==General Information==
SmartSimple provides oSingle Single Sign-On (SSO) integration through [[Single_Sign-On#SAML_2.0|SAML 2.0]]
Implementation of SSO requires configuration both within SmartSimple and within the system that will provide the authentication.
Implementation of Single Sign On requires configuration both within SmartSimple and within the system that will provide the authentication. SmartSimple's implementation of Single Sign On SSO acts as the '''Service Provider''' and assumes the client has the infrastructure and resources to host, configure, and manage the Identity Provider service. Please contact your account manager or [[How the SmartSimple Support Desk Works|SmartSimple Support]] for further information.
==SAML 2.0==
SmartSimple supports SAML ('''Security Assertion Markup Language''') 2.0 as the Service Provider through our own proprietary implementation of this standard. As the Service Provider, the user will first authenticate on the client side system/infrastructure and then be directed into SmartSimple.
Only Identity Provider-initiated authentication is supported, meaning the end user will first authenticate on the client-side system/infrastructure and then be forwarded to SmartSimple. The client Identity Provider service will construct a base64-encoded SAML assertion and send this to the user’s user's browser. The user’s user's browser will then relay this assertion to the SmartSimple server for SSO authentication.
===Prerequisites===
* You must provision your own Identity Provider service, third-party or otherwise, for use with this feature. Enabling and maintaining the Identity Provider is your responsibility.
* You must provide SmartSimple with a public key in base64-encoded X.509 Certificate format for digital signature validation.
===SSO SettingsConfiguration in SmartSimple===Within SmartSimple, SSO settings are accessed through the Global Setting, Connectivity tab. [[image:sso-001.png]] [[image:sso-002.png]]
<ul><li>"SSO settings Alias" is used to identify the SSO connection and should be configured by default to be 'SAML2'. If multiple SSO connections are accessed through to be configured then </li><li>"Unique Identifier Field (UID)" is used to identify the user account and needs to be an attribute that is unique to each user in SmartSimple. This needs to be an attribute common to both the SmartSimple and the client-side system (typically e-mail address or employee ID).</li><li>"X509Certificate (SAML2 Only)" is the signing certificate to be provided by the Global Settingclient. The formatting of this should be the certificate value without the "begin certificate" and "end certificate" header and footer lines. Also, Connectivity tabdepending on how the client-side system sends this value within the SAML assertion the certificate value will typically be formatted to just a single line but could also be multiple lines and so must be entered into SmartSimple in the same format.</li></ul>
[[image:sso===SSO Configuration in Client-001Side System===The elements required for setup of the client-side identity provider connection are listed below.png]]
===Required Information===<ul><li>Unique user identifier. Within the SAML assertion, this value can be sent in the standard <NameID> element, or optionally within an <Attribute> element named ''UID''.</li><li>Assertion Consumer Service URL. This will be equal to '/SAML2/' suffixed to your SmartSimple instance URL, e.g. '''https://alias.smartsimple.com/SAML2/'''</li><li>Service Provider's Entity ID. This can be equal to the same as above Assertion Consumer Service URL.</li><li>Service Provider metadata XML. This is available upon request.</li></ul>
[[image:sso-002====Active Directory Federation Services====If using ADFS refer to the below steps as related to SmartSimple for setup. Some steps unrelated to your SmartSimple configuration have been omitted.png]]
<ul>
<li>Unique user identifierAdd a new "Relying Party Trust". This can be sent in the <NameID/li><li> element within Select Data Source: Import the Service Provider metadata XML file obtained from SmartSimple.<Subject/li> element, or optionally within an <Attributeli> element named Display Name: Give the trust a display name, e.g. 'SmartSimple'UID.</li><li>In the claim rules editor select the "Issuance Transform Rules" tab and add a new rule. The LDAP attribute should be mapped to the agreed upon user identifier and an Outgoing Claim Type of 'NameID'.</li><li>Assertion Consumer Service To test or use this connection you will need to use the AD FS login URLand specify the loginToRp parameter as the SmartSimple SAML entity ID, e. This will be equal to g. '''https:/SAML2/' prefixed by your SmartSimple instance URL (iadfs.yourlocaldomain.ecom/adfs/ls/idpinitiatedsignon. aspx?loginToRp=https://alias.smartsimple.com/SAML2/)</li><li>Service Provider's Entity ID. This can be equal to the same as above Assertion Consumer Service URL''</li>
</ul>
</ul>
===SAML Response Assertion Example===The following is an example of a complete SAML ResponseAssertion :
<pre style="white-space: pre-wrap; white-space: -moz-pre-wrap; white-space: -pre-wrap; white-space: -o-pre-wrap; word-wrap: break-word;">