CIC supports SAML so that you can bring your own preferred authentication system. CIC can integrate with identity providers (for example, OneLogin, Auth0, or Azure Active Directory), and the IDP manages the credentials. You don't need to manage IDs separately in CIC.
In CIC, SAML is managed on a per-tenant basis, which means, as an Admin, you can configure SAML for a tenant you have Admin privileges for. Any domains that Cleo has associated with that tenant are subject to that SAML configuration. SSO is enforced on a per-domain basis, which means that any user belonging to a domain configured for SAML will use SSO for any tenant they attempt to log in to.
Note: Cleo Support must enable SAML for your tenant before you can access the SAML page.
Before Configuring CIC
Before you configure CIC to use SAML, make sure the following configuration is done on your system.
- Ensure the SAML identity provider's SAML responses to Cognito contain an audience restriction as follows:

```xml
<saml:AudienceRestriction>
  <saml:Audience>urn:amazon:cognito:sp:us-west-2_lQQzMSzLQ</saml:Audience>
</saml:AudienceRestriction>
```

- Ensure all SAML responses carry an InResponseTo attribute on the Response element that matches the request ID in the authentication request, as in the following example:

```xml
<samlp:Response ... InResponseTo="originalSAMLrequestId">
```

- Ensure that the SubjectConfirmationData element has Recipient and InResponseTo attributes set as follows (the InResponseTo value must again match the request ID):

```xml
<saml:SubjectConfirmation>
  <saml:SubjectConfirmationData ... Recipient="https://yourUserPoolDomain/saml2/idpresponse" InResponseTo="originalSAMLrequestId">
</saml:SubjectConfirmation>
```
Configuring CIC to use SAML
Use the Admin > SAML page to configure Cleo Integration Cloud to use SAML for single sign-on.
Use these fields to customize your application. Changes you make are previewed as you make them.
Field | Description |
---|---|
Enable SAML for all users of the domain | Select this check box to authenticate all users of the domain via the IDP using the SAML protocol. If you select only this option, your SAML login page is displayed when users invoke Cleo Integration Cloud. Clearing this check box disables SAML so that an administrator can log in to the system with a user name and password, for example, to troubleshoot. Important: Before you select this check box, make sure you have imported your IDP information and your IDP has your SP information. |
Service Provider
Cleo provides you with the information in this section of the page to configure your IDP. You provide this information to your IDP to enable the IDP to trust Cleo Integration Cloud.
Note: Your IDP might use different names for the data provided in the fields below. Check with your IDP for more information.
Field | Description |
---|---|
Entity ID (Audience) | Identifies the application for which single sign-on is being configured. Sometimes also referred to as the audience. |
Assertion Consumer Service | Identifies the URL that expects to receive the SAML assertion. |
Sign In URI | The Cleo Integration Cloud login page. Sometimes required for IDP configuration. |
Identity Provider
You provide access to a metadata file containing information about the Identity Provider (IDP).
Field | Description |
---|---|
Metadata XML | Provides information (as metadata) about the IDP in .xml format. You can provide an address from which to download the file or select a file to import directly. |
Attribute Mappings
Attribute mappings allow Cleo Integration Cloud to identify various parts of a SAML assertion.
Field | Description |
---|---|
Email Attribute | The attribute name used by the IDP to identify the email address in the SAML assertion. |
Verifying your IDP
After making the changes in your IDP (for example, Okta, Azure AD, or OneLogin), verify that your SAML integration still works and that the responses contain the required fields.
- Open a browser and pull down the ... menu.
- Go to More Tools and open Developer Tools. It might take a few seconds to open the Developer Tools in the browser.
- Go to the Network tab and make sure the Doc button is selected.
- With the Network tab open, go to www.cleointegration.cloud, enter your email, and click Next. This should route you to your IDP login page.
- Enter your IDP login information.
- Once it redirects back to CIC, notice that the Network tab now contains data from your network traffic. Find idpresponse in the Name column.
- Click on idpresponse, go to the Payload tab and copy the payload value.
- In a new browser tab, go to samltool.com/base64.php.
- In the Decode section, paste the payload and click the BASE64 DECODE XML button.
- The decoded payload is displayed. Review it to verify that it contains the three items listed under Before Configuring CIC above (the SAML audience restriction, the InResponseTo value, and the SubjectConfirmationData attributes).
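The manual review in the last step, and the three requirements listed under Before Configuring CIC, can be scripted so that the same checks run every time the IDP configuration changes. The following is an added example, not code from Cleo or from this page: it decodes the idpresponse payload copied from the browser, parses it with the Python standard library, and reports any mismatch in the audience, the InResponseTo values, and the SubjectConfirmationData Recipient. It also extracts the email attribute named in the Attribute Mappings section. The sample response, the audience value `urn:amazon:cognito:sp:EXAMPLE_POOL_ID`, the request ID and the email address are all constructed placeholders; the real audience and recipient come from the Entity ID (Audience) and Assertion Consumer Service fields on the Service Provider section of the Admin > SAML page.

```python
"""Offline checker for a SAML response captured from the idpresponse request.

Added example; not part of the Cleo documentation. Checks only the fields the
configuration page asks for (audience, InResponseTo, SubjectConfirmationData,
email attribute). It does not verify the XML signature, which the service
provider checks against the certificate in the IDP metadata.
"""
import base64
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample response. Every identifier here is a placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" InResponseTo="originalSAMLrequestId">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID>jane@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData
            Recipient="https://yourUserPoolDomain/saml2/idpresponse"
            InResponseTo="originalSAMLrequestId"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction>
        <saml:Audience>urn:amazon:cognito:sp:EXAMPLE_POOL_ID</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email">
        <saml:AttributeValue>jane@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# What the browser's Payload tab shows: the response, base64-encoded (constructed).
SAMPLE_PAYLOAD_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()


def check_saml_response(payload, expected_audience, expected_recipient,
                        request_id, email_attribute="email"):
    """Decode a SAMLResponse payload and check the fields CIC requires.

    Returns (ok, findings, email): ok is True when no finding was recorded,
    findings lists each mismatch as text, email is the mapped attribute value
    or None if the attribute is absent.
    """
    findings = []
    # The Payload tab may show the value URL-encoded; unquote() is harmless on
    # plain base64 because it leaves '+' and '/' alone.
    xml_bytes = base64.b64decode(unquote(payload))
    root = ET.fromstring(xml_bytes)

    if root.tag != "{%s}Response" % NS["samlp"]:
        findings.append("root element is not samlp:Response")

    # 1. InResponseTo on the Response element must match the request ID.
    if root.get("InResponseTo") != request_id:
        findings.append("Response InResponseTo %r != %r"
                        % (root.get("InResponseTo"), request_id))

    # 2. The audience restriction must name our service provider.
    audiences = [a.text.strip()
                 for a in root.findall(".//saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if expected_audience not in audiences:
        findings.append("audience %r not in %r" % (expected_audience, audiences))

    # 3. SubjectConfirmationData must carry Recipient and a matching InResponseTo.
    confirmations = root.findall(
        ".//saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if not confirmations:
        findings.append("no SubjectConfirmationData element")
    for data in confirmations:
        if data.get("Recipient") != expected_recipient:
            findings.append("Recipient %r != %r"
                            % (data.get("Recipient"), expected_recipient))
        if data.get("InResponseTo") != request_id:
            findings.append("SubjectConfirmationData InResponseTo %r != %r"
                            % (data.get("InResponseTo"), request_id))

    # 4. The attribute configured as Email Attribute must be present.
    email = None
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == email_attribute:
            value = attr.find("saml:AttributeValue", NS)
            if value is not None and value.text:
                email = value.text.strip()
    if email is None:
        findings.append("email attribute %r not found" % email_attribute)

    return (not findings, findings, email)


if __name__ == "__main__":
    ok, findings, email = check_saml_response(
        SAMPLE_PAYLOAD_B64,
        expected_audience="urn:amazon:cognito:sp:EXAMPLE_POOL_ID",
        expected_recipient="https://yourUserPoolDomain/saml2/idpresponse",
        request_id="originalSAMLrequestId")
    print("ok:", ok, "email:", email)
    for line in findings:
        print("finding:", line)
```

To use it against a real capture, replace `SAMPLE_PAYLOAD_B64` with the value copied from the Payload tab, set `expected_audience` and `expected_recipient` to the values shown on your Service Provider section, and pass the ID of the AuthnRequest that the browser sent (visible in the preceding request in the Network tab). A non-empty findings list points at exactly which of the three requirements the IDP is not meeting.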