Use Single Sign-On (SSO) to log in to the Editor
Foleon provides the option to log in to the editor using your own identity provider. This means you can use your AD FS server, for example, to authenticate and authorize people to use the Foleon platform and editor.
To make implementing this feature easy, we opted to use the SAML 2.0 standard. This standard works with most — if not all — identity providers, such as Azure, AD FS and Google.
Attention
This document helps you set up SAML for Editor access. If you want to protect your published Foleon Docs by forcing people to authenticate when viewing them, see this page.
To set up SSO for the Editor, you will need to provide us with some information. This document will guide you through the process of gathering this information.
Terminology
To clarify some of the terminology used in this document, we’ve provided a list of definitions.
Term | Definition |
---|---|
SAML 2.0 | The standard used by Foleon to simplify implementing Single Sign On. |
SSO | Single sign on. |
SP | Service provider, in this case, Foleon is the SP. |
IDP | Identity provider, in this case, you are the IDP. |
ACS URL | Assertion Consumer Service URL. This is the URL where the SAML response is sent when the IDP has finished handling the authentication. |
Federation Metadata | A publicly available XML file that describes the requirements for connecting to a federation service (for instance an SP or IDP in a SAML connection). |
2FA | Two-factor authentication, a form of multi-factor authentication (MFA), in which a user must present two or more independent pieces of evidence of their identity before being authenticated. |
Considerations
There are some things to consider when you request SSO to be set up for your account.
Supported suppliers
All suppliers that provide support for the SAML 2.0 standard are supported by Foleon. This list includes (but is not limited to):
Editor SSO is SP initiated
The SSO flow is SP initiated: the login always starts at Foleon (the SP). When a user attempts to log in, Foleon sends a SAML authentication request and redirects the user to your IDP, which authenticates them and posts the SAML response back to Foleon's ACS URL. Starting the login from an application tile in your IDP's portal (IDP-initiated SSO) is not the flow described in this document.
We don't support SLO
We don’t provide Single Log Out (SLO). Logging out of the Foleon dashboard does not log your users out of their other SSO-enabled applications, and logging out at the IDP may or may not end their Foleon session.
2FA is not required
Foleon does not require 2FA, and it is not needed to set up SSO with Foleon. Whether users must complete a second factor is decided and enforced by your IDP; Foleon accepts the SAML response either way.
Roles and Teams
The roles your users have in Foleon and the teams they belong to are managed in the Foleon platform. We do not support SCIM (System for Cross-domain Identity Management) or any other propagation of identities and roles from your IDP, so changes made in the IDP (roles, group membership, disabled accounts) are not pushed to Foleon.
Finding your account alias
To set up SSO we need to know your Foleon account's alias. The alias is part of the SP URLs (Entity ID, ACS URL and metadata URL) that you will configure in your IDP. To find your account alias, use the steps below.
- Log in to the Foleon dashboard.
- Click Projects in the sidebar.
- Click the Project Settings button.
- Observe the Your domain setup section.
- Under the Use a (free) domain header, you will see the URL on which the Foleon Docs in this project would be published.
- The first part, before .foleon.com, is your account alias. If it says foleon-demo.foleon.com, foleon-demo is your account alias.
Please see the following screenshot for more information, the URL you are looking for is annotated by a red box.
Gathering the information
Now that you have the account alias, you can use it to build the following URLs. Replace <account-alias> with your own account alias when you enter these values in your IDP and when you provide them to us. Note that the Entity ID, Login URL and ACS URL are intentionally the same URL.
Property | Value |
---|---|
Entity ID | https://api.foleon.com/auth/saml/<account-alias> |
Login URL | https://api.foleon.com/auth/saml/<account-alias> |
Assertion Consumer Service URL | https://api.foleon.com/auth/saml/<account-alias> |
SP Federation Metadata XML URL | https://api.foleon.com/auth/saml/<account-alias>/federationmetadata.xml |
Claims
To make the connection work we need some information to identify the user that is attempting to log in. Since logging in through SSO will result in a user created in your account at Foleon, we need to know the user's first name, last name and email address. In SAML 2.0, you do this by providing so-called "claims". When the IDP sends these claims in the SAML response to the SP, Foleon retrieves the information about the user.
The claims required are as follows:
Claim name | Claim format |
---|---|
Email address | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
Given name (first name) | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
Surname | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |
Make sure your IDP issues these three claims, under exactly these claim names (the full URIs), in the SAML response it sends to Foleon.
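The following is an added example, not Foleon's code: a small Python script that derives the SP values from the table above for an account alias and checks a SAML response against them (Success status, Destination and Recipient equal to the ACS URL, Audience equal to the Entity ID, and all three required claims present and non-empty). It deliberately does not verify the XML signature, which a real SP does before anything else, so it is a troubleshooting aid for the IDP administrator rather than an SP implementation. The sample responses are constructed inside the script (unsigned, with a placeholder issuer); no real IDP output is used.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Claim names from the table above; Foleon matches on the full URI.
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_GIVEN = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
CLAIM_SURNAME = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
REQUIRED_CLAIMS = (CLAIM_EMAIL, CLAIM_GIVEN, CLAIM_SURNAME)


def sp_settings(alias):
    """SP values from the table above: Entity ID, Login URL and ACS URL are one and the same URL."""
    base = f"https://api.foleon.com/auth/saml/{alias}"
    return {"entity_id": base, "login_url": base, "acs_url": base,
            "metadata_url": f"{base}/federationmetadata.xml"}


def build_sample_response(alias, claims, issuer="https://idp.example.com/adfs/services/trust"):
    """Constructed, UNSIGNED SAMLResponse such as an IDP would POST to the ACS URL.
    The issuer is a placeholder; real responses carry an XML signature, this one does not."""
    sp = sp_settings(alias)
    attrs = "".join(
        f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
        for n, v in claims.items())
    xml = (
        f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r1" '
        f'Version="2.0" IssueInstant="2024-01-01T00:00:00Z" Destination="{sp["acs_url"]}">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        f'<samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
        '<saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f"<saml:Issuer>{issuer}</saml:Issuer>"
        "<saml:Subject><saml:NameID>jdoe@example.com</saml:NameID>"
        '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
        f'<saml:SubjectConfirmationData Recipient="{sp["acs_url"]}"/>'
        "</saml:SubjectConfirmation></saml:Subject>"
        f"<saml:Conditions><saml:AudienceRestriction><saml:Audience>{sp['entity_id']}"
        "</saml:Audience></saml:AudienceRestriction></saml:Conditions>"
        f"<saml:AttributeStatement>{attrs}</saml:AttributeStatement>"
        "</saml:Assertion></samlp:Response>")
    return base64.b64encode(xml.encode()).decode()


def parse_claims(assertion):
    """Map claim name -> list of values from the assertion's AttributeStatement."""
    return {attr.get("Name"): [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
            for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}


def check_response(saml_response_b64, alias):
    """Decode a SAMLResponse form value and compare it with the SP settings for `alias`.
    No signature verification here (a real SP must do that first); for a response captured
    from a browser, parse with defusedxml rather than plain ElementTree."""
    expected = sp_settings(alias)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("IDP did not return a Success status")
    destination = root.get("Destination")
    if destination is not None and destination != expected["acs_url"]:
        problems.append(f"Destination {destination} is not the ACS URL {expected['acs_url']}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        what = "encrypted" if root.find("saml:EncryptedAssertion", NS) is not None else "no"
        problems.append(f"{what} assertion in response, expected a plain saml:Assertion")
        return {"ok": False, "problems": problems, "user": None}
    # The audience must be Foleon's Entity ID, otherwise the assertion was minted for another SP.
    audience = assertion.findtext(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != expected["entity_id"]:
        problems.append(f"Audience {audience!r} does not match Entity ID {expected['entity_id']}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient is not None and recipient != expected["acs_url"]:
        problems.append(f"Recipient {recipient} is not the ACS URL {expected['acs_url']}")
    claims = parse_claims(assertion)
    for name in REQUIRED_CLAIMS:
        if not claims.get(name) or not claims[name][0]:
            problems.append(f"missing required claim {name}")
    user = None if problems else {"email": claims[CLAIM_EMAIL][0],
                                  "first_name": claims[CLAIM_GIVEN][0],
                                  "last_name": claims[CLAIM_SURNAME][0]}
    return {"ok": not problems, "problems": problems, "user": user}


if __name__ == "__main__":
    full = {CLAIM_EMAIL: "jdoe@example.com", CLAIM_GIVEN: "Jane", CLAIM_SURNAME: "Doe"}
    cases = [("complete response", "foleon-demo", full),
             ("surname claim missing", "foleon-demo",
              {k: v for k, v in full.items() if k != CLAIM_SURNAME}),
             ("assertion issued for another account", "other-account", full)]
    for label, alias_in_response, claims in cases:
        result = check_response(build_sample_response(alias_in_response, claims), "foleon-demo")
        print(f"{label}: ok={result['ok']} user={result['user']} problems={result['problems']}")
```

To use it on a real login attempt, take the base64 SAMLResponse value your browser POSTs to the ACS URL and pass it to check_response with your alias. A missing claim is the most common finding; often the cause is an empty attribute (for example no mail or sn value) on the user object, which most IDPs then simply leave out of the response. An Audience mismatch means the IDP was configured with a different Entity ID than the one in the table above.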
What's next
After setting up the federation on your side, we need your IDP's federation metadata file to finish the setup on our end. This XML file contains, among other things, the certificate your IDP uses to sign SAML responses. That certificate will be rotated at some point, so we strongly suggest you host the file at a publicly reachable URL rather than sending a copy: if Foleon can re-fetch the metadata, the new signing certificate is picked up and the SSO connection does not break at rollover. AD FS, for example, publishes its own metadata at https://<your-adfs-host>/FederationMetadata/2007-06/FederationMetadata.xml. Send the URL to us through your contact/customer success manager, who will pick it up from there and finish the connection setup.
Frequently asked questions / Known issues
- When using AD FS, we have observed issues with SAML 2.0. The main one is a redirect loop: the SP and IDP keep redirecting to each other because AD FS does not send session information where Foleon expects it. This is resolved by following the documentation on the Microsoft support website: by default AD FS does not have SAML 2.0 fully enabled, and every step in that document must be completed for SAML 2.0 to work.