Using single sign-on (SAML) with SolveBio

Single sign-on is a feature for enterprise SolveBio accounts. SolveBio supports SAML authentication and is compatible with many identity providers such as OneLogin, Ping Identity, Ping Federate, Okta, Bitium, Centrify, Clearlogin, and Auth0. To get started, you’ll need to configure a SolveBio SSO connection with your identity provider.

SAML SSO must be enabled by SolveBio Support. Please email support@solvebio.com for more information.

To configure your own identity provider (IdP) solution, use the following parameters:

  • SolveBio supports IdP-initiated flow and SP-initiated flow. For SP-initiated login, go to: https://<accountdomain>.solvebio.com
  • SSO post-back URL (also known as the Assertion Consumer Service URL): https://<accountdomain>.solvebio.com/api/auth/saml/acs
  • Entity ID and/or Audience: https://<accountdomain>.solvebio.com/
  • SAML Logout Endpoint: https://<accountdomain>.solvebio.com/api/auth/logout

Replace <accountdomain> with the unique subdomain for your account.


The following attributes and settings must be configured for your SAML ACS request:

NameID (i.e. username)

We require that the NameID contain the user’s email address or some other unique identifier that stays persistent (it must not change for a given user over time). Please verify that your NameID format matches the example included below.

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="accountdomain.solvebio.com"
                 SPNameQualifier="https://www.solvebio.com/">Your Unique Identifier</saml:NameID>
</saml:Subject>

Email Attribute (Required)

<saml:Attribute Name="email"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">user@youremail.com</saml:AttributeValue>
</saml:Attribute>

Full Name Attribute (Optional)

<saml:Attribute Name="full_name"
                NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml:AttributeValue xsi:type="xs:anyType">Full Name</saml:AttributeValue>
</saml:Attribute>

X.509 Certificates (Required)

SolveBio requires that the SAML response be signed. You will need to provide a valid X.509 certificate (PEM format) so that SolveBio can verify that responses were signed by your IdP. This certificate must be securely provided to SolveBio Support. In return, SolveBio will provide you with an SP certificate.

End-to-End Encryption Key (Optional)

If you require an end-to-end encryption key with your IdP, SolveBio Support can optionally provide one to you.


User Provisioning & Deprovisioning

Provisioning — SolveBio supports Just-in-Time provisioning, which allows your users to create new accounts on the fly when they first try to log in to SolveBio using SSO. When they log in for the first time using their SSO credentials, an account will automatically be created for them using their IdP username, email, and full name.

Users provisioned through SAML SSO will not be able to set a password or log in with their username and password, unless your account has been configured to allow this.

Deprovisioning – If a user has left your team and you'd like to revoke their login access, an Admin or Owner will need to disable their account via the Team Settings page in SolveBio. SolveBio does not currently support automatic deprovisioning through your IdP.
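The following is an added example, not SolveBio code and not part of the original article. It is a small, standard-library-only checker an IdP administrator can run against a SAML response captured from a test login to confirm it meets the requirements listed above: a persistent, non-empty NameID, an Audience equal to the account's Entity ID, a required email attribute, and the presence of a signature. It also extracts the three fields that Just-in-Time provisioning uses (NameID, email, full_name). The sample response, the account domain "example", and all identifier values are constructed for this example; the signature check only confirms that a ds:Signature element exists and does not verify it cryptographically (that requires an XML-DSig library and the IdP certificate).

```python
"""Sanity-check a SAML Response against the SolveBio requirements described on this page.

Added example; standard library only. The sample response below is constructed and is
not a real SolveBio or IdP message. Signature *presence* is checked, not validity.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample (assumed account domain: "example"); not a captured real response.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    ID="_constructed-response-1" Version="2.0">
  <saml:Assertion ID="_constructed-assertion-1" Version="2.0">
    <ds:Signature><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
          NameQualifier="example.solvebio.com"
          SPNameQualifier="https://www.solvebio.com/">user-123</saml:NameID>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>https://example.solvebio.com/</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:anyType">user@youremail.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="full_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <saml:AttributeValue xsi:type="xs:anyType">Full Name</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def expected_audience(account_domain):
    """Entity ID / Audience value as listed in the SP parameters on this page."""
    return f"https://{account_domain}.solvebio.com/"


def _attributes(assertion):
    """Map Attribute Name -> first AttributeValue text (stripped)."""
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    return attrs


def check_response(xml_text, account_domain):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no saml:Assertion element in response"]

    # The page requires the response to be signed; accept a Signature on the
    # Response or on the Assertion. Presence only: real verification needs XML-DSig.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("response is not signed (no ds:Signature element)")

    # NameID must exist, be non-empty, and use the persistent format.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("NameID missing or empty")
    elif name_id.get("Format") != PERSISTENT:
        problems.append(f"NameID Format is {name_id.get('Format')!r}, expected persistent")

    # Audience must match the account's Entity ID exactly (trailing slash included).
    audience = assertion.find("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
    want = expected_audience(account_domain)
    if audience is None or (audience.text or "").strip() != want:
        problems.append(f"Audience missing or not equal to {want}")

    # email attribute is required; full_name is optional and not checked.
    attrs = _attributes(assertion)
    if not attrs.get("email"):
        problems.append("required attribute 'email' missing or empty")
    elif "@" not in attrs["email"]:
        problems.append("'email' attribute value does not look like an email address")
    return problems


def extract_profile(xml_text):
    """Fields a Just-in-Time provisioning step would consume; full_name may be None."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    attrs = _attributes(assertion)
    return {
        "name_id": (name_id.text or "").strip(),
        "email": attrs.get("email"),
        "full_name": attrs.get("full_name"),
    }


if __name__ == "__main__":
    print("problems:", check_response(SAMPLE_RESPONSE, "example"))
    print("profile:", extract_profile(SAMPLE_RESPONSE))
```

Running the module prints an empty problem list for the constructed sample; pointing it at a response whose Audience, NameID format, or email attribute is wrong produces a one-line description of each mismatch, which is usually enough to locate the IdP setting that needs correcting.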
