Re-Leased supports Security Assertion Markup Language (SAML), which lets you provide single sign-on (SSO) access to Re-Leased accounts. With SSO, users can sign in once using their company sign-in form to gain access to multiple systems and service providers, including Re-Leased.
The IT team in a company is usually responsible for setting up and managing the company's SAML authentication system. Refer the team to this article.
How SAML SSO for Re-Leased works
SAML for Re-Leased works the way SAML does with all other service providers. A common use case is a company where all user authentication is managed by a corporate authentication system such as Active Directory or LDAP (generically referred to as an identity provider, or IdP). Re-Leased establishes a trust relationship with the IdP and allows it to authenticate and sign in users to Re-Leased accounts.
A common use case is a user who signs in to their corporate system at the beginning of the workday. Once signed in, they have access to other corporate applications and services (such as email or Re-Leased) without having to sign in separately to those services.
Requirements for enabling SAML SSO
Ensure your Re-Leased plan includes the SSO feature. If it does not, contact sales to discuss.
Meet with the team in your company responsible for the SAML authentication system (usually the IT team) to make sure your company meets the following requirements:
- The company has a SAML server that either has provisioned users or is connected to an identity repository such as Microsoft Active Directory or LDAP. Options include using an in-house SAML server such as OpenAM, or a SAML service such as JumpCloud, Okta, OneLogin, or PingIdentity.
- Re-Leased-bound traffic is over HTTPS, not HTTP
Request the following information from the team:
- The remote login URL for your SAML server (sometimes called SAML Single Sign-on URL)
- The SHA2 fingerprint of the SAML certificate from your SAML server. X.509 certificates are supported and should be in PEM or DER format. There is no upper limit on the size of the SHA fingerprint.
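A sketch of how the fingerprint can be computed from either a PEM or a DER file, added here as an example and not taken from Re-Leased. The page says only "SHA2", so SHA-256 is assumed, and the sample certificate bytes and all function names are constructed for illustration. It also shows why hashing the PEM file directly gives the wrong value.

```python
import hashlib
import hmac
import ssl

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

# Constructed placeholder bytes standing in for a DER-encoded certificate.
# Not a real certificate: a fingerprint depends only on the raw bytes.
SAMPLE_DER = bytes.fromhex("3082010a") + b"constructed-sample-idp-signing-cert"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER).encode("ascii")


def to_der(cert: bytes) -> bytes:
    """Return the DER bytes of a certificate supplied as PEM or DER."""
    if cert.lstrip().startswith(PEM_HEADER):
        return ssl.PEM_cert_to_DER_cert(cert.decode("ascii").strip())
    return cert  # already DER (binary, starts with 0x30)


def fingerprint(cert: bytes, algo: str = "sha256", colons: bool = True) -> str:
    """Fingerprint = hash of the DER encoding, shown as uppercase hex."""
    digest = hashlib.new(algo, to_der(cert)).hexdigest().upper()
    if colons:
        return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return digest


def naive_file_hash(cert_file: bytes, algo: str = "sha256") -> str:
    """Common mistake: hashing the PEM text itself, not the DER it wraps."""
    return hashlib.new(algo, cert_file).hexdigest().upper()


def normalize(fp: str) -> str:
    """Drop separators and case so two renderings can be compared."""
    return "".join(ch for ch in fp if ch.isalnum()).lower()


def same_fingerprint(a: str, b: str) -> bool:
    """Compare two fingerprints regardless of colons, spaces or case."""
    return hmac.compare_digest(normalize(a), normalize(b))


if __name__ == "__main__":
    print("from PEM:", fingerprint(SAMPLE_PEM))
    print("from DER:", fingerprint(SAMPLE_DER))
    print("bare hex:", fingerprint(SAMPLE_DER, colons=False))
```

The page does not say whether the settings field expects colon-separated or bare hex, so both renderings are produced; compare the value against what the IdP console displays with `same_fingerprint` before pasting it.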
The next step is to enter the information in the Re-Leased Settings section to enable SSO.
Enabling SSO
You must sign in to Re-Leased as an administrator to enable SAML single sign-on.
Click the Settings option in the top bar, then select Manage Single Sign On.
- For SAML Sign-on mode, choose Enabled. (Choosing Enforced will disable signing in via any other method.)
- For Sign-on Url, enter the remote login URL of your SAML server.
- For Public Key, enter the certificate fingerprint. This is required for us to communicate with your SAML server.
- (Optional) For Auto-provisioning domains, enter a domain name. Any authenticated users with an e-mail address at that domain will automatically be created within Re-Leased.
Note - When using auto-provisioning it is necessary that the first and last names of users are mapped correctly. This can be done by making sure that these fields are given one of the following attributes:
First name with an attribute of first_name or User.FirstName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
Last name with an attribute of last_name or User.LastName or http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
- Copy the details given for Audience URI (Service Provider Entity ID), ACS URL, and Sign-on URL, and pass these on to your IT team to complete the configuration at their end.
Click the Save button.
For Azure AD users, a detailed guide to configuring SSO to work with Azure AD can be found here.