Single sign-on (SSO) lets your users authenticate against a single identity provider to access your corp. We support both SAML 2.0 and Google Apps SSO (OAuth 2.0).
How do I enable Single Sign-On?
Single sign-on can be enabled by Owners on the User Authentication page in the Corp Manage menu. In the Authentication section, click either Switch to SAML or Switch to Google Apps.
Enabling SAML Single Sign-On
In your identity provider
If you use Okta or OneLogin, you should be able to search for the “Signal Sciences” application. Otherwise, configure an application with the following settings:
- Recipient/Consumer URL:
- Audience URI (SP Entity ID):
- Consumer URL Validator:
A few things to note if you’re self-configuring:
- We require the SAML Response itself to be signed. Signatures on individual assertions won't hurt anything, but they are ignored, so an assertion-only signature does not satisfy the requirement. Ensure your overall response is signed.
- You must allow SP (Service Provider) initiated logins to complete the handshake that sets up SAML (see below). Once that’s complete, you will be able to use IdP (Identity Provider) initiated logins.
- We do not publish metadata at present, but may in the future.
Note: If using PingFederate as your SSO provider, you will need to deselect “Require authn requests to be signed when received via the post or redirect bindings” and “Always sign the SAML assertion” settings under the “Signature Policy” settings.
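As an added example (not part of this documentation or of Signal Sciences' own code), the Python script below takes a SAMLResponse captured from the browser (the base64 value posted to the consumer URL) and checks it against the rules above: the Response element itself carries the ds:Signature, Destination and Recipient equal the consumer URL, Audience equals the SP entity ID, the status is Success, and InResponseTo is present, which distinguishes the SP-initiated login needed for the first handshake from an IdP-initiated one. The URLs are placeholders to be replaced with the values shown on your User Authentication page, and the sample responses are constructed inline with empty signature elements. The script checks placement and values only; it does not verify the signature cryptographically, which the service provider does with the certificate you upload.

```python
"""Pre-flight check of a captured SAML Response against the requirements on
this page. Added example, not Signal Sciences' own code. It checks only where
the signature sits and what Destination/Recipient/Audience say; it does not
verify the signature cryptographically, so a clean result is not proof that
the response is valid.
"""
import base64
import xml.etree.ElementTree as ET  # prefer defusedxml for responses you did not construct

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholders (assumed values): substitute the Recipient/Consumer URL and the
# Audience URI (SP Entity ID) shown on your User Authentication page.
EXPECTED_ACS_URL = "https://sp.example.com/saml/acs"
EXPECTED_AUDIENCE = "https://sp.example.com/saml/metadata"


def check_saml_response(b64_response, acs_url=EXPECTED_ACS_URL, audience=EXPECTED_AUDIENCE):
    """Return a list of problems; an empty list means the structure matches the rules."""
    root = ET.fromstring(base64.b64decode(b64_response))
    if root.tag != f"{{{NS['samlp']}}}Response":
        return [f"root element is {root.tag}, expected samlp:Response"]
    problems = []

    # The Response must carry a ds:Signature as a direct child. A signature
    # only on the Assertion is tolerated but ignored, so it is not enough.
    if root.find("ds:Signature", NS) is None:
        if root.find("saml:Assertion/ds:Signature", NS) is not None:
            problems.append("only the Assertion is signed; the Response itself must be signed")
        else:
            problems.append("Response is not signed")

    # Destination (on the Response) and Recipient (on SubjectConfirmationData)
    # must both be the SP's consumer URL.
    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != consumer URL {acs_url!r}")
    scd = root.find("saml:Assertion/saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if recipient != acs_url:
        problems.append(f"Recipient {recipient!r} != consumer URL {acs_url!r}")

    # Audience must be the SP entity ID.
    aud = root.findtext("saml:Assertion/saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if aud != audience:
        problems.append(f"Audience {aud!r} != SP entity ID {audience!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("StatusCode is not Success")
    return problems


def is_sp_initiated(b64_response):
    """True when the Response answers an AuthnRequest (InResponseTo present).
    The first login must be SP-initiated; IdP-initiated logins work afterwards."""
    root = ET.fromstring(base64.b64decode(b64_response))
    return root.get("InResponseTo") is not None


def sample_response(sign_response=True, sign_assertion=False,
                    recipient=EXPECTED_ACS_URL, in_response_to="_req1"):
    """Constructed sample for the demo; the ds:Signature elements are empty stand-ins."""
    sig = f'<ds:Signature xmlns:ds="{NS["ds"]}"/>'
    irt = f' InResponseTo="{in_response_to}"' if in_response_to else ""
    doc = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"{irt}
  Destination="{EXPECTED_ACS_URL}">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  {sig if sign_response else ''}
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com</saml:Issuer>
    {sig if sign_assertion else ''}
    <saml:Subject>
      <saml:NameID>alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{recipient}" NotOnOrAfter="2024-01-01T00:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
    return base64.b64encode(doc.encode()).decode()


if __name__ == "__main__":
    print(check_saml_response(sample_response()))  # [] means the structure is acceptable
    print(check_saml_response(sample_response(sign_response=False, sign_assertion=True)))
    print(is_sp_initiated(sample_response(in_response_to=None)))
```

To check a real login, copy the SAMLResponse form field from the POST to the consumer URL in your browser's developer tools and pass it to check_saml_response. The assertion-only-signed case is the one that most often looks fine in the IdP console but is rejected here, because the response signature is the only one the service provider honours.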
In Signal Sciences
After clicking Switch to SAML, you'll be required to specify the SAML 2.0 Endpoint and the X.509 public certificate from the app configured in your identity provider.
Enabling Google Apps Single Sign-On
Google Apps Single Sign-On uses OAuth 2.0 to authenticate. After clicking Switch to Google Apps, you’ll be redirected to Google to authenticate. The domain of the email you authenticate against will be used as the SSO domain for the corp.
After you’ve authenticated, you’ll be redirected back to Signal Sciences. You will be shown the domain you selected and be required to enter your password to confirm. If you chose the wrong domain, change the domain by clicking Switch domains.
What if the email from my identity provider doesn’t match the email in my Signal Sciences account?
If the email from your identity provider doesn’t match the email in your Signal Sciences account, you will be alerted that your Signal Sciences email will be changed to your identity provider’s email when you enable SSO.
If the email you choose doesn’t match the email in your Signal Sciences account and conflicts with an email already in the system, you will be shown an error message and be required to choose another email.
After enabling Single Sign-On
Once you enable SSO, the passwords/2FA tokens for any existing users will be deleted, and they’ll be sent an email to set up SSO on their accounts. This email will be valid for 3 days.
If the SSO binding link expires, resend it by clicking the Resend SSO email button next to the Pending SSO status in the Users panel on the User Management page.
To enforce SSO, the active sessions of all other users are expired.
What do existing users see when I enable single sign-on?
Existing users will receive an email telling them that they need to set up single sign-on to authenticate against Signal Sciences. Once they successfully configure SSO, they will receive an email confirming the change.
If they attempt to sign in before following the SSO link in their email, they will receive an error message telling them that SSO has been enabled for their corp and to follow the link in their email.
What if an existing user authenticates with an email address in their identity provider that doesn’t match the email in their Signal Sciences account?
If the email they authenticate with in their identity provider doesn’t match the email in their Signal Sciences account, they will be alerted that their Signal Sciences email will be changed to the email address of the identity provider when they finish authenticating their account.
If the email they choose doesn’t match the email in their Signal Sciences account and conflicts with an email already in the system, they will be shown an error message and be required to choose another email.
What if an existing user didn’t receive the SSO email?
If the existing user didn’t receive the email or the SSO link expires, resend it by clicking the Resend SSO email button next to the “Pending” SSO status next to the user’s name in the Users panel on the User Management page.
What do new users see when I enable single sign-on?
When new users accept an invitation, they’ll be prompted to authenticate via the identity provider associated with the corporation.
How does sign-in work?
When users visit the Signal Sciences sign-in page, they'll need to enter their email.
If the corporation has single sign-on enabled, they will be prompted to authenticate with SSO, or will be signed in automatically if they're already authenticated with the identity provider. If SSO is not enabled, they'll be prompted to enter their password.
If the identity provider returns an email address different from the one they entered on the sign-in page, they will receive an error message.
What happens if I have two-factor auth enabled?
When single sign-on is enabled, all passwords and 2FA tokens are deleted. Signal Sciences no longer enforces 2FA for your corp, so we recommend configuring two-factor authentication in your identity provider instead.
How do I disable single sign-on?
Single sign-on can be disabled by Owners on the User Authentication page under the Corp Manage menu. Under Built-in Auth in the Authentication section, click Switch to built-in auth.
You will be required to set up a new password to continue. Once you disable single sign-on, all other users in your corporation will have their active sessions expired and will receive an email telling them that SSO has been disabled with a link to set a new password.
Do you support automatic provisioning, or deprovisioning?
We don’t support automatic provisioning / deprovisioning at this time. If this is something you’re interested in, reach out to us with your use case.
What is a single sign-off endpoint (SAML Logout Endpoint)?
If your corp’s IT department determines that you need a custom logout URL to handle logout redirects and cookie updates, you can supply an optional logout endpoint. No parameters are sent: the browser makes a GET request to the endpoint and follows any sign-out redirects your IT department returns.