Single Sign-on (SSO) via SAML 2.0
- Configuring Single sign-on (SAML 2.0 SSO) Integration
- Optional configuration of display name and email attributes
- Helpful terminology
- Troubleshooting tips
- Azure Active Directory tips
- Need help?
- Related content
You can use Single Sign-on (SSO) to restrict access to your feedback board so that only authenticated members of your organisation can view and add suggestions.
Feature Upvote uses the widely-supported SAML 2.0 standard for SSO.
SAML 2.0 is supported by many services, including Microsoft’s Azure Active Directory and Google’s G Suite (aka Google Apps for Work and Google Apps for Your Domain). You should be able to use any SAML 2.0 service. The main challenge is that each SAML 2.0 service seems to use different terminology for the same concepts.
Configuring SAML 2.0 for Feature Upvote requires technical knowledge. It should be performed by someone with experience in SAML 2.0 configuration or administration.
Configuring Single sign-on (SAML 2.0 SSO) Integration
You’ll need to switch backwards and forwards between configuring Feature Upvote and configuring your SAML 2.0 service. Start by configuring Feature Upvote.
The process is as follows:
- From your Feature Upvote dashboard, go to Feedback Boards > Board Settings > Integrations, find SAML 2.0 SSO and click Enable.
- Start to enable the SAML 2.0 SSO integration on Feature Upvote. You won’t yet be able to save the configuration form that you see, but you’ll be able to see the info needed by your SAML 2.0 service.
- Take note of the Reply URL and Entity ID supplied by Feature Upvote.
- In your SAML 2.0 service create an app using the Reply URL and Entity ID supplied by Feature Upvote. Note that Reply URL might be called “ACS URL” or “Assertion Consumer URL”. Entity ID might be called “Relying Party Identifier”.
- Take note of the Identity Provider URL and X509 Certificate supplied by your SAML 2.0 service for the Feature Upvote app. Identity Provider URL might be called “SSO URL”.
- Return to Feature Upvote’s SAML 2.0 SSO integration configuration screen, add the Identity Provider URL and X509 Certificate info, then click the Save button. If your certificate begins with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----, it is okay to include these text fragments.
- Important: Return to your SAML 2.0 service and grant access to users, roles, or groups from your organisation to the app you created in your SAML 2.0 service. This is an easily overlooked step but is essential. If you don’t do this, your users will most likely be presented with an error message from your SAML 2.0 service after they’ve been authenticated.
Once you save Feature Upvote’s SAML 2.0 integration, you’ll see a link to test your SSO configuration. The link is shown immediately after successfully saving your SAML 2.0 settings, and can be found at any time by going to Feedback Boards > Board settings > Integrations > Single sign-on (SAML 2.0 SSO) > Configure.
The test link is in the format of https://yourproductcode.featureupvote.com/saml/test. This test page is invaluable for checking your SAML 2.0 SSO configuration.
Optional configuration of display name and email attributes
Your SAML 2.0 service optionally sends user attributes to Feature Upvote on successful sign-in. You should be able to configure the names and values of these attributes using your SAML 2.0 service.
If these attributes include the user’s email address and/or display name, you can configure Feature Upvote to use these to auto-fill forms where appropriate.
Each text field can accept two attributes, separated by a space. So, for example, display name might be:
- In Feature Upvote, go to Feedback Boards > Board settings > Integrations > Single sign-on (SAML 2.0 SSO) > Configure
- Add the attribute names to the Display Name attribute and Email attribute fields
- Click the Save button
Determining the correct values to use for the Display Name attribute and Email attribute fields can be tricky. The correct values are determined by the configuration of your SAML 2.0 SSO service provider and can’t be automatically determined by Feature Upvote.
Typical values for Azure Active Directory are:
- Display Name attribute: http://schemas.microsoft.com/identity/claims/displayname
- Email attribute: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Helpful terminology
In SAML 2.0 terminology:
- Feature Upvote is the service provider or SP.
- Your SAML 2.0 SSO service is the identity provider or IdP.
- Your Feature Upvote feedback board has a unique SAML identifier known as the entity ID, relying party identifier, or application ID.
- Your identity provider also has an entity ID, which is not used by Feature Upvote. Be careful not to confuse this with your Feature Upvote feedback board’s entity ID.
- Your identity provider has an identity provider URL, also known as the SSO URL. This is where Feature Upvote redirects unauthenticated users so that they can sign in.
- Your Feature Upvote feedback board has a Reply URL, which is where your identity provider redirects users upon successful authentication. This is also known as the Assertion Consumer Service URL or ACS URL.
- Your identity provider has a public credential, usually in the form of an X509 certificate, sometimes known simply as a certificate. This is a long block of text which, when correctly processed, is used to check the validity of user authentication responses sent by your identity provider.
Troubleshooting tips
If your identity provider (IdP) allows you to set a Signature Algorithm, please select RSA-SHA256.
‘Invalid status code’ error message
Are you seeing this cryptic message?
Error handling SAML response: com.coveo.saml.SamlException: Invalid status code: urn:oasis:names:tc:SAML:2.0:status:Requester
This is how a SAML identity provider (IdP) informs you that your settings in Feature Upvote don’t match your settings in the IdP. Please carefully double-check all settings in your IdP, especially the Reply URL.
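When the test page reports a non-Success status or the attribute fields stay empty, it helps to look at what the IdP actually posted. The following added example (not Feature Upvote's code) decodes a base64 SAMLResponse, reports its status code and Destination, and lists the attribute names sent, so you can compare them with the Reply URL and the Display Name/Email attribute names described above. The sample response and the /saml/acs Reply URL path are constructed placeholders.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Attribute names Azure AD typically sends, as listed on this page.
DISPLAY_NAME_ATTR = "http://schemas.microsoft.com/identity/claims/displayname"
EMAIL_ATTR = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed sample: a minimal Response such as an IdP posts to the Reply URL.
# The /saml/acs path is an assumed placeholder, not Feature Upvote's real Reply URL.
SAMPLE_RESPONSE_XML = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Destination="https://yourproductcode.featureupvote.com/saml/acs">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion><saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/displayname">
      <saml:AttributeValue>Ada Example</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>ada@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""

def encode_response(xml_text: str) -> str:
    """Base64-encode a Response the way it travels in the SAMLResponse form field."""
    return base64.b64encode(xml_text.encode()).decode()

SAMPLE_SAML_RESPONSE = encode_response(SAMPLE_RESPONSE_XML)

def inspect_saml_response(b64_response: str) -> dict:
    """Decode a SAMLResponse and extract status, Destination and attribute names/values."""
    root = ET.fromstring(base64.b64decode(b64_response))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
    return {"status": status.get("Value") if status is not None else None,
            "destination": root.get("Destination"), "attributes": attrs}

def diagnose(b64_response: str, reply_url: str) -> list:
    """Return findings for the misconfigurations this page describes; [] means none found."""
    info = inspect_saml_response(b64_response)
    findings = []
    if info["status"] != STATUS_SUCCESS:
        findings.append(f"IdP returned {info['status']}: SP settings do not match the IdP app")
    if info["destination"] != reply_url:
        findings.append(f"Destination {info['destination']} != Reply URL {reply_url}")
    for label, name in (("Display Name", DISPLAY_NAME_ATTR), ("Email", EMAIL_ATTR)):
        if name not in info["attributes"]:
            findings.append(f"{label} attribute {name} not sent; got {sorted(info['attributes'])}")
    return findings
```

This inspector only reads the response for debugging; it does not verify the XML signature against the IdP's X509 certificate, which the service provider must still do before trusting any of these values.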
Azure Active Directory tips
Use these settings for display name and email:
- Display Name: http://schemas.microsoft.com/identity/claims/displayname
- Email: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
Need help with your SAML 2.0 SSO integration?
Let us know at firstname.lastname@example.org. We’ve been through this process with several SAML 2.0 SSO services and can help.