Setting up Single Sign-On with SAML 2.0 involves two steps:
1) Enter your metadata into your Identity Provider as a new enterprise application connection
2) Share your metadata certificate with us.
Once these steps are complete and both parties have configured connections, contact support to provision a test user and try the sign-on challenge end to end.
Create a new enterprise application connection
Our metadata and entity ID are the same string: https://api.togetherplatform.com/mentoring/authorize/saml/metadata.xml
Most identity provider clients should parse this xml file and fill out most of the configuration for you. If not, ensure the EntityID is the URL above, and that our certificate is entered.
The NameID assertion format in your configuration should be employee ID when possible. If that is not possible, email address can be used instead.
For user attributes, email address must be included.
Setting up Just-In-Time user provisioning with Single Sign On with SAML 2.0:
If you wish to set up Just-In-Time user provisioning, your SAML 2.0 response needs to contain the following assertions:
Supplying attributes with these claim formats will assure compatibility.
Share your metadata and certificates with us
We need your single sign-on login URL, logout URL, and certificate. Please send these to email@example.com.
- We currently only support SHA256 hashing at this time, not SHA512.
- We support staging environments for testing. Please contact firstname.lastname@example.org for more information.