SAML SSO
Last updated
Last updated
The SAML SSO (Security Assertion Markup Language Single Sign-On) app allows users to log into Eliona using various SSO providers, including Microsoft ADFS. This setup streamlines authentication by using a single set of credentials.
Note: This section is relevant only if you previously used the ADFS app and are upgrading to Eliona v13.2 or later. If you're installing Eliona for the first time, you can skip this section.
Before Eliona v13.2, the "ADFS" app was used to provide Single Sign-On (SSO) for Azure. Starting with v13.2, Eliona introduces support for a broader range of Identity Providers, fully implementing the SAML SSO protocol. As a result, the "ADFS" app has been replaced by the new "SAML SSO" app.
Important: ADFS login will stop working after upgrading to Eliona v13.2. To restore SSO functionality, follow these steps:
Install the SAML SSO app.
Verify the configuration of the SAML SSO app. It should automatically detect and apply the previous ADFS configuration. (The configurations of both apps should appear similar.)
In your Azure configuration, update the Reply URL to:
https://{your-eliona-domain.com}/apps-public/saml-sso/saml/acs
Ensure that the Entity ID in your Azure configuration matches the one specified in the SAML SSO app.
Once these steps are complete, test the login process to confirm that SSO is working as expected. After successful verification, you can safely remove the ADFS app.
The SAML 2.0 Service Provider is configured by defining one or more authentication credentials:
id
Configuration Id. Can only be 1
enable
If the configuration is enabled or not
serviceProviderCertificate
The Certificate of this SAML Service Provider (SP). Can be a self-signed x509 certificate.
serviceProviderPrivateKey
The Private Key matching the Certificate of this SAML Service Provider (SP). DO NOT use RSA key length lower than 2048
idpMetadataUrl
The Metadata URL of the Identity Provider (IdP) if available. Otherwise use the metadataXml to provide Metadata of IdP directly and leave this null
idpMetadataXml
Provide the IdP Metadata XML directly, if you do not have the idpMetadataUrl accessible
ownUrl
The own URL of this Eliona instance
userToArchive
If enabled, the newly created user is archived and cannot log in until an admin has activated it
allowInitializationByIdp
Allow IdP-initiated assertions
signedRequest
If the SP should make a signed SAML Authn-Request or not
forceAuthn
Normally this value is set to false for an SP. If set to true the user has to re-authenticate (login at IdP) even if it has a valid session to the IdP
entityId
Unique identifier URI, typically based on tenant's domain. Normally, the default value can be left as it is
loginFailedUrl
The URL to redirect to if the login failed. If this value is null the default page /noLogin will be shown
The configuration is done via a corresponding JSON structure. As an example, the following JSON structure can be used to define an endpoint for app permissions:
Configurations can be created using this structure in Eliona under Apps > SAML SSO App > Settings. To do this, select the /configs endpoint with the POST method.
For detailed configuration steps, refer to your SSO provider's documentation.
To configure Microsoft ADFS specifically, follow these steps:
Register a New App in Azure
Go to the Azure portal.
Navigate to Azure Active Directory > App registrations > New registration.
Enter your application name and redirect URI (e.g., https://customer.eliona.cloud/apps-public/saml-sso/, platform Web).
Click Register.
Configure SAML-based SSO
In the App registrations, select your application.
Under Manage, go to Single sign-on.
Select SAML as the single sign-on method.
Set Up Basic SAML Configuration
Identifier (Entity ID): Set this to a unique URI, typically based on your tenant's domain, or other verified domain. For example, https://yourtenant.onmicrosoft.com/your-app-id. Does not have to correspond to the actual Eliona instance domain. Can be also set using manifest field "identifierUris".
Reply URL (Assertion Consumer Service URL): This is the URL where Azure AD will send the SAML responses. For example, https://customer.eliona.cloud/apps-public/saml-sso/saml/acs. Found under Authentication -> platform configurations.
Sign-on URL: The URL where users can sign in to your application.
Upload the Public Key Certificate
Under SAML Signing Certificate, upload the public key certificate from the Eliona SAML SSO App.
Locate Configuration Data
Find the Application (client) ID and Directory (tenant) ID on the app's Overview page.
Configure ADFS Settings in Eliona
MS Log-in: Activate the log-in button "via Microsoft" by setting the configuration as "Enabled".
Metadata URL: Enter the Metadata URL from your Microsoft Azure account (found under app registration -> Endpoints).
The metadata XML file contains all the necessary configuration details like endpoints and certificate information. The URL is typically: https://login.microsoftonline.com/{tenant-id}/FederationMetadata/2007-06/FederationMetadata.xml - Replace {tenant-id} with your actual tenant ID.
Own URL: Enter your Eliona system URL (e.g., https://customer.eliona.cloud).
Certificate: Can be a self-generated certificate.
For detailed steps on how to register an app in Azure, refer to the official Microsoft documentation.
