SAML 2.0

Overview

*In order to use SAML 2.0, you must have a full domain URL (www.myexamplestorefront.com); relative path URLs will not work. Please raise a ticket to have your binding and SSL certificate installed before the SAML 2.0 installation.

If you want to direct end users from a centralised third party system into your Infigo storefront using Single Sign On, making the experience as fluid and simple as possible for your customers, then our SAML 2.0 module might be the answer.

Security Assertion Markup Language 2.0 (SAML 2.0) is a version of the SAML standard for exchanging authentication and authorisation data between security domains. It is an XML-based protocol that uses security tokens (assertions) to pass information about a user between an Identity Provider (the third party system) and a Service Provider (your Infigo storefront). SAML 2.0 enables web-based, cross-domain single sign on (SSO), which reduces the administrative overhead of issuing separate logins for each system to all of your users.

Our Infigo SAML 2.0 module therefore requires SAML 2.0 support from the third party system, so you will need to check with their administrators first. It also requires that third party system to act as the Identity Provider; Infigo is the Service Provider. Our module makes the process of connecting the two sites as simple as possible through configuration and the support of our team.


Setup

The process of setting up the module is detailed below; the module can be found by searching "SAML" in the admin menu. NOTE: The SAML module is a paid module, so a ticket will need to be raised with our support team before using it.

Please do not be overwhelmed by the technical nature of setting up the SAML module; our skilled support team are here to hold your hand every step of the way.

1) We require the third party to provide us with their Identity Provider metadata XML.

2) Once this has been provided, our support team will use this information to set up the SAML configuration XML on our side.

3) We will provide a URL containing our SAML metadata, which we share with the third party system administrators. This is an XML file that they download and store at their end, and it establishes the connection between the two systems.

4) A user can be authenticated by either their email address or their username. Which one to use is generally decided by the content of the IdP XML provided in step one, but it can be discussed during setup, as it will also require some additional Infigo Customer settings to be made.

5) We set up the URL redirects for logging in (to the third party system's credentials pages) and logging out (where you want the customer to be sent once they log out of Infigo).


We support two "versions" of SSO through SAML. The default is that the end user enters the URL of the Infigo site in their browser and is redirected to the third party system to log in (where they use their normal centralised login credentials); once successful, they are redirected straight back to Infigo and automatically logged in with their account.

The second is that the end user doesn't really know the Infigo site URL and instead originates from the third party system. They log in to that third party system and from within it they are shown a link to access the Infigo site, where they are seamlessly logged in.

Both approaches are fine and supported; they just require some configuration adjustments on both ends.

If possible, it would be hugely beneficial, both for the setup process and for supporting the module going forward, if we were provided with our own third party system login so that we can test and troubleshoot the SSO process directly.


Passing additional Information

Although the SAML 2.0 module exists to authenticate and authorise users, we now also support passing additional customer information from the third party system within the SAML request. This way you can ensure that when customer details change in the third party system, they are also updated in your Infigo site the next time the customer logs in through SAML.

Below is a list of all the customer information we allow to be passed as part of the SAML request:

  • Title
  • First name
  • Last name
  • Email
  • Company
  • Address 1
  • Address 2
  • Town/City
  • Region
  • Country
  • ZipPostalCode
  • Phone
  • Fax
  • Custom 1
  • Custom 2
  • Custom 3

NOTE: These all need to be passed as SAML attributes. The names of the SAML attributes can all be mapped within our module, and this will be done by our support team as part of the setup.

As part of this configuration, we also allow you to decide which of the additional information should be applied once (when the customer first logs in and a customer is created in Infigo for them) or every time they log in (for information that you want to ensure stays up to date from the third party system).


Assigning customers to a Department or Customer Role

Lastly, we also support automatically assigning customers to either a Department or a list of Customer Roles.

We understand that in many scenarios you will want to provide different levels of access to different customers that are logged in or created from the third party system through SAML. Therefore, via an additional SAML attribute passed in the request XML, we can set up a mapping that adds that customer to either a single Department (by Name or by our Infigo Department ID) or to a number of Customer Roles (a comma-delimited list of Customer Role names).

Then all you need to do is have all the Access Permission rules set up against those Departments or Customer Roles beforehand, and the user will adopt them when they are added on registration or at their next login.

*Note: we can only accept one user group attribute from your IdP. If you need to pass more than one group, they need to be sent in one attribute, comma separated.
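To illustrate how the attribute mapping, the "once" versus "every login" policy and the comma-delimited roles attribute described above fit together, here is an added example; it is not Infigo's module code. The IdP attribute names, the policy sets and the sample assertion are all constructed for the illustration, and the snippet assumes the assertion's signature has already been validated by the SAML library before its attributes are read.

```python
# Added illustration (not Infigo's code): map SAML attributes from an
# assertion to storefront customer fields, honouring a per-field
# "once" vs "every login" policy and the comma-delimited roles attribute.
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical mapping (IdP attribute name -> Infigo field), as support would configure it.
ATTRIBUTE_MAP = {
    "mail": "Email",
    "givenName": "First name",
    "sn": "Last name",
    "o": "Company",
    "infigoRoles": "Customer Roles",
}
# Fields refreshed on every login; every other mapped field is set only at first login.
UPDATE_EVERY_LOGIN = {"Company", "Customer Roles"}


def parse_attributes(assertion_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return attrs


def map_to_customer(attrs, first_login):
    """Apply the mapping; roles arrive as ONE attribute holding a comma-separated list."""
    customer = {}
    for idp_name, field in ATTRIBUTE_MAP.items():
        if not attrs.get(idp_name):
            continue  # attribute absent or empty: leave the stored value untouched
        if not first_login and field not in UPDATE_EVERY_LOGIN:
            continue  # "once" fields are not overwritten on later logins
        raw = attrs[idp_name][0]
        if field == "Customer Roles":
            customer[field] = [r.strip() for r in raw.split(",") if r.strip()]
        else:
            customer[field] = raw
    return customer


# Constructed sample assertion fragment (signature omitted; assumed already verified).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="o"><saml:AttributeValue>Example Ltd</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="infigoRoles"><saml:AttributeValue>Approvers, Buyers</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling map_to_customer(parse_attributes(SAMPLE), first_login=False) yields only the Company and Customer Roles fields, showing why the "every login" set should contain exactly the fields you want the IdP to keep authoritative.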
