Security Assertion Markup Language (SAML) is a mechanism used to authorize users in two or more web applications/websites. It could be used as Single Sign On (SSO) method in UseResponse.
SAML is not in the core of the system and is available in Enterprise package
How Does It Work in UseResponse
UseResponse takes the role of service provider here that establishes connection with identity provider (LDAP, Active Directory) of your corporate network. You can use your own SAML server or choose SAML service like OneLogin, Okta, PingIdentity, as identify provider (IdP).
Once user is authorized in any of your application that uses SAML, he would be automatically logged in all other applications (CRM, email, internal system, etc). So authentication process is handled outside of UseResponse.
Each time new user is added into your network, new user account is created in UseResponse, but passwords are not stored in the system but only emails and Full Names.
No matter what login form you would use, users would sign in corporate network (authenticated with LDAP or Active Directory as an example). Once user is added in your corporate network, it's added automatically into your community by syncing the data.
Configuring SAML Implementation
To enable SAML, please go to Administration » Login Plus » Single Sign-on.
If you are going to use system only within your company, so no public users would have access to it, choose the option to use only SSO and disable registration emails.
You would need 2 options to put on your IdP (SAML server or service provider) that are provided on settings page:
- Assertion Consumer Service URL - SSO URL of UseResponse that is served as service provider in SAML;
- Single Logout Service URL - used to logout user from UseResponse once logout process was done in another application.
You would need to take 3 options for your IdP to put in UseResponse settings:
- External Login URL - used to forward you to external login form where user is authenticated;
- External Logout URL - used to logout user from all web applications once user logs out UseResponse;
- Certificate Fingerprint - the SHA1 fingerprint of the SAML certificate that should be taken at your IdP.
You can pass other variables to be caught by the system set in the module settings like User ID, Email, First Name, Last Name.
Any user that signs in UseResponse using SAML is assigned to "User" Role.