Use Single-Sign-On (SSO) as access control for my Foleon Docs¶
Foleon provides the option to secure your Foleon Docs so that only approved users can view them. When attempting to view a Foleon Doc, users will be redirected to your own identity provider. This means you can use your AD FS server, for example, to authenticate and authorize viewers before they are allowed to view your Foleon Doc.
To make implementing this feature very easy, we opted to use the SAML 2.0 standard. This standard is available at most — if not all — identity providers like Azure, AD FS, Google, etc.
Attention
This document helps you set up SAML for published Foleon Doc access. If you want to allow your users to use the editor using your own IDP, see this page
To set up SSO for published Foleon Docs you will need to provide us with some information. This document will guide you through the process of gathering this information.
Terminology¶
To clarify some of the terminology used in this document, we provide a list of definitions.
| Term | Definition |
|---|---|
| SAML 2.0 | The standard used by Foleon to simplify implementing Single Sign On. |
| SSO | Single sign on. |
| SP | Service provider, in this case, Foleon is the SP. |
| IDP | Identity provider, in this case, you are the IDP. |
| ACS URL | Assertion Consumer Service URL. This is the URL where the SAML response is sent when the IDP has finished handling the authentication. |
| Federation Metadata | A publicly available XML file that describes the requirements for connecting to a federation service (for instance an SP or IDP in a SAML connection). |
| 2FA | 2 Factor Authentication, also known as multi-factor authentication, is a mechanism in which a user is required to provide multiple pieces of evidence to their authenticity. |
Considerations¶
There are some things to consider when you request SSO to be set up for your account.
Supported suppliers¶
All suppliers that provide support for the SAML 2.0 standard are supported by Foleon. This list includes (but is not limited to):
Editor SSO is SP initiated¶
The SSO is SP initiated. Foleon initiates the connection between the IDP and the SP. This means, that Foleon forwards you to the IDP when attempting to log in.
We don't support SLO¶
We don’t provide Single Log Out (SLO) (Single Log Out). Logging out from the dashboard does not log your users out of their other SSO enabled applications. Logging out on the IDP might log you out from Foleon, though.
2FA is not required¶
We don’t require 2FA and(Two Factor Authentication). This means it’s not required for setting up SSO with Foleon. Foleon allows the IDP to decide whether or not to enable 2FA.
Finding your account alias¶
To set up SSO we need to know your Foleon account's alias. This alias will be used to communicate between the SP and the IDP. To find your account alias, use the steps below.
- Log in to the Foleon dashboard.
- Click Projects in the sidebar.
- Click the Project Settings button.
- Observe the Your domain setup section.
- Under the Use a (free) domain header, you will see the potential URL of your Foleon Docs in this specific project.
- The first part, before
.foleon.com, is your account alias. If it saysfoleon-demo.foleon.com,foleon-demowill be your account alias.
Please see the following screenshot for more information, the URL you are looking for is annotated by a red box.
Gathering the information¶
Now that you have the account alias, you can use it to create the following URLs. Please replace <account-alias> with your account-alias when you provide us with these links.
| Property | Value |
|---|---|
| Entity ID | https://<account-alias>.foleon.com/saml |
| Login URL | The published Foleon Doc's URL. |
| Assertion Consumer Service URL | https://<account-alias>.foleon.com/saml |
For Foleon Docs, we do not provide a publicly available federation metadata file. We require no scopes for this system and all required information is in the aforementioned table.
Claims¶
Since we trust the IDP in its judgement of the user trying to access the published Foleon Doc, we only require a successful login to validate if someone can access the contents of a Foleon Doc. This is why we don't require any claims.
What's next¶
After setting up the federation on your side, we need a federation metadata file to finish the set up on our end. Because of certificate rollover we strongly suggest you host this file somewhere public so the SSO connection doesn’t break whenever it breaks as soon as your SSL certificate expires. This federation metadata file is a XML file that you can send the URL for to us through your contact/customer success manager. They will pick it up from there, finishing up the connection setup.
Known issues¶
- When using AD FS, we have observed issues when using SAML 2.0. The main issue we observed is that the SP and IDP will start redirecting to each other multiple times because of missing session information not sent by AD FS where expected. This issue is easily resolved by following the documentation on the Microsoft support website. AD FS by default does not have SAML 2.0 fully enabled and all steps in this document need to be taken to fully support SAML 2.0.