User Tools

Site Tools



en:single_sign_on_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
en:single_sign_on_configuration [2026/05/06 14:44] – created ergoen:single_sign_on_configuration [2026/06/16 11:35] (current) – [Table] toomas
Line 9: Line 9:
   * Your IdP's SAML configuration details (Login URL, Metadata URL)   * Your IdP's SAML configuration details (Login URL, Metadata URL)
  
-===== Step 1: Open the SAML SSO Configuration =====+===== Step 1: Configure Your Identity Provider ===== 
 + 
 +Before configuring Directo, you need to register Directo as a Service Provider (SP) in your Identity Provider. Use the following values: 
 + 
 +^ Parameter                                         ^ Value                                                                                                                                                                                                                                                                                                                                                                                                      ^ 
 +| **Reply URL / ACS (Assertion Consumer Service)**  | ''https://login.directo.ee/api/saml/callback''                                                                                                                                                                                                                                                                                                                                                             | 
 +| **Entity ID / Identifier**                        | The default value is https://login.directo.ee/api/saml/callback. The SAML SSO Entity ID (or Identifier) is a unique identifier for the Identity Provider (IdP) or Service Provider (SP). If the system-provided default value is not suitable, industry best practice is to use a unique URL in URI format or a designated URN. :!: **It must be strictly unique within the system (Identity Provider)!** 
 +| **Name ID format**                                | ''urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'' (if using Email mapping) or ''urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'' (if using Username mapping)                                                                                                                                                                                                                               | 
 + 
 +**Where to configure:** 
 +  * **Microsoft Entra ID**: Azure Portal → Enterprise Applications → New Application → Create your own application → Integrate any other application (Non-gallery) → Single sign-on → SAML → Basic SAML Configuration → Edit 
 +  * **Okta**: Applications → Create App Integration → SAML 2.0 → Configure SAML → General settings 
 +  * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Add app → Add custom SAML app → Service provider details 
 + 
 +:!: **Important:** The Reply URL / ACS and Entity ID values must match exactly, including the protocol (https) and path. Mismatched values will cause authentication failures. 
 + 
 +===== Step 2: Open the SAML SSO Configuration =====
  
 Navigate to the SAML SSO configuration page in Directo. You will see a list of existing IdP configurations, or an empty list if none have been configured yet. Navigate to the SAML SSO configuration page in Directo. You will see a list of existing IdP configurations, or an empty list if none have been configured yet.
  
-===== Step 2: Create a New Configuration =====+From the main menu: Settings -> Common Settings -> SSO Saml Login settings. Or use the search feature. 
 + 
 +===== Step 3: Create a New Configuration =====
  
   - Click the **Add new** button.   - Click the **Add new** button.
   - You will be taken to the IdP configuration form.   - You will be taken to the IdP configuration form.
  
-{{<add_new_button_img_here>}}+{{:et:ergo20260506-150112.png}}
  
-===== Step 3: Fill in the Button Title =====+===== Step 4: Fill in the Button Title =====
  
 Enter a descriptive name in the **Button title** field. This is the label that will appear on the SSO login button on the Directo login page (e.g., "Login with Azure AD" or "Company SSO"). Enter a descriptive name in the **Button title** field. This is the label that will appear on the SSO login button on the Directo login page (e.g., "Login with Azure AD" or "Company SSO").
  
-{{<button_title_field_img_here>}} +===== Step 5: Configure the IdP Settings =====
- +
-===== Step 4: Configure the IdP Settings =====+
  
 ==== Login URL (required) ==== ==== Login URL (required) ====
Line 32: Line 48:
 Enter the **Login URL** (also known as SSO URL or SAML Endpoint) from your Identity Provider. This is the endpoint where Directo sends SAML authentication requests. Enter the **Login URL** (also known as SSO URL or SAML Endpoint) from your Identity Provider. This is the endpoint where Directo sends SAML authentication requests.
  
-{{<login_url_field_img_here>}}+{{:et:ergo20260506-150907.png}}
  
 **Where to find it:** **Where to find it:**
Line 38: Line 54:
   * **Okta**: Applications → Your App → Sign On tab → Identity Provider Single Sign-On URL   * **Okta**: Applications → Your App → Sign On tab → Identity Provider Single Sign-On URL
   * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Your App → SSO URL   * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Your App → SSO URL
- 
-{{<idp_login_url_img_here>}} 
  
 ==== Logout URL (optional) ==== ==== Logout URL (optional) ====
  
 Enter the **Logout URL** (also known as SLO URL or Single Logout Endpoint). This enables single logout — when a user logs out of Directo, they are also logged out of the IdP session. Enter the **Logout URL** (also known as SLO URL or Single Logout Endpoint). This enables single logout — when a user logs out of Directo, they are also logged out of the IdP session.
- 
-{{<logout_url_field_img_here>}} 
  
 **Where to find it:** Look for "SLO URL", "Logout URL", or "Single Logout Endpoint" in the same section as the Login URL in your IdP. **Where to find it:** Look for "SLO URL", "Logout URL", or "Single Logout Endpoint" in the same section as the Login URL in your IdP.
- 
-{{<idp_logout_url_img_here>}} 
  
 ==== Metadata URL (required) ==== ==== Metadata URL (required) ====
  
 Enter the **Metadata URL** that points to your IdP's SAML metadata XML document. This URL contains the IdP's signing certificates, endpoints, and other configuration details. Enter the **Metadata URL** that points to your IdP's SAML metadata XML document. This URL contains the IdP's signing certificates, endpoints, and other configuration details.
- 
-{{<metadata_url_field_img_here>}} 
  
 **Where to find it:** **Where to find it:**
Line 62: Line 70:
   * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Your App → Download metadata (use the URL, not the file)   * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Your App → Download metadata (use the URL, not the file)
  
-{{<idp_federation_metadata_url_img_here>}}+{{:et:ergo20260506-150829.png}}
  
-===== Step 5: Configure Name ID Mapping =====+(Azure SSO pictured above) 
 + 
 +===== Step 6: Configure Name ID Mapping =====
  
 Under **SAML Name ID Mapping**, select how the IdP identifies users: Under **SAML Name ID Mapping**, select how the IdP identifies users:
Line 73: Line 83:
 Choose the option that matches how your IdP is configured to send the Name ID claim. Choose the option that matches how your IdP is configured to send the Name ID claim.
  
-{{<name_id_mapping_field_img_here>}}+===== Step 7: Save the Configuration =====
  
-===== Step 6Save the Configuration =====+{{:et:ergo20260506-150533.png}}
  
 Click **Save**. If you provided a Metadata URL, Directo will automatically import the IdP's signing certificates during the first save. Click **Save**. If you provided a Metadata URL, Directo will automatically import the IdP's signing certificates during the first save.
  
-{{<save_button_img_here>}} +===== Step 8: Manage Certificates =====
- +
-===== Step 7: Manage Certificates =====+
  
 After saving, the **Trusted Certificates** section appears below the form. This section shows the signing certificates imported from your IdP's metadata. After saving, the **Trusted Certificates** section appears below the form. This section shows the signing certificates imported from your IdP's metadata.
  
-{{<certificates_section_img_here>}}+{{:et:ergo20260506-151935.png}}
  
 ==== Importing Certificates ==== ==== Importing Certificates ====
Line 91: Line 99:
   * Certificates are automatically imported from the Metadata URL on first save.   * Certificates are automatically imported from the Metadata URL on first save.
   * To manually import or re-import certificates, click **Import from Metadata URL**.   * To manually import or re-import certificates, click **Import from Metadata URL**.
- 
-{{<import_certificates_button_img_here>}} 
  
 ==== Certificate Rollover ==== ==== Certificate Rollover ====
Line 112: Line 118:
 | **Expires** | The certificate's expiration date. A warning icon appears if the certificate has expired. | | **Expires** | The certificate's expiration date. A warning icon appears if the certificate has expired. |
  
-===== Step 8: Test the Configuration =====+===== Step 9: Test the Configuration =====
  
   - Open the Directo login page in a new browser window or incognito/private window.   - Open the Directo login page in a new browser window or incognito/private window.
Line 118: Line 124:
   - Click the button and verify that you are redirected to your IdP's login page.   - Click the button and verify that you are redirected to your IdP's login page.
  
-{{<login_page_sso_button_img_here>}}+{{:et:ergo20260506-152053.png}} 
 + 
 +{{:et:ergo20260506-152359.png}}
  
   - After authenticating with the IdP, you should be redirected back to Directo and logged in.   - After authenticating with the IdP, you should be redirected back to Directo and logged in.
Line 135: Line 143:
  
 :!: **Warning:** Deleting an IdP configuration will immediately prevent users from logging in via that SSO method. :!: **Warning:** Deleting an IdP configuration will immediately prevent users from logging in via that SSO method.
 +
 +:!: **Warning:** If you have enabled "Only configured SSO SAML methods can be used for authentication" and you delete all login methods you can lock yourself out of your application.
 +
 +{{:et:ergo20260506-152859.png}}
  
 ===== Troubleshooting ===== ===== Troubleshooting =====
en/single_sign_on_configuration.1778067869.txt.gz · Last modified: 2026/05/06 14:44 by ergo

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki