You can use multiple authentication providers in Haiilo. Haiilo supports the SAML 2.0 and OpenID Connect protocols, and every identity provider (IdP) that implements one of these protocols is fully supported. This allows your users to authenticate through Windows-integrated authentication (SAML) or through platforms like LinkedIn (OpenID). With SAML just-in-time, users who don't yet exist in your platform can also be imported during their first login.
Haiilo itself doesn't support two-factor authentication, but you can enforce it at a SAML service. Make sure that service uses a certificate issued by a trusted certification authority and TLS 1.2.
Set up a SAML authentication provider
A SAML authentication provider in Haiilo applies to exactly one user directory and its users. To set up SAML, you need information from your IdP's metadata.xml, so obtain the metadata before proceeding. You can view a video tutorial for setting up SAML below.
- Go to Administration > Authentication
- Select Create authentication provider
- Enter a name. The name is displayed to users on the login screen after "Authenticate with".
- Choose a type: SAML or SAML just-in-time
- Check Active
- Decide if you want to use Automatic login. This automatically redirects the user from the login screen to the IdP after 3-5 seconds. Users who don't want to be redirected can select Sign in as a local user before the redirect happens to stay on the login screen.
- Decide whether this authentication provider sends session emails for new logins.
- Fill out the General tab's information
  - Only check AD FS if your Microsoft Active Directory uses Federation Services.
  - Enter the Entity ID, Authentication URL, and Logout URL from your IdP metadata.xml.
  - Choose the Logout method. This defines whether the user is logged out locally (only Haiilo) or globally (SAML logout) when they log out of Haiilo.
  - Enter a Response validity. This sets the time window within which a SAML response is accepted. Haiilo recommends the standard 300 seconds.
  - Choose the user directory that can use this authentication provider. The options depend on your user directory settings.
- Fill out the Request signing tab's information, if applicable
  - It's possible to sign the SAML request in Haiilo with a certificate and a private key. Activate this function by checking Sign request.
  - Enter a certificate and a private key in PEM format. You can use a self-signed certificate. The certificate must be added to the ADFS server in the trust relationship settings under "Signing".
- Fill out the Response validation tab's information
  - Alongside the signing of Haiilo requests, it's also possible to verify the response of the SAML server. To do this, add the token-signing certificate of the IdP server here.
  - If you don't want to use this function, select Disable certificate trust check.
- If you selected SAML just-in-time in step 4, define the attributes that are imported for the users on the Just-in-time provisioning tab.
  - You will find the necessary values by searching for them in your metadata.xml.
  - It's also possible to synchronize profile fields. To do this, choose the profile fields in the just-in-time provisioning and assign them according to the values in your metadata.xml.
- Select Save to generate the Haiilo endpoints and metadata XML. These appear on the General tab after saving.
- Add Haiilo's information to your IdP. Haiilo only redirects to the IdP and then expects a SAML assertion in which the login name (e.g. the email address) is passed as NameID. For SAML just-in-time, the attributes that are provisioned must also be configured in the SAML assertion. ADFS example:
- Test the login with a user from the user directory you defined in step 5.
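The General, Response validation and Just-in-time provisioning tabs above all take values that live in the IdP's metadata.xml. The following script is an added example, not Haiilo's own code, that reads those values out of the metadata: the Entity ID, the HTTP-Redirect Authentication and Logout URLs, the token-signing certificate re-wrapped as PEM for the Response validation tab, and the attribute names available for just-in-time provisioning. It refuses plain-http endpoints and metadata without a signing certificate, since without one the response cannot be validated. It assumes the metadata follows the SAML 2.0 metadata schema and that the IdP publishes HTTP-Redirect bindings; the SAMPLE_METADATA document, its hostnames and its certificate body are constructed placeholders.

```python
"""Added example (not Haiilo's code): pull the SAML provider values out of an
IdP metadata.xml. SAMPLE_METADATA is constructed; the certificate is a placeholder."""
import textwrap
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample metadata.xml in the shape ADFS publishes (placeholders throughout).
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    entityID="https://idp.example.test/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC0DCCAbigAwIBAgIQPLACEHOLDERCERT</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/adfs/ls/"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


@dataclass
class SamlProviderValues:
    entity_id: str                      # General tab: Entity ID
    authentication_url: str             # General tab: Authentication URL
    logout_url: Optional[str]           # General tab: Logout URL
    signing_certificates_pem: List[str] = field(default_factory=list)  # Response validation tab
    attribute_names: List[str] = field(default_factory=list)           # Just-in-time provisioning tab


def _to_pem(b64_body: str) -> str:
    """Wrap the bare base64 of X509Certificate into the PEM block the UI expects."""
    body = "".join(b64_body.split())
    return ("-----BEGIN CERTIFICATE-----\n"
            + "\n".join(textwrap.wrap(body, 64))
            + "\n-----END CERTIFICATE-----\n")


def _redirect_location(idp: ET.Element, service: str) -> Optional[str]:
    """Location of the HTTP-Redirect binding for SingleSignOnService / SingleLogoutService."""
    for el in idp.findall(f"md:{service}", NS):
        if el.get("Binding") == HTTP_REDIRECT:
            return el.get("Location")
    return None


def extract_saml_values(metadata_xml: str) -> SamlProviderValues:
    root = ET.fromstring(metadata_xml)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor (is this SP metadata?)")

    sso = _redirect_location(idp, "SingleSignOnService")
    if sso is None:
        raise ValueError("no HTTP-Redirect SingleSignOnService in metadata")
    slo = _redirect_location(idp, "SingleLogoutService")
    for url in (sso, slo):
        # The browser is redirected to these URLs; refuse anything not served over TLS.
        if url is not None and not url.startswith("https://"):
            raise ValueError(f"endpoint is not served over TLS: {url}")

    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute covers both signing and encryption.
        if kd.get("use") in (None, "signing"):
            for cert in kd.findall(".//ds:X509Certificate", NS):
                certs.append(_to_pem(cert.text or ""))
    if not certs:
        raise ValueError("no signing certificate: the response could not be validated")

    attrs = [a.get("Name") for a in idp.findall("saml:Attribute", NS) if a.get("Name")]
    return SamlProviderValues(root.get("entityID", ""), sso, slo, certs, attrs)


if __name__ == "__main__":
    values = extract_saml_values(SAMPLE_METADATA)
    print("Entity ID:         ", values.entity_id)
    print("Authentication URL:", values.authentication_url)
    print("Logout URL:        ", values.logout_url)
    print("Signing certs:     ", len(values.signing_certificates_pem))
    print("JIT attributes:    ", *values.attribute_names, sep="\n  ")
```

ADFS lists more than one signing certificate while a key rollover is pending, so the script collects all of them rather than the first; when the Response validation tab accepts only one, add the certificate that currently signs tokens and update it after the rollover completes.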
Set up an OpenID authentication provider
In contrast to SAML, OpenID authentication is always available to all your users and cannot be limited to a user directory. To configure OpenID, read the OpenID guidelines from your identity provider. You can view tutorial videos on setting OpenID up for Entra ID.
- Go to Administration > Authentication
- Select Create authentication provider
- Enter a name. The name is displayed to users on the login screen after "Authenticate with".
- Select type OpenID Connect
- Check Active
- Decide if you want to use automatic login, which automatically redirects to the IdP after 3 seconds.
- Decide whether this authentication provider sends session emails for new logins.
- Haiilo provides presets to auto-fill the fields with your IdP information. Select a preset, if applicable to your IdP. You can also fill out the fields manually and leave Presets blank.
- The Mapping ID is the parameter in the IdP response that must match the login name (e.g. the email address) of the Haiilo user.
- You need to register Haiilo as a web application in your IdP to obtain the Client-ID, Client-Secret, Tenant-Id, the Authentication, Access-Token and User-Info URLs, the Token Schema, and the Authentication schema. You will be asked for the Haiilo login URL. This redirect URL is generated only after you save your configuration in Haiilo.
- Scope lists the permissions Haiilo needs to read the user information URL.
- Select Save to generate the Haiilo Redirect URL. Enter the URL in your IdP's app registration.
- Test the login.
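The Authentication, Access-Token and User-Info URLs, the Mapping ID and the Scope from the steps above all have to agree with what the IdP actually publishes. The script below is an added example, not Haiilo's own code, that derives the three URLs from the IdP's standard OpenID Connect discovery document, checks that its issuer is the tenant you expect and that every endpoint is served over TLS, works out which scopes the Mapping ID claim needs (per the scope-to-claim table in OpenID Connect Core 1.0, section 5.4), and finally resolves the login name from a user-info response the way the Mapping ID does. The discovery document, user-info response, tenant id and hostnames are constructed placeholders; the Haiilo field names are the ones used in the steps above.

```python
"""Added example (not Haiilo's code): derive the OpenID Connect provider fields
from a discovery document and check the Mapping ID / Scope configuration.
Both JSON documents are constructed for this example."""
import json
from typing import Dict, Set
from urllib.parse import urlparse

# Constructed discovery document (what an IdP serves at /.well-known/openid-configuration).
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.test/TENANT-ID-PLACEHOLDER/v2.0",
    "authorization_endpoint": "https://login.example.test/TENANT-ID-PLACEHOLDER/oauth2/v2.0/authorize",
    "token_endpoint": "https://login.example.test/TENANT-ID-PLACEHOLDER/oauth2/v2.0/token",
    "userinfo_endpoint": "https://graph.example.test/oidc/userinfo",
    "scopes_supported": ["openid", "profile", "email", "offline_access"],
})

# Constructed user-info response for one user.
SAMPLE_USERINFO = json.dumps({
    "sub": "PLACEHOLDER-SUBJECT-ID",
    "email": "jane.doe@example.test",
    "name": "Jane Doe",
})

# Standard claims and the scope that releases them (OIDC Core 1.0, section 5.4).
CLAIM_SCOPE = {
    "email": "email", "email_verified": "email",
    "name": "profile", "preferred_username": "profile",
    "given_name": "profile", "family_name": "profile",
}


def haiilo_fields_from_discovery(discovery_json: str, expected_issuer: str) -> Dict[str, str]:
    """Map discovery endpoints onto the Haiilo URL fields, rejecting a foreign issuer or plain http."""
    doc = json.loads(discovery_json)
    if doc.get("issuer") != expected_issuer:
        raise ValueError(f"issuer {doc.get('issuer')!r} is not the expected tenant {expected_issuer!r}")
    fields = {
        "Authentication URL": doc["authorization_endpoint"],
        "Access-Token URL": doc["token_endpoint"],
        "User-Info URL": doc["userinfo_endpoint"],
    }
    for label, url in fields.items():
        if urlparse(url).scheme != "https":
            raise ValueError(f"{label} is not served over TLS: {url}")
    return fields


def missing_scopes(scope: str, mapping_id: str) -> Set[str]:
    """Scopes the provider must request for the Mapping ID claim that 'scope' does not list.
    'openid' is always required; 'sub' needs nothing beyond it; custom claims are not covered here."""
    granted = set(scope.split())
    needed = {"openid"}
    if mapping_id in CLAIM_SCOPE:
        needed.add(CLAIM_SCOPE[mapping_id])
    return needed - granted


def resolve_login_name(userinfo_json: str, mapping_id: str) -> str:
    """Return the claim the Mapping ID points at; an absent or empty claim cannot match a Haiilo user."""
    claims = json.loads(userinfo_json)
    value = claims.get(mapping_id)
    if not isinstance(value, str) or not value.strip():
        raise ValueError(f"Mapping ID claim {mapping_id!r} is missing or empty in the user-info response")
    return value


if __name__ == "__main__":
    issuer = "https://login.example.test/TENANT-ID-PLACEHOLDER/v2.0"
    for label, url in haiilo_fields_from_discovery(SAMPLE_DISCOVERY, issuer).items():
        print(f"{label}: {url}")
    print("missing scopes for Mapping ID 'email' with 'openid profile':",
          missing_scopes("openid profile", "email"))
    print("login name:", resolve_login_name(SAMPLE_USERINFO, "email"))
```

Run the two checks after the app registration exists but before saving the provider: a Mapping ID whose claim the requested Scope never releases is the usual reason the test login in the last step fails even though the IdP redirect itself works.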