SAML Single Sign On
[add-on]
Security Assertion Markup Language, or SAML, can be configured as an option for authenticating users. This allows an organization to set up users in a single, centralized place and manage their access to multiple applications. Users only have to remember a single set of credentials across the systems they use. Administrators can enforce their desired password policies at the SAML identity provider, and many providers support additional security features such as multi-factor authentication (MFA).
SP Details
The SP Details form provides the information needed to configure SAML SSO with your identity provider. It also provides an easy way to copy these values for use in setting up your SAML single sign-on. These values cannot be altered via this form.
- Entity ID: The unique ID used by your identity provider to identify your PathcoreFlow team
- Assertion Consumer Service URL: The URL used by the identity provider to send the SAML assertion. This is sometimes also called a "Reply URL"
- Name ID Format: The format of the user identifier expected by PathcoreFlow in responses from the identity provider. The only format that is accepted is email address
To view the SAML service provider (SP) details
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
(Optional) Click on the button to the right of a field to copy its contents to the clipboard
IdP Details
In order to enable SSO, an identity provider must be configured in PathcoreFlow by a team administrator.
- Entity ID: This is a unique identifier for your configured SSO application at the identity provider
- Single Sign On URL: The URL at the identity provider where users are redirected to complete the log in
- Certificate: A public key provided by your identity provider in either PEM or DER format
Instructions for external providers are provided for convenience. If you require assistance in setting up the SAML identity provider, please contact the support for that provider.
To configure Google Workspace as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions for setting up your own custom SAML app in Google Workspace Admin Help
The following table lists the PathcoreFlow SP Details and their equivalent fields in Google Workspace's Service Provider Details section:
PathcoreFlow Setting Google Workspace Field Entity ID Entity ID Assertion Consumer Service URL ACS URL (unused) Start URL Set the following Name ID settings in Google Workspace:
- Name ID format: "UNSPECIFIED"
- Name ID: "Primary email"
Configure the following in SAML attribute mapping:
Google Directory App Primary email email First name name
Enter information from Google Workspace into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Google Workspace:
PathcoreFlow Setting Google Workspace Field Entity ID Entity ID Single Sign On (SSO) URL SSO URL Certificate Certificate Complete the configuration by following the instructions in the Configuration section
To configure JumpCloud as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions for setting up SSO using Custom SAML Application Connectors in JumpCloud Support
The following table lists the PathcoreFlow SP Details and their equivalent fields in JumpCloud's SSO section:
PathcoreFlow Setting JumpCloud Entity ID SP Entity ID Assertion Consumer Service URL ACS URLs -> Add URL Set the following Name ID settings in JumpCloud:
- SAMLSubject NameID: "email"
- SAMLSubject NameID Format: "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
Configure the following User Attribute mappings:
Service Provider Attribute Name JumpCloud Attribute Name email email name displayname
Download the certificate from JumpCloud and paste the contents of the file into the Certificate field under the IdP Details section
Enter information from JumpCloud into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in JumpCloud:
PathcoreFlow Setting JumpCloud Field Entity ID IdP Entity ID Single Sign On (SSO) URL IDP URL Complete the configuration by following the instructions in the Configuration section
To configure Microsoft Entra ID (formerly Azure AD) as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions for enabling SSO for an enterprise application in Microsoft Learn. You will need to Create your own application
The following table lists the PathcoreFlow SP Details and their equivalent fields in Microsoft Entra's Basic SAML Configuration section:
PathcoreFlow Setting Microsoft Entra Field Entity ID Identifier (Entity ID) Assertion Consumer Service URL Reply URL (Assertion Consumer Service URL) (unused) Sign on URL (unused) Relay State (unused) Logout Url Configure the following in Attributes & Claims:
Claim Name Value Unique User Identifier (Name ID) user.userprincipalname email user.userprincipalname name user.displayname
Download the Certificate (Base64) from Microsoft Entra and paste the contents of the file in the Certificate field under the IdP Details section
Enter information from Microsoft Entra into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Microsoft Entra's Set up <Application Name> section:
PathcoreFlow Setting Microsoft Entra Field Entity ID Microsoft Entra Identifier Single Sign On (SSO) URL Login URL Complete the configuration by following the instructions in the Configuration section
To configure Okta as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions to create a SAML app integration in Okta Docs
The following table lists the PathcoreFlow SP Details and their equivalent fields in Okta's Application Integration Wizard:
PathcoreFlow Setting Okta Entity ID Audience URI (SP Entity ID) Assertion Consumer Service URL Single sign-on URL Set the following Name ID settings in Okta:
- Application username: "Email"
- Name ID format: "EmailAddress"
Configure the following Attribute Statements:
Name Value email user.email name user.firstName + " " + user.lastName
Enter information from Okta into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in Okta:
PathcoreFlow Setting Okta Field Entity ID Identity Provider Issuer Single Sign On (SSO) URL Identity Provider Single Sign-On URL Certificate X.509 Certificate Complete the configuration by following the instructions in the Configuration section
To configure OneLogin as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions for setting up an Advanced SAML Custom Connector and Configuring SSO for SAML-Enabled Applications in OneLogin Support
The following table lists the PathcoreFlow SP Details and their equivalent fields in OneLogin:
PathcoreFlow Setting OneLogin Entity ID Audience (EntityID) Assertion Consumer Service URL Recipient (the regex escaped ACS URL) ACS (Consumer) URL Validator Assertion Consumer Service URL ACS (Consumer) URL Set the following Name ID settings in OneLogin:
- SAML initiator: "OneLogin"
- SAML nameID format: "Email"
Configure the following Parameters:
Service Provider Attribute Name OneLogin Parameter Name email Email name Name
Enter information from OneLogin into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and their equivalent fields in OneLogin:
PathcoreFlow Setting OneLogin Field Entity ID Issuer URL Single Sign On (SSO) URL SAML 2.0 Endpoint (HTTP) Certificate X.509 Certificate Complete the configuration by following the instructions in the Configuration section
To configure another service as your identity provider
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Review the values in the SP Details section
Follow the instructions from your identity provider to set up a new SAML application
The following table lists the PathcoreFlow SP Details and some common equivalent fields used by identity providers:
PathcoreFlow Setting Alternate Names Entity ID Audience, Identifier, Issuer, SP ID Assertion Consumer Service URL ACS URL, Reply URL, Single Sign-On URL, SSO URL Set the following Name ID settings. Name ID may also be called SAMLSubject, Unique User ID, or App Username:
- Name ID: A user's primary email address
- Name ID format: "EmailAddress" or
urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
Configure the following SAML attribute mappings:
Name Value email User's email address name User's display name or full name
Enter information from your identity provider into the fields under the IdP Details section. The following table lists the PathcoreFlow settings and some common equivalent fields used by identity providers:
PathcoreFlow Setting Alternate Names Entity ID Identifier, Identity Provider Issuer, IdP Entity Single Sign On (SSO) URL Login URL, SSO URL Certificate Public key, X.509 Complete the configuration by following the instructions in the Configuration section
Configuration
- Default Permissions: The role to assign to users created in PathcoreFlow by JIT Provisioning
- Default Accessible Content: The data group to assign to users created in PathcoreFlow by JIT Provisioning. Can be set to "Nothing" so that an administrator must assign accessible content to new users after they successfully log in
- Enable SAML Authentication: This toggle enables the option to log in using the configured identity provider
- Enforce SAML SSO: This toggle will require that all users log in using the configured identity provider. Enabling this will automatically Enable SAML Authentication
To finalize your SAML SSO configuration
Select the desired role from the Default Permissions dropdown
Select the desired data group from the Default Accessible Content dropdown
Click on the Verify Configuration link to validate your configuration. This must complete successfully before you can save your changes
(Optional) Enable the Enable SAML Authentication toggle
(Optional) Enable the Enforce SAML SSO toggle if you want to require all users to use the designated identity provider to log in
Click on the Save Changes button
To disable SAML SSO for a team
Click on the Settings button from the Navigation Menu
Click on the SAML Single Sign On tab
Disable the Enable SAML Authentication toggle
Click on the Save Changes button
JIT Provisioning
PathcoreFlow supports just-in-time (JIT) provisioning of users by default when SAML SSO is enabled. JIT provisioning creates users in PathcoreFlow the first time they attempt to log in from their identity provider using SSO. This allows administrators to manage access to PathcoreFlow directly through their identity provider.
First time JIT log in steps
Log in to your identity provider. Contact your team administrator if you require assistance
Locate the PathcoreFlow app and launch it. The name of this app within your identity provider is configured by your team administrator and may be something different (e.g. "Pathcore" or "Flow"). You will be redirected to the PathcoreFlow login page
You will need to activate your account to continue. Check your email for a message which has instructions to activate your account. Follow those instructions. You need to set a password for PathcoreFlow, but then you will be able to log in using your identity provider credentials
You are now registered with the PathcoreFlow team