Overview
SAML Authentication is a paid add-on feature and must be enabled prior to use. Contact your account manager, or accountmanagers@responsive.io, to enable it.
Responsive uses the secure and widely adopted industry standard Security Assertion Markup Language 2.0 (SAML 2.0) and supports SAML Authentication as an add-on feature.
Our single sign-on (SSO) implementation integrates easily with any large identity provider that supports SAML 2.0.
Select the applicable tab for your edition of Responsive.
Configuring SAML in ISPs
Based on the environment you want to configure, provide the following content for the various fields in your Identity Service Provider (ISP).
For Production Environment:
RelayState: Relay state can be seen in the "Saml SSO configuration" in Organization Settings - Security - SAML
Audience / APP ID URI / Entity ID: https://www.rfpio.com
Recipient / ACS Consumer URL / Login URL / Sign-On URL: https://app.rfpio.com/rfpserver/login/handle-saml-response
ACS Consumer URL Validator: https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle-saml-response
For Sandbox Environments:
RelayState: Relay state can be seen in the "Saml SSO configuration" in Organization Settings - Security - SAML
Audience / APP ID URI / Entity ID: https://www.rfpio.com
Recipient / ACS Consumer URL / Login URL / Sign-On URL, one of:
- https://sb01.rfpio.com/rfpserver/login/handle-saml-response
- https://sb02.rfpio.com/rfpserver/login/handle-saml-response
- https://ms-sb.rfpio.com/rfpserver/login/handle-saml-response
- https://google-sb.rfpio.com/rfpserver/login/handle-saml-response
ACS Consumer URL Validator, one of:
- https:\/\/sb01\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/sb02\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/ms-sb\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/google-sb\.rfpio\.com\/rfpserver\/login\/handle-saml-response
Map the attribute names by providing the attribute values below.
Attribute Name | Attribute Value
first_name | first_name
last_name | last_name
job_title | job_title
phone | phone
location | location
You can also specify the Roles and Business Units (Primary Business Unit) in your IDP, which helps users access the Responsive application directly from the IDP login.
Map the attribute names by providing the attribute values below.
Attribute Name | Attribute Value
responsive_user_role | <Specify the role name which you have mentioned in the Responsive application as attribute value>
primary_business_unit | <Specify the primary business unit name as the attribute value>
Note: The role values must be entered exactly as they are specified in Responsive. The values are case sensitive. Similarly, business unit values must be entered exactly as they appear in Responsive. If a business unit value differs from the one in the application, the user will be mapped to the default business unit.
(Optional) If the field below is present, enter the public key.
If you want to generate a new set of public and private keys, use the commands below.
- openssl genrsa -aes256 -out mykey1.pem   # generate an RSA private key, encrypted with a passphrase
- openssl rsa -in mykey1.pem -pubout -out public_key1.pem -aes256   # export the matching public key
- openssl rsa -in mykey1.pem -out private_key1.pem   # write the private key without passphrase protection
Generate SAML Metadata in IDP
Get the metadata from the IDP. The metadata will look like the XML shown below:
Configuring SAML in Responsive
- Go to Organization Settings > My Organization > Security > SSO/SCIM and click Upload Configuration File to open the downloaded metadata or copy the XML.
Note: Contact your account manager if the SAML SSO feature is not visible.
- Paste the XML in the Identity configuration field or choose the downloaded file.
- Copy the SP Private key and paste it in the field (optional).
- Click Validate to validate the configuration.
- Once validated, turn on the SAML toggle and click Save.
Logging in to Responsive using SAML
You can log in using SAML in the following ways:
- Login from your IDP
- Login to app.rfpio.com using SAML
- Login using instance-specific URL. Contact your account manager to get an instance-specific URL which can be bookmarked in your browser.
- Just in Time Provisioning.
Just-in-Time provisioning
With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization and have provided access to Responsive in your SAML Identity Provider, you don't need to manually create the user in Responsive. When they log in with single sign-on for the first time, their account is automatically created for them, eliminating the time and effort of onboarding the account. The new user can be assigned the Admin, Manager, or Team Member role by defining the role in the SAML integration. A user attribute can also be selected along with the user role.
*None is an option that lets admin users restrict new users from coming into the application.
Points to remember:
- The IDP metadata must include an HTTP Redirect in order to be validated. In the example below, IDP indicates the customer's IDP and domain name indicates the customer's domain name.
  <SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
  />
- The NameID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, as opposed to transient with user attribute mapping.
- Only POST payloads in the SAML response are supported.
Essentials features are subscription-based and may not be available for all users. Contact your account manager, or accountmanagers@responsive.io, for more details.
Configuring SAML in ISPs
Based on the environment you want to configure, provide the following content for the various fields in your Identity Service Provider (ISP).
For Production Environment:
RelayState: Relay state can be seen in the "Saml SSO configuration" in Organization Settings - Security - SAML
Audience / APP ID URI / Entity ID: https://www.rfpio.com
Recipient / ACS Consumer URL / Login URL / Sign-On URL: https://app.rfpio.com/rfpserver/login/handle-saml-response
ACS Consumer URL Validator: https:\/\/app\.rfpio\.com\/rfpserver\/login\/handle-saml-response
For Sandbox Environments:
RelayState: Relay state can be seen in the "Saml SSO configuration" in Organization Settings - Security - SAML
Audience / APP ID URI / Entity ID: https://www.rfpio.com
Recipient / ACS Consumer URL / Login URL / Sign-On URL, one of:
- https://sb01.rfpio.com/rfpserver/login/handle-saml-response
- https://sb02.rfpio.com/rfpserver/login/handle-saml-response
- https://ms-sb.rfpio.com/rfpserver/login/handle-saml-response
- https://google-sb.rfpio.com/rfpserver/login/handle-saml-response
ACS Consumer URL Validator, one of:
- https:\/\/sb01\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/sb02\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/ms-sb\.rfpio\.com\/rfpserver\/login\/handle-saml-response
- https:\/\/google-sb\.rfpio\.com\/rfpserver\/login\/handle-saml-response
Map the attribute names by providing the attribute values below.
Attribute Name | Attribute Value
first_name | first_name
last_name | last_name
job_title | job_title
phone | phone
location | location
You can also specify the Roles and Business Units (Primary Business Unit) in your IDP, which helps users access the Responsive application directly from the IDP login.
Map the attribute names by providing the attribute values below.
Attribute Name | Attribute Value
responsive_user_role | <Specify the role name which you have mentioned in the Responsive application as attribute value>
primary_business_unit | <Specify the primary business unit name as the attribute value>
Note: The role values must be entered exactly as they are specified in Responsive. The values are case sensitive. Similarly, business unit values must be entered exactly as they appear in Responsive. If a business unit value differs from the one in the application, the user will be mapped to the default business unit.
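A pre-flight check for the settings and attribute mappings listed above, run against a test assertion copied from your IDP's preview. This is an added example, not Responsive's code. The function names, the sample values and the role and business unit lists passed in are assumptions for illustration, and the production ACS URL is used.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
AUDIENCE = "https://www.rfpio.com"
ACS_URL = "https://app.rfpio.com/rfpserver/login/handle-saml-response"  # production
PROFILE_ATTRS = ["first_name", "last_name", "job_title", "phone", "location"]


def sample_assertion(attrs, audience=AUDIENCE, recipient=ACS_URL):
    """Build a constructed, unsigned test assertion (values are not XML-escaped)."""
    rows = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}'
        f"</saml:AttributeValue></saml:Attribute>" for name, value in attrs.items())
    return (
        f'<saml:Assertion xmlns:saml="{SAML}"><saml:Subject><saml:SubjectConfirmation>'
        f'<saml:SubjectConfirmationData Recipient="{recipient}"/>'
        f"</saml:SubjectConfirmation></saml:Subject><saml:Conditions>"
        f"<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{rows}</saml:AttributeStatement></saml:Assertion>")


def check_assertion(xml_text, known_roles, known_units):
    """Return (errors, warnings) for a test assertion captured before go-live."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    if AUDIENCE not in [a.text for a in root.iterfind(".//saml:Audience", NS)]:
        errors.append(f"Audience must be {AUDIENCE}")
    recipients = [d.get("Recipient")
                  for d in root.iterfind(".//saml:SubjectConfirmationData", NS)]
    if ACS_URL not in recipients:
        errors.append(f"Recipient must be {ACS_URL}")
    attrs = {a.get("Name"): (a.findtext("saml:AttributeValue", "", NS) or "").strip()
             for a in root.iterfind(".//saml:Attribute", NS)}
    warnings += [f"attribute {n} is not sent" for n in PROFILE_ATTRS if n not in attrs]
    role = attrs.get("responsive_user_role")
    if role is not None and role not in known_roles:  # exact, case-sensitive match
        errors.append(f"role {role!r} does not exactly match a Responsive role")
    unit = attrs.get("primary_business_unit")
    if unit is not None and unit not in known_units:
        warnings.append(f"business unit {unit!r} not found; the default unit applies")
    return errors, warnings
```

The check compares configuration values only and does not verify the assertion's signature.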
(Optional) If the field below is present, enter the public key.
If you want to generate a new set of public and private keys, use the commands below.
- openssl genrsa -aes256 -out mykey1.pem   # generate an RSA private key, encrypted with a passphrase
- openssl rsa -in mykey1.pem -pubout -out public_key1.pem -aes256   # export the matching public key
- openssl rsa -in mykey1.pem -out private_key1.pem   # write the private key without passphrase protection
Generate SAML Metadata in IDP
Get the metadata from the IDP. The metadata will look like the XML shown below:
Configuring SAML in Responsive
- Go to Organization Settings > My Organization > Security > SSO/SCIM and click Upload Configuration File to open the downloaded metadata or copy the XML.
Note: Contact your account manager if the SAML SSO feature is not visible.
- Paste the XML in the Identity configuration field or choose the downloaded file.
- Copy the SP Private key and paste it in the field (optional).
- Click Validate to validate the configuration.
- Once validated, turn on the SAML toggle and click Save.
Logging in to Responsive using SAML
You can log in using SAML in the following ways:
- Login from your IDP
- Login to app.rfpio.com using SAML
- Login using instance-specific URL. Contact your account manager to get an instance-specific URL which can be bookmarked in your browser.
- Just in Time Provisioning.
Just-in-Time provisioning
With Just-in-Time provisioning, you can use a SAML assertion to create regular and portal users on the fly the first time they try to log in. This eliminates the need to create user accounts in advance. For example, if you recently added an employee to your organization and have provided access to Responsive in your SAML Identity Provider, you don't need to manually create the user in Responsive. When they log in with single sign-on for the first time, their account is automatically created for them, eliminating the time and effort of onboarding the account. The new user can be assigned the Admin, Manager, or Team Member role by defining the role in the SAML integration. A user attribute can also be selected along with the user role.
*None is an option that lets admin users restrict new users from coming into the application.
Points to remember:
- The IDP metadata must include an HTTP Redirect in order to be validated. In the example below, IDP indicates the customer's IDP and domain name indicates the customer's domain name.
  <SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://<IDP.DomainName>/auth/realms/<DomainName>/protocol/saml"
  />
- The NameID format must be set to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress, as opposed to transient with user attribute mapping.
- Only POST payloads in the SAML response are supported.
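The metadata requirements in "Points to remember" can be checked locally before uploading the file. This is an added example, not Responsive's validator. The function name and the sample metadata (idp.example.com, placeholder certificate) are constructed for illustration, and the https and signing-certificate checks are extra assumptions beyond what the page states.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample; idp.example.com and the certificate text are placeholders.
SAMPLE_METADATA = f"""<EntityDescriptor xmlns="{MD}" entityID="https://idp.example.com/realms/example">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><KeyInfo xmlns="{DS}"><X509Data>
   <X509Certificate>PLACEHOLDER</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
  <NameIDFormat>{EMAIL_FORMAT}</NameIDFormat>
  <SingleSignOnService Binding="{REDIRECT}"
    Location="https://idp.example.com/auth/realms/example/protocol/saml"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""


def check_idp_metadata(xml_text):
    """Return a list of problems; an empty list means every check passed."""
    # Metadata never needs a DTD; rejecting one avoids entity-expansion tricks.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata contains a DTD; refusing to parse"]
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    idp = root.find(f".//{{{MD}}}IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element"]
    problems = []
    locations = [s.get("Location", "") for s in idp.findall(f"{{{MD}}}SingleSignOnService")
                 if s.get("Binding") == REDIRECT]
    if not locations:
        problems.append("no SingleSignOnService with the HTTP-Redirect binding")
    elif not all(loc.startswith("https://") for loc in locations):
        problems.append("HTTP-Redirect Location is not an https:// URL")
    formats = [(f.text or "").strip() for f in idp.findall(f"{{{MD}}}NameIDFormat")]
    if EMAIL_FORMAT not in formats:
        problems.append("emailAddress NameIDFormat is not declared")
    # Extra sanity check (assumption, not stated on the page): a signing certificate.
    certs = [c for k in idp.findall(f"{{{MD}}}KeyDescriptor") if k.get("use") != "encryption"
             for c in k.iter(f"{{{DS}}}X509Certificate") if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate in KeyDescriptor")
    return problems
```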