Configuring SAML Single Sign On

  1. Authentication Flow
  2. Configuring your IdP (Identity Provider)
  3. Configuring your AdvocateHub
  4. Metadata and Response
  5. SSO Registration Path
  6. SAML SP Issuer Suffix
  7. Common Issues & Errors
Using SAML, you own the entire login process, and your advocate will never see the Influitive login screen when trying to access your AdvocateHub. Attempts to access the AdvocateHub sign-in page are redirected to your company website where advocates sign in. If they've previously signed into your website and a cookie exists on their browser, then the AdvocateHub will verify their login with your website behind the scenes. In that case the advocate will be automatically verified and directed into your AdvocateHub. It is important to understand that once this is setup, anybody in your system can access and sign up to the hub.
Note: For corporate users, you will need to create their accounts in the hub first with a matching email address under Settings > System > User Management. Once the administrator account is created through the hub, that administrator should be able to login through your SSO page.

Authentication Flow

Influitive offers SP Initiated SSO SAML 2.0. Let's have a look at the general flow of how we expect this to work;
  1. The user requests access to a protected SP resource (Influitive Side). The request is redirected to the federation server to handle authentication (Your Side).
  2. If the user is not already logged on to the IdP site or if reauthentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
  3. Information about the user may be retrieved from the user data store for inclusion in the SAML response. (These attributes are predetermined as part of the federation agreement between the IdP and the SP)
  4. The IdP’s SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to the SP.
An example;
An example in our case would be the following: The advocate attempts to access a resource on the SP (<yourhub>.influitive.com). However, they do not have a current login session on this site and their federated identity is managed by their IdP. So, now they are sent to the IdP to log on (Endpoint URL) and the IdP provides a SAML web SSO assertion for the user's federated identity back to the SP.
For this specific use case, the HTTP Redirect Binding is used to deliver the SAML <AuthnRequest> message to the IdP and the HTTP POST Binding is used to return the SAML <Response> message containing the assertion to the SP.

Configuring your IdP (Identity Provider)

You must send the following attributes to us in order for us to identify the user who is trying to login:
  • First Name
  • Last Name
  • Email Address
  • Company (Optional)
  • Title (Optional)
Although not an attribute it is important to note if you are using the optional "Audience" tags, you must include Influitive-AdvocateHub as a valid audience
The attributes should be located in the assertion and be in the following format:
<saml:AttributeStatement>
         <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
         </saml:Attribute>
</saml:AttributeStatement>
Direct the user this URL
  • https://yourhub.influitive.com/saml/consume

Configuring your AdvocateHub

Navigate to Settings > System > Login/Security and scroll down to the Single Sign-On Section. Here you will need to select the Single Sign-On radio button, you will also select the SAML radio button for SSO Type and then fill out 3 fields
  • SSO Endpoint URL or IdP Endpoint URL - This is the URL of the login screen of your portal.
  • SSO Sign out URL - The is the URL where you would like the advocate to sign out (optional).
  • SSO Fingerprint/Thumbprint - You need to create a SSL certificate to sign your login page and then get your SHA1 or SHA256 fingerprint/thumbprint for that certificate.

Metadata & Response

You can access your metadata by navigating to <yourhub>.influitive.com/saml/metadata. It should look something like the below

<?xml version='1.0' encoding='UTF-8'?><md:EntityDescriptor ID='_3414ef40-e3c3-0133-63bb-22000b76a0ca' entityID='Influitive-AdvocateHub' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'><md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='true' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'><md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat><md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://<hub-name.influitive.com/saml/consume' index='0' isDefault='true'/></md:SPSSODescriptor></md:EntityDescriptor><br>

Influitive expects a SAML assertion that looks like this

<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://YOURHUB.influitive.com/saml/consume" ID="A GUID" IssueInstant="CURRENT UTC TIME" Version="2.0" InResponseTo="ID of Influitive SAMLRequest">
   <Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
      <SignedInfo>
         <CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
         <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
         <Reference URI="#_f44dfe01e93143d7b1e1b9e826ace708">
            <Transforms>
               <Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
            </Transforms>
            <DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
            <DigestValue>The DigestValue</DigestValue>
         </Reference>
      </SignedInfo>
      <SignatureValue>The SignatureValue</SignatureValue>
      <KeyInfo>
         <X509Data>
            <X509Certificate>The X509Cert</X509Certificate>
         </X509Data>
      </KeyInfo>
   </Signature>
   <samlp:Status>
      <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
   </samlp:Status>
   <saml:Assertion ID="A SECOND GUID" IssueInstant="CURRENT UTC TIME" Version="2.0">
      <saml:Issuer>{Name of the Issuer. Shouldn't really matter}</saml:Issuer>
      <saml:Subject>
         <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="Influitive-AdvocateHub">example@gmail.com</saml:NameID>
         <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE" Recipient="https://{YOURHUB}.influitive.com/saml/consume" InResponseTo="ID of Influitive SAMLRequest" />
         </saml:SubjectConfirmation>
      </saml:Subject>
      <saml:Conditions NotBefore="CURRENT UTC TIME" NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE">
         <saml:AudienceRestriction>
            <saml:Audience>Influitive-AdvocateHub</saml:Audience>
         </saml:AudienceRestriction>
      </saml:Conditions>
      <saml:AuthnStatement AuthnInstant="CURRENT UTC TIME">
         <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
         </saml:AuthnContext>
      </saml:AuthnStatement>
      <saml:AttributeStatement>
         <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
         </saml:Attribute>
         <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
            <saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
         </saml:Attribute>
      </saml:AttributeStatement>
   </saml:Assertion>
</samlp:Response><br>

SSO Registration Path

The SSO Registration Path field can be used if you would like to enter another URL which an Advocate can use to sign up to an account for your portal. In this case the Advocate will be directed to a page after attempting to access the hub URL where they will be given the option to either sign in to your portal or create an account in your portal. So the URL you would enter in this field would be the one where a user would usually create an account for your portal. This is completely optional and leaving this blank means the option will not be given to the Advocate.

SAML SP Issuer Suffix

The SAML SP Issuer Suffix field will come into play for you if you have multiple AdvocateHub's. Typically it is set to 'Influitive-AdvocateHub' however this needs to be unique so if you are configuring SSO on your second hub you cannot re-use 'Influitive-AdvocateHub'. When you are configuring your second hub you can add a suffix to the end of this to make it unique, this can be anything you like. You then just need to enter the Suffix you have chosen into this field and you should be all set.

Common Issues & Errors

Below are some issues and solutions to help you troubleshoot your configuration if you run into problems;

Error: "Current time is on or after NotOnOrAfter condition"

Explanation: The SAML assertion has a NotOnOrAfter timestamp that is earlier than the server clock of the SP (Influitive).
Action: Ensure the time and timezone settings are accurate in your IdP. Also, make sure the SAML assertion is fresh and that the NotOnOrAfter timestamp is not set to be too early in the future.

Error: "Current time is earlier than NotBefore condition"

Explanation: The SAML assertion has a NotBefore timestamp that is later than the clock of the SP (Influitive).
Action: Ensure the time and timezone settings are accurate in your Identity Provider and also make sure the NotBefore timestamp is not set in the future.

Error: "Fingerprint Mismatch"

Explanation: The certificate used to sign a SAML assertion didn't match with the uploaded certificate
Action: Make sure you uploaded the correct certificate and double check the fingerprint/thumbprint associated with it is correctly entered in the hub.

Still need help? Contact Us Contact Us