Save as PDF

Generic SAML Configuration

Overview

SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact your account manager, or accountmanagers@responsive.io, to enable it.

Responsive uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0) and supports SAML Authentication as an add-on feature.

Select the applicable tab for your edition of Responsive.

  • SAML Configuration in Identity Service Providers

    Based on the Environment you want to configure, provide the following content for the various fields in your Identity Service Provider.

    For Production Environment:

    RelayState

    Relay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML

    Audience / APP ID URI / Entity ID

    https://www.rfpio.com

    Recipient / 

    ACS Consumer URL /

    Login URL / 

    Sign-On URL

    https://app.rfpio.com/rfpserver/login/handle-saml-response

    ACS Consumer URL Validator

    https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle- saml-response

     

    For Sandbox Environments:

    RelayState

    Relay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML

    Audience / APP ID URI / Entity ID

    https://www.rfpio.com

    Recipient / 

    ACS Consumer URL /

    Login URL / 

    Sign-On URL

    https://sb01.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://sb02.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://ms-sb.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://google-sb.rfpio.com/rfpserver/login/handle-saml-response

    ACS Consumer URL Validator

    https:\/\/sb01\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/sb02\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/ms-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/google-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

     

    Map the attribute name by providing the below attribute values.

    Attribute Name

    Attribute Values

    first_name

    first_name

    last_name

    last_name

    job_title

    job_title

    phone

    phone

    location

    location

    You can also specify the Roles and Business Units (Primary Business Unit) in your IDP provider which helps in accessing the Responsive application directly from your IDP provider login.

    Map the attribute name by providing the below attribute values.

    Attribute Name  Attribute Value
    responsive_user_role

    <Specify the role name which you have mentioned in the Responsive application as attribute value>

    primary_business_unit

    <Specify the primary business unit name as the attribute value>

    Note: The role values should be entered exactly the same what have been specified in Responsive. The values are case sensitive. Similarly, business unit's values should be entered as the same in Responsive. If the business unit's values are different from the application, the user will be mapped to the default business unit.

    (Optional) If you find this below field, enter the public key.

    mceclip0.png

    If you want to generate a new set of public and private keys, use the below commands.

    • OpenSSLgenrsa -aes256 -out mykey1.pem
    • OpenSSLrsa -in mykey1.pem -pubout -out public_key1.pem -aes256
    • OpenSSLrsa -in mykey1.pem -out private_key1.pem

    Generate SAML Metadata in IDP

    Get the Metadata from IDP. The metadata will look like shown below (xml) :

    mceclip1.png

    Configuring SAML in Responsive

    1. Go to Organization Settings > Security > SSO and click Choose File to open the downloaded metadata or copy the XML.
      Note: Contact your account manager if the SAML SSO feature is not visible.
    2. Paste the XML in the Identity configuration field or choose the downloaded file.
      XML_screenshot.png
    3. Copy the SP Private key and paste it in the field (optional).
      mceclip5.png
    4. Click Validate to validate the configuration.
    5. Once validated, turn on the SAML toggle and click Submit.
      mceclip6.png

    Logging in to Responsive Using SAML

    You can log in using SAML in the following ways:

    • Login from your IDP
    • Login to app.rfpio.com using SAML
      mceclip7.png
    • Login using instance-specific URL. Contact your account manager to get an instance-specific URL which can be bookmarked in your browser.
    • Just in Time Provisioning.

    Just-in-Time Provisioning

    With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization and have provided access to Responsive in your SAML Identity Provider, you don't need to manually create the user in Responsive. When they log in with single sign-on for the 1st time, their account is automatically created for them, eliminating the time and effort with on-boarding the account. The new user can be assigned as Admin or Manager or Team Member role by defining the role in the SAML integration. User attribute can also be selected along with user role.

    mceclip0.png

    *None is an option for the admin users to restrict the new user to come into the application.

    mceclip1.png

    Points to remember: 

    • The IDP metadata must include a HTTP Redirect in order to be validated. In the example below, IDP indicates the customer's IDP and domain name indicates the customer's domain name.
      <SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
      />
    • The NameID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, as opposed to transient with user attribute mapping.
    • Only POST payload in SAML response are supported.
  • Essentials features are subscription-based and may not be available for all users. Contact your account manager, or accountmanagers@responsive.io, for more details.

    SAML Configuration in Identity Service Providers

    Based on the Environment you want to configure, provide the following content for the various fields in your Identity Service Provider.

    For Production Environment:

    RelayState

    Relay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML

    Audience / APP ID URI / Entity ID

    https://www.rfpio.com

    Recipient / 

    ACS Consumer URL /

    Login URL / 

    Sign-On URL

    https://app.rfpio.com/rfpserver/login/handle-saml-response

    ACS Consumer URL Validator

    https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle- saml-response

     

    For Sandbox Environments:

    RelayState

    Relay state can be seen in the "Saml SSO configuration" in Organization Settings- Security - SAML

    Audience / APP ID URI / Entity ID

    https://www.rfpio.com

    Recipient / 

    ACS Consumer URL /

    Login URL / 

    Sign-On URL

    https://sb01.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://sb02.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://ms-sb.rfpio.com/rfpserver/login/handle-saml-response

    [or]

    https://google-sb.rfpio.com/rfpserver/login/handle-saml-response

    ACS Consumer URL Validator

    https:\/\/sb01\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/sb02\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/ms-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

    [or]

    https:\/\/google-sb\.rfpio\.com\/rfpserver\/login\/handle- saml-response

     

    Map the attribute name by providing the below attribute values.

    Attribute Name

    Attribute Values

    first_name

    first_name

    last_name

    last_name

    job_title

    job_title

    phone

    phone

    location

    location

    You can also specify the Roles and Business Units (Primary Business Unit) in your IDP provider which helps in accessing the Responsive application directly from your IDP provider login.

    Map the attribute name by providing the below attribute values.

    Attribute Name  Attribute Value
    responsive_user_role

    <Specify the role name which you have mentioned in the Responsive application as attribute value>

    primary_business_unit

    <Specify the primary business unit name as the attribute value>

    Note: The role values should be entered exactly the same what have been specified in Responsive. The values are case sensitive. Similarly, business unit's values should be entered as the same in Responsive. If the business unit's values are different from the application, the user will be mapped to the default business unit.

    (Optional) If you find this below field, enter the public key.

    mceclip0.png

    If you want to generate a new set of public and private keys, use the below commands.

    • OpenSSLgenrsa -aes256 -out mykey1.pem
    • OpenSSLrsa -in mykey1.pem -pubout -out public_key1.pem -aes256
    • OpenSSLrsa -in mykey1.pem -out private_key1.pem

    Generate SAML Metadata in IDP

    Get the Metadata from IDP. The metadata will look like shown below (xml) :

    mceclip1.png

    Configuring SAML in Responsive

    1. Go to Organization Settings > Security > SSO and click Choose File to open the downloaded metadata or copy the XML.
      Note: Contact your account manager if the SAML SSO feature is not visible.
    2. Paste the XML in the Identity configuration field or choose the downloaded file.
      XML_screenshot.png
    3. Copy the SP Private key and paste it in the field (optional).
      mceclip5.png
    4. Click Validate to validate the configuration.
    5. Once validated, turn on the SAML toggle and click Submit.
      mceclip6.png

    Logging in to Responsive Using SAML

    You can log in using SAML in the following ways:

    • Login from your IDP
    • Login to app.rfpio.com using SAML
      mceclip7.png
    • Login using instance-specific URL. Contact your account manager to get an instance-specific URL which can be bookmarked in your browser.
    • Just in Time Provisioning.

    Just-in-Time Provisioning

    With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization and have provided access to Responsive in your SAML Identity Provider, you don't need to manually create the user in Responsive. When they log in with single sign-on for the 1st time, their account is automatically created for them, eliminating the time and effort with on-boarding the account. The new user can be assigned as Admin or Manager or Team Member role by defining the role in the SAML integration. User attribute can also be selected along with user role.

    mceclip0.png

    *None is an option for the admin users to restrict the new user to come into the application.

    mceclip1.png

    Points to remember: 

    • The IDP metadata must include a HTTP Redirect in order to be validated. In the example below, IDP indicates the customer's IDP and domain name indicates the customer's domain name.
      <SingleSignOnService
      Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
      />
    • The NameID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, as opposed to transient with user attribute mapping.
    • Only POST payload in SAML response are supported.

Was this article helpful?

/