Enabling SAML provides a way for your users to use a single login to access both their internal systems and ConceptShare.
Using SAML (Security Assertion Markup Language), ConceptShare can contact your identity provider to authenticate users who are trying to access the account. This is how a company would enable web browser single sign-on (SSO).
This makes accessing ConceptShare easy for your users, while allowing your company to control usernames, passwords and other information used to identify, authenticate and authorize users through your Identity Provider (IdP).
Identity Provider [IdP] – This is the service that validates identities and submits the validated identity to ConceptShare via an Assertion. Common IdPs are LDAP systems, Active Directory Federation Services (ADFS), and PingFederate. You can configure against most SAML providers, but ConceptShare is specifically tested against ADFS 2.0.
Service Provider [SP] – This is the system that provides some service to the end users. Common SPs are ConceptShare, Salesforce, and Google Apps.
Signing Certificate – This is a certificate (.CER) file generated by your IdP which allows ConceptShare to validate digitally signed assertions from your system.
Encrypting Certificate – This is a certificate (.CER) file provided by the IdP which allows ConceptShare to decrypt information sent as part of an assertion.
To access your SAML Settings, click on Settings, then click on the Account option.
Click on the SAML Settings option.
You will be presented with the following settings and two options for how to establish them:
One: URL to config XML
- You can indicate a URL to config XML. This is the location of the XML file prepared by your IT team with the configuration settings. Enter the URL and click the Load Settings button. This option fills in all the other fields for you. It is the preferred method, as it leaves less room for error and is less work for the ConceptShare admin entering the information.
- Click Save at the top right and your settings will update.
Two: Manual entry
- Is SAML enabled: Toggle between Yes and No. When enabled, your users will see a “Login with SAML” link on the login page that redirects them to log in using their IdP credentials. Note: enabling SAML overrides your Settings choice for Force SSL, turning it on if it was not already selected.
- SSO Binding: Select which method should be used for authentication requests: HTTP-POST or HTTP-Redirect. The Redirect binding is suitable for short messages; longer messages, such as those containing signed SAML elements, should use the POST binding.
- SSO Endpoint: The URL where SSO requests from ConceptShare should be sent.
- IP Filter: Leave blank to authenticate all users via SAML, or list the IPs (comma separated for multiple IPs) from which SAML authentication should be used. This is useful when only certain ConceptShare users, such as employees but not contracted vendors or other third parties, should authenticate via SSO, or when you want SSO to be used only from within the office network and not from other locations. Users who attempt to access ConceptShare from an IP outside the designated ranges are presented with the normal login fields: email and ConceptShare password.
- Signing Enabled: Toggle between Yes and No. When Yes, every received SAML authentication response is validated against the Signing Certificate supplied below, so the certificate details must be uploaded.
- Signing Certificate Details: Click the Browse button to choose your Signing Certificate.
- Encrypting Enabled: Toggle between Yes and No. When Yes, ConceptShare uses the Encrypting Certificate (*.CER) file supplied below to decrypt SAML responses from the Identity Provider (IdP), so the certificate details must be uploaded.
- Encrypting Certificate Details: Click the Browse button to choose your Encrypting Certificate file.
- To complete your setup and apply the settings select the Save button at the top right.
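The IP Filter decision above, worked through as an added example (this is not ConceptShare's code, and the page does not say how the filter is matched internally). It assumes entries are single addresses or CIDR ranges, uses only the Python standard library, and the users and addresses are constructed documentation-range samples:

```python
import ipaddress


def parse_ip_filter(ip_filter: str) -> list:
    """Turn the comma-separated IP Filter field into network objects.

    An empty field means no filter. Entries may be single addresses or,
    as an assumption beyond the page, CIDR ranges such as 203.0.113.0/24.
    """
    networks = []
    for entry in ip_filter.split(","):
        entry = entry.strip()
        if not entry:
            continue
        try:
            # A bare address becomes a /32 (IPv4) or /128 (IPv6) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid IP Filter entry {entry!r}") from exc
    return networks


def login_method(client_ip: str, ip_filter: str) -> str:
    """Return "saml" or "password" for a login request from client_ip.

    client_ip must be the address the application actually trusts for the
    connection, not an unverified X-Forwarded-For header, otherwise the
    filter can be bypassed by anyone who can set that header.
    """
    networks = parse_ip_filter(ip_filter)
    if not networks:
        return "saml"  # blank filter: every user authenticates via SAML
    addr = ipaddress.ip_address(client_ip)
    return "saml" if any(addr in net for net in networks) else "password"


# Constructed login attempts (documentation-range addresses, not real traffic).
SAMPLE_LOGINS = [
    ("alice@example.test", "10.20.30.40"),     # inside the office network
    ("bob@example.test", "192.0.2.15"),        # explicitly listed single IP
    ("vendor@partner.test", "198.51.100.9"),   # outside every listed range
]

# Constructed filter value: the office network plus one listed address.
OFFICE_FILTER = "10.0.0.0/8, 192.0.2.15"


def classify_logins(logins, ip_filter: str) -> dict:
    """Map each user to the login method they would be shown."""
    return {user: login_method(ip, ip_filter) for user, ip in logins}


if __name__ == "__main__":
    for user, method in classify_logins(SAMPLE_LOGINS, OFFICE_FILTER).items():
        print(f"{user:22} -> {method}")
```

The vendor address falls outside both entries, so that user gets the email and ConceptShare password fields; the two office users are sent to SAML. An invalid entry raises rather than being silently skipped, so a typo in the filter cannot quietly widen or narrow who is forced through SSO.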
You can request our SAML Metadata from the following URL; it contains the necessary certificates and endpoints:
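Added example, not ConceptShare's code and not from the page: a small stdlib-only Python script that reads the IdP metadata your IT team prepares for option One and maps it onto the SAML Settings fields described above (SSO Binding, SSO Endpoint, Signing and Encrypting certificates). It assumes the config XML is standard SAML 2.0 metadata with an IDPSSODescriptor (the page does not state the file's format); the entityID, endpoint URLs and certificate bodies in the sample are constructed placeholders. It refuses non-HTTPS endpoints and, following the binding guidance above, prefers HTTP-POST whenever a signing certificate is present. Metadata fetched over the network in production should be parsed with a hardened parser such as defusedxml; the standard parser is used here only because the input is embedded:

```python
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
DS_NS = "http://www.w3.org/2000/09/xmldsig#"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample IdP metadata. The entityID, Locations and certificate
# bodies are placeholders, not values from any real deployment.
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        SIGNING-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        ENCRYPTION-CERT-PLACEHOLDER
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def _must_find(parent, tag, ns):
    el = parent.find(f"{{{ns}}}{tag}")
    if el is None:
        raise ValueError(f"metadata is missing <{tag}>")
    return el


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract entityID, SSO endpoints per binding, and certificates by use."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD_NS}}}EntityDescriptor":
        raise ValueError("root element is not md:EntityDescriptor")
    idp = _must_find(root, "IDPSSODescriptor", MD_NS)

    endpoints = {}
    for svc in idp.findall(f"{{{MD_NS}}}SingleSignOnService"):
        binding, location = svc.get("Binding"), svc.get("Location")
        if not binding or not location:
            raise ValueError("SingleSignOnService needs Binding and Location")
        if not location.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS SSO endpoint: {location}")
        endpoints[binding] = location

    certs = {}
    for kd in idp.findall(f"{{{MD_NS}}}KeyDescriptor"):
        cert_el = kd.find(f".//{{{DS_NS}}}X509Certificate")
        if cert_el is None or not cert_el.text or not cert_el.text.strip():
            continue
        body = "".join(cert_el.text.split())  # drop line breaks and indentation
        use = kd.get("use")
        # A KeyDescriptor without a 'use' attribute serves both purposes.
        for purpose in ([use] if use else ["signing", "encryption"]):
            certs.setdefault(purpose, body)

    return {"entity_id": root.get("entityID"), "endpoints": endpoints, "certs": certs}


def to_conceptshare_settings(meta: dict) -> dict:
    """Map parsed metadata onto the SAML Settings fields the page describes."""
    signing = meta["certs"].get("signing")
    encrypting = meta["certs"].get("encryption")
    endpoints = meta["endpoints"]
    # Signed SAML messages are long, so prefer HTTP-POST when signing is on;
    # fall back to HTTP-Redirect only when POST is not offered by the IdP.
    if POST_BINDING in endpoints and (signing or REDIRECT_BINDING not in endpoints):
        binding, endpoint = "HTTP-POST", endpoints[POST_BINDING]
    elif REDIRECT_BINDING in endpoints:
        binding, endpoint = "HTTP-Redirect", endpoints[REDIRECT_BINDING]
    else:
        raise ValueError("IdP offers neither HTTP-POST nor HTTP-Redirect SSO")
    return {
        "saml_enabled": True,
        "sso_binding": binding,
        "sso_endpoint": endpoint,
        "signing_enabled": signing is not None,
        "signing_certificate": signing,
        "encrypting_enabled": encrypting is not None,
        "encrypting_certificate": encrypting,
    }


if __name__ == "__main__":
    settings = to_conceptshare_settings(parse_idp_metadata(SAMPLE_IDP_METADATA))
    for key, value in settings.items():
        print(f"{key}: {value}")
```

Whitespace inside the certificate element is stripped because metadata exported by ADFS and similar products wraps the base64 body across lines; the result is the value you would otherwise paste or upload by hand. The HTTPS check matters because the SSO Endpoint is where ConceptShare sends its authentication requests, and a plaintext endpoint would expose them in transit.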
When a user's email address changes, make the appropriate changes in your Identity Manager, then update the email address attached to the resource in ConceptShare. This triggers an email from ConceptShare to the new address to confirm the change. Until the change is confirmed, the user will be unable to log in to ConceptShare.
If the original email is lost, you can resend the confirmation by submitting the email change again.
You now know how to configure your account to offer single sign-on via SAML. This is a fast way to access ConceptShare using existing, managed, secure credentials.