CIC supports SAML, allowing you to use your preferred authentication systems. It can integrate with identity providers (IDP) like OneLogin, Auth0, or Azure Active Directory, where the IDP handles the credentials. This means you don't have to manage IDs separately within CIC.
In CIC, SAML is configured at the tenant level while SSO is enforced at the domain level. This means:
- An administrator enables SAML for a specific CIC tenant.
- One or more email domains are associated with that tenant.
- Any user whose email address belongs to a SAML‑enabled domain is automatically redirected to the identity provider when signing in.
- Users from SAML‑enabled domains always authenticate using SSO.
- Users from other domains continue to use standard CIC login methods.
- A single SAML configuration can apply consistently across multiple tenants, depending on domain association.
Note: Cleo Support must enable SAML for your tenant before you can access the SAML page.
Before Configuring CIC
Before you configure CIC to use SAML, make sure the following configuration is done on your system.
-
Ensure the SAML identity provider's SAML responses to Cognito contain an audience restriction as follows:
<saml:AudienceRestriction> <saml:Audience> urn:amazon:cognito:sp:us-west-2_lQQzMSzLQ </saml:AudienceRestriction> -
Ensure all SAML responses contain an
InResponseToelement in theResponseobject that matches the request ID in the authentication request as in the following example:<samlp:Response ... InResponseTo="originalSAMLrequestId"> -
Ensure that a
SubjectConfirmationDataattribute hasRecipientandInResponseTovalues set as follows:<saml:SubjectConfirmation> <saml:SubjectConfirmationData ... Recipient="https://yourUserPoolDomain/saml2/idpresponse" InResponseTo="originalSAMLrequestd"> </saml:SubjectConfirmation>
Configuring CIC to use SAML
Use the Admin > SAML page to configure Cleo Integration Cloud to use SAML for single sign-on.
Use these fields to customize your application. Changes you make are previewed as you make them.
| Field | Description |
|---|---|
| Enable SAML for all users of the domain |
Select this check box to authenticate all users of the domain via IDP using the SAML protocol. If you select only this option, your SAML login page is displayed when users invoke Cleo Integration Cloud. Also allows you to disable SAML so that an administrator can log in using their user name and password, for example, to the system to troubleshoot. Important: Before you select this check box, make sure you have imported your IDP information and your IDP has your SP information. |
| Session Inactivity Timeout (seconds) |
Administrators can use this field to configure inactivity timeout duration per tenant/per domain, giving organizations direct control over their session security policy. CIC automatically signs out users based on this configuration. Notes:
|
Service Provider
Cleo provides you with the information in this section of the page to configure your IDP. You provide this information to your IDP to enable the IDP to trust Cleo Integration Cloud.
Note: Your IDP might use different names for the data provided in the fields below. Check with your IDP for more information.
| Field | Description |
|---|---|
| Entity ID (Audience) | Identifies the application for which single sign-on is being configured. Sometimes also referred to as audience. |
| Assertion Consumer Service |
Identifies the URL that expects to receive the SAML assertion.
|
| Sign In URI | The Cleo Integration Cloud login page. Sometimes required for IDP configuration. |
Identity Provider
You provide access to a metadata file containing information about the Identity Provider (IDP).
| Field | Description | ||||
|---|---|---|---|---|---|
| Metadata XML |
Provides information (as metadata) about the IDP in .xml format. You can provide an address from which to download a file or select a file to import directly.
|
Attribute Mappings
Attribute mappings allow Cleo Integration Cloud to identify various parts of a SAML assertion.
| Field | Description |
|---|---|
| Email Attribute | The attribute name used by the IDP to identify the email address in the SAML assertion. |
Verifying your IDP
After making the changes in your IDP provider (for example Okta, Azure AD, Onelogin), verify that your SAML integration still works and has the required fields.
-
Open a browser and pull down the ... menu.
-
Go to More Tools and open Developer Tools. It might take a few seconds to open the Developer Tools in the browser.
-
Go to the Network tab and make sure the Doc button is selected.
- With the Network tab open, go www.cleointegration.cloud, enter your email, and click Next. This should route you to your IDP Login.
- Enter your IDP login information.
-
Once it redirects to the CIC, notice the Network tab now contains data from your network traffic. Find idpresponse in the Name column.
-
Click on idpresponse, go to the Payload tab and copy the payload value.
- In a new browser tab and go to samltool.com/base64.php.
-
In the Decode section, paste the payload and click the BASE64 DECODE XML button.
-
The decoded payload is displayed. Review the decoded payload to verify it contains the three items mentioned in the initial email (saml audience, InResponseTo, and the SubjectConfirmationData attributes).
Comments
0 comments
Please sign in to leave a comment.