
Single Sign On

The Figure Eight Single Sign On (SSO) feature lets users access the Figure Eight platform with
one login. Customers who integrate via SSO validate usernames and passwords against their
corporate user database, rather than having Figure Eight manage a separate password for each
user.
 
Federated authentication using Security Assertion Markup Language (SAML) lets you send
authentication and authorization data between Figure Eight and your corporate network. To
enable Single Sign On for your team, contact your Customer Success Manager.
 

Benefits of Single Sign On

  1. Users have to memorize fewer passwords, which increases usage and saves time.
  2. All password policies you’ve established for your corporate network remain in effect, increasing security for users who have access to sensitive data.
 

Integration Details

To integrate with Figure Eight SSO, the following details are required from each customer.
 

Provide XML metadata for setup

Option 1:

Provide a URL with IdP metadata (See example below)
https://idp.ssocircle.com/
 

Option 2:

Send the XML metadata file to your Customer Success representative (see example below).
Note: Replace ${certificate} with the client certificate.

 

<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="http://www.okta.com/exk2en8uYL5E4ldZ4355">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data>
          <ds:X509Certificate>${certificate}</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://nearsoft.okta.com/app/nearsoft_f8test_1/exk2en8uYL5E4ldZ4355/sso/saml" />
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://nearsoft.okta.com/app/nearsoft_f8test_1/exk2en8uYL5E4ldZ4355/sso/saml" />
  </md:IDPSSODescriptor>
</md:EntityDescriptor>

 

Setup SAML assertion details in IdP

  • Figure Eight requires the SAML assertion to follow the template below.
  • Variables starting with $ are user-specific.
  • Variables starting with # are Identity Provider (IdP) / customer-specific.
  • Note: You will need to configure the following URL in your IdP, with your customer name filled in:
    • https://make.figure-eight.com/saml/consume?customer_name=#{customer-name}

 

<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="#{id}" IssueInstant="#{dateAutogeneratedFromIdP}" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">#{entityId}</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">${emailAddress}</saml2:NameID>
    <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml2:SubjectConfirmationData NotOnOrAfter="#{dateAutogeneratedFromIdP}" Recipient="https://make.figure-eight.com/saml/consume?customer_name=#{customer-name[oracle|twitter|etc]}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="#{dateAutogeneratedFromIdP}" NotOnOrAfter="#{dateAutogeneratedFromIdP}">
    <saml2:AudienceRestriction>
      <saml2:Audience>com.figure-eight.sp</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
  <saml2:AuthnStatement AuthnInstant="#{dateAutogeneratedFromIdP}">
    <saml2:AuthnContext>
      <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml2:AuthnContextClassRef>
    </saml2:AuthnContext>
  </saml2:AuthnStatement>
  <saml2:AttributeStatement>
    <saml2:Attribute Name="team_id" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">${uuid}</saml2:AttributeValue>
    </saml2:Attribute>
    <saml2:Attribute Name="emailAddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
      <saml2:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">${emailAddress}</saml2:AttributeValue>
    </saml2:Attribute>
  </saml2:AttributeStatement>
</saml2:Assertion>
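To make the template's constraints concrete, here is an added example (not Figure Eight's own code) of the checks a service provider would run on a received assertion: bearer Recipient matches the customer's consume URL, the Conditions window and SubjectConfirmationData expiry cover the current time, the Audience is com.figure-eight.sp, the NameID is in emailAddress format, and the team_id and emailAddress attributes are present. It assumes the XML signature has already been verified against the IdP certificate from the metadata; the sample assertion, the customer name "company" and the fixed current time are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
NS = {"s": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
AUDIENCE = "com.figure-eight.sp"
CONSUME = "https://make.figure-eight.com/saml/consume?customer_name="
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "current time"

# Constructed, unsigned sample filled in from the template above (illustration only)
SAMPLE = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1" IssueInstant="2024-05-01T12:00:00Z" Version="2.0">
<saml2:Issuer>https://idp.example.com</saml2:Issuer>
<saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">dan@company.com</saml2:NameID>
<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData NotOnOrAfter="2024-05-01T12:05:00Z" Recipient="https://make.figure-eight.com/saml/consume?customer_name=company"/></saml2:SubjectConfirmation></saml2:Subject>
<saml2:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:05:00Z"><saml2:AudienceRestriction><saml2:Audience>com.figure-eight.sp</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions>
<saml2:AttributeStatement><saml2:Attribute Name="team_id"><saml2:AttributeValue>7f3a-team</saml2:AttributeValue></saml2:Attribute>
<saml2:Attribute Name="emailAddress"><saml2:AttributeValue>dan@company.com</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>"""

def _in_window(not_before, not_on_or_after, now):
    # SAML times are UTC ISO 8601 ending in Z; missing or unparsable values fail closed
    try:
        ts = lambda v: datetime.fromisoformat(v.replace("Z", "+00:00"))
        return (not_before is None or ts(not_before) <= now) and now < ts(not_on_or_after)
    except (AttributeError, TypeError, ValueError):
        return False

def validate_assertion(xml_text, customer_name, now=None):
    """Return the template violations found (empty list = accept). Signature check assumed done."""
    now = now or datetime.now(timezone.utc)
    root, problems = ET.fromstring(xml_text), []
    name_id = root.find("s:Subject/s:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FMT:
        problems.append("NameID missing or not in emailAddress format")
    scd = root.find("s:Subject/s:SubjectConfirmation[@Method='%s']/s:SubjectConfirmationData" % BEARER, NS)
    if scd is None or scd.get("Recipient") != CONSUME + customer_name:
        problems.append("bearer Recipient is not this customer's consume URL")
    elif not _in_window(None, scd.get("NotOnOrAfter"), now):
        problems.append("SubjectConfirmationData has expired")
    cond = root.find("s:Conditions", NS)
    if cond is None or not _in_window(cond.get("NotBefore"), cond.get("NotOnOrAfter"), now):
        problems.append("Conditions missing or outside NotBefore/NotOnOrAfter window")
    audiences = [(a.text or "").strip() for a in root.findall("s:Conditions/s:AudienceRestriction/s:Audience", NS)]
    if AUDIENCE not in audiences:
        problems.append("Audience is not " + AUDIENCE)
    attrs = {a.get("Name"): (a.findtext("s:AttributeValue", "", NS) or "").strip()
             for a in root.findall("s:AttributeStatement/s:Attribute", NS)}
    for name in ("team_id", "emailAddress"):
        if not attrs.get(name):
            problems.append("attribute " + name + " missing or empty")
    return problems
```

Calling validate_assertion(SAMPLE, "company", NOW) returns an empty list; passing a different customer name or a time after 12:05 returns the specific violations, so a mis-scoped or replayed assertion is rejected rather than silently accepted.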

Provide Redirect URLs

Figure Eight can optionally configure the following URLs so that users are redirected back to their corporate network when required.
If these URLs are not provided, the user is redirected to the default Figure Eight pages.
 
Redirect Error URL: Provide the URL the user should be redirected to when an authentication or
authorization error occurs.
 
Redirect Logout URL: Provide the URL the user should be redirected to when the user logs out
of the Figure Eight platform.
 

Next Steps: Configure SSO in Figure Eight

Once the necessary information has been provided by a customer, Figure Eight admins will make
the necessary configurations and enable SSO for all users in the organization.
  
Figure Eight offers the flexibility to enable SSO in two ways; both are configuration settings on
the Figure Eight side.
 
Domain level (recommended): In this mode, every user whose email address belongs to the
customer's domain is required to use SSO, and no user with that email domain can access
Figure Eight with Figure Eight credentials.
 
Org level: In this mode, only users who are in the organization associated with the customer
are able to use SSO. Other users who log in to Figure Eight with their corporate emails continue
to use Figure Eight credentials, but they will not have access to the organization's data or jobs.
For example, if dan@company.com is part of the Figure Eight Org named “Company”, he will use
SSO to access the platform. However, if tom@company.com is not part of the Figure Eight Org
named “Company”, he will not be able to use SSO but can log in using Figure Eight credentials.
