Table of Contents

Single Sign On (SSO) Setup

Nolan Garrido Updated by Nolan Garrido

Basic Single Sign-On Setup

CaliberMind uses Auth0 as our IdP and SSO provider. In order to get Single Sign On (SSO) configured with CaliberMind, we will need a few things from you and you will need a few things from us.

First, you'll need to provide us the Service Provider (SP) SAML federation configuration in an XML format. This metadata should contain, at a minimum:

  • SSO/SLO endpoint (login): this is the endpoint used for IDP assertion request consumption
  • IDP (Signing) Certificate: can be provided separately

Note for Okta users: follow these instructions to get the above information.

Once we have this data, we will configure the SSO connection and provide you with an endpoint which will point to an XML file containing:

  • SP Entity Id/Provider Id
  • SP Certificate
  • Assertion Consumer Service URL
  • Name Id Format

IdP-Initiated SSO flow (Advanced)

For IdP-Initiated Single Sign-On, we will provide you with a callback URL. This endpoint accepts an IdP-Initiated Sign On SAMLResponse from a SAML Identity Provider. The connection corresponding to the identity provider is specified in the querystring.

Parameter

Description

connection REQUIRED

The name of the identity provider configured (provided by CaliberMind).

SAMLResponse REQUIRED

An IdP-Initiated Sign On SAML Response.

Risks of using an IdP-Initiated SSO flow

IdP-Initiated flows carry a security risk and are therefore NOT recommended. Make sure you understand the risks before enabling IdP-Initiated SSO.

In an IdP-initiated flow neither Auth0 (which receives the unsolicited response from the Identity Provider) nor the application (that receives the unsolicited response generated by Auth0) can verify that the user actually started the flow. Because of this, enabling this flow opens the possibility of an Login CSRF attack, where an attacker can trick a legitimate user into unknowingly logging into the application with the identity of the attacker.

The recommendation is to use SP-Initiated flows whenever possible.

How did we do?

Administration and SSO - Start Here!

Manage Users - Viewing, Inviting, Updating Users and Roles

Contact