Set up custom User Authentication using via SAML-based SSO
** Configuring a new SSO in Centercode using SAML 2.0 will require a level of technical expertise. We strongly encourage you to maintain contact with the correct IT team in your organization; typically the same team you’d go for help with your company user account. Centercode Support will also be available for supplementary configuration assistance.
1. Preparing for SSO Configuration
When seeking to configure SSO for your Centercode site, there are three key steps starting with configuring your Identity Provider (IDP - the system that controls your user accounts) to allow Centercode as a Service Provider (SP). The actual steps to configuring your IDP depends on the provider you use. Review the information below when configuring your IDP and ensure the expected Attributes (values provided to Centercode from your account system) are accounted for.
Most fields in the configuration below are required, and most will require collaboration with the technical contact responsible for SSO configurations or managing your Identity Provider system. Please review the fields below and seek assistance as necessary. For a better understanding of each field’s purpose, please see below:
- Name - The internal name for the Single Sign On being created/configured. This is also used as an identifier in the SSO configuration.
- IDP Gateway - The URL of the page the user will use to enter their credentials and log in.
- IDP Issuer - The entity identifier of the site that facilitates the login.
- ACS Signing Certificate Public Key - The certificate that your Identity Provider will use to digitally sign the SAML Response.
- IDP to SP Binding (IDP Initiated) - Defaulted to POST, Centercode supports HTTP POST from when the user starts with your Identity Provider and is sent to Centercode as the Service Provider.
- SP to IDP Binding (SP Initiated) - Centercode supports either HTTP Redirect or HTTP POST when the user is sent from the Centercode platform to your Identity Provider for login.
- Alternate Logout URL (Optional) - If a user should be logged out of their global account when logging out of Centercode, define the address that the user will be sent to. Use %ReturnToURL% to bring the user back to the Centercode landing page.
- Alternate Profile Edit URL - By design, user account settings under SAML can’t be adjusted within Centercode because they’re provided by the IdP. However, this link would be presented to your users as a shortcut to your “update my account” page. Use %ReturnToURL% to link back to this site.
- Alternate Login Label - This is the text shown to users on the Centercode landing page which links to your SSO login page.
Schema / Attribute Configuration
These attributes are required by Centercode. If your Identity Provider isn’t able to send any of these attributes, we’ll ask the user for them directly.
- Username - the SAML attribute name that maps to Username within Centercode. This is used as an alias so users can be identified in collaborative places (ex: feedback, discussions). Must be unique
- Email Address - the SAML attribute name that maps to Email Address in Centercode. Email Address is the most common binding value between two account systems. Must be unique
- First Name - the SAML attribute name that maps to First Name in Centercode.
- Last Name - the SAML attribute name that maps to Last Name in Centercode.
Schema Options (per attribute):
- User can upgrade from this field - When enabled, if a preexisting Centercode account matches email address of a new account coming from the Identity Provider, the Centercode account will upgrade to an SSO account. When disabled, the incoming account will be rejected due to conflict.
- Provider must supply this value - When enabled, the IdP system is required to provide this attribute. If one of these fields is not available from the IdP, this option should be disabled so incoming users can supply the value. If enabled, users will not be able to change the value provided. If enabled but not provided by the IdP, the user won’t be able to enter the Centercode platform using SSO.
2. Configuring Centercode
To begin configuring Centercode for SSO, you’ll need to login to your Centercode portal as a Community Manager and navigate to User Authentication Management (Community Tools -> Configuration -> User Authentications). From here:
- Click Add a New Authentication System
- Select SAML2 from the the Type drop down menu
- You’ll see the list of fields appear. Complete the form as appropriate
Make sure the Certificates match between your IdP and your Centercode configuration!
- Select an EA Foundation Team
- The EA Foundation Team will be applied to every user when entering your portal via this SSO method.
- We recommend that you create a default SAML SSO team and segment incoming users (based off of criteria of your choice) via automated Notice Macro.
- Click Submit to finish creation of your Single Sign On.
3. Providing Metadata to Your IT
Now that your Single Sign On has been created, the next step is to gather the metadata and present it to your IT contact. To gather the metadata information:
- Navigate into the User Authentication Management page
- Hover over the desired SSO configuration
- Click the Metadata icon
- Copy the entirety of the text on this page and send it to your IT contact.
- They’ll use the information contained within the metadata to configure the Identity Provider side of the SSO equation.
Finalizing Your SSO
Once the metadata is configured, the next step is to enable the SSO method for testing. The best way to do this is to enable the SSO without hiding your local login functions:
- Navigate into the User Authentication Management page
- Click the Centercode authentication method
- Under the Alternate Login section, select Local and Remote Logins from the dropdown list
- Click Submit to add an SSO link to your site’s Login page
- Log out of Centercode and click your new SSO Login link on the top-right of your login page
If you run into any issues while configuring SSO or have any questions, let us know! We’d be happy to guide you through this process and address any questions you may have. You can schedule a coaching call with us here.
Adding SSO to an Existing Community
When updating an existing Centercode Community to utilize a new SSO authentication method, you need to ensure that accounts present in both systems can be combined and Centercode account activity and history is not lost. To accomplish this goal, perform the following steps:
- To bind accounts, you must determine (or establish) a unique identifier between the two systems - Email Address. Inform your users to ensure the email address they use in your IdP system matches the email address they’re using for Centercode before they log in through SSO for the first time. This can be done in either system as long as they match. Logins without matching information will create new accounts, leaving the Centercode-only account behind (requiring merging of the accounts, done manually).
- When users log in through SSO, non-SSO user accounts will need to merge into the new SSO accounts. To do this, you’ll adjust the SSO configuration by selecting User Can Upgrade From This Field for the Email Address attribute. Centercode will use the Email Address attribute to match users’ accounts together, allowing them to use SSO to log into what was previously a Centercode account.
- If Username is not provided by the Identity Provider, users may find that their desired username conflicts with one already in the Centercode system.
If Username is provided by the Identity Provider and the provided Username conflicts with a non-SSO account, users may encounter an error when logging in. This may require additional action on the IDP side (change the username within the IDP).