If you use a service that authenticates users, you can choose to allow single sign-on (SSO) into Oktopost. We support this feature using Security Assertion Markup Language (SAML) version 2.0 and higher.
Oktopost functions as a SAML Service Provider (SP) and depends on an external Identity Provider (IdP) to authenticate users. Once SSO is enabled, the IdP validates a user's credentials. When a user wishes to use Oktopost, the IdP sends a signed SAML message to Oktopost, which acts as the SP. This message tells Oktopost that the user is authorized to use the software.
How to Set Up Single Sign-On
First, go to Single Sign-On under App Settings, enable SSO and enter your IdP credentials:
- SAML Endpoint - Your IdP SSO URL.
- Issuer URL - Your IdP Issuer URL.
- X.509 Certificate - Your IdP certificate; .pem, .cert, .cer and .crt files are supported.
Click Save, and you're done.
How to Send a SAML Request
Once you have configured the settings, send the SSO request, which is a SAML Response, to:
Make sure to map the Name ID to the user's email address.
Sample Authentication Request
Here's a sample request for an SP-initiated flow:
<?xml version="1.0"?>
<AuthnRequest xmlns="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_XXXX"
    Version="2.0"
    IssueInstant="2018-07-04T00:00:00Z"
    Destination="https://companyidp.com"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://app.oktopost.com/auth/acs">
  <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">https://app.oktopost.com</saml:Issuer>
  <NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified" AllowCreate="true" />
</AuthnRequest>
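The request above is the SP's half of the exchange. The checks below, added here as an illustration and not Oktopost's own code, show what an SP applies to the signed SAML Response the IdP posts back to the ACS: it must answer the outstanding request, be addressed to the ACS URL, come from the configured Issuer URL, still be inside its validity window, be intended for this SP, and carry the user's email as the Name ID. The ACS URL and SP issuer come from the sample request; the IdP Issuer URL and the sample Response are constructed, and XML signature verification is assumed to be done beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# ACS URL and SP entity ID mirror the sample AuthnRequest; the IdP Issuer URL is an assumed value.
NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
ACS_URL = "https://app.oktopost.com/auth/acs"
SP_ENTITY_ID = "https://app.oktopost.com"
IDP_ISSUER_URL = "https://companyidp.com/idp"   # the "Issuer URL" entered under App Settings (assumed)
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

def _ts(value):  # parse a SAML UTC timestamp such as 2018-07-04T00:05:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(response_xml, expected_request_id, now):
    """Checks applied to a Response whose XML signature has already been verified
    (signature checking is left to an XML-DSig library). Returns the NameID, i.e. the
    user's email address, or raises ValueError describing which check failed."""
    root = ET.fromstring(response_xml)
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo does not match an outstanding AuthnRequest")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Response is not addressed to our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None or assertion.findtext("saml:Issuer", None, NS) != IDP_ISSUER_URL:
        raise ValueError("Assertion Issuer does not match the configured Issuer URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        raise ValueError("Assertion is outside its validity window")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS) != SP_ENTITY_ID:
        raise ValueError("Assertion is intended for a different service provider")
    name_id = assertion.findtext("saml:Subject/saml:NameID", "", NS).strip()
    if "@" not in name_id:
        raise ValueError("Name ID must be mapped to the user's email address")
    return name_id

# Constructed sample Response (Signature element omitted) answering a request with ID _XXXX.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" Version="2.0" IssueInstant="2018-07-04T00:00:30Z" InResponseTo="_XXXX"
  Destination="{ACS_URL}">
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-07-04T00:00:30Z">
    <saml:Issuer>{IDP_ISSUER_URL}</saml:Issuer>
    <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2018-07-04T00:00:00Z" NotOnOrAfter="2018-07-04T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `validate_response(SAMPLE_RESPONSE, "_XXXX", _ts("2018-07-04T00:01:00Z"))` returns the mapped email; the same Response presented with a different request ID or after NotOnOrAfter is rejected.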