Configuring SAML Single Sign On

Using SAML, you own the entire login process, and your advocate will never see the Influitive login screen when trying to access your AdvocateHub. Attempts to access the AdvocateHub sign-in page are redirected to your company website, where advocates sign in. If they have previously signed into your website and a cookie exists in their browser, the AdvocateHub verifies their login with your website behind the scenes; the advocate is verified automatically and directed into your AdvocateHub. It is important to understand that once this is set up, anybody in your system can access and sign up to the hub.
Note: For corporate users, you will need to create their accounts in the hub first with a matching email address under Settings > System > User Management. Once the administrator account is created through the hub, that administrator should be able to log in through your SSO page.

Authentication Flow

Influitive offers IdP- and SP-initiated SSO with SAML 2.0. Let's have a look at the general flow of how we expect this to work:
  1. The user requests access to a protected SP resource (Influitive Side). The request is redirected to the federation server to handle authentication (Your Side).
  2. If the user is not already logged on to the IdP site or if reauthentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
  3. Information about the user may be retrieved from the user data store for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP)
  4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
An example in our case would be the following: the advocate attempts to access a resource on the SP (<yourhub>.influitive.com). However, they do not have a current login session on this site, and their federated identity is managed by their IdP. So they are sent to the IdP to log on (the Endpoint URL), and the IdP provides a SAML web SSO assertion for the user's federated identity back to the SP.
For this specific use case, the HTTP Redirect Binding is used to deliver the SAML <AuthnRequest> message to the IdP and the HTTP POST Binding is used to return the SAML <Response> message containing the assertion to the SP.

Configuring your IdP (Identity Provider)

You must send the following attributes to us in order for us to identify the user who is trying to log in:
  • First Name
  • Last Name
  • Email Address
  • Company (Optional)
  • Title (Optional)
Although it is not an attribute, note that if you are using the optional "Audience" tags, you must include Influitive-AdvocateHub as a valid audience.
The attributes should be located in the assertion and be in the following format:
<saml:AttributeStatement>
         <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
         </saml:Attribute>
</saml:AttributeStatement>
Direct the user to this URL:
  • https://yourhub.influitive.com/saml/consume

Note: This should always be your subdomain and not your custom domain


Configuring your AdvocateHub

Navigate to Settings > System > Login/Security and scroll down to the Single Sign-On section. Select the Single Sign-On radio button, select the SAML radio button for SSO Type, and then fill out these three fields:
  • SSO Endpoint URL or IdP Endpoint URL - This is the URL of the login screen of your portal.
  • SSO Sign out URL - This is the URL the advocate is sent to when signing out (optional).
  • SSO Fingerprint/Thumbprint - You need to create an SSL certificate with which your IdP signs its SAML responses (the certificate that appears in the <X509Certificate> element of the response below), and then get the SHA1 or SHA256 fingerprint/thumbprint of that certificate.

Metadata & Response

You can access your metadata by navigating to <yourhub>.influitive.com/saml/metadata. It should look something like the following:

<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor ID='_3414ef40-e3c3-0133-63bb-22000b76a0ca' entityID='Influitive-AdvocateHub' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
   <md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='true' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
      <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
      <md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://<hub-name>.influitive.com/saml/consume' index='0' isDefault='true'/>
   </md:SPSSODescriptor>
</md:EntityDescriptor>

Influitive expects a SAML assertion that looks like this:

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://YOURHUB.influitive.com/saml/consume" ID="A GUID" IssueInstant="CURRENT UTC TIME" Version="2.0" InResponseTo="ID of Influitive SAMLRequest">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <!-- URI is "#" followed by the ID of the element this signature covers (here the Response's ID) -->
         <Reference URI="#A GUID">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>The DigestValue</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>The SignatureValue</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509Certificate>The X509Cert</X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion ID="A SECOND GUID" IssueInstant="CURRENT UTC TIME" Version="2.0">
      <saml:Issuer>{Name of the Issuer. Shouldn't really matter}</saml:Issuer>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="Influitive-AdvocateHub">example@gmail.com</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE" Recipient="https://{YOURHUB}.influitive.com/saml/consume" InResponseTo="ID of Influitive SAMLRequest" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="CURRENT UTC TIME" NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE">
         <saml:AudienceRestriction>
            <saml:Audience>Influitive-AdvocateHub</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="CURRENT UTC TIME">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response>
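As an added example that is not part of Influitive's documentation or code, the Python below checks a SAML Response against the requirements this article states (Destination on the hub subdomain, the Influitive-AdvocateHub audience with any SP Issuer Suffix, the NotBefore/NotOnOrAfter window, and the three required attributes) and computes the SHA1/SHA256 fingerprint of a PEM certificate for the SSO Fingerprint/Thumbprint field. The hub name acme, the sample Response and the sample certificate are constructed; the XML signature itself is not verified here, which needs an XML-DSig library.

```python
import base64, hashlib, re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
REQUIRED_ATTRS = {"FirstName", "LastName", "Email"}  # attributes the hub needs to identify a user


def parse_time(s):
    # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text, hub_subdomain, issuer_suffix="", now=None):
    """Return the list of problems found; an empty list means the Response fits the documented shape."""
    now = now or datetime.now(timezone.utc)
    acs = f"https://{hub_subdomain}.influitive.com/saml/consume"  # the subdomain, never a custom domain
    problems = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs:
        problems.append(f"Destination must be {acs}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no saml:Assertion"]
    conds = assertion.find("saml:Conditions", NS)
    if conds is None or not (parse_time(conds.get("NotBefore")) <= now < parse_time(conds.get("NotOnOrAfter"))):
        problems.append("outside the NotBefore/NotOnOrAfter window")
    audiences = {e.text for e in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)}
    if "Influitive-AdvocateHub" + issuer_suffix not in audiences:
        problems.append("Audience does not include Influitive-AdvocateHub" + issuer_suffix)
    names = {e.get("Name") for e in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    for missing in sorted(REQUIRED_ATTRS - names):
        problems.append(f"missing attribute {missing}")
    return problems


def cert_fingerprint(pem, algo="sha256"):
    """Fingerprint of a PEM certificate (hash of its DER bytes) in the colon-separated form IdPs display."""
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    return ":".join(f"{b:02X}" for b in hashlib.new(algo, der).digest())


# Constructed sample (not a real Response): unsigned, so only the fields above are checked; Email is missing.
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
 Destination="https://acme.influitive.com/saml/consume"><saml:Assertion ID="_a1" Version="2.0">
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:01:00Z">
  <saml:AudienceRestriction><saml:Audience>Influitive-AdvocateHub</saml:Audience></saml:AudienceRestriction>
 </saml:Conditions><saml:AttributeStatement>
  <saml:Attribute Name="FirstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement></saml:Assertion></samlp:Response>"""
```

Running `check_response(SAMPLE, "acme", now=parse_time("2024-01-01T00:00:30Z"))` reports only the missing Email attribute; pass `issuer_suffix` when your hub uses a SAML SP Issuer Suffix.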

SSO Registration Path

The SSO Registration Path field can be used if you would like to enter another URL which an Advocate can use to sign up for an account on your portal. In this case, after attempting to access the hub URL, the Advocate is directed to a page where they are given the option to either sign in to your portal or create an account in your portal. So the URL you enter in this field would be the one where a user would usually create an account for your portal. This is completely optional; leaving it blank means the option will not be given to the Advocate.

SAML SP Issuer Suffix

The SAML SP Issuer Suffix field comes into play if you have multiple AdvocateHubs. Typically the issuer is set to 'Influitive-AdvocateHub'; however, it needs to be unique, so if you are configuring SSO on your second hub you cannot re-use 'Influitive-AdvocateHub'. When configuring your second hub, you can add a suffix to the end of this value to make it unique; this can be anything you like. You then just need to enter the suffix you have chosen into this field and you should be all set.
