Enabling Single Sign-On (SSO) via SAML

Single Sign-On (SSO) lets users authenticate with your company's existing Identity Provider instead of a separate Userlane password. Most customers are already running an Identity Provider (IDP) that supports Single Sign-On through the SAML 2.0 protocol, e.g. Active Directory Federation Services (ADFS), OneLogin, or Okta.

To configure Single Sign-On for Userlane, follow the steps below:


Setting up SSO via SAML 2.0

Userlane can accept authentication via the SAML 2.0 protocol. Of the many implementations of this protocol, Microsoft Active Directory Federation Services (ADFS) is one of the most widespread, so this guide uses it as the example. In this scenario, an ADFS server acts as the Identity Provider (IDP) and Userlane as the Service Provider (SP).

1.1. Adding the Identity Provider (IDP) details to Userlane

To register your IDP with Userlane, the IT Admin needs to provide the following information about the company IDP to the Userlane SA:

  • Entry point / target URL (the IDP's SingleSignOnService endpoint) that users will be redirected to for authentication

  • X.509 signing certificate, so that Userlane can validate the signature on the authentication assertions issued by the IDP

This information is usually contained in the IDP's Metadata XML file (ADFS publishes it at https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml). You can send the entire file to Userlane and we will extract the relevant information from it.
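Before sending the file, it is worth confirming that it really contains both items and that the signing certificate is still valid. The following PowerShell script is an added example, not part of Userlane's tooling: it parses an IdP metadata file, prints the SingleSignOnService entry point, and decodes the signing certificate(s) to check their validity period. The metadata path is an assumption; point it at the file you exported from your own IDP.

```powershell
# Added example (not Userlane's code): inspect IdP SAML metadata before sending it on.
# Assumption: the metadata file has been saved locally at $MetadataPath.
param(
    [string]$MetadataPath = "C:\Temp\FederationMetadata.xml"
)

[xml]$md = Get-Content -Path $MetadataPath -Raw

# SAML metadata and XML-DSig live in their own namespaces; register them for XPath.
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace("md", "urn:oasis:names:tc:SAML:2.0:metadata")
$ns.AddNamespace("ds", "http://www.w3.org/2000/09/xmldsig#")

$idp = $md.SelectSingleNode("//md:IDPSSODescriptor", $ns)
if (-not $idp) {
    throw "No IDPSSODescriptor element: this is not IdP metadata (did you export the SP file by mistake?)"
}
"Entity ID   : $($md.DocumentElement.entityID)"

# Entry point: the SingleSignOnService endpoint, preferring the HTTP-Redirect binding.
$redirect = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
$post     = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
$sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$redirect']", $ns)
if (-not $sso) { $sso = $idp.SelectSingleNode("md:SingleSignOnService[@Binding='$post']", $ns) }
if (-not $sso) { throw "No SingleSignOnService endpoint found in the metadata" }
if ($sso.Location -notmatch '^https://') { Write-Warning "Entry point is not HTTPS: $($sso.Location)" }
"Entry point : $($sso.Location) ($($sso.Binding))"

# Signing certificate(s): KeyDescriptor with use="signing", or without a use attribute
# (which per the SAML metadata spec means the key serves both signing and encryption).
$certNodes = $idp.SelectNodes(
    "md:KeyDescriptor[not(@use) or @use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)
if ($certNodes.Count -eq 0) {
    throw "No signing certificate found; Userlane cannot validate assertions without one"
}

foreach ($node in $certNodes) {
    $der  = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    "Signing cert: $($cert.Subject)"
    "  Thumbprint: $($cert.Thumbprint)"
    "  Valid     : $($cert.NotBefore.ToString('u')) to $($cert.NotAfter.ToString('u')) ($daysLeft days left)"
    if ($daysLeft -lt 0) {
        Write-Warning "Certificate has EXPIRED; assertions signed with it will be rejected"
    } elseif ($daysLeft -lt 60) {
        Write-Warning "Certificate expires soon; plan to send Userlane the rotated metadata before then"
    }
}
```

Note that ADFS renews its token-signing certificate automatically by default (AutoCertificateRollover), so the certificate in the metadata changes over time; re-run this check and send Userlane the updated metadata before the current certificate expires, otherwise sign-in stops working.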

1.2. Adding Userlane as a Service Provider (SP) to your IDP

For the company's IDP to accept authentication requests from Userlane, the IT Admin first needs to register Userlane as a Service Provider (SP).

The Userlane Service Provider Metadata differs for each customer. Your Userlane SA will provide you with an .xml file to import into your ADFS Server.
Registration steps:

1. Download the Metadata file onto your ADFS Server

2. Open the "AD FS Management" app

3. In the menu on the right, select "Add Relying Party Trust"

4. Select "Claims aware"

5. Select the Metadata file you downloaded, or follow the instructions for manual setup below

6. Specify any display name or description you like

7. Configure which employees are targeted for Userlane (in the wizard, this is the Access Control Policy step; it decides who is permitted to sign in to this trust).
In general, any employee who has access to the connected application that uses Userlane for enablement purposes should also have access to the Userlane app. However, we recommend that the App Owner confirms the target group after consulting with the SA to avoid any misunderstanding.

Note: Do not configure MFA (Multi-factor Authentication) as an additional requirement on this relying party trust (i.e. do not pick one of the "... and require MFA" policy variants); this keeps sign-in seamless for your users. This only concerns the per-application setting: any MFA your IDP already enforces for every sign-in still applies, and the final decision should follow your organization's authentication policy.

8. Confirm to add the trust, then continue with configuring a claims issuance policy for your application

8.1. Select "Add Rule"

8.2. Userlane requires a "Name ID" (nameID) as the Outgoing Claim Type. This is the unique identifier of the user on Userlane's side and the only mandatory attribute. The value must be unique for each user and must not change over time, so that the user's historical information stays attached to one identity; choose a stable directory attribute rather than one that can be renamed, such as a display name.

Additional user information the App Owner may want for improved targeting is explained in the article Expanding the Settings.

Save and apply the claim rule.
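The wizard steps 1 to 8.2 can also be done with the AD FS PowerShell module, which is easier to review, version and repeat across test and production farms. The following script is an added example and not Userlane's own configuration: the metadata path, the trust name and the AD group are assumptions, and the choice of objectGUID as the source of the Name ID is one reasonable stable identifier, not a Userlane requirement. Run it on the ADFS server as an ADFS administrator.

```powershell
# Added example (not Userlane's code): create the Userlane relying party trust,
# restrict it to a target group, and issue a stable Name ID, all via the ADFS module.
Import-Module ADFS

$rpName      = "Userlane"                           # assumed display name (step 6)
$spMetadata  = "C:\Temp\userlane-sp-metadata.xml"   # assumed path of the file from your Userlane SA
$targetGroup = "CONTOSO\Userlane-Users"             # hypothetical AD group of targeted employees (step 7)

# Steps 3-5: claims-aware trust built from the SP metadata (endpoints, identifier,
# encryption certificate are all taken from the file).
Add-AdfsRelyingPartyTrust -Name $rpName -MetadataFile $spMetadata

# Step 7: permit only members of the target group. The rule matches on the group SID,
# so renaming the group does not silently grant or revoke access.
$groupSid = (New-Object System.Security.Principal.NTAccount($targetGroup)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$authzRules = @"
@RuleTemplate = "Authorization"
@RuleName = "Permit Userlane target group"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i)$groupSid$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
"@

# Step 8.2: read objectGUID from AD (ADFS returns it base64-encoded, which is fine:
# it is still unique and never changes for the account, unlike UPN or mail) and
# map it to a persistent-format Name ID, the only attribute Userlane requires.
$transformRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Read objectGUID from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://temp/objectguid"), query = ";objectGUID;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "objectGUID to persistent Name ID"
c:[Type == "http://temp/objectguid"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent");
"@

# No -AdditionalAuthenticationRules are set, in line with the MFA note above, so only
# the farm-wide ADFS authentication policy applies to this trust.
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceAuthorizationRules $authzRules `
    -IssuanceTransformRules $transformRules

# Review what was configured before testing the sign-in URL.
Get-AdfsRelyingPartyTrust -Name $rpName |
    Select-Object Name, Enabled, Identifier, SamlEndpoints, IssuanceAuthorizationRules, IssuanceTransformRules
```

Custom issuance authorization rules can only be set on a trust that has no Access Control Policy assigned, which is the case for a trust created this way; if you created the trust in the wizard and chose a policy there, edit that policy instead of running the Set-AdfsRelyingPartyTrust line.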


Test the single sign-on implementation

To test the integration after the setup has been completed, open the following URL in a browser:

https://sso-saml.userlane.com/c/USERLANE-COMPANY-ID/authenticate


The user will be redirected to the IDP. 

After successful authentication, the user will be redirected back to Userlane and the Browser Extension will be authenticated.

Users who have been granted access (see step 7) will be authenticated and land on the overview page:

