Single-Sign-On

CrowdComms currently supports SSO via the SAML2 standard. This is an enterprise-grade industry standard to allow users to authenticate between Identity Providers (IDPs) and Service Providers (SPs). The CrowdComms platform is a Service Provider and examples of IDPs include Microsoft Active Directory, OneLogin, Okta and others.

FREQUENTLY ASKED QUESTIONS

Q: Do all the delegates still need to be registered on the site as usual?
A: No, not if they’re logging in via their company’s directory. With SSO, the user’s basic information (first name, last name, email and phone number) will be auto-populated in the event app.


Q: My event will consist of delegates from my own company and speakers from outside the company, can I still use SSO?
A: Yes. Delegates from within the company who have been authenticated will be able to use the SSO function. Speakers from outside the company will be able to log in to the event app using their username and password.


Q: Not everyone in my company’s Active Directory will be invited to my company’s event. Can I still use SSO and give only the relevant people access to the event app?
A: Yes. Once your business IT contact has set up SAML2, you can work with them to decide who from your company should get delegate access to the event app.

INTRODUCTION

SINGLE SIGN-ON (SSO)


Single sign-on (SSO) is an authentication process that allows a user to use one set of login credentials, for example, a username and password, to access multiple applications.


PURPOSE


SSO relieves clients and their users of maintaining separate credentials for each application, which streamlines signing on without the need to re-enter a password. With SSO, end users save time and effort because they don’t need to constantly sign in and out of multiple applications separately.


PROCESS


Setting up SSO must be done by the client's IT department or technical personnel. The setup involves authenticating the Identity Provider (IDP), i.e. the client, with the Service Provider (SP), i.e. the CrowdComms event platform.

[Image: image-1630410205581.png]

SAML2

How does SSO work? SSO works based upon a trust relationship set up between an application, known as the service provider, and an identity provider, like OneLogin. ... In SSO, this identity data takes the form of tokens that contain identifying bits of information about the user, like a user's email address or a username.

How to set up SAML2-compatible identity providers


Manual Set Up

[Image: SSO 4.png]

Import IDP Metadata XML

Required details:

Using the above you should be able to import your metadata with the following steps:

[Image: SSO.png]

Branding the Login Page with SSO

The Front End Login page can be branded with unique text and/or a logo in the "Display Options" section of the "Edit Auth Provider" page.

[Image: SSO 3.png]

Field Mapping

[Image: SSO 2.png]

Logging into Front End

[Image: FE-SSO-Login-Screen.PNG]



Shared SSO between apps

When setting up SSO for a client's Active Directory, you normally need to provide them with an Entity ID from our platform in the form `https://saml.crowdcomms.com/<unique identifier>`. That unique identifier is specific to each app, which means a client can only access one app per Active Directory; clients with multiple apps with us typically re-create and re-populate a new Active Directory for each one.

There is now capability to share an active directory among multiple apps:

We provide the choice because clients may decide they want multiple shared Active Directories for whatever reason, so we may have `dlt1`, `dlt2`, etc., each linked to multiple apps.

Manual setup of SSO config

This doc is useful even when importing via a Federation Metadata XML URL, because the field mappings are not yet importable; they can be gleaned in the same way as in the manual setup.

The first thing we need is the Metadata XML file. If you were given a URL, visit that page to find the details.

We need the following from the XML contents:

An example XML file is in the code block below (from one of our Azure Active Directories); the items above can be found by searching it:

<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor ID="_bdf4eff3-677d-403c-a423-f1f87b0d2e0b" entityID="https://sts.windows.net/667d9a8d-34fd-4ea9-99a5-b740e26edaac/"
	xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
	<Signature
		xmlns="http://www.w3.org/2000/09/xmldsig#">
		<SignedInfo>
			<CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
			<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" />
			<Reference URI="#_bdf4eff3-677d-403c-a423-f1f87b0d2e0b">
				<Transforms>
					<Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature" />
					<Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#" />
				</Transforms>
				<DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256" />
				<DigestValue>qVgiVoBjIPqfd5mkAsKdIHvBesKcG/jm3AbuvzSmX6M=</DigestValue>
			</Reference>
		</SignedInfo>
		<SignatureValue>o3HzUbjf88RoxzNEV6QNhh5jyw+vWtKRxSkqrslORCH0w+P/DW9vG7sYnCjj66lVK7duHb07SBrI+hAeEXmqEkAW0bSd+dQzXhz3fG8JJOGUaolxg7zJ3K8vDkKFnboKR1XLa60YEPLuCh5ehfg3A8STeE0kp5ky+kvU0BBEkGZBKCNEVx0cqZh2m6Wembu2C8xS4Ea/M2R64dnO3/NKYkcxElvYYjS91HJoYc0MWnl2K6xHY8CCxFgqnHsnXHCNnucKZTp8N4kiM4AxSWTaJw+Pwlh3vPgZNFuQuFhIvkAsLRW8kZzlan/CAYxZ5n3qoJhzjZM31u9gJgihyqSwyw==</SignatureValue>
		<KeyInfo>
			<ds:X509Data
				xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
				<ds:X509Certificate>...</ds:X509Certificate>
			</ds:X509Data>
		</KeyInfo>
	</Signature>
	<RoleDescriptor xsi:type="fed:SecurityTokenServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
		<KeyDescriptor use="signing">
			<KeyInfo
				xmlns="http://www.w3.org/2000/09/xmldsig#">
				<X509Data>
					<X509Certificate>...</X509Certificate>
				</X509Data>
			</KeyInfo>
		</KeyDescriptor>
		<fed:ClaimTypesOffered>
			<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name"
				xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
				<auth:DisplayName>Name</auth:DisplayName>
				<auth:Description>The mutable display name of the user.</auth:Description>
			</auth:ClaimType>
			<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
				xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
				<auth:DisplayName>Subject</auth:DisplayName>
				<auth:Description>An immutable, globally unique, non-reusable identifier of the user that is unique to the application for which a token is issued.</auth:Description>
			</auth:ClaimType>
			<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"
				xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
				<auth:DisplayName>Given Name</auth:DisplayName>
				<auth:Description>First name of the user.</auth:Description>
			</auth:ClaimType>
			<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"
				xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
				<auth:DisplayName>Surname</auth:DisplayName>
				<auth:Description>Last name of the user.</auth:Description>
			</auth:ClaimType>
			<auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
				xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706">
				<auth:DisplayName>Email</auth:DisplayName>
				<auth:Description>Email address of the user.</auth:Description>
			</auth:ClaimType>
		</fed:ClaimTypesOffered>
		<fed:SecurityTokenServiceEndpoint>
			<wsa:EndpointReference
				xmlns:wsa="http://www.w3.org/2005/08/addressing">
				<wsa:Address>https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/wsfed</wsa:Address>
			</wsa:EndpointReference>
		</fed:SecurityTokenServiceEndpoint>
		<fed:PassiveRequestorEndpoint>
			<wsa:EndpointReference
				xmlns:wsa="http://www.w3.org/2005/08/addressing">
				<wsa:Address>https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/wsfed</wsa:Address>
			</wsa:EndpointReference>
		</fed:PassiveRequestorEndpoint>
	</RoleDescriptor>
	<RoleDescriptor xsi:type="fed:ApplicationServiceType" protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706"
		xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706">
		<KeyDescriptor use="signing">
			<KeyInfo
				xmlns="http://www.w3.org/2000/09/xmldsig#">
				<X509Data>
					<X509Certificate>...</X509Certificate>
				</X509Data>
			</KeyInfo>
		</KeyDescriptor>
		<fed:TargetScopes>
			<wsa:EndpointReference
				xmlns:wsa="http://www.w3.org/2005/08/addressing">
				<wsa:Address>https://sts.windows.net/667d9a8d-34fd-4ea9-99a5-b740e26edaac/</wsa:Address>
			</wsa:EndpointReference>
		</fed:TargetScopes>
		<fed:ApplicationServiceEndpoint>
			<wsa:EndpointReference
				xmlns:wsa="http://www.w3.org/2005/08/addressing">
				<wsa:Address>https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/wsfed</wsa:Address>
			</wsa:EndpointReference>
		</fed:ApplicationServiceEndpoint>
		<fed:PassiveRequestorEndpoint>
			<wsa:EndpointReference
				xmlns:wsa="http://www.w3.org/2005/08/addressing">
				<wsa:Address>https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/wsfed</wsa:Address>
			</wsa:EndpointReference>
		</fed:PassiveRequestorEndpoint>
	</RoleDescriptor>
	<IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
		<KeyDescriptor use="signing">
			<KeyInfo
				xmlns="http://www.w3.org/2000/09/xmldsig#">
				<X509Data>
					<X509Certificate>...</X509Certificate>
				</X509Data>
			</KeyInfo>
		</KeyDescriptor>
		<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/saml2" />
		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/saml2" />
		<SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/667d9a8d-34fd-4ea9-99a5-b740e26edaac/saml2" />
	</IDPSSODescriptor>
</EntityDescriptor>
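The manual lookup described above (entityID, SAML2 endpoints, signing certificate, claim types for the field mapping) can be done by a small script instead of by eye. The following is an added example written for this page, not CrowdComms platform code: it parses IdP metadata of the Azure shape shown above with the Python standard library, ignores the WS-Fed RoleDescriptors and reads only the IDPSSODescriptor, refuses non-https endpoints and metadata with no signing certificate, and then checks which of the claims the IdP offers can back each event-app field. The `FIELD_CLAIMS` table (including the `mobilephone` claim URI for the phone field), the `SAMPLE_METADATA` document with its `TENANT-ID-PLACEHOLDER` and placeholder certificate, and all function names are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "auth": "http://docs.oasis-open.org/wsfed/authorization/200706",
}
SAML2_PROTOCOL = "urn:oasis:names:tc:SAML:2.0:protocol"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Hypothetical event-app field -> claim URI table (an assumption for this example,
# not the platform's own mapping).
FIELD_CLAIMS = {
    "first_name": CLAIMS + "givenname",
    "last_name": CLAIMS + "surname",
    "email": CLAIMS + "emailaddress",
    "phone": CLAIMS + "mobilephone",
}


@dataclass
class IdpConfig:
    entity_id: str
    sso_urls: dict        # binding URN -> Location
    slo_urls: dict        # binding URN -> Location
    signing_certs: list   # base64 DER with whitespace stripped
    claims_offered: list  # claim URIs listed under fed:ClaimTypesOffered


def _endpoints(descriptor, tag):
    """Collect Binding -> Location for one service type, refusing plain-http endpoints."""
    urls = {}
    for ep in descriptor.findall(f"md:{tag}", NS):
        loc = ep.attrib["Location"]
        if not loc.startswith("https://"):
            raise ValueError(f"{tag} endpoint is not https: {loc}")
        urls[ep.attrib["Binding"]] = loc
    return urls


def parse_idp_metadata(xml_text: str) -> IdpConfig:
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("root element is not a SAML metadata EntityDescriptor")
    entity_id = root.attrib.get("entityID")
    if not entity_id:
        raise ValueError("EntityDescriptor has no entityID")
    # Azure metadata also carries WS-Fed RoleDescriptors; only IDPSSODescriptor is SAML2.
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this IdP does not advertise SAML2")
    if SAML2_PROTOCOL not in idp.attrib.get("protocolSupportEnumeration", "").split():
        raise ValueError("IDPSSODescriptor does not list the SAML2 protocol")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' is valid for both signing and encryption.
        if kd.attrib.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))
    if not certs:
        raise ValueError("no signing certificate: assertion signatures could not be verified")
    claims = [ct.attrib["Uri"] for ct in root.findall(".//auth:ClaimType", NS)]
    return IdpConfig(entity_id, _endpoints(idp, "SingleSignOnService"),
                     _endpoints(idp, "SingleLogoutService"), certs, claims)


def suggest_field_mapping(config: IdpConfig) -> dict:
    """Map each app field to an offered claim URI, or None if the IdP does not offer it."""
    return {f: (uri if uri in config.claims_offered else None) for f, uri in FIELD_CLAIMS.items()}


# Constructed sample in the shape of Azure AD federation metadata (placeholder tenant and cert).
SAMPLE_METADATA = """<EntityDescriptor entityID="https://sts.windows.net/TENANT-ID-PLACEHOLDER/"
    xmlns="urn:oasis:names:tc:SAML:2.0:metadata">
  <RoleDescriptor xmlns:fed="http://docs.oasis-open.org/wsfed/federation/200706"
      xmlns:auth="http://docs.oasis-open.org/wsfed/authorization/200706"
      protocolSupportEnumeration="http://docs.oasis-open.org/wsfed/federation/200706">
    <fed:ClaimTypesOffered>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"/>
      <auth:ClaimType Uri="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"/>
    </fed:ClaimTypesOffered>
  </RoleDescriptor>
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>MIIC-PLACEHOLDER-CERT</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

if __name__ == "__main__":
    cfg = parse_idp_metadata(SAMPLE_METADATA)
    print("entityID:  ", cfg.entity_id)
    print("SSO (POST):", cfg.sso_urls[POST])
    for field, uri in suggest_field_mapping(cfg).items():
        print(f"{field:10s} <- {uri or 'NOT OFFERED: ask the IdP admin to release this claim'}")
```

On the sample the phone field comes back as not offered, which is the case to watch for when gleaning field mappings: a field the IdP never releases stays empty in the event app until the client's IT contact adds the claim on their side. The script deliberately does not verify the metadata's own XML signature; that needs an XML-DSig library, and the certificate it extracts is the one the SP must pin to verify assertion signatures.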