13min

Single sign-on

IntroductionThe identity federation standard Security Assertion Markup Language (SAML) 2.0 enables the secure exchange of user authentication data between web applications and identity service providers.

When you use the SAML 2.0 protocol to enable single sign-on (SSO), security tokens containing assertions pass information about an end user (principal) between a SAML authority - an identity
provider (IdP), and a SAML consumer - a service provider (SP). 

Echoes, acting as the service provider (SP), supports single sign-on through SAML using external identity providers (IdPs) such as Okta, OneLogin and Microsoft Active Directory Federation Service. Echoes is compatible with all external IdPs that support SAML 2.0.
Default membershipEvery member who creates a new account via SSO will be put into the global Organization with the default Contributor role.
Configuring SSO/SAMLStep 1: Configure your identity providerHead to the configuration page to get the Echoes SP information to be set into your IDP:
Assertion Consumer Service URL: This is the callback that the IdP will send to tell Echoes to log in a user.
Entity ID/SAML Audience: A URL that describe the entity that is expected to receive the SAML message. In this case, it is the URL for Echoes.
Metadata: Echoes SP metadata file (XML) can be downloaded. (once the connection has been configured)
Attributes mappingThose attribute names are expected and mendatory.
FirstName
LastName
Email
Example of attribute assertion:
XML
|
<saml2:AttributeStatement>
        <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john.doe@unknown.com
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
<saml2:AttributeStatement>
        <saml2:Attribute Name="Email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">john.doe@unknown.com
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="FirstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">John
            </saml2:AttributeValue>
        </saml2:Attribute>
        <saml2:Attribute Name="LastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
            <saml2:AttributeValue
                xmlns:xs="http://www.w3.org/2001/XMLSchema"
                xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Doe
            </saml2:AttributeValue>
        </saml2:Attribute>
    </saml2:AttributeStatement>
﻿
SAML2 Identity Providers example﻿﻿Okta﻿
﻿﻿Keycloak  
Step 2: Enable SSO in EchoesHead to the configuration page in order to enter the SAML information in order to configure the Echoes SP. Two values are to be set:
SAML 2.0 Endpoint URL: In most cases it opens your Identity Provider's page where your end-users are to enter their credentials
Public Key x.509 Certificate: Issued by your Identity Provider
Once configured, all users holding the email domain from the root Account Owner (root user who opened the Echoes account the very first time) will authenticate using SSO (personal login credentials will no longer work).

Users who signup via invites with an email domain different from the root Account Owner will not authenticate using SSO.
If you wish to add more domains to your SSO configuration, please reach out to support@echoeshq.com.
Frequently asked questions
How to add new members to a SAML-enabled Echoes account?
What happens to Echoes accounts that existed prior to SAML being enabled?
Does Echoes de-provision members no longer present in the Identity Provider?
How to delete the SAML configuration
﻿

Updated 16 Mar 2023

Did this page help you?

Yes

UP NEXT

Google

Docs powered by archbee

TABLE OF CONTENTS

Introduction

Default membership

Configuring SSO/SAML

Step 1: Configure your identity provider

Attributes mapping

SAML2 Identity Providers example

Step 2: Enable SSO in Echoes

Frequently asked questions

How to add new members to a SAML-enabled Echoes account?

What happens to Echoes accounts that existed prior to SAML being enabled?

Does Echoes de-provision members no longer present in the Identity Provider?

How to delete the SAML configuration