Oomnitza supports Security Assertion Markup Language (SAML) 2.0 for Single Sign On (SSO).
When you activate the SAML SSO integration, users can sign in to their Oomnitza instance using SAML.
Before you start
You will need:
- Your SSO URL
- Your certificate
- (Optional): SP (Service Provider) certificate with a public key and private key
SSO URL
The SSO URL of the identity provider (IdP).
Certificate
Your IdP certificate.
Information for configuring IdP
The information that you provide to create an SSO certificate depends on your identity provider (IdP). When generating the SSO certificate in the IdP, ensure that you supply the following service provider (SP) base URL: https://{instance-name}.oomnitza.com and the following SP endpoint URL: https://{instance-name}.oomnitza.com/saml/consume.
Active Directory Federation Services (ADFS) has the following types of X.509 certificates:
- Service communication
- Token decrypting
- Token signing
For ADFS, you must select the token-signing certificate.
(Optional): SP (Service Provider) certificate with a public key and private key
Encrypting the SAML assertion is optional but provides an additional layer of security for the information contained within the assertion. However, even if the assertion is not encrypted, there is still privacy protection through the use of transport layer security (TLS) during the transmission of the SAML data.
To encrypt the SAML assertion, you can generate a key pair and upload it to Oomnitza either during or after enabling the SAML SSO integration.
The key pair can be generated using the following commands:
openssl genrsa -out rsaprivatekey.pem 2048
This command generates a 2048-bit RSA private key and saves it in the file 'rsaprivatekey.pem'. Keep this file confidential; it is the key that decrypts the assertions.
openssl req -new -x509 -days 365 -key rsaprivatekey.pem -out rsacert-${INSTANCE}.pem
This command generates a self-signed X.509 certificate containing the public key that matches the RSA private key. The certificate is valid for 365 days and is saved in the file 'rsacert-${INSTANCE}.pem'.
Note: ${INSTANCE} in the second command is a placeholder that should be replaced with the appropriate instance name.
Creating the integration
- Log into Oomnitza and select Configuration > Integrations.
- Click the Block view.
- On the Integrations page, scroll down to the SSO Integrations and click the SAML tile.
- On the CONNECT page, enter the SSO URL of the identity provider (IdP).
- Upload your IdP certificate.
- (Optional). Upload the SP certificate with the public key ("rsacert-${INSTANCE}.pem") and the SP certificate with the private key ("rsaprivatekey.pem").
- JIT Provisioning: JIT provisioning automatically creates a user account when first-time users log in. Otherwise, you must manually create a user account for each new user in Oomnitza. If you select JIT Provisioning, you must also supply the following:
  - Default Role - The default Oomnitza role assigned to the imported or JIT-provisioned users at the time their account is created.
  - Name Identifier - The method used to identify the imported or JIT-provisioned user. Oomnitza supports two types of name ID policies:
    - Email address, such as myname@oomnitza.com.
    - Unspecified, which means that the Name ID can be in any format, such as myname. Check with your IdP, as some IdPs don't allow unspecified name IDs.
- SSO only: Select this option if you wish to prevent standard authentication to Oomnitza. This option will remove the username/password option and require that users log in exclusively through SSO. We suggest that you do not select this option until you have tested the SSO feature and verified it works correctly.
- Enable multifactor authentication. Select this option to add a layer of protection to the sign-in process. When accessing Oomnitza, the user will need to provide additional identity verification, such as entering a code received by phone.
- Click FINISH at the bottom right to save.
- Verify that SSO is successful by clicking on the Single Sign-On (SSO) option in your Oomnitza instance.
Tip
You can use the Validate SAML Response tool to validate SAML Responses, their signatures, and their data.
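The following is an added example, not Oomnitza's code and not the Validate SAML Response tool itself. It shows the content checks a service provider performs on a SAML Response before trusting it: the Destination and Recipient must equal the SP endpoint URL from the "Information for configuring IdP" section (https://{instance-name}.oomnitza.com/saml/consume), the NameID must use one of the two name ID policies listed under JIT Provisioning, and the validity window must contain the current time. Treating the SP base URL as the expected Audience is an assumption, and the IdP URL and timestamps in the sample Response are constructed. Signature verification is left to an XML-DSig library because it needs the IdP certificate uploaded in the CONNECT step; this example only confirms a signature element is present.

```python
# Added example (not Oomnitza's code): content checks on a SAML Response.
import xml.etree.ElementTree as ET  # prefer defusedxml in production to block entity expansion
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# The two Name ID policies the page says Oomnitza supports.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
ALLOWED_NAMEID_FORMATS = {NAMEID_EMAIL, NAMEID_UNSPECIFIED}


def _utc(ts):
    """Parse a whole-second UTC SAML timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, instance, now, clock_skew=timedelta(minutes=5)):
    """Return a list of problems; an empty list means every content check passed.

    Signature verification is not done here: it needs an XML-DSig library
    (for example xmlsec) plus the IdP certificate uploaded in the CONNECT step.
    """
    base_url = f"https://{instance}.oomnitza.com"      # SP base URL (page)
    acs_url = f"{base_url}/saml/consume"               # SP endpoint URL (page)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['samlp']}}}Response":
        return ["root element is not a samlp:Response"]

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    # The Response must have been addressed to this SP's consume endpoint.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != {acs_url!r}")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    a = assertions[0]
    if a.find("ds:Signature", NS) is None and root.find("ds:Signature", NS) is None:
        problems.append("no XML signature on Response or Assertion")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    elif name_id.get("Format", NAMEID_UNSPECIFIED) not in ALLOWED_NAMEID_FORMATS:
        problems.append(f"unsupported NameID Format {name_id.get('Format')!r}")

    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("missing SubjectConfirmationData")
    else:
        if scd.get("Recipient") != acs_url:
            problems.append(f"Recipient {scd.get('Recipient')!r} != {acs_url!r}")
        if scd.get("NotOnOrAfter") and now - clock_skew >= _utc(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData expired")

    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now + clock_skew < _utc(nb):
            problems.append("assertion not yet valid (NotBefore)")
        if noa and now - clock_skew >= _utc(noa):
            problems.append("assertion expired (NotOnOrAfter)")
        audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if base_url not in audiences:  # assumption: Audience is the SP base URL
            problems.append(f"Audience {audiences!r} does not include {base_url!r}")
    return problems


def sample_response(instance="acme", destination=None, audience=None,
                    not_before="2024-01-01T12:00:00Z", not_on_or_after="2024-01-01T12:05:00Z"):
    """Constructed sample Response: fictional IdP, empty ds:Signature placeholder."""
    base = f"https://{instance}.oomnitza.com"
    destination = destination or f"{base}/saml/consume"
    audience = audience or base
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{destination}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <ds:Signature/>
    <saml:Subject>
      <saml:NameID Format="{NAMEID_EMAIL}">myname@oomnitza.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{destination}" NotOnOrAfter="{not_on_or_after}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


SAMPLE_NOW = datetime(2024, 1, 1, 12, 2, 0, tzinfo=timezone.utc)  # inside the sample window

if __name__ == "__main__":
    print("good:", check_saml_response(sample_response(), "acme", SAMPLE_NOW))
    print("wrong instance:", check_saml_response(sample_response(), "other", SAMPLE_NOW))
```

Running the module prints an empty problem list for the well-formed sample and three mismatches (Destination, Recipient, Audience) when the same Response is checked against a different instance name, which is the failure you would expect to see if the IdP was configured with the wrong SP URLs. The five-minute clock skew allowance mirrors the tolerance most SPs apply; tighten it if the IdP and Oomnitza are both NTP-synchronised.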