SSO backend workflow and setup
Sertifi supports Service Provider-initiated SSO using the SAML 2.0 protocol. This article outlines the backend process when the end user accesses their Sertifi portal using SSO, as well as the SAML requirements of Sertifi to enable your portal for SSO.
Backend workflow
The backend workflow, once SSO is enabled for your portal, goes through the following process:
- The user navigates to their Sertifi portal via URL.
- The user clicks Log in with enterprise ID.
- The user is redirected to your authentication endpoint; as part of that redirect, Sertifi sends a SAML AuthnRequest to your endpoint.
- The user is authenticated into your system. Note that Sertifi doesn't have control over how your system performs the authentication. Typically with SSO, if the user has previously logged in and has an active session, the authentication is seamless. Otherwise, the authentication prompts for the user's credentials. This may need to be configured on your end.
- The user is redirected back to Sertifi with a SAML assertion that contains the information Sertifi requires to log the user into the portal.
Note that Sertifi does not support Identity Provider-initiated SSO. Users must click Log In with Enterprise ID on the Sertifi portal.
Once SSO is set up on a Sertifi portal, users with a role of Admin or higher must log in with SSO. This means that you have full control of their access to Sertifi.
SAML Requirements
To configure SSO using SAML, please provide the following information:
- IdP Issuer URI - the Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IdP EntityDescriptor.
- IdP Single Sign-On URL - the binding-specific IdP Authentication Request Protocol endpoint that receives SAML AuthnRequest messages from Sertifi.
- IdP Signature Certificate - the PEM- or DER-encoded public key certificate of the Identity Provider, used to verify SAML message and assertion signatures.
Alternatively, if you are able to provide a SAML metadata file, we can use that to obtain all of the required information.
In order to enable SSO for your portals, Sertifi requires that you include two pieces of information for each user in the SAML assertion. The assertion must be signed using SHA-256:
- Unique ID – the user's unique ID in your system. This is sent as the Subject NameID value.
- Email Address – the user's unique email address. This must be sent as a SAML attribute. The email address MUST be unique.
- (Optional) First Name and Last Name – the user's first and last name. If the user's first and last name aren't included with the SAML assertion, the user will be prompted on first login to enter their first and last name.
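The following is an added example, not Sertifi's code, that inspects an assertion for the items listed above: the Subject NameID, the email attribute, the optional first and last name, and a signature declared with SHA-256. The sample assertion is constructed, the attribute names (`email`, `firstName`, `lastName`) are assumptions agreed with Sertifi at setup rather than names taken from this page, and the function only checks the declared algorithms and fields; cryptographic verification of the signature against the IdP certificate is left to a SAML library.

```python
"""Added example (not Sertifi's code): check that a SAML assertion carries
the fields Sertifi requires and declares a SHA-256 signature."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Algorithm identifiers from RFC 4051 / XML Encryption for SHA-256 signatures and digests.
SHA256_SIGNATURE_ALGS = {
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
}
SHA256_DIGEST_ALG = "http://www.w3.org/2001/04/xmlenc#sha256"
# Assumed attribute names; the real names are agreed with Sertifi during setup.
EMAIL_ATTR = "email"
FIRST_NAME_ATTR = "firstName"
LAST_NAME_ATTR = "lastName"

# Constructed sample assertion: signature and digest values are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <ds:Signature>
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="#_a1">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
        <ds:DigestValue>PLACEHOLDER-DIGEST</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER-SIGNATURE</ds:SignatureValue>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">u-10042</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def extract_claims(assertion_xml):
    """Pull issuer, NameID, attributes and declared signature algorithms out of an assertion."""
    root = ET.fromstring(assertion_xml)
    if root.tag != f"{{{NS['saml']}}}Assertion":
        raise ValueError("root element is not saml:Assertion")
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    digest = root.find("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
    return {
        "issuer": (issuer or "").strip() or None,
        "name_id": (name_id or "").strip() or None,
        "attributes": attrs,
        "signature_alg": sig.get("Algorithm") if sig is not None else None,
        "digest_alg": digest.get("Algorithm") if digest is not None else None,
    }


def check_requirements(claims, expected_issuer):
    """Return a list of problems; an empty list means the required items are present.
    Declared algorithms and fields only: verifying the signature bytes against the
    IdP Signature Certificate is the job of a SAML library, not this function."""
    problems = []
    if claims["issuer"] != expected_issuer:
        problems.append(f"issuer {claims['issuer']!r} does not match the configured IdP Issuer URI")
    if claims["signature_alg"] is None:
        problems.append("assertion carries no signature")
    elif claims["signature_alg"] not in SHA256_SIGNATURE_ALGS or claims["digest_alg"] != SHA256_DIGEST_ALG:
        problems.append("signature must use SHA-256 for both the signature and digest method")
    if not claims["name_id"]:
        problems.append("Subject NameID (the user's unique ID) is missing")
    emails = claims["attributes"].get(EMAIL_ATTR, [])
    # Uniqueness across users is a property of your directory; a single assertion can
    # only be checked for exactly one well-formed address.
    if len(emails) != 1 or "@" not in emails[0]:
        problems.append("exactly one email address attribute is required")
    return problems


def profile_from_claims(claims):
    """What the portal can populate from the assertion; when first or last name is
    absent the page says the user is prompted for them on first login."""
    attrs = claims["attributes"]
    first = (attrs.get(FIRST_NAME_ATTR) or [None])[0]
    last = (attrs.get(LAST_NAME_ATTR) or [None])[0]
    return {
        "unique_id": claims["name_id"],
        "email": (attrs.get(EMAIL_ATTR) or [None])[0],
        "first_name": first,
        "last_name": last,
        "needs_name_prompt": not (first and last),
    }
```

Running `check_requirements` over a captured assertion from the IdP's test tenant is a quick way to see, before opening a ticket, whether a failed login is a missing attribute mapping, an Issuer URI mismatch or an IdP still signing with SHA-1.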