Single Sign-on

Updated: Feb 14, 2017

SmartKey accounts can be integrated with third-party Single Sign-on (SSO) providers. When an account is configured for SSO, users in that account can log in with their SSO credentials. Currently, the only supported SSO mechanism is SAML.

Configuring a SAML provider

To enable SAML for your account, first obtain the Identity Provider (IdP) metadata XML file from your IdP. Then, as the account administrator, go to the Single Sign-On tab on the Account Settings page. Click Enable, upload or paste the SAML IdP metadata, and click Save. The IdP must meet the requirements set forth below; the SSO configuration page will tell you whether the provided IdP metadata is compatible.

SAML Identity Provider requirements

In order to use a SAML IdP with SmartKey, the IdP must:

  • Adhere to SAML 2.0, Web Browser SSO profile
  • Use one or more signing keys specified as an X.509 certificate
  • Use the urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress name format
  • Accept the HTTP-POST binding for authentication requests
  • Not require signed authentication requests
  • Use the HTTP-POST binding for responses
  • Sign responses, assertions, or both
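
The following script is an added example, not SmartKey's own compatibility check: it parses an IdP metadata file and reports which of the requirements above it fails, so you can catch an incompatible IdP before uploading the metadata (and before risking the lock-out described below). The two metadata documents and the certificate placeholder inside them are constructed for the example. Note that the last two requirements (POST binding for responses, signed responses or assertions) are IdP-side behaviour that is not expressed in IdP metadata, so they have to be confirmed in the IdP's own configuration.

```python
# Added example (not SmartKey code): pre-flight check of SAML IdP metadata
# against the requirements listed above. Run it on metadata from your own IdP.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"


def check_idp_metadata(xml_text):
    """Return a list of problems found in the IdP metadata; [] means compatible.

    Only the requirements that are visible in IdP metadata are checked. Whether
    the IdP signs its responses/assertions and posts them with the HTTP-POST
    binding is configured on the IdP and cannot be verified here.
    """
    problems = []
    root = ET.fromstring(xml_text)
    idp = root.find(".//md:IDPSSODescriptor", NS)
    if idp is None:
        return ["no IDPSSODescriptor element found"]

    # SAML 2.0: the descriptor must advertise the SAML 2.0 protocol.
    protocols = idp.get("protocolSupportEnumeration", "").split()
    if SAML2_PROTOCOL not in protocols:
        problems.append("IdP does not advertise the SAML 2.0 protocol")

    # Signing keys: at least one KeyDescriptor usable for signing
    # (use="signing" or no use attribute) that carries an X.509 certificate.
    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            if cert.text and cert.text.strip():
                signing_certs.append(cert.text.strip())
    if not signing_certs:
        problems.append("no signing key given as an X.509 certificate")

    # NameID format: the emailAddress format must be offered.
    formats = [e.text.strip() for e in idp.findall("md:NameIDFormat", NS) if e.text]
    if EMAIL_NAMEID not in formats:
        problems.append("emailAddress NameID format not supported")

    # Request binding: an SSO endpoint that accepts HTTP-POST must exist.
    post_endpoints = [
        s.get("Location")
        for s in idp.findall("md:SingleSignOnService", NS)
        if s.get("Binding") == POST_BINDING
    ]
    if not post_endpoints:
        problems.append("no SingleSignOnService endpoint with the HTTP-POST binding")

    # Signed requests: the IdP must not demand signed AuthnRequests.
    if idp.get("WantAuthnRequestsSigned", "false").lower() in ("true", "1"):
        problems.append("IdP requires signed authentication requests")

    return problems


# Constructed sample metadata (not from any real IdP). The certificate body is
# a placeholder string, not a real X.509 certificate.
GOOD_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </KeyDescriptor>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso/redirect"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/sso/post"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# An incompatible variant: Redirect-only endpoints, persistent NameIDs, and a
# demand for signed requests. Derived from the good document for brevity.
BAD_METADATA = (
    GOOD_METADATA
    .replace("bindings:HTTP-POST", "bindings:HTTP-Redirect")
    .replace("nameid-format:emailAddress", "nameid-format:persistent")
    .replace("<IDPSSODescriptor ", '<IDPSSODescriptor WantAuthnRequestsSigned="true" ')
)

if __name__ == "__main__":
    for label, doc in (("good", GOOD_METADATA), ("bad", BAD_METADATA)):
        print(label, "->", check_idp_metadata(doc) or "compatible")
```

Run it against the metadata file you intend to upload (`check_idp_metadata(open("idp.xml").read())`); an empty list means the metadata-visible requirements are met. The check only covers the metadata; the IdP's actual signing behaviour still needs to be verified by logging in from a separate browser session, as described in the warning below.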

Warning: administrator lock-out

If the SSO mechanism is misconfigured, you will not be able to log in to your account. When updating the SSO configuration, test logging in from a separate session without logging out of your current session or letting it expire, so that you can still revert the change if the test fails. The most convenient way to test is with a different browser or a private browsing session.

Multiple accounts

Different accounts might have different SSO providers. As such, a user can be in multiple accounts with different SSO providers. Such a user will need to select which SSO provider to use during the login process. When switching accounts, a user might need to reauthenticate to satisfy the new account’s authentication requirements.