Articles in this section

See more

How do I connect Grovo to my SAML 2.0 identity provider for single sign-on (SSO)?

Avatar
Client Success Team
  • Updated
Follow

In order to initiate a SAML Authentication Request, Grovo needs to know the following:

  1. EntityId - The location/URL of the IdP metadata.
  2. SingleSignOnService[Location/Binding] - Where to navigate the user in order to log in.
  3. X509 Certificate - A public key used in signed SAML Responses.

Additionally, the IdP will need to know the same pieces information to anticipate Authentication Requests are coming from a verified source.

 

IdP Metadata

Metadata is how both Service and Identity Providers describe how they behave. The following is a sample of an IdP Metadata: https://idp.ssocircle.com/

These are the areas of focus for a Master Administrator to jot down: 

EntityDescriptor - entityID 

<EntityDescriptor entityID="https://idp.ssocircle.com" xmlns="urn:oasis:names:tc:SAML:2.0:metadata">

KeyDescriptor use="signing"

<KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
        MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAkRF
        MRIwEAYDVQQKDAlTU09DaXJjbGUxCzAJBgNVBAMMAkNBMB4XDTE2MDgwMzE1MDMy
        M1oXDTI2MDMwNDE1MDMyM1owPTELMAkGA1UEBhMCREUxEjAQBgNVBAoTCVNTT0Np
        cmNsZTEaMBgGA1UEAxMRaWRwLnNzb2NpcmNsZS5jb20wggEiMA0GCSqGSIb3DQEB
        AQUAA4IBDwAwggEKAoIBAQCAwWJyOYhYmWZF2TJvm1VyZccs3ZJ0TsNcoazr2pTW
        cY8WTRbIV9d06zYjngvWibyiylewGXcYONB106ZNUdNgrmFd5194Wsyx6bPvnjZE
        ERny9LOfuwQaqDYeKhI6c+veXApnOfsY26u9Lqb9sga9JnCkUGRaoVrAVM3yfghv
        /Cg/QEg+I6SVES75tKdcLDTt/FwmAYDEBV8l52bcMDNF+JWtAuetI9/dWCBe9VTC
        asAr2Fxw1ZYTAiqGI9sW4kWS2ApedbqsgH3qqMlPA7tg9iKy8Yw/deEn0qQIx8Gl
        VnQFpDgzG9k+jwBoebAYfGvMcO/BDXD2pbWTN+DvbURlAgMBAAGjezB5MAkGA1Ud
        EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj
        YXRlMB0GA1UdDgQWBBQhAmCewE7aonAvyJfjImCRZDtccTAfBgNVHSMEGDAWgBTA
        1nEA+0za6ppLItkOX5yEp8cQaTANBgkqhkiG9w0BAQsFAAOCAgEAAhC5/WsF9ztJ
        Hgo+x9KV9bqVS0MmsgpG26yOAqFYwOSPmUuYmJmHgmKGjKrj1fdCINtzcBHFFBC1
        maGJ33lMk2bM2THx22/O93f4RFnFab7t23jRFcF0amQUOsDvltfJw7XCal8JdgPU
        g6TNC4Fy9XYv0OAHc3oDp3vl1Yj8/1qBg6Rc39kehmD5v8SKYmpE7yFKxDF1ol9D
        KDG/LvClSvnuVP0b4BWdBAA9aJSFtdNGgEvpEUqGkJ1osLVqCMvSYsUtHmapaX3h
        iM9RbX38jsSgsl44Rar5Ioc7KXOOZFGfEKyyUqucYpjWCOXJELAVAzp7XTvA2q55
        u31hO0w8Yx4uEQKlmxDuZmxpMz4EWARyjHSAuDKEW1RJvUr6+5uA9qeOKxLiKN1j
        o6eWAcl6Wr9MreXR9kFpS6kHllfdVSrJES4ST0uh1Jp4EYgmiyMmFCbUpKXifpsN
        WCLDenE3hllF0+q3wIdu+4P82RIM71n7qVgnDnK29wnLhHDat9rkC62CIbonpkVY
        mnReX0jze+7twRanJOMCJ+lFg16BDvBcG8u0n/wIDkHHitBI7bU1k6c6DydLQ+69
        h8SCo6sO9YuD+/3xAGKad4ImZ6vTwlB4zDCpu6YgQWocWRXE+VkOb+RBfvP755PU
        aLfL63AFVlpOnEpIio5++UjNJRuPuAA=
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</KeyDescriptor>

SingleSignOnService bindings

<SingleSignOnService 
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
  Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp"/>
<SingleSignOnService 
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
  Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp"/>
<SingleSignOnService 
  Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
  Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/publicidp"/>

 

Given this metadata, we now know the following:

  1. EntityId - https://idp.ssocircle.com
  2. SingleSignOnService[Location/Binding]
  3. X509 Certificate - 
    MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAkRF
MRIwEAYDVQQKDAlTU09DaXJjbGUxCzAJBgNVBAMMAkNBMB4XDTE2MDgwMzE1MDMy
M1oXDTI2MDMwNDE1MDMyM1owPTELMAkGA1UEBhMCREUxEjAQBgNVBAoTCVNTT0Np
cmNsZTEaMBgGA1UEAxMRaWRwLnNzb2NpcmNsZS5jb20wggEiMA0GCSqGSIb3DQEB
AQUAA4IBDwAwggEKAoIBAQCAwWJyOYhYmWZF2TJvm1VyZccs3ZJ0TsNcoazr2pTW
cY8WTRbIV9d06zYjngvWibyiylewGXcYONB106ZNUdNgrmFd5194Wsyx6bPvnjZE
ERny9LOfuwQaqDYeKhI6c+veXApnOfsY26u9Lqb9sga9JnCkUGRaoVrAVM3yfghv
/Cg/QEg+I6SVES75tKdcLDTt/FwmAYDEBV8l52bcMDNF+JWtAuetI9/dWCBe9VTC
asAr2Fxw1ZYTAiqGI9sW4kWS2ApedbqsgH3qqMlPA7tg9iKy8Yw/deEn0qQIx8Gl
VnQFpDgzG9k+jwBoebAYfGvMcO/BDXD2pbWTN+DvbURlAgMBAAGjezB5MAkGA1Ud
EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj
YXRlMB0GA1UdDgQWBBQhAmCewE7aonAvyJfjImCRZDtccTAfBgNVHSMEGDAWgBTA
1nEA+0za6ppLItkOX5yEp8cQaTANBgkqhkiG9w0BAQsFAAOCAgEAAhC5/WsF9ztJ
Hgo+x9KV9bqVS0MmsgpG26yOAqFYwOSPmUuYmJmHgmKGjKrj1fdCINtzcBHFFBC1
maGJ33lMk2bM2THx22/O93f4RFnFab7t23jRFcF0amQUOsDvltfJw7XCal8JdgPU
g6TNC4Fy9XYv0OAHc3oDp3vl1Yj8/1qBg6Rc39kehmD5v8SKYmpE7yFKxDF1ol9D
KDG/LvClSvnuVP0b4BWdBAA9aJSFtdNGgEvpEUqGkJ1osLVqCMvSYsUtHmapaX3h
iM9RbX38jsSgsl44Rar5Ioc7KXOOZFGfEKyyUqucYpjWCOXJELAVAzp7XTvA2q55
u31hO0w8Yx4uEQKlmxDuZmxpMz4EWARyjHSAuDKEW1RJvUr6+5uA9qeOKxLiKN1j
o6eWAcl6Wr9MreXR9kFpS6kHllfdVSrJES4ST0uh1Jp4EYgmiyMmFCbUpKXifpsN
WCLDenE3hllF0+q3wIdu+4P82RIM71n7qVgnDnK29wnLhHDat9rkC62CIbonpkVY
mnReX0jze+7twRanJOMCJ+lFg16BDvBcG8u0n/wIDkHHitBI7bU1k6c6DydLQ+69
h8SCo6sO9YuD+/3xAGKad4ImZ6vTwlB4zDCpu6YgQWocWRXE+VkOb+RBfvP755PU
aLfL63AFVlpOnEpIio5++UjNJRuPuAA=
 

Configuring Grovo (SP)

Now knowing the required values, the Master Administrator needs to configure Grovo, in:
"App Settings" > "Integrations" > "Authentication" > "SP Initiated SAML 2.0"

Below is a demo on how to fill out the form:

 

Configuring the IdP

Now that Grovo is configured, a link to the SP Metadata is now available to configure the IdP. The following is a sample of an SP Metadata: https://grovo.grovo.com/sso/saml2/metadata

EntityDescriptor - entityID 

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" validUntil="2016-11-09T18:58:25Z" cacheDuration="PT604800S" entityID="http://grovo.grovo.com/sso/saml2/metadata">

KeyDescriptor use="signing"

<md:KeyDescriptor use="signing">
  <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:X509Data>
      <ds:X509Certificate>
        MIICWwIBAAKBgQClvCDmfQYkAg4MC6YthKPA+X+n9jl3grRPQrCDGLGrRlzpCnTV
        DdMCarZrcYQo96NtKjKQMZyU2Hz6vDGy1hGUSm/L1rpKEhhTFxbQsMHapsR8eZ7N
        ept601NhC/LixYfe0YYuTxrEyk2JzFO45+/KMFbOTEKf7H2Iy/HhaOxcrwIDAQAB
        AoGALe3u6DEprHztS6VGzkJ95xK9r9xqnJYaRgTjSdFkG2UKhoKhUhHcskTEfQ4e
        ZAQMxEn3bUJydEVyjUHuO/NbN10bQAjRCmudDX6frrZgzZNzu4MX/H2JsOr9BI6W
        LK2Mjm6vx8dGNaqzBlIG9xg2xRT+kLwr4co5JCkKK9diXHECQQDT23RgwOyp8BA5
        GMsjWKhfuUUg/tVy0Bwro2FKYZ1v3W6vDRrilwvdnkny3cl8KT74Hg2/zJewFEC0
        BTKZbQ+rAkEAyER9SrbfqsBObg75Qqfr4bU4i/eepPSFk6xIxpM58xC+EIMwlh/N
        GKcA20ZjzcvwLIcKptbBTn8fv/40f0qzDQJAbGtbtIQm2ZT8iGvS0aT2jf5fjVI8
        5APy1rZG/OzVyEDW+wjG4H0SWnk+OOcdzMfC7PFccfJ/EmJa9oXObkws/wJAEkCT
        vrx+FBzkyQkaVKXjTLXsim0uC1Cx3+yi0V5XuLx85hpe0j/hvG50GIgIzpfYsuY3
        5U7LXXEenqv3cuaG/QJAa+G6oOc130BM02joeUlbSj8MzJmPdrwmakmj1vMO3mIP
        lxElzemFJ6b7avZGprNeUMZJBvQOgdhv/Z1co7C3Zw==
      </ds:X509Certificate>
    </ds:X509Data>
  </ds:KeyInfo>
</md:KeyDescriptor>

AssertionConsumerService

<md:AssertionConsumerService 
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" 
    Location="http://grovo.grovo.com/sso/saml2/saml-assertion" 
    index="1"/> 

Given this metadata, we now know the following:

  1. EntityId - http://grovo.grovo.com/sso/saml2/metadata
  2. SingleSignOnService[Location/Binding]
  3. X509 Certificate - 
    MIICWwIBAAKBgQClvCDmfQYkAg4MC6YthKPA+X+n9jl3grRPQrCDGLGrRlzpCnTV
DdMCarZrcYQo96NtKjKQMZyU2Hz6vDGy1hGUSm/L1rpKEhhTFxbQsMHapsR8eZ7N
ept601NhC/LixYfe0YYuTxrEyk2JzFO45+/KMFbOTEKf7H2Iy/HhaOxcrwIDAQAB
AoGALe3u6DEprHztS6VGzkJ95xK9r9xqnJYaRgTjSdFkG2UKhoKhUhHcskTEfQ4e
ZAQMxEn3bUJydEVyjUHuO/NbN10bQAjRCmudDX6frrZgzZNzu4MX/H2JsOr9BI6W
LK2Mjm6vx8dGNaqzBlIG9xg2xRT+kLwr4co5JCkKK9diXHECQQDT23RgwOyp8BA5
GMsjWKhfuUUg/tVy0Bwro2FKYZ1v3W6vDRrilwvdnkny3cl8KT74Hg2/zJewFEC0
BTKZbQ+rAkEAyER9SrbfqsBObg75Qqfr4bU4i/eepPSFk6xIxpM58xC+EIMwlh/N
GKcA20ZjzcvwLIcKptbBTn8fv/40f0qzDQJAbGtbtIQm2ZT8iGvS0aT2jf5fjVI8
5APy1rZG/OzVyEDW+wjG4H0SWnk+OOcdzMfC7PFccfJ/EmJa9oXObkws/wJAEkCT
vrx+FBzkyQkaVKXjTLXsim0uC1Cx3+yi0V5XuLx85hpe0j/hvG50GIgIzpfYsuY3
5U7LXXEenqv3cuaG/QJAa+G6oOc130BM02joeUlbSj8MzJmPdrwmakmj1vMO3mIP
lxElzemFJ6b7avZGprNeUMZJBvQOgdhv/Z1co7C3Zw==

Do not copy/paste these exact values.

SP metadata is different for each enterprise on Grovo. Your users are likely not Grovo employees, so please use the respective metadata link.

Once the IdP is configured, SSO integration is complete and ready to test.

 

Claims

  • We expect <saml:NameID> to provide us an email address.
  • We do not have any requirements to the NameID Format; but recommend urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
  • Example below:

<saml:NameID>

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
  foo@bar.com
</saml:NameID>
Just-in-Time Provisioning: Users that do not exist in Grovo will be created; given an Email Address, First Name, and Last Name. Their employee ID will default to their email address.

Comments

0 comments

Please sign in to leave a comment.