Setting up an authentication provider (SAML or OpenID)

You can connect authentication providers to your platform so that your users can log in with their company credentials. You can integrate any identity provider that supports the SAML 2.0 or OpenID Connect protocol. With SAML just-in-time provisioning, users who do not yet exist on your platform are created during their first login.

While Haiilo itself doesn't offer two-factor authentication, you can enforce it through your SAML identity provider. Make sure that the provider uses a certificate issued by a trusted certificate authority and TLS 1.2.

Set up a SAML authentication provider

A SAML authentication provider applies to exactly one user directory and only to that directory's users. To set it up, you need information from your IdP's metadata.xml, so obtain the metadata before proceeding with the steps below. A video tutorial for setting up SAML is also available.

  1. Go to Administration > Authentication.
  2. Select Create authentication provider.
  3. Enter a name. The name is displayed to users on the login screen after "Authenticate with".
  4. Choose a type: SAML or SAML just-in-time.
  5. Check Active.
  6. Decide if you want to use Automatic login. This automatically redirects the user from the login screen to the identity provider after a few seconds. If users don't want to be redirected, they can select Sign in as a local user before the redirect.
  7. Decide whether this authentication provider sends session emails for new logins.
  8. Fill out the fields on each tab as described below.

General

  1. Only check AD FS if your Microsoft Active Directory uses Federation Services.
  2. Enter the Entity ID, Authentication endpoint, and Logout endpoint from your identity provider's metadata.xml.
  3. Choose the Logout method. This defines whether the user is logged out locally (Haiilo only) or globally (SAML logout) when they log out of Haiilo.
  4. Enter an Answer validity, i.e., the time window within which a SAML response from the IdP is accepted. We recommend the standard 300 seconds.
  5. Choose the User directory that can use this authentication provider. The options depend on your user directory settings.


Request signing

  1. Check Sign requests if you want to sign the SAML request with a certificate and a private key. Otherwise, skip this tab.
  2. Enter a certificate and a private key in PEM format. You can use a self-signed certificate. The certificate must be added to the ADFS server in the trust relationship settings under "Signing".
  3. If the private key is password protected, enter the password.

Response validation

  1. In addition to signing requests, you can validate the SAML server's response. To do this, add the IdP server's token-signing certificate in PEM format.
  2. If you don't want to use this function, check Disable certificate trust check.

Just-in-time provisioning

This tab is only available if you select the type SAML just-in-time.

  1. Define the attributes that are imported for users. You can find the required attribute names in your metadata.xml.
  2. You can also synchronize profile fields. Choose the Haiilo profile fields and assign each one to the corresponding attribute from your metadata.xml.


Finalize

  1. Select Save to generate the Haiilo endpoints and metadata XML. After saving, these will appear on the General tab.
  2. Add Haiilo's information to your IdP. Haiilo only establishes a redirect to the IdP and then expects a SAML assertion, in which the login name (e.g., the email address) is passed as NameID. For SAML just-in-time, the attributes that are provisioned must also be configured in the SAML assertion. ADFS example:

    [Screenshot: ADFS example]
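
As an added illustration (example code, not Haiilo's own), the checks a service provider applies to the assertion once its signature has been verified with the token-signing certificate from the Response validation tab: issuer against the Entity ID, issue time against the Answer validity, audience, NameID as the login name, and the just-in-time attribute mapping. The Entity IDs, attribute names and the sample response are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholder values of the kind entered on the General tab (not real endpoints).
IDP_ENTITY_ID = "https://idp.example.test/adfs/services/trust"
SP_ENTITY_ID = "https://intranet.example.test/saml/metadata"
ANSWER_VALIDITY = timedelta(seconds=300)  # the recommended 300 seconds

def _ts(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))
def check_assertion(response_xml, now, attribute_map):
    """Validate an assertion whose signature was already verified; return (NameID, profile)."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no assertion in response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != IDP_ENTITY_ID:
        raise ValueError("issuer does not match the configured Entity ID")
    # Answer validity: reject assertions issued too long ago (or dated in the future).
    if abs(now - _ts(assertion.get("IssueInstant"))) > ANSWER_VALIDITY:
        raise ValueError("assertion outside the answer validity window")
    cond = assertion.find("saml:Conditions", NS)
    if not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion conditions not satisfied")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise ValueError("assertion was not issued for this service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        raise ValueError("NameID (login name) missing")
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    # Just-in-time mapping: Haiilo profile field -> SAML attribute name.
    return name_id, {field: attrs.get(name) for field, name in attribute_map.items()}

# Constructed sample response (unsigned, illustration only).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
<saml:Assertion IssueInstant="2024-01-01T12:00:00Z"><saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
<saml:Subject><saml:NameID>jane.doe@example.test</saml:NameID></saml:Subject>
<saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
</saml:Conditions><saml:AttributeStatement>
<saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
<saml:Attribute Name="department"><saml:AttributeValue>Security</saml:AttributeValue></saml:Attribute>
</saml:AttributeStatement></saml:Assertion></samlp:Response>"""

def demo(offset_seconds=30):
    # Evaluate the sample response as seen offset_seconds after it was issued.
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc) + timedelta(seconds=offset_seconds)
    return check_assertion(SAMPLE_RESPONSE, now, {"First name": "givenName", "Department": "department"})
```

A response replayed 600 seconds later fails the answer validity check even though its signature would still verify, which is why the 300-second window matters alongside the certificate.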

Set up an OpenID authentication provider

An OpenID authentication provider is always available to all users and cannot be limited to a specific user directory. To configure OpenID, we recommend following the guidelines of your identity provider. You can also view our tutorial videos on setting up OpenID for Entra ID.

  1. Go to Administration > Authentication.
  2. Select Create authentication provider.
  3. Enter a name. The name is displayed to users on the login screen after "Authenticate with".
  4. Select the type OpenID Connect.
  5. Check Active.
  6. Decide if you want to use Automatic login. This automatically redirects the user from the login screen to the identity provider after a few seconds. If users don't want to be redirected, they can select Sign in as a local user before the redirect.
  7. Decide whether this authentication provider sends session emails for new logins.
  8. Select a preset, if one applies to your IdP. A preset auto-fills the fields with IdP-specific information to help you get started. You can also fill out the fields manually by leaving the preset blank.
  9. Enter the Mapping ID. This is the parameter in the IdP response that must match the Haiilo user's login name (e.g., the email address).
  10. Register Haiilo as a web application in your IdP to obtain the Client ID, Client Secret, Tenant ID, Authentication URL, Access-Token URL, User-Info URL, Token Schema, and Authentication schema.
    • You will be asked for a Haiilo login/redirect URL. Haiilo generates this URL only after you save the configuration; see step 12.
  11. Enter a Scope. This is the permission required to access the User-Info URL.
  12. Select Save to generate the Haiilo Redirect URL. Enter this URL in your IdP's app registration.

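An added example (not part of Haiilo's code) of what the Mapping ID from step 9 means in practice: after the ID token's signature has been verified, the claim named by Mapping ID is read out as the login name, while iss, aud and exp are checked against the Tenant ID and Client ID from step 10. The client ID, issuer URL and token are constructed placeholders.

```python
import base64
import json
from datetime import datetime, timezone

# Placeholder values of the kind obtained from the IdP app registration (step 10).
CLIENT_ID = "11111111-2222-3333-4444-555555555555"
ISSUER = "https://login.example.test/<tenant-id>/v2.0"
MAPPING_ID = "email"  # the claim that must equal the Haiilo login name (step 9)

def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def login_name_from_id_token(id_token, now):
    """Check iss/aud/exp of an ID token and return the Mapping ID claim.
    The token signature is assumed to have been verified against the IdP's
    published signing keys before this function is called."""
    _header, payload, _signature = id_token.split(".")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("iss") != ISSUER:
        raise ValueError("token issued by an unexpected issuer (check the Tenant ID)")
    audience = claims.get("aud")
    audience = [audience] if isinstance(audience, str) else (audience or [])
    if CLIENT_ID not in audience:
        raise ValueError("token not issued for this Client ID")
    if now.timestamp() >= claims.get("exp", 0):
        raise ValueError("token expired")
    value = claims.get(MAPPING_ID)
    if not value:
        raise ValueError(f"claim {MAPPING_ID!r} missing; check the requested Scope")
    return value

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def constructed_token(claims):
    """Build a sample token with an empty signature (constructed demo input only)."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def demo(with_email=True):
    claims = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 1704114000, "sub": "a1b2c3"}
    if with_email:
        claims["email"] = "jane.doe@example.test"
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # 1704110400, before exp
    return login_name_from_id_token(constructed_token(claims), now)
```

If the Scope does not request the claim chosen as Mapping ID, the token arrives without it and the login cannot be matched to a Haiilo user, which the missing-claim error makes visible.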
