Overview
Apperio supports SSO using SAML 2.0, which allows users to authenticate to Apperio through their corporate identity provider. Apperio has tested SSO with Microsoft ADFS and Okta. Other identity providers which support SAML 2.0 are likely to work and we are happy to help with configuration.
We support both SP-initiated and IDP-initiated SSO. We support the HTTP redirect binding for SAML requests and the HTTP POST binding for SAML responses. We require that SAML assertions in responses are signed, and we sign outgoing SAML requests, which can be verified using the certificate provided below.
We support both SP-initiated and IDP-initiated SAML Single Logout (SLO). We support the HTTP redirect binding for all SLO requests and responses as well as the HTTP POST binding for SAML responses from the IDP only. We require that SLO requests and responses are signed and we sign outgoing SLO requests and responses using the same certificate used for SAML requests.
Apperio uses the domain portion of a user's email address to determine how they will authenticate. If you wish to set up SSO, we will need to verify that you own each domain using a DNS TXT record.
Apperio’s Configuration Settings
To set up your identity provider, we have a metadata URL with our SAML configuration details:
https://app.apperio.com/sso/saml/sp/
You can either use this metadata URL or these details for manual configuration:
- Entity ID: https://app.apperio.com/sso/saml/sp/
- ACS URL: https://app.apperio.com/sso/saml/acs/
- Logout URL: https://app.apperio.com/sso/saml/sls/
- Signing certificate: downloadable from https://app.apperio.com/sso/saml/certificate/
The following SAML attributes should be provided:
- Email Address (name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress") - Required
- Given Name (name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname") - Optional
- Surname (name "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname") - Optional
Given name and surname are optional but recommended: we use them to update the Apperio user account if a user's name changes.
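As an added illustration (not Apperio's own code), the following Python reads the three attributes listed above out of a SAML assertion and applies the rules described on this page: the email address is required, its domain must be one of the domains enabled for that identity provider, and given name and surname are optional. The assertion is a constructed sample; the identity provider URL and the allowed-domain set are assumptions, and verification of the assertion signature is assumed to have already happened.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
EMAIL, GIVEN_NAME, SURNAME = CLAIM + "emailaddress", CLAIM + "givenname", CLAIM + "surname"

# Constructed sample assertion (not a real Apperio or IdP message); the surname
# attribute is deliberately left out to exercise the optional-attribute path.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>Jane.Doe@Example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname">
      <saml:AttributeValue>Jane</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml):
    """Map each saml:Attribute Name in the assertion to its list of values."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = [v.text.strip() for v in attr.iterfind("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def resolve_user(assertion_xml, allowed_domains):
    """Return (user, None) on success or (None, reason) on rejection.

    The email attribute is required and its domain decides which SSO
    configuration applies, so it must be one of the domains enabled for this
    identity provider. Given name and surname are optional and may be absent.
    """
    attrs = extract_attributes(assertion_xml)
    emails = attrs.get(EMAIL, [])
    if len(emails) != 1:
        return None, "exactly one email address attribute is required"
    email = emails[0].lower()
    domain = email.rpartition("@")[2]
    if not domain or domain not in allowed_domains:
        return None, "email domain %r is not enabled for this identity provider" % domain
    user = {
        "email": email,
        "given_name": (attrs.get(GIVEN_NAME) or [None])[0],
        "surname": (attrs.get(SURNAME) or [None])[0],
    }
    return user, None
```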
Please refer to the following guides on setting up common identity providers:
Your Configuration Settings
We need the following information from you to set up SSO:
- The email domains you wish to enable SSO for
- Your SAML entity ID
- Your SAML endpoint URL which we will use for SAML requests
- Your SAML logout URL which we will use for logout requests (optional)
- A base64-encoded version of your certificate used to sign SAML assertions
If your identity provider publishes a metadata URL, you can give us that instead of the individual items above; the email domains still need to be listed separately.
Configuring Single Logout is optional. If you do not provide us with a logout URL we will not enable Single Logout.
Please create a support ticket with this information. We will set up the configuration in Apperio and can help with the configuration of your identity provider.