SSO - general configuration and technical information
This guide aims to inform users about the more technical information required to setup SSO for External Share using any identity provider.
Setting up Identity Provider
This guide will help you set up secured connection between External Share and identity provider of your choice. External Share’s SSO is designed to work with any identity provider capable of using SAML. However, in case of some specific implementations, additional help from our side may be neccessary.
Basic Setup
To setup Identity Provider, you will need the following data that can be found in the SSO Configuration tab in External Share’s Global Settings:
Assertion Consumer URL - this URL is used in both Service Provider (SP) and Identity Provider (IDP) initiated log-ons. It’s the URL where the assertion should be posted.
Identifier - ID of the Service Provider.
Relay State - default relay state used in IDP initiated calls (note that relay state for SP-initiated calls is created dynamically and will differ from this default relay state).
Attributes
As mentioned, External Share accepts SAML Assertions with user info. We require single Attribute Statement with the following attributes:
First name - mapped as givenname
Last name - mapped as surname
Email address - mapped as emailaddress
Response and Assertion settings
Response should be unsigned. Assertion should be signed with RSA-SH256 algoritm, but not encrypted.
User Unique Identifier
User email address is the unique identifier used by External Share. When configuring the identity provider, please ensure that the value for unique user identifier is set to user email address.
Certificate
Currently admins are required to manually rotate certificates after the expiry date, the expiry date of certificates depends on the identity providers.
Workspace Identifier
We use the “Workspace identifier” to identify your Jira instance. You may set this value as you like, however it must be at least 3 characters long. Case, leading and trailing whitespaces are ignored. Your users have to be informed what is their Workspace Identifier, as providing it is neccessary in order to log in.
Single Sign Out
Currently, we are not supporting single sign out feature.