Overview
This article serves as a detailed manual for setting up SAML Single Sign-On (SSO) to ensure secure access to services through Influitive AdvocateHub. It covers the authentication flow, configuring the Identity Provider (IdP), AdvocateHub settings, handling metadata and responses, and the importance of the SAML SP Issuer Suffix and SSO Identifier Field. Additionally, it provides insights into mapping profile fields and syncing SAML Provider data with Influitive profile fields for a seamless user experience.
Information
Using SAML, you own the entire login process, and your advocates never see the Influitive login screen when accessing your AdvocateHub. Attempts to reach the AdvocateHub sign-in page are redirected to your company website, where advocates sign in. If they have previously signed in to your website and a cookie exists in their browser, the AdvocateHub verifies their login with your website behind the scenes; the advocate is then verified automatically and taken straight into your AdvocateHub. It is important to understand that once this is set up, anybody with an account in your system can sign up for and access the hub.
Note: For corporate users, you will need to create their accounts in the hub first with a matching email address under Settings > System > User Management. Once the administrator account is created through the hub, that administrator should be able to log in through your SSO page.
Note: Single Sign-on may not be available in your plan. Please contact your CSM to learn more.
Authentication Flow
- The user requests access to Influitive. The request is redirected to the Identity Provider to handle authentication.
- If the user is not already logged on to the IdP site or if reauthentication is required, the IdP asks for credentials (e.g., ID and password) and the user logs on.
- Information about the user may be retrieved from the user profile in the Identity Provider for inclusion in the SAML exchange. (These attributes are predetermined as part of the federation agreement between the IdP and the SP.)
- The IdP's SSO service returns a SAML response containing the authentication assertion and any additional attributes to Influitive, which then logs the user in.
Note: Influitive does support SP-Initiated SAML SSO.
Note: Influitive cannot act as the IdP.
Configuring your IdP (Identity Provider)
Configure your IdP to send the following user attributes in the SAML assertion:
- First Name
- Last Name
- Email Address (unique identifier by default; if you would like to use a different value to identify users, see the SSO Identifier Field section below)
- Company (optional)
- Title (optional)
<saml:AttributeStatement>
  <saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
The Assertion Consumer Service (ACS) URL to which your IdP must POST the SAML response is:
- https://yourhub.influitive.com/saml/consume
Note: If your Hub uses a custom domain, direct users to the custom domain URL instead:
- https://customdomain/saml/consume
Configuring your AdvocateHub
- SSO Endpoint URL or IdP Endpoint URL - This is the URL of the login screen of your portal.
- SSO Sign out URL - This is the URL to which you would like the advocate to be sent on sign-out (optional).
- IdP SLO Target URL (Identity Provider Single-Logout Target URL) - This allows the end user to log out of a single session and be automatically logged out of all related sessions that were established during SSO.
- SSO Fingerprint/Thumbprint - You need to create an SSL certificate to sign your login page and then obtain the SHA1 or SHA256 fingerprint/thumbprint of that certificate.
Metadata & Response
You can access your metadata by navigating to "<yourhub>.influitive.com/saml/metadata" or "<customdomain>/saml/metadata". It should look something like this:
<?xml version='1.0' encoding='UTF-8'?>
<md:EntityDescriptor ID='_3414ef40-e3c3-0133-63bb-22000b76a0ca' entityID='Influitive-AdvocateHub' xmlns:md='urn:oasis:names:tc:SAML:2.0:metadata'>
  <md:SPSSODescriptor AuthnRequestsSigned='false' WantAssertionsSigned='true' protocolSupportEnumeration='urn:oasis:names:tc:SAML:2.0:protocol'>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService Binding='urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST' Location='https://<hub-name>.influitive.com/saml/consume' index='0' isDefault='true'/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
Influitive expects a SAML assertion that looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" Destination="https://YOURHUB.influitive.com/saml/consume" ID="A GUID" IssueInstant="CURRENT UTC TIME" Version="2.0" InResponseTo="ID of Influitive SAMLRequest">
<Signature xmlns="http://www.w3.org/2000/09/xmldsig#">
<SignedInfo>
<CanonicalizationMethod Algorithm="http://www.w3.org/TR/2001/REC-xml-c14n-20010315" />
<!-- rsa-sha1 is what the original sample shows; SHA-1 signatures are deprecated, so prefer rsa-sha256 (with a sha256 DigestMethod) where both your IdP and the hub accept it -->
<SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1" />
<!-- the Reference URI must be "#" followed by the ID attribute of the element being signed, i.e. the Response's ID above -->
<Reference URI="#A GUID">
<Transforms>
<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
</Transforms>
<DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1" />
<DigestValue>The DigestValue</DigestValue>
</Reference>
</SignedInfo>
<SignatureValue>The SignatureValue</SignatureValue>
<KeyInfo>
<X509Data>
<X509Certificate>The X509Cert</X509Certificate>
</X509Data>
</KeyInfo>
</Signature>
<samlp:Status>
<samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success" />
</samlp:Status>
<saml:Assertion ID="A SECOND GUID" IssueInstant="CURRENT UTC TIME" Version="2.0">
<saml:Issuer>{Name of the Issuer. Shouldn't really matter}</saml:Issuer>
<saml:Subject>
<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" NameQualifier="Influitive-AdvocateHub">example@gmail.com</saml:NameID>
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE" Recipient="https://{YOURHUB}.influitive.com/saml/consume" InResponseTo="ID of Influitive SAMLRequest" />
</saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="CURRENT UTC TIME" NotOnOrAfter="CURRENT UTC TIME + 1 MINUTE">
<saml:AudienceRestriction>
<saml:Audience>Influitive-AdvocateHub</saml:Audience>
</saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="CURRENT UTC TIME">
<saml:AuthnContext>
<saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
</saml:AuthnContext>
</saml:AuthnStatement>
<saml:AttributeStatement>
<saml:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">John</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">Doe</saml:AttributeValue>
</saml:Attribute>
<saml:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
<saml:AttributeValue xsi:type="xs:string">johndoe@example.com</saml:AttributeValue>
</saml:Attribute>
</saml:AttributeStatement>
</saml:Assertion>
</samlp:Response>
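As an added example (not Influitive's code) of the checks a service provider applies to a Response shaped like the one above, the Python below compares the signing certificate's fingerprint with the SSO Fingerprint value configured in the AdvocateHub settings, and checks the Destination, the Audience, the NotBefore/NotOnOrAfter window and the required attributes. The hub name "yourhub", the sample Response and the stand-in certificate bytes are constructed for the example.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from datetime import datetime
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://yourhub.influitive.com/saml/consume"  # assumption: the hub is named "yourhub"
AUDIENCE = "Influitive-AdvocateHub"                      # entityID from the SP metadata above
REQUIRED_ATTRS = ("FirstName", "LastName", "Email")      # attributes the IdP must send
SAMPLE_CERT_B64 = base64.b64encode(b"constructed-not-a-real-certificate").decode()  # stand-in for a DER cert
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <Signature xmlns="http://www.w3.org/2000/09/xmldsig#"><KeyInfo><X509Data><X509Certificate>{SAMPLE_CERT_B64}</X509Certificate></X509Data></KeyInfo></Signature>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Subject><saml:NameID>johndoe@example.com</saml:NameID><saml:SubjectConfirmation
      Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
      Recipient="{ACS_URL}" NotOnOrAfter="2024-01-01T12:01:00Z"/></saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:01:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="FirstName"><saml:AttributeValue>John</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>johndoe@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def cert_fingerprint(cert_b64, algo="sha256"):
    """Colon-separated hex digest of the DER certificate, the form typed into SSO Fingerprint."""
    digest = hashlib.new(algo, base64.b64decode("".join(cert_b64.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def _ts(value):  # SAML timestamps are UTC ISO 8601 with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_response(xml_text, configured_fp, now_iso):
    """List the checks a Response fails; an empty list means it passed all of them."""
    root = ET.fromstring(xml_text)
    a = root.find("saml:Assertion", NS)
    if a is None:
        return ["no Assertion in Response"]
    cert = root.findtext(".//{http://www.w3.org/2000/09/xmldsig#}X509Certificate") or ""
    cond = a.find("saml:Conditions", NS)
    sent = {x.get("Name") for x in a.findall(".//saml:Attribute", NS)}
    checks = [
        (cert_fingerprint(cert).replace(":", "") == configured_fp.replace(":", "").upper(),
         "signing certificate fingerprint differs from the configured SSO Fingerprint"),
        (root.get("Destination") == ACS_URL, "Destination is not this hub's /saml/consume URL"),
        (a.findtext(".//saml:Audience", namespaces=NS) == AUDIENCE, "Audience is not Influitive-AdvocateHub"),
        (cond is not None and _ts(cond.get("NotBefore")) <= _ts(now_iso) < _ts(cond.get("NotOnOrAfter")),
         "now is outside the assertion's NotBefore/NotOnOrAfter window"),
        (set(REQUIRED_ATTRS) <= sent, "missing one of " + ", ".join(REQUIRED_ATTRS)),
    ]
    return [msg for ok, msg in checks if not ok]
```

Pass algo="sha1" to cert_fingerprint if the hub was configured with a SHA1 thumbprint. The XML signature itself is not verified here; a SAML library must do that before any of these values can be trusted.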
SAML SP Issuer Suffix
SSO Identifier Field
Note: If you want to enable this feature for your AdvocateHub, please reach out to support@influitive.com.
The SSO Identifier Field lets you specify an attribute other than 'Email' (the default) for identifying the user. This is useful if you have a stable ID on the SSO provider side that you would rather use as the unique identifier, since you know it will not change, whereas a user may update their email address with the SSO provider, which would lead to a duplicate account being created in Influitive.
Profile Field Mapping
You can now sync data from your SAML Provider into Influitive's Profile Fields.
Details that are entrusted to a SAML provider like Job Title, Company, and other identity-related information will be sent on every login through the SSO provider.
Customers have two options for the sync:
- One-time import - The field syncs when the member first joins
- Continuous pull - The field syncs each time the member logs in
As with Salesforce or Challenge profile field mapping, using the SAML field sync will overwrite any manually entered values and exclude those fields from other mappings.
Note: SSO parameter mappings are only possible for the SAML type of Single Sign-On.
FAQ
What is the role of the Identity Provider (IdP) in SAML SSO?
The IdP is central to the SSO process, handling authentication requests and sending the necessary attributes to the service provider to identify users trying to log in.
How do I configure my AdvocateHub for SAML SSO?
To configure your AdvocateHub, navigate to Settings > System > Login/Security, enable Single Sign-On, select the SAML SSO Type, and fill out the required fields as per the instructions provided in the article.
What is the SAML SP Issuer Suffix and why is it important?
The SAML SP Issuer Suffix is an identifier used in SAML transactions to ensure uniqueness, especially when managing multiple AdvocateHubs. It prevents the use of the same issuer suffix for more than one hub.
Can I use an attribute other than 'Email' for the SSO Identifier Field?
Yes, you can specify an alternative stable identifier from your SSO provider to uniquely identify a user, which helps prevent duplicate accounts in Influitive when a user's email address changes.
Is it possible to sync data from my SAML Provider with Influitive's Profile Fields?
Yes, you can sync details such as Job Title, Company, and other identity-related information from your SAML Provider into Influitive’s Profile Fields on every login through the SSO provider.