SSO

The preferred set-up for SSO is SAML.

Set-up required on the client side

You will need the following variables

• entity_id: https://organization_name.contract-p.fit

• acs_url: https://organization_name.contract-p.fit/auth/SAML/login

Notes

• Replace organization_name by the name of your tenant

• If you are on the qualification environment, replace contract-p.fit by contract-q.fit;
  If you are on a single tenant environment, replace contract-p.fit by contract.fit

Configuring claims

• The name of the SSO user is expected in the following attribute in the SAMLResponse: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

• The roles of the SSO user are expected in the following attribute in the SAMLResponse (repeat if multiple roles)
  http://schemas.microsoft.com/ws/2008/06/identity/claims/role

Specifying roles

• You can either specify a tenant-wide role (on the entire organization) or inbox-specific roles

  • administrator@tenant:organization_name

  • operator@inbox:invoices

• The pattern here is role_name@scope_level:scope_name

  • role_name must be an existing role in your tenant (the name of the role, not the id; case sensitive)

  • scope_level is tenant or inbox

  • scope_name is the name of your tenant or of the inbox (the name of the inbox, not the id; case sensitive)

What you need to share with us

The federation XML file

• Either a link through which it will remain available and up to date

• Either the xml file itself (discouraged as harder to keep up to date)