User Tools

Site Tools



en:single_sign_on_configuration

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision
Previous revision
en:single_sign_on_configuration [2026/05/06 15:29] ergoen:single_sign_on_configuration [2026/06/16 11:35] (current) – [Table] toomas
Line 9: Line 9:
   * Your IdP's SAML configuration details (Login URL, Metadata URL)   * Your IdP's SAML configuration details (Login URL, Metadata URL)
  
-===== Step 1: Open the SAML SSO Configuration =====+===== Step 1: Configure Your Identity Provider ===== 
 + 
 +Before configuring Directo, you need to register Directo as a Service Provider (SP) in your Identity Provider. Use the following values: 
 + 
 +^ Parameter                                         ^ Value                                                                                                                                                                                                                                                                                                                                                                                                      ^ 
 +| **Reply URL / ACS (Assertion Consumer Service)**  | ''https://login.directo.ee/api/saml/callback''                                                                                                                                                                                                                                                                                                                                                             | 
 +| **Entity ID / Identifier**                        | The default value is https://login.directo.ee/api/saml/callback. The SAML SSO Entity ID (or Identifier) is a unique identifier for the Identity Provider (IdP) or Service Provider (SP). If the system-provided default value is not suitable, industry best practice is to use a unique URL in URI format or a designated URN. :!: **It must be strictly unique within the system (Identity Provider)!** 
 +| **Name ID format**                                | ''urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress'' (if using Email mapping) or ''urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified'' (if using Username mapping)                                                                                                                                                                                                                               | 
 + 
 +**Where to configure:** 
 +  * **Microsoft Entra ID**: Azure Portal → Enterprise Applications → New Application → Create your own application → Integrate any other application (Non-gallery) → Single sign-on → SAML → Basic SAML Configuration → Edit 
 +  * **Okta**: Applications → Create App Integration → SAML 2.0 → Configure SAML → General settings 
 +  * **Google Workspace**: Admin Console → Apps → Web and mobile apps → Add app → Add custom SAML app → Service provider details 
 + 
 +:!: **Important:** The Reply URL / ACS and Entity ID values must match exactly, including the protocol (https) and path. Mismatched values will cause authentication failures. 
 + 
 +===== Step 2: Open the SAML SSO Configuration =====
  
 Navigate to the SAML SSO configuration page in Directo. You will see a list of existing IdP configurations, or an empty list if none have been configured yet. Navigate to the SAML SSO configuration page in Directo. You will see a list of existing IdP configurations, or an empty list if none have been configured yet.
Line 15: Line 31:
 From the main menu: Settings -> Common Settings -> SSO Saml Login settings. Or use the search feature. From the main menu: Settings -> Common Settings -> SSO Saml Login settings. Or use the search feature.
  
-===== Step 2: Create a New Configuration =====+===== Step 3: Create a New Configuration =====
  
   - Click the **Add new** button.   - Click the **Add new** button.
Line 22: Line 38:
 {{:et:ergo20260506-150112.png}} {{:et:ergo20260506-150112.png}}
  
-===== Step 3: Fill in the Button Title =====+===== Step 4: Fill in the Button Title =====
  
 Enter a descriptive name in the **Button title** field. This is the label that will appear on the SSO login button on the Directo login page (e.g., "Login with Azure AD" or "Company SSO"). Enter a descriptive name in the **Button title** field. This is the label that will appear on the SSO login button on the Directo login page (e.g., "Login with Azure AD" or "Company SSO").
  
-===== Step 4: Configure the IdP Settings =====+===== Step 5: Configure the IdP Settings =====
  
 ==== Login URL (required) ==== ==== Login URL (required) ====
Line 58: Line 74:
 (Azure SSO pictured above) (Azure SSO pictured above)
  
-===== Step 5: Configure Name ID Mapping =====+===== Step 6: Configure Name ID Mapping =====
  
 Under **SAML Name ID Mapping**, select how the IdP identifies users: Under **SAML Name ID Mapping**, select how the IdP identifies users:
Line 67: Line 83:
 Choose the option that matches how your IdP is configured to send the Name ID claim. Choose the option that matches how your IdP is configured to send the Name ID claim.
  
-===== Step 6: Save the Configuration =====+===== Step 7: Save the Configuration =====
  
 {{:et:ergo20260506-150533.png}} {{:et:ergo20260506-150533.png}}
Line 73: Line 89:
 Click **Save**. If you provided a Metadata URL, Directo will automatically import the IdP's signing certificates during the first save. Click **Save**. If you provided a Metadata URL, Directo will automatically import the IdP's signing certificates during the first save.
  
-===== Step 7: Manage Certificates =====+===== Step 8: Manage Certificates =====
  
 After saving, the **Trusted Certificates** section appears below the form. This section shows the signing certificates imported from your IdP's metadata. After saving, the **Trusted Certificates** section appears below the form. This section shows the signing certificates imported from your IdP's metadata.
Line 102: Line 118:
 | **Expires** | The certificate's expiration date. A warning icon appears if the certificate has expired. | | **Expires** | The certificate's expiration date. A warning icon appears if the certificate has expired. |
  
-===== Step 8: Test the Configuration =====+===== Step 9: Test the Configuration =====
  
   - Open the Directo login page in a new browser window or incognito/private window.   - Open the Directo login page in a new browser window or incognito/private window.
en/single_sign_on_configuration.1778070555.txt.gz · Last modified: 2026/05/06 15:29 by ergo

Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki