SAML Single Sign-On
Security Assertion Markup Language (SAML) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. The EMD Digital platform acts as the service provider, while your company provides the identity provider (such as Microsoft Azure Active Directory, Okta and others).
Single sign-on (SSO) is an authentication scheme that allows a user to log in to multiple web applications with a single user identity. With SSO, the user is not asked to create a new account with a password but is instead logged in automatically through their corporate identity provider. Access to our platform can then be governed centrally from the corporate directory.
Prerequisites
- Verify your domains with us. We will create a challenge that needs to be added to the DNS zone of all domains that will be used by employees to log in.
- Ensure that your identity provider uses the HTTPS protocol and supports SAML 2.0.
- The identity provider can be hosted on-premises or in a private network, as long as it is reachable from the employee's browser.
Setting up SAML with the Identity Provider
Please refer to the documentation of your identity provider for detailed step-by-step instructions. The following information is required to complete the setup.
| SAML Attribute Name | Description | Required |
|---|---|---|
| NameID | Persistent identifier | Yes |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | Preferred username | No |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname | First name | Recommended |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname | Last name | Recommended |
| http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Email address | Yes |
Note: The persistent identifier (NameID) must not change for a user over time. For example, an email address is not a persistent identifier because it can change over time. Do not use the User Principal Name (UPN) as the identifier either, especially if you use more than one domain and users can be transferred between domains (e.g. na.mycorp.com and eu.mycorp.com).
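To make the attribute table and the NameID note concrete, the following added example (not code from the EMD Digital platform, and not a substitute for its actual SAML validation) parses a constructed SAML 2.0 assertion, extracts the NameID and the claims listed above, and reports which of the page's expectations are violated: a NameID that is not in the persistent format, a missing required `emailaddress` attribute, and missing recommended attributes. The two sample assertions, the `urn:oasis:names:tc:SAML:2.0:nameid-format:persistent` check, and the function names are assumptions made for this illustration; signature, audience and validity-window checks that a real service provider performs first are deliberately out of scope here.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Standard SAML 2.0 NameID format that this example treats as "persistent".
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Attribute table from the page, mapped to how strictly each entry is checked.
EXPECTED_ATTRIBUTES = {
    CLAIMS + "emailaddress": "required",
    CLAIMS + "givenname": "recommended",
    CLAIMS + "surname": "recommended",
    CLAIMS + "name": "optional",
}

# Constructed sample: persistent, opaque NameID plus the required/recommended claims.
GOOD_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed-1">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3e1a2b-constructed-opaque-id</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>Doe</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample that violates the page's guidance: the NameID is an email
# address (not persistent) and the required emailaddress claim is absent.
BAD_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_constructed-2">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def parse_assertion(xml_text):
    """Extract the NameID (value and Format) and the AttributeStatement into a dict.

    Hypothetical helper: a real service provider verifies the XML signature and
    the assertion's conditions before reading any of these values.
    """
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", SAML_NS)]
        attributes[attr.get("Name")] = values
    return {
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "attributes": attributes,
    }


def check_assertion(xml_text):
    """Return (ok, errors, warnings) for an assertion against the page's table.

    Errors (which make ok False): missing or non-persistent NameID, or a missing
    required attribute. Warnings: missing recommended attributes.
    """
    parsed = parse_assertion(xml_text)
    errors, warnings = [], []
    if not parsed["name_id"]:
        errors.append("NameID missing")
    elif parsed["name_id_format"] != PERSISTENT_FORMAT:
        errors.append(f"NameID format is {parsed['name_id_format']!r}, expected persistent")
    for name, level in EXPECTED_ATTRIBUTES.items():
        if any(parsed["attributes"].get(name, [])):
            continue  # present with a non-empty value
        short = name.rsplit("/", 1)[-1]
        if level == "required":
            errors.append(f"required attribute {short} missing")
        elif level == "recommended":
            warnings.append(f"recommended attribute {short} missing")
    return (not errors, errors, warnings)


if __name__ == "__main__":
    for label, assertion in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        ok, errors, warnings = check_assertion(assertion)
        print(label, "ok" if ok else "REJECT", errors, warnings)
```

Running the block prints one line per sample: the first assertion passes cleanly, the second is rejected because its NameID is an email address and the required `emailaddress` claim is missing, with the absent `surname` reported as a warning. The same pattern is useful during rollout for inspecting what an identity provider actually emits before switching users over, since a NameID that turns out to be a UPN or email address would later break the mapping to existing accounts when that value changes.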