Single Sign-On is a convenient, yet secure way of authenticating a user. Most customers are already running an Identity Provider (IDP) that supports Single Sign-On through the SAML 2 protocol, e.g. Active Directory, OneLogin, or Okta.
In order to configure the Single Sign-On for Userlane, follow these steps below:
Setting up SSO with ADFS
Userlane can accept authentication via the SAML 2.0 Protocol.
Of the many implementations of this protocol, Microsoft Active Directory Federation Services (ADFS) is one of the most widespread. In this scenario, an ADFS server acts as the Identity Provider (IDP) and Userlane as the Service Provider (SP).
1.1. Adding the Identity Provider (IDP) details to Userlane
To register your IDP with Userlane, the IT Admin needs to provide the following info about the company IDP to the SA:
Entry point/target URL that users will be redirected to for authentication
X509 Certificate/Signatures so that Userlane can securely validate authentication claims
This information is often contained in a Metadata XML file.
Then, sign in to Userlane Portal > Settings > Single Sign-on and add the required information.
1.2. Adding Userlane as a Service Provider (SP) to your IDP
For the company’s IDP to accept authentication requests by Userlane, the IT Admin must first register Userlane as a Service Provider (SP).
Registration steps:
1. Download the Metadata file onto your ADFS Server
2. Open the “AD FS Management” app
3. In the menu on the right, select “Add Relying Party Trust”
4. Select “Claims aware”
5. Select the Metadata file you’ve downloaded or follow the instructions for manual setup below
6. Specify any display name or description you like
7. It is essential to configure which employees are targeted for Userlane.
In general, any employee who has access to the connected application that uses Userlane for enablement purposes should also have access to the Userlane app. However, we recommend that App Owner confirms the target group after consulting with SA to avoid any misunderstanding.
Note: Do not configure MFA (Multi-factor Authentication) as a requirement in order to make the sign-in easier and seamless for your users.
8. Confirm in order to add the Trust and continue with configuring a claims issuance policy for your application
8.1. Select “Add Rule”
8.2. Userlane requires a “nameID” (please keep the exact letter-case form) in the Outgoing Claim Type. This will be the unique identifier on Userlane level and it is the only mandatory attribute required. This ID must be unique for each user and is not meant to be changed over time in order to keep historical information clean.
Additional user information required by App Owner for improved targeting is explained in the article Expanding the Settings
Save and apply the Claim Rule
Make sure to choose how often you want to repeat the SSO for already authenticated users. This assures that user attributes are kept up to date. For doing this: sign in to Userlane Portal > Settings > Browser Extension then in the dropdown SSO Refresh Interval choose one of the available options. Keep in mind that the shorter the interval, the higher the load on your IDP will be.
Test the single sign-on implementation
To test the integration after the setup has been completed, open the following URL in a browser:
https://sso-saml.userlane.com/c/USERLANE-COMPANY-ID/authenticate or you can do it within the Portal:
Then, sign in to Userlane Portal > Settings > Single Sign-on and click the Test SSO button.
The user will be redirected to the IDP.
After successful authentication, the user will be redirected back to Userlane and the Browser Extension will be authenticated.
Users with given permission will be authenticated and end up on the overview page:
