Single Sign On (SSO / SAML) with Ethnio
If You're Reading This, You Probably Know About SSO/SAML
SSO has become the de facto standard for large organizations managing vendor access for their employees. It's a single set of credentials your employees can use to log into several different applications, and you can absolutely set this up with Ethnio (Enterprise-only). Sections in this doc:
- Getting Started with Ethnio SSO
- How Does SSO Work With Ethnio?
- Auto-Provisioning Seat Licenses via SSO
- Attributes
- Audience URI / Entity ID
Does Ethnio Support SSO/SAML? Yes.
Ethnio supports SSO via SAML 2.0 and acts as a service provider (SP) for SSO. You must have a federation service that acts as an identity provider (IdP), but you almost definitely have that if you're interested in this whole setup. Ethnio supports all the most common IdPs:
- ADFS 2.0/3.0
- PingFederate/PingOne
- Okta
- OneLogin
- Google SAML 2.0
There may be additional functionality as part of an SSO integration, like account provisioning upon addition to the IdP (pre-provisioning) and automatic account de-provisioning upon removal from the IdP. Please reach out to us to see about different levels of functionality.
Getting Started with Ethnio SSO
If you're an Enterprise customer and would like to activate SSO, there are four steps to getting started:
- ✅ Grab the Ethnio Metadata.xml file
- ✅ Make sure your IdP supports SAML 2.0 and SP initiated SSO
- ✅ Send your Metadata.xml file to help@ethn.io
- ✅ We'll reply right away and get started enabling SSO on your account, then let you know when it's ready to test.
⚠️ Important note on testing: Make sure anyone testing SSO at your organization has been invited to the Ethnio account and has a team account with the exact email you use for SSO credentials.
How Does SSO Work With Ethnio?
- After setup is complete, head to ethn.io/login and click "Single Sign On", or your custom SSO login URL which we provide
- Either way, Ethnio forwards the request to the IdP. The user will be redirected to the IdP login page.
- You log in using your company credentials
- We validate against your user directory
- The SAML assertion is sent back to Ethnio. At a minimum, the SAML assertion response from the identity provider must contain the user’s email address. The email address must correspond to a team license within that Ethnio account. First and last name attributes are typically sent as parameters as well, but they are not required to enable SSO.
- Your session is authenticated and logged into Ethnio
Auto-Provisioning Seat Licenses via SSO
The first time a user from your organization logs in to Ethnio via SSO, the IdP is communicating to Ethnio that this user should be allowed to have an account. If a user should not have an account, restrict access through the IdP so that no SAML assertion is sent to Ethnio for that user. The basic idea here is you're responsible for deciding who should have access to Ethnio at your organization. If your organization wants SCIM provisioning so that there is automatic provisioning and deprovisioning via the SSO integration, this can be part of an Enterprise Add-On.
Attributes
For sign-in to succeed, the Email, FirstName and LastName claims need to be exactly the same in Ethnio as in your SSO configuration. Ethnio expects three separate claims, described below.
- Email – Specify the attribute name your IdP uses for each user's email address.
- FirstName – Specify the attribute name your IdP uses for each user's first name.
- LastName – Specify the attribute name your IdP uses for each user's last name.
Audience URI / Entity ID
https://ethn.io/sp
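To make the requirements above concrete (the assertion must carry the user's email, the email must match a team license, the three claims are mapped by attribute name, and the audience must be Ethnio's Entity ID), here is an added example of how a service provider checks a SAML Response for those claims. This is illustrative code written for this page, not Ethnio's implementation. The sample response, the IdP attribute names in ATTR_MAP, the issuer URL and the user values are all constructed; XML signature verification, issuer checks and InResponseTo/replay checks are left to a real SAML library and are not shown.

```python
"""Check a SAML 2.0 Response for the claims an SP like Ethnio needs (added example, not Ethnio's code)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Ethnio's SP Entity ID (from the page). Any assertion must be scoped to it.
EXPECTED_AUDIENCE = "https://ethn.io/sp"

# Maps the three claims Ethnio needs to the attribute names the IdP emits.
# These IdP-side names are assumptions for the example; yours may differ.
ATTR_MAP = {"email": "Email", "first_name": "FirstName", "last_name": "LastName"}

# Constructed, unsigned sample response used only to exercise the checks.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>ada@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://ethn.io/sp</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="Email"><saml:AttributeValue>ada@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Ada</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Lovelace</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def _parse_time(value):
    """Parse the UTC 'Z' timestamp format used in SAML Conditions."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_claims(xml_text, attr_map=ATTR_MAP):
    """Return {claim: value} for the mapped attributes; a missing attribute yields None."""
    root = ET.fromstring(xml_text)
    found = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        value = attr.find("saml:AttributeValue", NS)
        found[attr.get("Name")] = value.text.strip() if value is not None and value.text else None
    return {claim: found.get(idp_name) for claim, idp_name in attr_map.items()}


def audience_ok(xml_text, expected=EXPECTED_AUDIENCE):
    """True if the assertion's AudienceRestriction names our Entity ID."""
    root = ET.fromstring(xml_text)
    path = ".//saml:Conditions/saml:AudienceRestriction/saml:Audience"
    return expected in [a.text.strip() for a in root.iterfind(path, NS) if a.text]


def conditions_ok(xml_text, now_iso):
    """True if 'now' falls inside the NotBefore / NotOnOrAfter validity window."""
    now = _parse_time(now_iso)
    cond = ET.fromstring(xml_text).find(".//saml:Conditions", NS)
    if cond is None:
        return False
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _parse_time(not_before):
        return False
    if not_on_or_after and now >= _parse_time(not_on_or_after):
        return False
    return True


def evaluate_login(xml_text, licensed_emails, now_iso, attr_map=ATTR_MAP):
    """Decide whether an assertion maps to a seat; returns (accepted, reason, claims)."""
    claims = extract_claims(xml_text, attr_map)
    if not audience_ok(xml_text):
        return False, "audience mismatch", claims
    if not conditions_ok(xml_text, now_iso):
        return False, "assertion expired or not yet valid", claims
    email = claims.get("email")
    if not email:
        return False, "email claim missing", claims
    # The page requires the exact email of a team license, so compare exactly.
    if email not in set(licensed_emails):
        return False, "no team license for this email", claims
    return True, "ok", claims


if __name__ == "__main__":
    # Constructed team roster; "now" is inside the sample's validity window.
    print(evaluate_login(SAMPLE_RESPONSE, ["ada@example.com"], "2024-01-01T00:01:00Z"))
```

The first/last name claims are carried through but never gate the decision, matching the page's statement that only the email is required; the ATTR_MAP argument is what you would adjust if your IdP emits, say, `mail` instead of `Email`.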
Optional (Automatic Notifications by Domain)
If anyone using their work email at your organization tries to create a free Ethnio account, we'll alert them that you have a company-wide SSO license and ask them to continue logging in with their company credentials. Then the same account provisioning rules from above will apply.