SAML 2.0 SSO: Technical details (Old SSO integration)

Learn more about the technical aspects and considerations of integrating SAML 2.0 SSO.

Important: A new SSO integration workflow is available via Product Settings > SSO. The information here applies to the old workflow via the App Center, which is only available to customers who have already used it to implement SSO. For information about the new workflow, see Quick start: SSO setup.
Note:
  • Community supports SAML 2.0.
  • Community does not support automatic user creation.
  • For the SSO to function, Community requires a valid email address to authenticate the user. This email address must match exactly what is sent by the Identity Provider.
  • Community only parses the payload for common element naming conventions for email addresses. Custom fields will not be parsed and stored.
  • Community supports a single external Identity Provider at a time.
  • Community SSO customers cannot use the Tableau integration.
  • Users who are associated with the configured external Identity Provider can only access Community using SSO. Alternatively, you can create users who log in exclusively with email and password. You can specify this on the Manage Users page. For more information, see Add a user or Edit a user.

Required attributes and claims

The required attributes are email plus either first name and last name, or a user name. We look for many variations of each claim name to accommodate as wide a set of login providers as possible. The variations we use are:

Table 1. Variations for email
Email claim names:
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/email
  • user.email
  • email
  • emailAddress
  • mail

Table 2. Variations for first name
First name claim names:
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/First Name
  • user.firstname
  • first_name
  • firstname
  • first name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname
  • Given Name

Table 3. Variations for last name
Last name claim names:
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/Last Name
  • user.lastname
  • last_name
  • lastname
  • last name
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname
  • Surname

Table 4. Variations for user name
User name claim names:
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
  • user.name
  • name
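
The following is an added example, not Community's own code, of how an SP-side attribute resolver can apply the claim-name variations in Tables 1 to 4 and the rule that email is required together with either first and last name or a user name. It assumes the assertion's XML signature has already been verified by the SAML library before any attribute is trusted, and the sample assertion is constructed for illustration.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"

# Claim-name variations from Tables 1-4, tried in order; matching is exact (case-sensitive).
EMAIL_NAMES = [CLAIMS + "email", "user.email", "email", "emailAddress", "mail"]
FIRST_NAMES = [CLAIMS + "First Name", "user.firstname", "first_name", "firstname",
               "first name", CLAIMS + "givenname", "Given Name"]
LAST_NAMES = [CLAIMS + "Last Name", "user.lastname", "last_name", "lastname",
              "last name", CLAIMS + "surname", "Surname"]
USER_NAMES = [CLAIMS + "name", "user.name", "name"]

# Constructed sample assertion (not a real IdP response); only its AttributeStatement matters here.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <saml:AttributeStatement>
  <saml:Attribute Name="mail"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Given Name"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
  <saml:Attribute Name="Surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
 </saml:AttributeStatement>
</saml:Assertion>"""


def attributes_from_assertion(xml_text):
    """Map each Attribute Name to its first AttributeValue text.
    Assumption: the assertion's signature was already verified upstream by the SAML library."""
    attrs = {}
    root = ET.fromstring(xml_text)
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            attrs[attr.get("Name")] = value.text  # no case-folding: must match the IdP exactly
    return attrs


def first_match(attrs, names):
    """Value of the first claim name present in attrs, or None."""
    return next((attrs[n] for n in names if n in attrs), None)


def resolve_identity(attrs):
    """Page rule: email is required, plus first+last name OR a user name.
    Anything else is rejected so a login never maps to a partial identity."""
    email = first_match(attrs, EMAIL_NAMES)
    if not email:
        raise ValueError("no email claim found under any known name")
    first, last = first_match(attrs, FIRST_NAMES), first_match(attrs, LAST_NAMES)
    username = first_match(attrs, USER_NAMES)
    if not ((first and last) or username):
        raise ValueError("need first name and last name, or a user name")
    return {"email": email, "firstname": first, "lastname": last, "username": username}
```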

User provisioning

Platform users are not auto-provisioned. Each user must be created on the Alida platform with all the requisite permissions they need to perform their job.

Role-based dashboard users can be auto-provisioned if you are using hierarchical, role-based dashboard features. These users will have no access to the typical platform areas such as surveys, community, hubs, or settings. They will only be able to see dashboards that have been published to all viewers.

Metadata

All metadata URLs must be publicly accessible. The install process will fetch the file and evaluate it. If either the fetch or the evaluation fails, the install will not succeed.

If you have a file and need Alida to host it for you, we can accommodate that. Please contact Technical Support or your Customer Success Manager.