
Single Sign On

Figure Eight's Single Sign On (SSO) feature lets users access the Figure Eight platform with
one login. Customers who integrate via SSO validate usernames and passwords against their
corporate user database rather than having Figure Eight manage a separate password for each
user.
 
Federated authentication using Security Assertion Markup Language (SAML) allows you to send
authentication and authorization data between Figure Eight and your corporate network. To
enable Single Sign On for your team, contact your Customer Success Manager.
 

Benefits of Single Sign On

  1. Users have fewer passwords to remember, which increases usage and saves time.
  2. All password policies established for your corporate network remain in effect, increasing security for users who have access to sensitive data.

Guide to Set-up SSO Integration

Step 1: Provide SSO Configuration Details in Figure Eight

  1. Contact your Customer Success Manager or Account Executive to get access to the capability.
  2. In the Figure Eight platform, navigate to your Account Page --> SSO tab.
    • If you cannot find the SSO tab, please reach out to your Figure Eight Customer Success Manager or Support team.

Note: Only your Organization Admin or Team Admins have access to set up the integration. The SSO tab will not be visible to standard users.

      Figure 1: Figure Eight Account Page
  1. Provide your IdP XML metadata. There are two ways to enter the metadata:
    • Provide a URL that serves the IdP metadata (for example, https://idp.ssocircle.com/), OR copy and paste the XML metadata into the textbox.
    • See the example below. Note: replace ${certificate} with the base64-encoded signing certificate from your IdP.

      <md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk2en8uYL5E4ldZ4355">
        <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
          <md:KeyDescriptor use="signing">
            <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
              <ds:X509Data>
                <ds:X509Certificate>${certificate}
                </ds:X509Certificate>
              </ds:X509Data>
            </ds:KeyInfo>
          </md:KeyDescriptor>
          <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
          </md:NameIDFormat>
          <md:NameIDFormat>
            urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
          </md:NameIDFormat>
          <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nearsoft.okta.com/app/nearsoft_f8test_1/exk2en8uYL5E4ldZ4355/sso/saml" />
          <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nearsoft.okta.com/app/nearsoft_f8test_1/exk2en8uYL5E4ldZ4355/sso/saml" />
        </md:IDPSSODescriptor>
      </md:EntityDescriptor>

      Figure 2: SSO Settings - Setup SSO
  2. Provide Redirect URLs
    • Figure Eight can optionally be configured with the following URLs so that users are redirected back to their corporate network when required. If you do not want redirect URLs, enter the default Figure Eight URL (https://make.figure-eight.com/).
    • Important: the URLs must use HTTPS (start with https://).
      • Redirect Error URL: the URL the user is redirected to when an authentication or authorization error occurs.
      • Redirect Logout URL: the URL the user is redirected to when they log out of the Figure Eight platform.
  3. Select the SSO mode of your choice. Figure Eight can enable SSO in two ways.
    • Domain-Level: every user with the specified email domain is required to use SSO, and no user with that email domain can access Figure Eight with Figure Eight credentials. In this mode, any user who signs up on the platform is automatically added to your Organization in Figure Eight.
    • Org-level (default): only users who are in the Figure Eight organization associated with the customer can use SSO. Other users from your company who log in to Figure Eight with their corporate email addresses continue to use Figure Eight credentials, but they do not have access to the organization's data or jobs.
      • Example: if dan@company.com is part of the Figure Eight Org named "Company", he uses SSO to access the platform. If tom@company.com is not part of the Figure Eight Org named "Company", he cannot use SSO but can log in with Figure Eight credentials.
  4. Click 'Save' to store the settings.
  5. After the set-up is completed successfully, you will receive a SAML assertion template to configure in your IdP.

    Figure 3: SSO Settings - SAML Assertion Template

  6. Copy the SAML assertion.
  7. You can go back and edit your SSO set-up by clicking the edit button present in the "SSO Settings" tab.
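Before pasting IdP metadata into the SSO tab it is worth confirming that the document actually carries what the example above shows. The following Python script is an added example, not Figure Eight's own tooling: it parses IdP metadata and reports the entity ID, whether SAML 2.0 is advertised, whether a signing certificate is present and is real base64 (a ${certificate} placeholder that was never replaced is flagged), whether HTTPS SingleSignOnService endpoints exist for the HTTP-POST and HTTP-Redirect bindings, and whether the emailAddress NameID format that the assertion template uses is listed. The entity ID and endpoint URLs in the embedded sample are constructed placeholders.

```python
"""Pre-flight check of IdP SAML metadata before it is pasted into the SSO tab.
Added example; the checks mirror what this article's sample metadata contains."""
import base64
import binascii
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample in the shape of the article's example; entity ID and URLs are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://idp.example.com/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>${certificate}
          </ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/saml" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/saml" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_idp_metadata(xml_text):
    """Summarise IdP metadata and list anything that would break the SSO set-up."""
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % MD:
        return {"problems": ["root element is not md:EntityDescriptor"]}
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: this is not IdP metadata")
        return {"entity_id": entity_id, "problems": problems}
    if SAML2_PROTOCOL not in (idp.get("protocolSupportEnumeration") or "").split():
        problems.append("IdP does not advertise SAML 2.0 protocol support")

    # Signing certificates live in KeyDescriptor use="signing" (no "use" means signing and encryption).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):
            for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
                certs.append((c.text or "").strip())
    if not certs:
        problems.append("no signing certificate in the metadata")
    for cert in certs:
        if not cert or cert.startswith("${"):
            problems.append("certificate placeholder was not replaced with the real certificate")
            continue
        try:
            base64.b64decode("".join(cert.split()), validate=True)
        except (binascii.Error, ValueError):
            problems.append("signing certificate is not valid base64")

    # The article's example lists HTTP-POST and HTTP-Redirect endpoints; both must be HTTPS.
    endpoints = {}
    for svc in idp.findall("md:SingleSignOnService", NS):
        endpoints[svc.get("Binding")] = svc.get("Location")
    for binding in (POST_BINDING, REDIRECT_BINDING):
        location = endpoints.get(binding)
        if location is None:
            problems.append("no SingleSignOnService for %s" % binding.rsplit(":", 1)[1])
        elif not location.startswith("https://"):
            problems.append("SSO endpoint %s is not HTTPS" % location)

    formats = [(f.text or "").strip() for f in idp.findall("md:NameIDFormat", NS)]
    if formats and EMAIL_FORMAT not in formats:
        problems.append("IdP does not list the emailAddress NameID format used by the assertion template")

    return {"entity_id": entity_id, "signing_certs": len(certs), "sso_endpoints": endpoints,
            "name_id_formats": formats, "problems": problems}


if __name__ == "__main__":
    for key, value in inspect_idp_metadata(SAMPLE_METADATA).items():
        print("%s: %s" % (key, value))
```

Run it against the metadata file exported from your IdP (for example `inspect_idp_metadata(open("idp.xml").read())`); an empty `problems` list means the document has the pieces the SSO tab expects, and the listed endpoints should match the ones your IdP admin console shows.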

Step 2: Set-up SAML Assertion Details in IdP

Figure Eight requires the SAML assertion to follow the template below, which is provided to you after SSO set-up is complete.

  1. Variables starting with $ are user-specific.
  2. Variables starting with # are Identity Provider (IdP) / customer-specific.
<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{id}" IssueInstant="#{dateAutogeneratedFromIdP}" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">#{entityId}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">${emailAddress}</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="#{dateAutogeneratedFromIdP}" Recipient="https://make.figure-eight.com/saml/consume?customer_name=#{customer-name}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="#{dateAutogeneratedFromIdP}" NotOnOrAfter="#{dateAutogeneratedFromIdP}">
    <saml2:AudienceRestriction>
      <saml2:Audience>com.figure-eight.sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="#{dateAutogeneratedFromIdP}">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="team_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">${teamId}</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">${emailAddress}</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>

Assertion Timeout:

  • Figure Eight enforces the "Conditions" element's "NotBefore" and "NotOnOrAfter" values in assertions. If the assertion reaches Figure Eight more than one hour before the "NotBefore" timestamp, or one hour or more after the "NotOnOrAfter" timestamp, it is rejected.
  • The one-hour delta accounts for clock skew and other possible time differences between systems. The customer is responsible for posting the assertion to Figure Eight within the time window the assertion specifies.

Note: For the <Attribute Name="emailAddress" ... /> element, a Name value of Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" is also accepted.
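To see how the template, the assertion timeout rule and the emailAddress note above fit together, here is an added example of a checker that applies those constraints to an assertion. It is not Figure Eight's own validator: it confirms the emailAddress NameID format, the Recipient at the consume URL, the com.figure-eight.sp Audience, the team_id and emailAddress attributes (accepting the WS-Federation claim URI as the Name), and the NotBefore/NotOnOrAfter window with the one-hour tolerance. Signature verification is deliberately out of scope here; the sample assertion, its team id and the dan@example.com address are constructed.

```python
"""Checks a SAML assertion against the constraints this article states for Figure Eight.
Added example, not Figure Eight's own validator; XML signature checks are out of scope."""
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

SAML2 = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml2": SAML2}
EXPECTED_AUDIENCE = "com.figure-eight.sp"
RECIPIENT_PREFIX = "https://make.figure-eight.com/saml/consume?customer_name="
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# The article says the emailAddress attribute may also carry the WS-Federation claim URI.
EMAIL_ATTR_NAMES = {"emailAddress",
                    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"}
TOLERANCE = timedelta(hours=1)  # the one-hour delta the article describes


def parse_time(value):
    """SAML timestamps are UTC xs:dateTime values such as 2019-11-26T16:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now):
    """Return the list of problems found; an empty list means every check passed.
    `now` is the receive time, as an aware datetime or a timestamp string."""
    if isinstance(now, str):
        now = parse_time(now)
    problems = []
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Assertion" % SAML2:
        return ["root element is not saml2:Assertion"]
    name_id = root.find("saml2:Subject/saml2:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        problems.append("NameID missing or not in emailAddress format")
    scd = root.find("saml2:Subject/saml2:SubjectConfirmation/saml2:SubjectConfirmationData", NS)
    if scd is None or not (scd.get("Recipient") or "").startswith(RECIPIENT_PREFIX):
        problems.append("Recipient is not the Figure Eight consume URL")
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("Conditions element missing")
    else:
        not_before = parse_time(cond.get("NotBefore"))
        not_on_or_after = parse_time(cond.get("NotOnOrAfter"))
        # Rejected when received more than one hour before NotBefore ...
        if now < not_before - TOLERANCE:
            problems.append("received more than one hour before NotBefore")
        # ... or one hour or more after NotOnOrAfter (that bound excludes the instant itself).
        if now >= not_on_or_after + TOLERANCE:
            problems.append("received one hour or more after NotOnOrAfter")
        audiences = [(a.text or "").strip()
                     for a in cond.findall("saml2:AudienceRestriction/saml2:Audience", NS)]
        if EXPECTED_AUDIENCE not in audiences:
            problems.append("Audience does not include " + EXPECTED_AUDIENCE)
    attrs = {}
    for attr in root.findall("saml2:AttributeStatement/saml2:Attribute", NS):
        value = attr.find("saml2:AttributeValue", NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""
    if not attrs.get("team_id"):
        problems.append("team_id attribute missing or empty")
    emails = [v for name, v in attrs.items() if name in EMAIL_ATTR_NAMES]
    if not emails:
        problems.append("emailAddress attribute missing")
    elif name_id is not None and emails[0] != (name_id.text or "").strip():
        # Extra consistency check not stated by the article: both fields come from ${emailAddress}.
        problems.append("emailAddress attribute does not match the NameID")
    return problems


def sample_assertion(not_before, not_on_or_after):
    """Constructed assertion following the article's template; all values are made up."""
    return """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_abc123" IssueInstant="%(nb)s" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://idp.example.com/metadata</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan@example.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="%(na)s" Recipient="https://make.figure-eight.com/saml/consume?customer_name=example"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="%(nb)s" NotOnOrAfter="%(na)s">
    <saml2:AudienceRestriction><saml2:Audience>com.figure-eight.sp</saml2:Audience></saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="team_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>team-42</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue>dan@example.com</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>""" % {"nb": not_before, "na": not_on_or_after}


if __name__ == "__main__":
    assertion = sample_assertion("2019-11-26T16:00:00Z", "2019-11-26T16:05:00Z")
    print("on time:", check_assertion(assertion, "2019-11-26T16:02:00Z"))
    print("too late:", check_assertion(assertion, "2019-11-26T18:00:00Z"))
```

The timing checks are the part worth studying: an assertion received 30 minutes before its NotBefore passes because of the tolerance, while one received an hour after NotOnOrAfter does not, which is exactly the window the IdP has to post the assertion in.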

Once the necessary IdP configuration is done on your side, users will be able to log in to Figure Eight via SSO.

Additional Instructions:

  • Supported IdPs: Our SSO integration supports SAML and all SAML-based SSO Identity Providers.
  • SSO login is supported for the following scenarios:
    • When the user logs in as a job requestor and is accessing any page on https://make.figure-eight.com.
    • When the user has a job requestor account and is trying to access an internal work link to work as an internal contributor.

Figure 4: How to enable the Internal Channel option

