SAML exchanges authentication and authorization data between two entities, namely an Identity Provider(IdP) and a Service Provider(SP). Here SupportCenter Plus acts as the SP and upon integration, users can directly log in to the application from the IdP without providing any login credentials.
For example, you can set up Active Directory Federation Service (ADFS) as the IdP to allow your users to log in to SupportCenter Plus using their Active Directory credentials.
Role Required: SDAdmin, SDOrgAdmin for multiple portal setups.
Go to Admin > Users > SAML single sign-on.
Under the Service Provider Details section, you will find the following:
Use these details to configure SupportCenter Plus as a service provider in your IdP.
Assertion Consumer URL
Single Logout Service URL
Click the file to download it. Upload this file in the IdP portal.
SP metadata file
In some IdPs, uploading the metadata file is enough to configure SupportCenter Plus as a service provider.
Changes in the alias URL from the Self Service Portal settings and changing the service from http to https will be reflected in the Assertion Consumer URL and Single Logout Service URL. You will have to reconfigure SAML authentication in both SP and IdP portals by regenerating the SP certificate.
First, you must configure SupportCenter Plus as a Service Provider with your Identity Provider.
We have tested SAML 2.0 with ADFS 3.0, Okta, OneLogin, and Azure as the Identity Providers. Click the respective IdPs for configuration information.
After configuring SupportCenter Plus as a service provider in your IdP domain, return to the SAML configuration page in SupportCenter Plus.
Under the Configure Identity Provider Details section,
Enter the Login URL and Logout URL of the IdP.
Select the Name ID Format based on your login preference.
To log in using your username, select Transient or Persistent. Ensure that the format selected matches the configuration in your Identity Provider.
If you wish to log in using your email address, select Email Address.
If you wish to log in using the User Principal Name (UPN) configured in your Active Directory account, select Unspecified.
Select the Algorithm from the drop-down. This algorithm should be the same as that configured in the IdP.
Upload the IdP certificate by clicking the Choose File button.
Click Save. The details of the certificate will be displayed to the right as shown below.
Enable SAML authentication using the toggle button available on the top of the page.
Enabling SAML Single Sign-On will automatically disable Pass-Through Authentication.
The History tab lists all the activities carried out on the configuration page. You can view the activities related to a particular attribute using predefined filters as shown below.
The login page after enabling SAML single sign-on will be displayed as shown below.
SAML single-sign on is applicable only for Support Reps. Hence, the option will not be available in the login page of Custom Portals.
Users can either log in using the Local Authentication (enabled by default) or log in using SAML by clicking the link below the Log In button.
If Local Authentication is disabled, the IdP login page will be displayed.
When the login name generated by the IdP does not match with the login name of a user in SupportCenter Plus,
If dynamic user addition is enabled, then the user will be added afresh with the login name generated by the IdP and password as configured in Active Directory/LDAP settings.
If dynamic user addition is disabled, then the user will not be able to log in to SupportCenter Plus.
During email-based login and UPN-based login, users will not be added via dynamic user addition even if the option is enabled.
SupportCenter Plus supports SAML single logout service. Using this, you can choose to log out from SupportCenter Plus only or from all the services integrated with the IdP.
If you have configured SAML logout in your IdP domain, you will find two options listed.
Click Log out to log out of SupportCenter Plus application alone.
If you click Log Out of SAML, you will be logged out of all the services integrated with the IdP.
The IdP certificate file is not uploaded right.
Reconfigure the IdP details.
SAML response is not received from IdP.
SupportCenter Plus supports only POST binging method. Ensure that the IdP follows POST binding method.
Error in validating the logout response of the IdP.
Refer errors 42, 44, 50, 4, and 36. Contact email@example.com.
21, 22, 23
The IdP response Status is Failure.
Reconfigure the IdP details by following the instructions given here.
The IdP response is not signed. SupportCenter Plus accepts only signed responses.
Configure the IdP settings for SupportCenter Plus to sign assertion and responses.
Unable to verify IdP signature in the SAML response.
Upload the correct IdP certificate file in the SAML configuration page of SupportCenter Plus.
Entity IDs in the SAML response and SupportCenter Plus are not the same.
Reconfigure the SP details in your IdP portal.
The destination URL in the SAML response does not match the actual URL from which the response is called.
Reconfigure the SP details in your IdP portal.
If you have configured a proxy server (say azure app proxy) to externalize the application, add proxyName="<external_url>" and proxyPort="<external_port>" attributes to the connector tag in the server.xml file.
The Issuer field is empty in the SAML response.
46, 47, 51
The SAML response will not be validated as the System Time Stamp does not match the Standard Time.
Set proper time and time zone in the application server.
The user has configured Assertion Encryption, which is not supported in SupportCenter Plus.
Change Assertion Encryption to Assertion Sign in the IdP, which will sign the assertion but not encrypt it.
Issuer name is missing in the SAML assertion.
Reconfigure the SP and IdP.
If the error persists, email us at firstname.lastname@example.org with the log files.
The SAML assertion from the IdP is not for the intended user/contact.
Log in again by using SAML authentication.
The SAML response is not mapped with the right user, and dynamic user addition is disabled in the Self-Service Portal settings.
If the user does not exist in SupportCenter Plus, create a new user manually with the login name generated by the IdP.
If the user already exists in the application, change the Name ID attribute in the IdP portal to match the login name in SupportCenter Plus.
User not found (during email based SAML login).
If the user does not exist in SupportCenter Plus, create a new user manually and configure email address.
If the user already exists in the application, configure their email address to match the login email ID in SupportCenter Plus.
Login is disabled for the user.
Enable login for the user.
More than one user is configured with the login email ID.
Ensure that the login email address is configured only with one user. This error is thrown if the login email ID is configured as a primary/secondary email address of another user.
1. Despite having valid login credentials, why am I added as a new user in SupportCenter Plus when logging in using SAML?
When you log in using SAML, the IdP provides a login name in the SAML response. This login name is generated based on the NameID attribute configured in the IdP. The application does not map this with your credentials because your login name in SupportCenter Plus is not the same as the login name in the SAML response. Now there are two possibilities:
If dynamic user addition is enabled, you will be added as a new user with the login name generated by the IdP and password as configured in the Active Directory/LDAP settings.
If dynamic user addition is disabled, an error message will be displayed and you will not be able to log in to SupportCenter Plus.
To solve this, reconfigure your IdP settings by choosing the right NameID attribute.
2. Why am I added as a separate user even after configuring my IdP to return the correct login name?
If the user falls under a domain, the IdP should return the domain name of the user along with the login name.
For example, if Peter is a support rep with login name peter in the Zylker domain, then the IdP should return Zylker\peter as the login name.
If the above case fails, a new user will be created.
Choose the proper NameID attribute and reconfigure the IdP to solve this.
3. How to fix alignment issues in the login page after enabling SAML as shown in the below image?
Go to Admin > Self-Service Portal Settings.
Click Customize now under Login Page customization.
In the HTML editor, add the classes shown in the screenshot.These classes will also be available under <server_home>\custom\login\default.html
border-bottom: 1px solid #ccc;
padding: 0 4px;
Click Save and check to see if the link now appears aligned.