SAML SSO

[add-on]

Security Assertion Markup Language, or SAML, can be configured as an option for authenticating users. This allows an organization to set up users in a single, centralized place and manage their access to multiple applications. Users only have to remember a single set of credentials across the systems they use. Administrators can enforce their desired password policies at the SAML identity provider, and many providers support additional security features such as multi-factor authentication (MFA).

The SAML SSO add-on and the “Manage team” permission flag are required to view and change the SAML SSO configuration.

SP Details

The SP Details form provides the information needed to configure SAML SSO with your identity provider. It also provides an easy way to copy these values for use in setting up your SAML single sign-on. These values cannot be altered via this form.

  • Entity ID: The unique ID used by your identity provider to identify your PathcoreFlow team
  • Assertion Consumer Service URL: The URL used by the identity provider to send the SAML assertion. This is sometimes also called a "Reply URL"
  • Name ID Format: The format of the user identifier expected by PathcoreFlow in responses from the identity provider. The only format that is accepted is email address
To view the SAML service provider (SP) details
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. (Optional) Click on the Copy to Clipboard button to the right of a field to copy its contents to the clipboard

IdP Details

In order to enable SSO, an identity provider must be configured in PathcoreFlow by a team administrator.

  • Entity ID: This is a unique identifier for your configured SSO application at the identity provider
  • Single Sign On URL: The URL at the identity provider where users are redirected to complete the log in
  • Certificate: A public key provided by your identity provider in either PEM or DER format
Only one identity provider can be configured for a team at a time.

Instructions for external providers are provided for convenience. If you require assistance in setting up the SAML identity provider, please contact the support for that provider.
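The Certificate field accepts the identity provider's signing certificate in either PEM or DER form. The following is an added example, not PathcoreFlow code, that uses only the Python standard library to detect which form an exported file is in, normalise it to the single PEM block you would paste into the field, and compute the SHA-256 fingerprint so it can be compared with the fingerprint shown in the identity provider's console before saving. The sample DER bytes are a constructed placeholder, not a real certificate.

```python
"""Normalise an identity provider's signing certificate for the Certificate
field and compute its SHA-256 fingerprint.

Added example; not PathcoreFlow code. Standard library only.
"""
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"

# Constructed placeholder (ASN.1 SEQUENCE { INTEGER 5 }); not a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")


def detect_format(data: bytes) -> str:
    """Return "PEM" or "DER" from the leading bytes of an exported certificate.

    PEM is text starting with the BEGIN CERTIFICATE armour; DER is binary and
    starts with the ASN.1 SEQUENCE tag 0x30.
    """
    if data.lstrip().startswith(PEM_HEADER.encode("ascii")):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("not a PEM or DER certificate")


def to_pem(data: bytes) -> str:
    """Return one clean PEM block ready to paste into the Certificate field.

    DER input is base64-armoured. PEM input is round-tripped through DER so
    that CRLF line endings, surrounding whitespace and any text outside the
    armour (some consoles export extra lines) are removed.
    """
    if detect_format(data) == "DER":
        return ssl.DER_cert_to_PEM_cert(data)
    text = data.decode("ascii", "strict").replace("\r\n", "\n").strip()
    start = text.index(PEM_HEADER)
    end = text.index(PEM_FOOTER, start) + len(PEM_FOOTER)
    der = ssl.PEM_cert_to_DER_cert(text[start:end])
    return ssl.DER_cert_to_PEM_cert(der)


def fingerprint_sha256(data: bytes) -> str:
    """Colon-separated SHA-256 fingerprint over the DER bytes, the form most
    identity provider consoles display, so PEM and DER copies compare equal."""
    der = ssl.PEM_cert_to_DER_cert(to_pem(data))
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


if __name__ == "__main__":
    print(to_pem(SAMPLE_DER))
    print("SHA-256:", fingerprint_sha256(SAMPLE_DER))
```

Run it against the file downloaded from the provider; if the fingerprint differs from the one the provider's console shows, the wrong certificate (for example an expired or secondary signing key) was exported.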

To configure Google Workspace as your identity provider
The user setting up SAML SSO must also be an active user in Google Workspace.
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions for setting up your own custom SAML app in Google Workspace Admin Help

    1. The following table lists the PathcoreFlow SP Details and their equivalent fields in Google Workspace's Service Provider Details section:

      PathcoreFlow Setting           | Google Workspace Field
      Entity ID                      | Entity ID
      Assertion Consumer Service URL | ACS URL
      (unused)                       | Start URL
    2. Set the following Name ID settings in Google Workspace:

      • Name ID format: "UNSPECIFIED"
      • Name ID: "Primary email"
    3. Configure the following in SAML attribute mapping:

      Google Directory | App
      Primary email    | email
      First name       | name
  5. Enter information from Google Workspace into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Google Workspace:

    PathcoreFlow Setting     | Google Workspace Field
    Entity ID                | Entity ID
    Single Sign On (SSO) URL | SSO URL
    Certificate              | Certificate
  6. Complete the configuration by following the instructions in the Configuration section

To configure JumpCloud as your identity provider
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions for setting up SSO using Custom SAML Application Connectors in JumpCloud Support

    1. The following table lists the PathcoreFlow SP Details and their equivalent fields in JumpCloud's SSO section:

      PathcoreFlow Setting           | JumpCloud
      Entity ID                      | SP Entity ID
      Assertion Consumer Service URL | ACS URLs -> Add URL
    2. Set the following Name ID settings in JumpCloud:

      • SAMLSubject NameID: "email"
      • SAMLSubject NameID Format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
    3. Configure the following User Attribute mappings:

      Service Provider Attribute Name | JumpCloud Attribute Name
      email                           | email
      name                            | displayname
  5. Download the certificate from JumpCloud and paste the contents of the file into the Certificate field under the IdP Details section

  6. Enter information from JumpCloud into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in JumpCloud:

    PathcoreFlow Setting     | JumpCloud Field
    Entity ID                | IdP Entity ID
    Single Sign On (SSO) URL | IDP URL
  7. Complete the configuration by following the instructions in the Configuration section

To configure Microsoft Entra ID (formerly Azure AD) as your identity provider
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions for enabling SSO for an enterprise application in Microsoft Learn. You will need to Create your own application

    1. The following table lists the PathcoreFlow SP Details and their equivalent fields in Microsoft Entra's Basic SAML Configuration section:

      PathcoreFlow Setting           | Microsoft Entra Field
      Entity ID                      | Identifier (Entity ID)
      Assertion Consumer Service URL | Reply URL (Assertion Consumer Service URL)
      (unused)                       | Sign on URL
      (unused)                       | Relay State
      (unused)                       | Logout Url
    2. Configure the following in Attributes & Claims:

      Claim Name                       | Value
      Unique User Identifier (Name ID) | user.userprincipalname
      email                            | user.userprincipalname
      name                             | user.displayname
  5. Download the Certificate (Base64) from Microsoft Entra and paste the contents of the file in the Certificate field under the IdP Details section

  6. Enter information from Microsoft Entra into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Microsoft Entra's Set up <Application Name> section:

    PathcoreFlow Setting     | Microsoft Entra Field
    Entity ID                | Microsoft Entra Identifier
    Single Sign On (SSO) URL | Login URL
  7. Complete the configuration by following the instructions in the Configuration section

To configure Okta as your identity provider
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions to create a SAML app integration in Okta Docs

    1. The following table lists the PathcoreFlow SP Details and their equivalent fields in Okta's Application Integration Wizard:

      PathcoreFlow Setting           | Okta
      Entity ID                      | Audience URI (SP Entity ID)
      Assertion Consumer Service URL | Single sign-on URL
    2. Set the following Name ID settings in Okta:

      • Application username: "Email"
      • Name ID format: "EmailAddress"
    3. Configure the following Attribute Statements:

      Name  | Value
      email | user.email
      name  | user.firstName + " " + user.lastName
  5. Enter information from Okta into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Okta:

    PathcoreFlow Setting     | Okta Field
    Entity ID                | Identity Provider Issuer
    Single Sign On (SSO) URL | Identity Provider Single Sign-On URL
    Certificate              | X.509 Certificate
  6. Complete the configuration by following the instructions in the Configuration section

To configure OneLogin as your identity provider
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions for setting up an Advanced SAML Custom Connector and Configuring SSO for SAML-Enabled Applications in OneLogin Support

    1. The following table lists the PathcoreFlow SP Details and their equivalent fields in OneLogin:

      PathcoreFlow Setting           | OneLogin
      Entity ID                      | Audience (EntityID)
      Assertion Consumer Service URL | Recipient
      (the regex-escaped ACS URL)    | ACS (Consumer) URL Validator
      Assertion Consumer Service URL | ACS (Consumer) URL
    2. Set the following Name ID settings in OneLogin:

      • SAML initiator: "OneLogin"
      • SAML nameID format: "Email"
    3. Configure the following Parameters:

      Service Provider Attribute Name | OneLogin Parameter Name
      email                           | Email
      name                            | Name
  5. Enter information from OneLogin into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in OneLogin:

    PathcoreFlow Setting     | OneLogin Field
    Entity ID                | Issuer URL
    Single Sign On (SSO) URL | SAML 2.0 Endpoint (HTTP)
    Certificate              | X.509 Certificate
  6. Complete the configuration by following the instructions in the Configuration section

To configure another service as your identity provider
The terms used by your identity provider may differ.
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Review the values in the SP Details section

  4. Follow the instructions from your identity provider to set up a new SAML application

    1. The following table lists the PathcoreFlow SP Details and some common equivalent fields used by identity providers:

      PathcoreFlow Setting           | Alternate Names
      Entity ID                      | Audience, Identifier, Issuer, SP ID
      Assertion Consumer Service URL | ACS URL, Reply URL, Single Sign-On URL, SSO URL
    2. Set the following Name ID settings. Name ID may also be called SAMLSubject, Unique User ID, or App Username:

      • Name ID: A user's primary email address
      • Name ID format: "EmailAddress" or urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
    3. Configure the following SAML attribute mappings:

      Name  | Value
      email | User's email address
      name  | User's display name or full name
  5. Enter information from your identity provider into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and some common equivalent fields used by identity providers:

    PathcoreFlow Setting     | Alternate Names
    Entity ID                | Identifier, Identity Provider Issuer, IdP Entity
    Single Sign On (SSO) URL | Login URL, SSO URL
    Certificate              | Public key, X.509
  6. Complete the configuration by following the instructions in the Configuration section
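Whichever provider you use, the assertion it sends must carry a NameID in the emailAddress format, the email and name attributes, an Audience equal to your Entity ID, and a Destination and Recipient equal to your Assertion Consumer Service URL. Below is an added example, not PathcoreFlow's own verification code, that checks a captured SAML Response for exactly those points; it also builds the anchored, regex-escaped ACS URL pattern that the OneLogin ACS (Consumer) URL Validator field asks for. The response XML, entity ID and URLs are constructed sample values. The check deliberately does not validate the XML signature, which a service provider must do before trusting any of these fields; it is a configuration aid, not a replacement for the Verify Configuration step.

```python
"""Check that a SAML Response carries the fields this page asks identity
providers to send. Added example; not PathcoreFlow code. Does not verify
the XML signature.
"""
import re
import xml.etree.ElementTree as ET

EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample values; substitute the values from your SP Details form.
SP_ENTITY_ID = "https://flow.example.com/saml/metadata/team-1"
ACS_URL = "https://flow.example.com/saml/acs"

# Constructed, unsigned sample response in the shape a correctly mapped IdP produces.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" Destination="{ACS_URL}">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="name"><saml:AttributeValue>Alice Example</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def acs_url_validator(acs_url: str) -> str:
    """Anchored pattern that matches only the exact ACS URL; this is the value
    for OneLogin's ACS (Consumer) URL Validator field."""
    return "^" + re.escape(acs_url) + "$"


def matches_acs_url(url, acs_url: str) -> bool:
    """True only when url is exactly the ACS URL (no prefix, suffix or wildcard match)."""
    return re.match(acs_url_validator(acs_url), url or "") is not None


def check_response(xml_text: str, sp_entity_id: str, acs_url: str) -> list:
    """Return a list of problems; an empty list means the response carries
    everything the IdP Details and attribute mapping steps ask for."""
    findings = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["Response contains no Assertion (encrypted assertions are not handled here)"]

    # Destination (on the Response) and Recipient (on the bearer confirmation)
    # must both be the ACS URL from SP Details.
    if not matches_acs_url(root.get("Destination"), acs_url):
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    recipient = scd.get("Recipient") if scd is not None else None
    if not matches_acs_url(recipient, acs_url):
        findings.append(f"Recipient {recipient!r} is not the ACS URL")

    # Audience must be the SP Entity ID.
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience", namespaces=NS)
    if audience != sp_entity_id:
        findings.append(f"Audience {audience!r} is not the SP Entity ID")

    # NameID must use the emailAddress format and hold an email address.
    nameid = assertion.find("saml:Subject/saml:NameID", NS)
    if nameid is None:
        findings.append("Subject has no NameID")
    else:
        if nameid.get("Format") != EMAIL_NAMEID:
            findings.append(f"NameID Format is {nameid.get('Format')!r}, expected {EMAIL_NAMEID}")
        if "@" not in (nameid.text or ""):
            findings.append(f"NameID {nameid.text!r} is not an email address")

    # The email and name attributes must be mapped and non-empty.
    attrs = {
        a.get("Name"): (a.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    for required in ("email", "name"):
        if not attrs.get(required):
            findings.append(f"attribute {required!r} is missing or empty")
    return findings


if __name__ == "__main__":
    print("OneLogin validator:", acs_url_validator(ACS_URL))
    print("findings:", check_response(SAMPLE_RESPONSE, SP_ENTITY_ID, ACS_URL))
```

A captured response from a browser's SAML tracer can be passed to check_response in place of the sample; each finding names the identity provider setting (Name ID format, attribute mapping, Audience, ACS URL) that needs correcting.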

Configuration

  • Default Permissions: The role to assign to users created in PathcoreFlow by JIT Provisioning
  • Default Accessible Content: The data group to assign to users created in PathcoreFlow by JIT Provisioning. Can be set to "Nothing" so that an administrator must assign accessible content to new users after they successfully log in
  • Enable SAML Authentication: This toggle enables the option to log in using the configured identity provider
  • Enforce SAML SSO: This toggle will require that all users log in using the configured identity provider. Enabling this will automatically Enable SAML Authentication
Users with the system-defined Administrator role can always log in with their password, so that a team can never be locked out entirely.
To finalize your SAML SSO configuration
  1. Select the desired role from the Default Permissions dropdown

  2. Select the desired data group from the Default Accessible Content dropdown

  3. Click on the Verify Configuration link to validate your configuration. This must complete successfully before you can save your changes

  4. (Optional) Enable the Enable SAML Authentication toggle

  5. (Optional) Enable the Enforce SAML SSO toggle if you want to require all users to use the designated identity provider to log in

  6. Click on the Save Changes button

If you have enabled Enforce SAML SSO, all users on the team must authenticate through the configured identity provider (IdP). Therefore, all users will require valid credentials for the designated provider.
To disable SAML SSO for a team
  1. Click on the Settings button from the Navigation Menu

  2. Click on the SAML SSO tab

  3. Disable the Enable SAML Authentication toggle

  4. Click on the Save Changes button

JIT Provisioning

PathcoreFlow supports just-in-time (JIT) provisioning of users by default when SAML SSO is enabled. JIT provisioning creates users in PathcoreFlow the first time they attempt to log in from their identity provider using SSO. This allows administrators to manage access to PathcoreFlow directly through their identity provider.

A user created by JIT provisioning will be assigned the role and data group set in the Configuration section.
First-time JIT login steps
  1. Log in to your identity provider. Contact your team administrator if you require assistance

  2. Locate the PathcoreFlow app and launch it. The name of this app within your identity provider is configured by your team administrator and may be something different (e.g. "Pathcore" or "Flow"). You will be redirected to the PathcoreFlow login page

  3. You will need to activate your account to continue. Check your email for a message which has instructions to activate your account. Follow those instructions. You need to set a password for PathcoreFlow, but then you will be able to log in using your identity provider credentials

  4. You are now registered with the PathcoreFlow team

A user only needs to activate their account once per team.
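The Configuration and JIT Provisioning sections together define a small access policy: enforcing SSO implies enabling it, a user's first SSO login creates an account with the default role and data group (or with no accessible content when Default Accessible Content is "Nothing"), later logins reuse that account, and system Administrators keep password login so the team cannot be locked out. The following is an added model of that policy, not PathcoreFlow code; the role name "Viewer" and the data group "Research" are assumed sample values. It lets an administrator reason about who can log in, and how, before changing the toggles.

```python
"""Model of the login and JIT provisioning rules described on this page.
Added example; not PathcoreFlow code. Role and data-group names are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ADMIN_ROLE = "Administrator"  # system-defined role that can always use a password


@dataclass
class SsoConfig:
    enable_saml: bool = False
    enforce_sso: bool = False
    default_role: str = "Viewer"               # assumed role name
    default_data_group: Optional[str] = None   # None models "Nothing"

    def __post_init__(self) -> None:
        # Enforce SAML SSO automatically enables SAML authentication.
        if self.enforce_sso:
            self.enable_saml = True


@dataclass
class User:
    email: str
    name: str
    role: str
    data_groups: List[str] = field(default_factory=list)
    activated: bool = False   # becomes True once per team after the activation email


class TeamDirectory:
    def __init__(self, config: SsoConfig) -> None:
        self.config = config
        self.users: Dict[str, User] = {}

    def jit_provision(self, nameid_email: str, name: str) -> User:
        """Return the existing user for this NameID, or create one on the
        first SSO login with the configured default role and data group."""
        if not self.config.enable_saml:
            raise PermissionError("SAML authentication is not enabled for this team")
        # The NameID is an email address; normalise it so case differences at
        # the IdP do not create duplicate accounts.
        key = nameid_email.strip().lower()
        user = self.users.get(key)
        if user is None:
            groups = [self.config.default_data_group] if self.config.default_data_group else []
            user = User(email=key, name=name, role=self.config.default_role, data_groups=groups)
            self.users[key] = user
        return user

    def password_login_allowed(self, user: User) -> bool:
        """Under Enforce SAML SSO only system Administrators may still use a
        password; everyone else must go through the identity provider."""
        return (not self.config.enforce_sso) or user.role == ADMIN_ROLE

    def sso_login_allowed(self) -> bool:
        """SSO login is offered only while Enable SAML Authentication is on."""
        return self.config.enable_saml


if __name__ == "__main__":
    team = TeamDirectory(SsoConfig(enforce_sso=True, default_data_group=None))
    alice = team.jit_provision("Alice@Example.com", "Alice Example")
    print(alice, "password login:", team.password_login_allowed(alice))
```

Running the model with Enforce SAML SSO on and Default Accessible Content set to "Nothing" shows the state the page describes: the new user exists with the default role but no data group, and cannot fall back to a password, while an Administrator still can.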