In order to initiate a SAML Authentication Request, Grovo needs to know the following:
- EntityId - The location/URL of the IdP metadata.
- SingleSignOnService[Location/Binding] - Where to navigate the user in order to log in.
- X509 Certificate - A public key used in signed SAML Responses.
Additionally, the IdP will need to know the same pieces of information so it can confirm that Authentication Requests are coming from a verified source.
IdP Metadata
Metadata is how Service Providers and Identity Providers describe how they behave. The following is a sample of IdP metadata: https://idp.ssocircle.com/
These are the parts a Master Administrator should note down:
EntityDescriptor - entityID
<EntityDescriptor
    entityID="https://idp.ssocircle.com"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
KeyDescriptor use="signing"
<KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</KeyDescriptor>
SingleSignOnService bindings
<SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp"/>
<SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp"/>
<SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP"
    Location="https://idp.ssocircle.com:443/sso/SSOSoap/metaAlias/publicidp"/>
Given this metadata, we now know the following:
- EntityId - https://idp.ssocircle.com
- SingleSignOnService[Location/Binding] -
  https://idp.ssocircle.com:443/sso/SSORedirect/metaAlias/publicidp
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
  == OR ==
  https://idp.ssocircle.com:443/sso/SSOPOST/metaAlias/publicidp
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- X509 Certificate -
MIIEYzCCAkugAwIBAgIDIAZmMA0GCSqGSIb3DQEBCwUAMC4xCzAJBgNVBAYTAkRF MRIwEAYDVQQKDAlTU09DaXJjbGUxCzAJBgNVBAMMAkNBMB4XDTE2MDgwMzE1MDMy M1oXDTI2MDMwNDE1MDMyM1owPTELMAkGA1UEBhMCREUxEjAQBgNVBAoTCVNTT0Np cmNsZTEaMBgGA1UEAxMRaWRwLnNzb2NpcmNsZS5jb20wggEiMA0GCSqGSIb3DQEB AQUAA4IBDwAwggEKAoIBAQCAwWJyOYhYmWZF2TJvm1VyZccs3ZJ0TsNcoazr2pTW cY8WTRbIV9d06zYjngvWibyiylewGXcYONB106ZNUdNgrmFd5194Wsyx6bPvnjZE ERny9LOfuwQaqDYeKhI6c+veXApnOfsY26u9Lqb9sga9JnCkUGRaoVrAVM3yfghv /Cg/QEg+I6SVES75tKdcLDTt/FwmAYDEBV8l52bcMDNF+JWtAuetI9/dWCBe9VTC asAr2Fxw1ZYTAiqGI9sW4kWS2ApedbqsgH3qqMlPA7tg9iKy8Yw/deEn0qQIx8Gl VnQFpDgzG9k+jwBoebAYfGvMcO/BDXD2pbWTN+DvbURlAgMBAAGjezB5MAkGA1Ud EwQCMAAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj YXRlMB0GA1UdDgQWBBQhAmCewE7aonAvyJfjImCRZDtccTAfBgNVHSMEGDAWgBTA 1nEA+0za6ppLItkOX5yEp8cQaTANBgkqhkiG9w0BAQsFAAOCAgEAAhC5/WsF9ztJ Hgo+x9KV9bqVS0MmsgpG26yOAqFYwOSPmUuYmJmHgmKGjKrj1fdCINtzcBHFFBC1 maGJ33lMk2bM2THx22/O93f4RFnFab7t23jRFcF0amQUOsDvltfJw7XCal8JdgPU g6TNC4Fy9XYv0OAHc3oDp3vl1Yj8/1qBg6Rc39kehmD5v8SKYmpE7yFKxDF1ol9D KDG/LvClSvnuVP0b4BWdBAA9aJSFtdNGgEvpEUqGkJ1osLVqCMvSYsUtHmapaX3h iM9RbX38jsSgsl44Rar5Ioc7KXOOZFGfEKyyUqucYpjWCOXJELAVAzp7XTvA2q55 u31hO0w8Yx4uEQKlmxDuZmxpMz4EWARyjHSAuDKEW1RJvUr6+5uA9qeOKxLiKN1j o6eWAcl6Wr9MreXR9kFpS6kHllfdVSrJES4ST0uh1Jp4EYgmiyMmFCbUpKXifpsN WCLDenE3hllF0+q3wIdu+4P82RIM71n7qVgnDnK29wnLhHDat9rkC62CIbonpkVY mnReX0jze+7twRanJOMCJ+lFg16BDvBcG8u0n/wIDkHHitBI7bU1k6c6DydLQ+69 h8SCo6sO9YuD+/3xAGKad4ImZ6vTwlB4zDCpu6YgQWocWRXE+VkOb+RBfvP755PU aLfL63AFVlpOnEpIio5++UjNJRuPuAA=
Configuring Grovo (SP)
With the required values in hand, the Master Administrator needs to configure Grovo under:
"App Settings" > "Integrations" > "Authentication" > "SP Initiated SAML 2.0"
Below is a demo on how to fill out the form:
Configuring the IdP
Now that Grovo is configured, a link to the SP Metadata is available for configuring the IdP. The following is a sample of SP metadata: https://grovo.grovo.com/sso/saml2/metadata
EntityDescriptor - entityID
<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    validUntil="2016-11-09T18:58:25Z"
    cacheDuration="PT604800S"
    entityID="http://grovo.grovo.com/sso/saml2/metadata">
KeyDescriptor use="signing"
<md:KeyDescriptor use="signing">
    <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
            <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
    </ds:KeyInfo>
</md:KeyDescriptor>
AssertionConsumerService
<md:AssertionConsumerService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="http://grovo.grovo.com/sso/saml2/saml-assertion"
    index="1"/>
Given this metadata, we now know the following:
- EntityId - http://grovo.grovo.com/sso/saml2/metadata
- SingleSignOnService[Location/Binding] -
  http://grovo.grovo.com/sso/saml2/saml-assertion
  urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
- X509 Certificate -
MIICWwIBAAKBgQClvCDmfQYkAg4MC6YthKPA+X+n9jl3grRPQrCDGLGrRlzpCnTV DdMCarZrcYQo96NtKjKQMZyU2Hz6vDGy1hGUSm/L1rpKEhhTFxbQsMHapsR8eZ7N ept601NhC/LixYfe0YYuTxrEyk2JzFO45+/KMFbOTEKf7H2Iy/HhaOxcrwIDAQAB AoGALe3u6DEprHztS6VGzkJ95xK9r9xqnJYaRgTjSdFkG2UKhoKhUhHcskTEfQ4e ZAQMxEn3bUJydEVyjUHuO/NbN10bQAjRCmudDX6frrZgzZNzu4MX/H2JsOr9BI6W LK2Mjm6vx8dGNaqzBlIG9xg2xRT+kLwr4co5JCkKK9diXHECQQDT23RgwOyp8BA5 GMsjWKhfuUUg/tVy0Bwro2FKYZ1v3W6vDRrilwvdnkny3cl8KT74Hg2/zJewFEC0 BTKZbQ+rAkEAyER9SrbfqsBObg75Qqfr4bU4i/eepPSFk6xIxpM58xC+EIMwlh/N GKcA20ZjzcvwLIcKptbBTn8fv/40f0qzDQJAbGtbtIQm2ZT8iGvS0aT2jf5fjVI8 5APy1rZG/OzVyEDW+wjG4H0SWnk+OOcdzMfC7PFccfJ/EmJa9oXObkws/wJAEkCT vrx+FBzkyQkaVKXjTLXsim0uC1Cx3+yi0V5XuLx85hpe0j/hvG50GIgIzpfYsuY3 5U7LXXEenqv3cuaG/QJAa+G6oOc130BM02joeUlbSj8MzJmPdrwmakmj1vMO3mIP lxElzemFJ6b7avZGprNeUMZJBvQOgdhv/Z1co7C3Zw==
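The two "Given this metadata, we now know" lists above (one for the IdP, one for the SP) are what an administrator extracts by eye. The following added Python example, which is not Grovo's code, pulls the same values out of a metadata document with the standard library and adds the checks a practitioner would want before copying them anywhere: that the SSO endpoint picked uses one of the two browser bindings (HTTP-Redirect or HTTP-POST), that validUntil has not passed, that every endpoint is https, and that what sits in the signing KeyDescriptor has the DER outer shape of a certificate rather than of a private key. The hostnames and both certificate placeholders in the sample documents are constructed.

```python
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Namespaces for SAML 2.0 metadata and XML-DSig.
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:"

# Constructed sample metadata shaped like the ssocircle (IdP) and Grovo (SP)
# excerpts; hosts are assumptions. "MAQwAgUA" is a hand-made 6-byte DER
# SEQUENCE{SEQUENCE{NULL}}: not a real certificate, only a certificate's outer shape.
IDP_XML = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://idp.example.test">
 <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate> MAQw AgUA </ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></KeyDescriptor>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/redirect"/>
  <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://idp.example.test/sso/post"/>
 </IDPSSODescriptor>
</EntityDescriptor>"""

# "MIICWwIBAA==" is a constructed 7-byte blob with the outer shape of a PKCS#1
# RSA private key (SEQUENCE{INTEGER 0, ...}), so the certificate check fires.
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  validUntil="2016-11-09T18:58:25Z" cacheDuration="PT604800S"
  entityID="http://sp.example.test/sso/saml2/metadata">
 <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
   <ds:X509Data><ds:X509Certificate>MIICWwIBAA==</ds:X509Certificate></ds:X509Data>
  </ds:KeyInfo></md:KeyDescriptor>
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="http://sp.example.test/sso/saml2/saml-assertion" index="1"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def parse_metadata(xml_text):
    """Pull entityID, endpoints and signing certificates out of an EntityDescriptor."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    certs = []
    for kd in root.findall(".//md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):  # no 'use' means signing AND encryption
            for c in kd.findall(".//ds:X509Certificate", NS):
                certs.append("".join((c.text or "").split()))  # drop wrapping whitespace
    endpoints = lambda tag: [(e.get("Binding"), e.get("Location"))
                             for e in root.findall(".//md:" + tag, NS)]
    return {"entity_id": root.get("entityID"), "valid_until": root.get("validUntil"),
            "sso": endpoints("SingleSignOnService"),
            "acs": endpoints("AssertionConsumerService"), "signing_certs": certs}


def choose_sso_endpoint(info, preferred=("HTTP-Redirect", "HTTP-POST")):
    """First SSO endpoint whose binding is in `preferred`, in preference order."""
    for short in preferred:
        for binding, location in info["sso"]:
            if binding == BINDING + short:
                return binding, location
    return None


def asn1_shape(b64):
    """Cheap DER sanity check: a certificate is SEQUENCE{SEQUENCE{...}}, while
    PKCS#1 and PKCS#8 private keys are SEQUENCE{INTEGER 0, ...}."""
    try:
        der = base64.b64decode("".join(b64.split()), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "not-base64"
    if len(der) < 2 or der[0] != 0x30:
        return "not-a-sequence"
    hdr = 2 + ((der[1] & 0x7F) if der[1] & 0x80 else 0)  # skip long-form length bytes
    if len(der) <= hdr:
        return "truncated"
    return {0x30: "certificate-like", 0x02: "private-key-like"}.get(der[hdr], "unknown")


def metadata_is_current(info, now=None):
    """validUntil is optional; when present it is an absolute UTC deadline."""
    if info["valid_until"] is None:
        return True
    ts = lambda s: datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    now = ts(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    return now < ts(info["valid_until"])


def audit(xml_text, now=None):
    """Return (parsed values, findings) to read before copying anything into a form."""
    info = parse_metadata(xml_text)
    findings = []
    if not info["entity_id"]:
        findings.append("missing entityID")
    if not metadata_is_current(info, now):
        findings.append("validUntil has passed: " + info["valid_until"])
    for _, loc in info["sso"] + info["acs"]:
        if not loc.startswith("https://"):
            findings.append("non-https endpoint: " + loc)
    if not info["signing_certs"]:
        findings.append("no signing certificate: signed Responses cannot be verified")
    for cert in info["signing_certs"]:
        if asn1_shape(cert) != "certificate-like":
            findings.append("signing KeyDescriptor holds a %s value" % asn1_shape(cert))
    return info, findings
```

Fetch metadata over TLS from the provider's published URL and re-fetch it before validUntil lapses, since a stale signing certificate silently breaks Response verification. When the metadata comes from a source you do not control, parse it with defusedxml instead of xml.etree to rule out entity-expansion tricks.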
Do not copy/paste these exact values.
SP metadata is different for each enterprise on Grovo. Your users are most likely not Grovo employees, so use the metadata link for your own enterprise.
Once the IdP is configured, SSO integration is complete and ready to test.
Claims
- We expect <saml:NameID> to provide us an email address.
- We do not have any requirements on the NameID Format, but recommend urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
- Example below:
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">
    foo@bar.com
</saml:NameID>
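For the NameID claim, an added Python check (not Grovo's code) that does what the three bullets above describe on the SP side: it takes the single Subject/NameID from an assertion, applies the SAML default Format when the attribute is absent, strips the surrounding whitespace IdPs commonly emit around the value, and refuses a value that is not an email address. The assertion samples are constructed; the check assumes the enclosing Response's XML signature has already been verified against the IdP certificate taken from its metadata, since a NameID read from an unverified Response is attacker-chosen input.

```python
import re
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
RECOMMENDED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Conservative e-mail shape check: exactly one '@', no whitespace, a dotted domain part.
EMAIL_RE = re.compile(r"^[^\s@]+@[^\s@]+\.[^\s@]+$")


def wrap_assertion(name_id_xml):
    """Build a constructed minimal Assertion around one NameID element (sample input)."""
    return ('<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
            "<saml:Subject>%s</saml:Subject></saml:Assertion>" % name_id_xml)


# Constructed samples: the page's example, one without a Format, one that is a username.
GOOD = wrap_assertion('<saml:NameID Format="%s">\n  foo@bar.com\n</saml:NameID>' % RECOMMENDED_FORMAT)
NO_FORMAT = wrap_assertion("<saml:NameID>foo@bar.com</saml:NameID>")
NOT_EMAIL = wrap_assertion('<saml:NameID Format="%s">jdoe</saml:NameID>' % RECOMMENDED_FORMAT)


def check_name_id(assertion_xml):
    """Return the NameID usable as the login e-mail, or the reason it is unusable.
    Precondition (assumed, not checked here): the Response signature was verified."""
    root = ET.fromstring(assertion_xml)
    ids = root.findall("./saml:Subject/saml:NameID", NS)
    if len(ids) != 1:  # zero or several NameIDs means a malformed or tampered assertion
        return {"ok": False, "reason": "expected one Subject/NameID, found %d" % len(ids)}
    value = (ids[0].text or "").strip()  # IdPs commonly pad the value with newlines
    fmt = ids[0].get("Format", RECOMMENDED_FORMAT)  # SAML default when Format is absent
    if not EMAIL_RE.match(value):
        return {"ok": False, "reason": "NameID is not an e-mail address", "format": fmt}
    return {"ok": True, "email": value, "format": fmt,
            "format_recommended": fmt == RECOMMENDED_FORMAT}
```

Rejecting rather than guessing when the value is not an email address keeps account linking deterministic: a username or opaque identifier arriving in NameID should surface as a configuration error on the IdP side, not be mapped to a user by heuristics.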