Skip to main content
Eptura Knowledge Center

Set up SAML in Serraview Configuration

  1. Last updated
  2. Save as PDF

Update the SAML Configuration

If you are updating the SAML Configuration, then we recommend that you complete the following incase you need to rollback.
  1. Retain a copy of the existing metadata file.
  2. Update to the new metadata file.
  3. Check that the users can log via SSO.
  4. If you users can't login via SSO, then you will need to rollback to the old metadata file. This way your users can login while our Support team helps you troubleshoot the issue.

Create the SAML Configuration

The following steps need to be completed to set up the configuration.

Step 1. Client IT to send the Serraview Support team your SAML metadata file

For the Serraview Support team to assist with SSML configuration, the Client IT team must send them the following file:

  • Generate and send Serraview the Client’s SAML metadata file.

Step 2. Configure the SAML settings in Serraview

The Serraview Support team will complete the configuration.

  1. Sign into https://[client_instance].serraview.com using a Serraview account (non-SAML).

  2. Navigate to Configuration > General.
  3. Select SAML.
  4. Modify the SAML configuration as required. This area contains the configuration settings required to enable SAML. Most of these options are completed by the Client as the Identity Provider (IdP), but some are populated by Serraview as the Service Provider (SP).

Important notes:

  • Make changes carefully because this configuration will impact the user's ability to access Serraview.
  • When you enable SSO, make sure you have completed all the fields as they can't be blank.

Field

Description

Enable SSO

Check the Enable SSO check box to enable SAML Authentication.
When SSO is Enabled, users will see an additional button on the Login Page to Login using SAML. Although not explicitly configured, the SAML Name ID Attribute must be configured at the IdP to a value that uniquely identifies a user. This is often an email address or an employee number which already exists in Serraview as a part of people data.

The Name ID attribute is crucial for functionality of SAML in Serraview. This is the identifying attribute for a user. Make sure that this is configured at the IdP to a uniquely identifying attribute.

SSO Name

In the SSO Name field, enter an end-user friendly name that displays on the SSO Login button on the login page.
For example, "My Company SSO Login" in the screenshot below.

clipboard_e8143d802387ce4c30552e00bea3f189a.png
 

SAML Issuer

In the SAML Issuer field enter the unique identifier of the IdP.

Identity Provider SSO Service URL

In the Identity Provider SSO Service URL field, enter the Assertion Consumer Service (ACS) URL. SAML requests will be directed to this ACS.

SSO Service Binding

From the SSO Service Binding type drop down select either:

  • HTTP-POST
  • HTTP-Redirect

This attribute specifies the transport binding to use when Serraview sends authentication requests to your IdP.

Identity Provider Certificate

In the Identity Provider Certificate field enter the public certificate.

The public certificate used by the Serraview SP to verify the signature/decrypt messages received from your IdP.

Sign Authentication Request

This indicates if requests made by the Serraview SP should be signed by the SP based on what your IdP is expecting.

Verify SAML Response Signature

This indicates if your IdP SAML Response Signature must be verified by Serraview when it is received. We recommend this be used for increased security protection.

Verify SAML Assertion Signature

This indicates if your IdP SAML Assertion Signature on SAML assertion must be verified. We recommend this be used for increased security protection. Note: The IdP SAML Assertion Signature is configured as enabled on IdP by default.

Verify SAML Assertion Encryption

This indicates if the Serraview SP decrypts the SAML assertion from your IdP. We recommend this be used for increased security protection.
Note to enable this the IdP must be configured to encrypt the SAML assertion on the Client's end or it will fail to decrypt on the Serraview end.

First Name Attribute

In the First Name Attribute field, enter a value that is the name of the SAML assertion attribute identifying the First Name of the user.

Last Name Attribute

In the Last Name Attribute field, enter a value that is the name of the SAML assertion attribute identifying the Last Name of the user.

Email Attribute

In the Email Attribute field, enter a value that is the name of the SAML Assertion attribute that will be used to identify the email address of the user.

First Name, Last Name, Email Attribute will be used to automatically create a person record in Serraview in instances where an IdP authenticated person does not have a person record in Serraview.

Service Provider Identifier

Display Only - This contains the unique identifier to the Serraview SP instance.
 

Serraview SSO URL

Display Only - This contains the URL to the Serraview Assertion Consumer Service, used by IdP to send SAML responses.

Serraview Certificate

Display Only - This contains the Serraview application's public key used by the IdP to verify Serraview signature/decrypt SAML responses.

Serraview Certificate Signature Method

From the Serraview Certificate Signature Method drop-down select either:

  • SHA1
  • SHA256

This is the encryption method used to sign the Serraview SAML request. This matches the signature method in Serraview certificate. The value can be various based on the security requirement from your IdP. Whilst Serraview supports both SHA1 and SHA256, by default, Serraview generates the certificates of SHA256 signature method.

Force SSO

For more information, refer to the Do you want to force SSO? section below.

5. Click the Update button.

Step 3. Serraview Support team to send the SAML metadata file

  • We will generate and send the Client their SAML metadata file.

Step 4. Optional - Set up the Force SSO

After you are certain that all the setup has completed correctly and checked by the Serraview Support team, then you can select the Force SSO option. This means:

  • Only SAML is used for authentication.
  • Users will no longer be able to log into Serraview via the normal Username/Password method.
  • When the user browses to the login page (https://[client_instance].serraview.com) they will automatically be directed to the SAML Login process and, if authenticated successfully, Serraview opens to them a moment later (they do not see a login screen).

For a user to successfully sign in with the Login Identifier (e.g. logon name, email address, employee number), the identifier needs to match what is in Serraview with what is in the Identity Provider(IdP) server on the client's side. If these do not match, a successful login token cannot be given to the user and the error message "Login Identifier is not provided for user" displays.

For more information on how to set the Login Identifier in Serraview, see Configure Default User Role and the Logon Identifier.