# Enable SAML for SSO
SAML is an open standard for web-browser single sign-on. Using SAML, a service provider (Swimlane) asks an identity provider (a third party) to authenticate a user and provide information about that user. Login can be initiated in two different ways: in one, Swimlane initiates the login; in the other, the identity provider initiates it. Set up SAML in Swimlane under Settings > Sessions & Security.

## Swimlane service provider SAML metadata

The following table contains the metadata you need to know when configuring Swimlane with an identity provider.

| Metadata | Usage |
| --- | --- |
| Entity ID | Configurable in Swimlane SAML settings |
| Assertion Consumer Service (ACS) URL | `https://{swimlane hostname here}/api/saml/consume` |
| ACS binding | ☑ HTTP POST ☐ HTTP Redirect |
| Single Logout Service (SLS) URL | Single logout is not currently supported by Swimlane |
| SLS binding | N/A |
| NameID format | `emailAddress` if Email Address is selected as the NameID format in Swimlane settings, otherwise `unspecified` |
| AuthN request binding | ☐ HTTP POST ☑ HTTP Redirect |
| AuthN requests signed | Configurable in Swimlane SAML settings |
| AuthN requests encrypted | No |
| Signing certificate | Configurable in Swimlane SAML settings |
| Assertions encrypted | Encrypted assertions are not currently supported by Swimlane |

A successful login with SAML requires a user that already exists in Swimlane and matches the NameID (username or email address). Swimlane does not support just-in-time (JIT) provisioning. SAML is available to users added by directory services sync as well as to those added manually.

## To enable SAML for SSO

1. From the Sessions and Security dashboard, click > to expand Authentication.
2. Under SAML Authentication, toggle the switch to enable SAML authentication.
3. Click SAML Settings.
4. On SAML Authentication, identify the Name ID Format by selecting from the dropdown. You have two options for users logging in to Swimlane: the Swimlane username or the email address. This setting determines how Swimlane interprets the Name ID sent in the SAML response and matches it to a Swimlane user.

   Important! Swimlane's SAML processing matches case for email addresses. Ensure the email address of the Swimlane user matches the email address in the SAML response exactly. Note, however, that username matching is case-insensitive.

5. Complete the following required fields:
   - SSO URL
   - Identity Provider Entity ID
   - Service Provider Entity ID
6. Specify whether to verify the identity provider signature or to allow invalid signatures with the Verify Identity Provider Signature toggle, and then upload the certificate.

   Important! Swimlane strongly recommends that you enable this SAML option and upload your identity provider's certificate, so that Swimlane can confirm it is communicating with the expected identity provider.

   Also important! The certificate you upload at this step must be a PEM (Privacy Enhanced Mail) certificate.

7. Select whether the SAML request should be signed by Swimlane with the Sign AuthnRequest? toggle, and then upload the private key (PKCS #12 format) and public certificate.

   Note: You can convert a PEM-formatted public certificate and private key to PKCS #12 using OpenSSL. Here is an example of how to convert:

   ```shell
   # Bundle a PEM certificate and its private key into a PKCS #12 file
   openssl pkcs12 -export -out cert.pfx -in pem-public-certificate.crt -inkey pem-private-key.key
   ```

   Do not enter a password when prompted: Swimlane does not support password-protected PKCS #12 certificates.

8. If your SSO provider calculates the SAML response signature over non-significant whitespace, select the Preserve Whitespace in SAML Response? toggle.
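The Name ID Format step above and the note about case matching describe how Swimlane maps the NameID in a SAML response to an existing user: email addresses are compared case-sensitively, usernames case-insensitively, and the IdP is expected to send the `emailAddress` format when Email Address is selected and `unspecified` otherwise. The following script is an added example, not Swimlane's own code, that models exactly those rules against a constructed SAML response and a constructed user list, so an administrator can reason about why a login would be rejected before touching the real IdP. The user records, the sample XML and the function names are all assumptions made for the example.

```python
import xml.etree.ElementTree as ET

SAML_ASSERTION_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML_PROTOCOL_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed Swimlane user directory (example data, not real accounts).
USERS = [
    {"username": "jdoe", "email": "jane.doe@example.com"},
    {"username": "Admin", "email": "admin@example.com"},
]


def build_sample_response(nameid_value, nameid_format):
    """Build a minimal, constructed SAML Response containing only a Subject/NameID.
    Signatures, Conditions and AttributeStatements are omitted because only the
    NameID matching logic is being illustrated."""
    return (
        f'<samlp:Response xmlns:samlp="{SAML_PROTOCOL_NS}" xmlns:saml="{SAML_ASSERTION_NS}">'
        "<saml:Assertion><saml:Subject>"
        f'<saml:NameID Format="{nameid_format}">{nameid_value}</saml:NameID>'
        "</saml:Subject></saml:Assertion></samlp:Response>"
    )


def extract_nameid(response_xml):
    """Return (Format attribute, NameID text) from a SAML Response."""
    root = ET.fromstring(response_xml)
    nameid = root.find(f".//{{{SAML_ASSERTION_NS}}}NameID")
    if nameid is None or not (nameid.text or "").strip():
        raise ValueError("SAML response carries no NameID")
    return nameid.get("Format", NAMEID_UNSPECIFIED), nameid.text.strip()


def expected_nameid_format(swimlane_setting):
    """Format the IdP is expected to send for the Name ID Format chosen in Swimlane:
    'email' -> emailAddress, 'username' -> unspecified."""
    return NAMEID_EMAIL if swimlane_setting == "email" else NAMEID_UNSPECIFIED


def match_user(nameid_value, swimlane_setting, users):
    """Apply the page's matching rules: email is case-sensitive, username is not."""
    for user in users:
        if swimlane_setting == "email" and user["email"] == nameid_value:
            return user
        if swimlane_setting == "username" and user["username"].lower() == nameid_value.lower():
            return user
    return None  # no pre-existing user: Swimlane does no JIT provisioning


def check_login(response_xml, swimlane_setting, users=USERS):
    """Evaluate a response the way Swimlane would: report whether the NameID
    format agrees with the Swimlane setting and which existing user (if any) matches."""
    fmt, value = extract_nameid(response_xml)
    return {
        "nameid": value,
        "format_ok": fmt == expected_nameid_format(swimlane_setting),
        "user": match_user(value, swimlane_setting, users),
    }


if __name__ == "__main__":
    # Mixed-case email from the IdP against a lowercase Swimlane user: rejected.
    print(check_login(build_sample_response("Jane.Doe@example.com", NAMEID_EMAIL), "email"))
    # Same user with matching case: accepted.
    print(check_login(build_sample_response("jane.doe@example.com", NAMEID_EMAIL), "email"))
    # Username matching ignores case: "ADMIN" matches "Admin".
    print(check_login(build_sample_response("ADMIN", NAMEID_UNSPECIFIED), "username"))
```

The first call returns `user: None` purely because of the capital letters in the email, which is the failure the Important note warns about; the fix is on the Swimlane user record or the IdP attribute mapping, not in the matching logic. `format_ok` is a separate check so a mismatch between the IdP's NameID Format and the Swimlane setting shows up even when the value itself happens to match.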