# Single sign-on
## Introduction

The identity federation standard Security Assertion Markup Language (SAML) 2.0 enables the secure exchange of user authentication data between web applications and identity service providers. When you use the SAML 2.0 protocol to enable single sign-on (SSO), security tokens containing assertions pass information about an end user (the principal) between a SAML authority, the identity provider (IdP), and a SAML consumer, the service provider (SP).

Echoes, acting as the service provider (SP), supports single sign-on through SAML using external identity providers (IdPs) such as Okta, OneLogin and Microsoft Active Directory Federation Services. Echoes is compatible with all external IdPs that support SAML 2.0.

### Default membership

Every member who creates a new account via SSO is put into the global organization with the default Contributor role.

## Configuring SSO/SAML

### Step 1: Configure your identity provider

Head to the configuration page to get the Echoes SP information that has to be entered into your IdP:

- **Assertion Consumer Service URL**: the callback that the IdP sends the SAML response to in order to tell Echoes to log in a user.
- **Entity ID / SAML audience**: a URL that describes the entity expected to receive the SAML message; in this case, the URL for Echoes.
- **Metadata**: the Echoes SP metadata file (XML) can be downloaded once the connection has been configured.

**Attributes mapping**: the following attribute names are expected and mandatory:

- `firstname`
- `lastname`
- `email`

Example of an attribute assertion:

```xml
<saml2:AttributeStatement>
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">john.doe@unknown.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">Doe</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
```

SAML2 identity provider examples: Okta, Keycloak.

### Step 2: Enable SSO in Echoes

Head to the configuration page to enter the SAML information. To configure the Echoes SP, two values have to be set:

- **SAML 2.0 endpoint URL**: in most cases this opens your identity provider's page, where your end users enter their credentials.
- **Public key**: the X.509 certificate issued by your identity provider.

Once configured, all users holding the email domain of the root account owner (the root user who opened the Echoes account the very first time) will authenticate using SSO; personal login credentials will no longer work. Users who sign up via invites with an email domain different from the root account owner's will not authenticate using SSO. If you wish to add more domains to your SSO configuration, please reach out to support@echoeshq.com.

## Frequently asked questions

**How do I add new members to a SAML-enabled Echoes account?**

Echoes makes use of just-in-time provisioning for member accounts: any new member created within an identity provider will have an account automatically created in Echoes when that member attempts to sign into Echoes for the first time.

**What happens to Echoes accounts that existed prior to SAML being enabled?**

Existing members will have their Echoes account automatically linked to their IdP account.

**Does Echoes de-provision members no longer present in the identity provider?**

At this time, Echoes's SAML2 integration does not automatically de-provision inactive user accounts. Instead, the member remains inside Echoes without any means to log in, as they can no longer access the IdP platform for sign-on. For now, inactive member accounts need to be removed manually by a manager or an owner of the Echoes organization.

**How do I delete the SAML configuration?**

Contact support@echoeshq.com.
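As an added example (not Echoes' own code), the following Python shows the service-provider-side checks the page implies for just-in-time provisioning: reading the three mandatory attributes out of an `AttributeStatement` and confirming the e-mail domain is one enrolled for SSO. The sample statement is constructed, and the function assumes the assertion's signature, audience and validity window were verified before it is called.

```python
import xml.etree.ElementTree as ET

SAML2_NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Attribute names the page lists as mandatory (SAML attribute names are case-sensitive).
REQUIRED_ATTRS = ("firstname", "lastname", "email")

# Constructed sample mirroring the page's example; the xmlns:saml2 declaration is
# added so the fragment parses on its own.
SAMPLE_ATTRIBUTE_STATEMENT = """\
<saml2:AttributeStatement xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml2:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:type="xs:string">john.doe@unknown.com</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>John</saml2:AttributeValue>
  </saml2:Attribute>
  <saml2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
    <saml2:AttributeValue>Doe</saml2:AttributeValue>
  </saml2:Attribute>
</saml2:AttributeStatement>
"""

def extract_attributes(statement_xml: str) -> dict:
    """Map each saml2:Attribute Name to the stripped text of its first AttributeValue."""
    root = ET.fromstring(statement_xml)
    attrs = {}
    for attr in root.iterfind("saml2:Attribute", SAML2_NS):
        value = attr.findtext("saml2:AttributeValue", default="", namespaces=SAML2_NS)
        attrs[attr.get("Name")] = value.strip()
    return attrs

def check_jit_provisioning(attrs: dict, sso_domains) -> tuple:
    """Policy check from the page: every mandatory attribute present and non-empty, and
    the e-mail domain enrolled for SSO (the root owner's domain). Assumes signature,
    audience and validity window were already verified upstream."""
    missing = [name for name in REQUIRED_ATTRS if not attrs.get(name)]
    if missing:
        return False, "missing mandatory attribute(s): " + ", ".join(missing)
    email = attrs["email"]
    if email.count("@") != 1:
        return False, "malformed email"
    domain = email.rsplit("@", 1)[1].lower()
    if domain not in {d.lower() for d in sso_domains}:
        return False, "domain " + domain + " is not enrolled for SSO"
    return True, "ok"
```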