provided by the IdP to allow us to decrypt information sent as part of an assertion.
To access your SAML Settings, click on Settings, then click on the Account option.
Click on the SAML Settings option.
You will be presented with the following settings and two options for how to establish them:
- You can enter the URL of a config XML file. This is the location of the XML file prepared by your IT team containing the configuration settings. Enter the URL and click the Load Settings button. If this option is used, it will complete all the other fields. This is the preferred method, as it leaves less room for error and is less work for the ConceptShare admin entering the information.
- Click Save at the top right and your settings will update.
Two: Manual entry
- Is SAML enabled: Toggle between Yes and No. When enabled, your users will be presented with a “Login with SAML” link on the login page that redirects them to log in using their IdP credentials. Note: enabling SAML will override your Settings choices to force SSL if it was not already selected.
- SSO Binding: Select which method should be used for authentication requests: HTTP-POST or HTTP-Redirect. The Redirect binding is suitable for short messages; longer messages, such as those containing signed SAML elements, should be bound with POST.
- SSO Endpoint: The URL where SSO requests from ConceptShare should be sent.
- IP Filter: Leave blank if you wish to have all users authenticated via SAML. If you wish to have only certain IPs authenticated via SAML, add them to the list (comma separated for multiple IPs). This is useful if there are only certain ConceptShare users you wish to authenticate this way, such as employees but not contracted vendors or other third parties, or if you only want users to be able to use SSO from within the office network but not from other locations. If they attempt to access ConceptShare from an IP outside those designated, they will be presented with the normal login fields of email and ConceptShare password.
- Signing Enabled: Toggle between Yes and No. This enforces validation of all received SAML authentication responses by the supplied certificate below. If Yes, certificate details must be uploaded.
- Signing Certificate Details: Click the Browse button to choose your Signing Certificate.
- Encrypting Enabled: Toggle between Yes and No. When Yes, the certificate (*.CER) file supplied below is used to decrypt SAML responses from the Identity Provider (IdP), and certificate details must be uploaded.
- Encrypting Certificate Details: Click the Browse button to choose your encrypting Certificate file.
- To complete your setup and apply the settings select the Save button at the top right.
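The IP Filter setting above decides which visitors are sent to the IdP and which see the normal email and password fields. The following is an added example, not ConceptShare's code, of how such a filter can be evaluated. It assumes the setting is the comma-separated string described above and, going slightly beyond the page, also accepts CIDR ranges such as 203.0.113.0/24 alongside single addresses; the addresses used are constructed documentation values.

```python
"""Added example (not ConceptShare's code): evaluating an IP filter like the
one in the SAML settings to choose between SAML sign-on and password login.

Assumptions (not from the page): the filter is the comma-separated string
from the setting; entries may be single addresses or, as an extension of
what the page describes, CIDR ranges such as 203.0.113.0/24.
"""
import ipaddress


def parse_ip_filter(setting):
    """Parse the comma-separated IP filter into network objects.

    Empty entries are skipped. A malformed entry raises ValueError so that a
    typo cannot silently turn into "nobody matches" or "everybody matches".
    """
    networks = []
    for raw in setting.split(","):
        entry = raw.strip()
        if not entry:
            continue
        # ip_network accepts both "198.51.100.7" (treated as a /32) and
        # "203.0.113.0/24"; strict=False tolerates host bits in a range.
        networks.append(ipaddress.ip_network(entry, strict=False))
    return networks


def should_use_saml(client_ip, setting):
    """True if the visitor should be redirected to the IdP, False if they
    should see the normal ConceptShare login fields.

    An empty filter means every user authenticates via SAML, matching the
    setting's description. client_ip must be the address the web server
    itself observed (or one validated by a trusted proxy), never a raw
    client-supplied header such as X-Forwarded-For, otherwise a visitor
    could choose which login path they get.
    """
    networks = parse_ip_filter(setting)
    if not networks:
        return True
    addr = ipaddress.ip_address(client_ip)
    # Address-family mismatches (v4 vs v6) simply fail to match.
    return any(addr in net for net in networks)


# Constructed sample filter using RFC 5737 documentation addresses:
# one single office address plus one office range.
OFFICE_FILTER = "198.51.100.7, 203.0.113.0/24"

if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.42", "192.0.2.9"):
        mode = "SAML" if should_use_saml(ip, OFFICE_FILTER) else "password login"
        print(f"{ip}: {mode}")
```

Running the block prints which login path each constructed visitor address receives; the third address is outside both filter entries and so falls back to the email and password form, as the setting describes.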
You can request our SAML Metadata from the following URL; it contains the necessary certificates and endpoints:
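SAML metadata is the same kind of document the "URL to config XML" option loads: an EntityDescriptor listing the SSO endpoint for each binding and the X.509 certificates for signing and encryption. The following is an added example, not ConceptShare's or any IdP vendor's code, that reads those values from an IdP metadata document so you can check them against the Manual entry fields above. The metadata itself is constructed for this example; the entity ID, endpoint URLs and certificate contents are placeholders.

```python
"""Added example (not ConceptShare's code): extracting the SSO endpoints per
binding and the signing/encrypting certificates from IdP metadata XML.

The sample metadata is constructed; entityID, Location URLs and certificate
bodies are placeholders, not values from any real IdP.
"""
import xml.etree.ElementTree as ET

# Standard SAML 2.0 metadata and XML Signature namespaces.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# The two bindings offered by the "SSO Binding" setting.
BINDINGS = {
    "HTTP-POST": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "HTTP-Redirect": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
}

SAMPLE_IDP_METADATA = """
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-SIGNING-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC-ENCRYPTION-CERT-PLACEHOLDER</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def parse_idp_metadata(xml_text):
    """Return entity ID, SSO endpoints keyed by binding URI, and base64
    certificate bodies keyed by use ("signing" / "encryption").

    Metadata fetched from a network URL is untrusted input; in production,
    parse it with a hardened parser such as defusedxml rather than the
    stdlib parser used here for self-containment.
    """
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")

    endpoints = {}
    for sso in idp.findall("md:SingleSignOnService", NS):
        endpoints[sso.get("Binding")] = sso.get("Location")

    certs = {}
    for kd in idp.findall("md:KeyDescriptor", NS):
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not cert.text:
            continue
        body = "".join(cert.text.split())  # strip line breaks in base64
        # A KeyDescriptor with no 'use' attribute serves both purposes.
        use = kd.get("use")
        for role in (("signing", "encryption") if use is None else (use,)):
            certs.setdefault(role, body)

    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "certs": certs}


def sso_endpoint(settings, binding_name):
    """Look up the endpoint for the binding chosen in 'SSO Binding'."""
    return settings["endpoints"].get(BINDINGS[binding_name])


if __name__ == "__main__":
    s = parse_idp_metadata(SAMPLE_IDP_METADATA)
    print("Entity ID:", s["entity_id"])
    for name in BINDINGS:
        print(f"SSO Endpoint ({name}):", sso_endpoint(s, name))
    for role, body in s["certs"].items():
        print(f"{role} certificate: {body[:24]}...")
```

The endpoint printed for the binding you selected is what belongs in the SSO Endpoint field, and the signing certificate body is what the Signing Certificate Details upload must correspond to; if the IdP later rotates its certificate, the metadata will show a different value and the uploaded certificate must be updated to match or assertions will fail validation.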
Customize the phrasing on the login screen and the location that you direct your users for help.
Yes: ensures that users cannot log in using a manually generated password. This can then be customized to apply to all users or to specific domains only.
No: users can use SAML to log in, or use a manually created password subject to the constraints specified in the account settings.
Yes: Make the creation of users smooth for your account by creating them upon authentication if they were not already existing ConceptShare users.
Use the Default account role and Default project role drop-down menu, to specify what default roles are assigned to these new users. It’s advisable to use a role with limited access as an account administrator can always update them to a more appropriate role if further access is needed.
Users who have been marked Inactive cannot use this method to have their ConceptShare user reactivated.
NOTE: If your email domain is changing make the changes to the ConceptShare user name BEFORE the users authenticate, else a new and entirely independent user will be created and the two entities cannot be merged.
No: Users must already have an active user account in ConceptShare before they are able to authenticate.
When a user's email address changes, make the appropriate changes in your Identity Manager, then update the email address attached to the resource in ConceptShare. This will trigger an email from ConceptShare to the new email address to confirm the change. Until the change is confirmed, the user will be unable to log in to ConceptShare.
If the original email is lost, you can resend the confirmation by submitting the email change again.
You are now aware of how to configure your account to offer single sign-on via SAML. This is a fast way to access ConceptShare using your existing, managed, secure credentials.