Administration User Single Sign-On (SSO)

Note: This section documents the set up of Single Sign-On (SSO) for Symbee Connect Company Administration Users into the Administration Portal, not SSO for your end users/agents when accessing the Symbee Connect desktop UI for contact servicing. For details on set up of Single Sign On for your end users/agents when accessing the Symbee Connect desktop UI, refer to the Configuring Single Sign-on (SSO) for Users and Agents Guide.

Overview

Your Symbee Connect Administration Portal supports single-sign-on for administration users using their credentials stored in your corporate directory if your corporate directory supports the Security Assertion Markup Language (SAML).

In SAML terms, the Administration Portal is a SAML 2.0 compliant Service Provider, and can be configured to integrate with any SAML 2.0 compliant Identity Provider (IdP). For example: Azure AD, ADFS, OKTA, Shibboleth, OneLogin, Duo, etc.

The Administration Portal supports the following SAML user flows:

  • Service-Provider (SP) initiated SSO - a login started from the Symbee Connect Administration Portal by clicking the Corporate Login Login button on the login page
  • Identity Provider (IdP) initiated SSO - a login started from an Identity Provider Application portal first
  • Identity Provider (IdP) initiated Single Logout (SLO) - when the user logs out of their Identity Provider, they will also be logged out of the Symbee Connect Administration Portal

Note: While SAML supports it, Symbee Connect (intentionally) does not support Single Log Out in the reverse direction - logging out of the Symbee Connect Administration Portal does not log the user out of their Identity Provider.

Specific Characteristics of Symbee Connect Admin Portal SAML 2.0 Support

The below notes are provided to assist when integrating your SAML compliant IdP with the Symbee Connect Administration Portal:

  • The Symbee Connect Portal SAML support requires all SAML communication to be over HTTPS. HTTP is not supported (this includes both the SAML Authentication Requests sent from Symbee Connect to the IdP and the return SAML Assertion Responses sent back from the IdP to Symbee Connect)
  • The Symbee Connect Portal SAML integration does not support SAML Response Payload encryption at this time. (Note: from the first point, all SAML responses from the IdP will already be encrypted at the Transport layer). Therefore there is no need to provide/configure your IdP Private Key in the Symbee Connect Portal SAML Settings (you still have to provide the Public Cert used for SAML Request signing)
  • The Symbee Connect Portal SAML support is driven off the SAML NameID (the value of the <saml:Assertion ...><saml:Subject><saml:NameID>). The value from the NameID is matched against the UserId of Admin Users defined in the Symbee Connect Administration Portal.
  • Beyond the above NameID requirement, no other specific SAML Attributes or Claims are required.

Accessing Administration Portal SSO Settings

The Administration Portal Single Sign-on settings are configured within your Symbee Connect Administration Portal, from the Company Administration menu located on the left of the top navigation bar, under Security Settings.

Note: The Single Sign-on settings view is only available to Administration Users with a Role of Administrator.

Administration Portal SSO configuration is Region based. If you have Environments in multiple regions, access the Administration Portal in the appropriate region to view and configure your Company SSO settings in that region.

Single Sign-on Settings Details

The Single Sign-On configuration is grouped under the following Sections:

Single Sign-On Enablement

These settings control the overall Administration Portal Single Sign-on directory integration behavior.

Single Sign-On Enabled

Once you have configured your Directory integration below, this setting enables or disables the overall Single Sign-On functionality.

Single Sign-On Login Required (password-based access disabled)

With Single Sign-On enabled, this setting controls whether your Administration users are required to use Single Sign-On. If enabled, Symbee Connect Administration Portal managed passwords are disabled, and users can only log in with their corporate directory credentials. This setting intentionally does not effect users set with the Administrator role. This is to allow Administrators to log in using a Symbee Connect maintained password to gain access and maintain these Single Sign-On settings if needed.

Your Endpoint Details (used for configuration in your Identity Provider)

The (read-only) values provided in these fields define the SAML Service Provider details of you Administration Portal. Use these values when configuring your Administration Portal to/within your Identity Provider.

Service Provider SAML Audience Entity ID

This is the Entity ID your Symbee Connect Connect Administration Portal is known as from a SAML Service Provide perspective. Copy this value and configure it in your Identity Provider (IdP). Depending on your IdP, this value might be referred to as terms like: Service Provider (or SP) Identifier or Entity ID, or SAML Audience Identifier, or Audience URI.

Service Provider Assertion Consumer Service (ACS) URL

This is the URL your Identity Provider (IdP) needs to send SAML Assertions to. Copy this value and configure it in your IdP. Depending on your IdP, this value might be referred to as terms like: Reply URL, Assertion Consumer Service (ACS) URL, or Single Sign-On URL.

Service Provider Single Logout (SLO) URL

Optional. This is the URL your Identity Provider (IdP) needs to send Single Logout requests to, if your IdP supports Single Logout (SLO). Copy this value and configure it in your IdP. Depending on your IdP, this value might be referred to as terms like: Logout URL, or Single Logout URL.

Your Identity Provider (SAML IdP) Details

Identity Provider Description

Optional. For your documentation purposes only, you can provide a description for your current IdP configuration below.

Identity Provider Entity Identifier

The unique identifier of the matching Application configured in your IdP. This must be a URI. Copy this value from your IdP configuration and paste it here. Depending on your IdP, this value might be referred to as terms like: Azure AD Identifier, Identity Provider Issuer, or Issuer URL.

Identity Provider Single Sign-On Request URL

The URL that Authentication requests from your Symbee Connect Administration Portal need to be sent to your IdP on. Copy this value from your IdP configuration and paste it here. Depending on your IdP, this value might be referred to as terms like: Login URL, IdP Single Sign-On URL, or IdP SAML Endpoint.

Identity Provider Single Logout Response URL

Optional. Leave blank if your IdP does not support Single Logout (SLO). The URL that Single Logout responses back to your IdP need to be sent to. Copy this value from your IdP configuration and paste it here. Depending on your IdP, this value might be referred to as terms like: Logout URL, or IdP SLO Endpoint.

Identity Provider Metadata URL (if available)

If your IdP publishes its SAML Metadata configuration as a reachable URL, copy this URL from your IdP configuration and paste it here. Otherwise leave blank.

Identity Provider Signing Certificate

Download your Identity Provider's x509 Base64 encoded certificate used for signing SAML messages, and paste the content of the certificate here. When downloading the certificate from your IdP, if a format option is available, choose the Base64 option.

For reference, the content of the certificate will start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".


Step by Step setup instructions for common Identity Providers

See the following links for step by step instructions to configure some of the common Identity Providers: