This article outlines how to set up and configure SAML-based Single Sign-On with Sequr. If your identity provider (IdP) supports SAML 2.0, then you can enable Single Sign-On (SSO) for all of your employees.
When you use SAML to connect Sequr with your identity provider (IdP), it’s easy to provide your admins and employees with Single Sign-On access to the Sequr Dashboard, as well as the Sequr Mobile app. You’ll also increase your office security by reducing the risk of password theft.
# Configuring SAML for Common IdPs
You can connect Sequr to any SSO provider with SAML 2.0. We’ve provided guides for a few common IdPs:
# SAML Configuration Instructions
We support both IdP-initiated SSO and SP-initiated SSO. Please follow the instructions below to configure your IdP (Identity Provider) and SP (Service Provider, i.e. Sequr).
Step 1. Configure Your Identity Provider
Please obtain the following values from your Identity Provider. We will need to enter these values into Sequr. Please follow our IdP-specific guide to get these values.
- Identity Provider's Single Sign-On Service URL (HTTP URL)
- Identity Provider X.509 signing certificate (Base64 encoded)
We need to enter the "RelayState" value to make both IdP-initiated and SP-initiated SSO work. You can obtain this value from your Sequr dashboard, as shown in the steps below, while configuring the Service Provider side (Sequr). Please follow your IdP-specific guide to configure this value on your IdP dashboard.
Step 2. Configure Service Provider (Sequr Dashboard)
1. Log in to your Sequr dashboard and navigate to the "Integrations" page. Under the Single Sign-On SAML integration box, click "Install."
2. Enter your Identity Provider's values.
- Enter your Identity Provider HTTP SAML URL.
- Drag and drop or manually enter the X.509 certificate.
3. Click "Install" to save.
4. Please make a note of the "RelayState" value and follow your IdP-specific guide to configure it on your IdP dashboard. At this point Single Sign-On will be enabled for all of your admins and employees.
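A pre-flight check for the two IdP values from Step 1, run locally before entering them in the dashboard. This is an added example, not Sequr's code: the function names, the https-only policy, the `idp.example.com` URL and the sample data are assumptions, and it checks only Base64 validity and outer DER framing (no signature or expiry validation).

```python
import base64
import binascii
import hashlib
import re
from urllib.parse import urlsplit

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def cert_der(text):
    """Accept a PEM block or bare Base64 text and return the DER bytes."""
    match = PEM_RE.search(text)
    b64 = "".join((match.group(1) if match else text).split())
    try:
        der = base64.b64decode(b64, validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("certificate is not valid Base64") from exc
    # Outer framing only: tag 0x30 (SEQUENCE) and a length covering the whole blob.
    if len(der) < 4 or der[0] != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    if der[1] < 0x80:
        header, length = 2, der[1]
    else:
        n = der[1] & 0x7F
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    if header + length != len(der):
        raise ValueError("certificate is truncated or has trailing data")
    return der

def preflight(sso_url, cert_text):
    """Return (problems, sha256_fingerprint) for the two IdP values."""
    problems = []
    url = urlsplit(sso_url.strip())
    if url.scheme != "https" or not url.hostname:
        problems.append("SSO URL is not an absolute https:// URL")  # example policy
    fingerprint = None
    try:
        digest = hashlib.sha256(cert_der(cert_text)).hexdigest().upper()
        fingerprint = ":".join(digest[i:i + 2] for i in range(0, 64, 2))
    except ValueError as exc:
        problems.append(str(exc))
    return problems, fingerprint

# Constructed sample: a DER SEQUENCE header plus filler, not a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
SAMPLE_B64 = base64.encodebytes(SAMPLE_DER).decode()
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64 + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    print(preflight("https://idp.example.com/sso/saml", SAMPLE_PEM))
```

If your IdP console displays a SHA-256 fingerprint for its signing certificate, compare it with the one returned here to catch a wrong or partially copied certificate.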
# Exempt Users From Single Sign-On
There could be cases where you may want to exempt certain users from the single sign-on process. For example, you may want to send a "mobile key" to vendors or contractors who are not on your identity platform. It's really easy to add an SSO exemption with Sequr once you have enabled the SAML integration.
- Go to Integrations > SAML Integration > Exempted Users
- Click on "Add SSO Exemption". Search and add any existing user to exempt them from SSO.
- If you have already assigned a "Mobile Key" prior to adding the user to SSO exemption, then please go to the user profile and click on "Resend Sign-up Email". This time the user will receive a notification with a registration link to sign up.
# SSO Back Door URL
Sometimes there might be a mistake in the SAML configuration, or something changes in the SAML IdP endpoints. In any case, you do not want to be completely locked out. Having a backdoor available for Admins to use to access a locked system becomes extremely important.
You can enable the SSO backdoor as shown below. The "SSO backdoor" URL only works for Administrators. The Sequr "SSO backdoor" URL is: https://login.sequr.io/?sso=false
# How to Disable Single Sign-On
To disable SAML SSO, navigate to the "Integrations" page on your Sequr dashboard. Click "Manage" under the Single Sign-On SAML integration box. Next click on the "Edit" button, then click "Delete."
If you need assistance setting up SAML-based SSO for your organization, or if you'd like to share feedback, you can always reach the Sequr Support Team via live chat in your Sequr web app. You can also contact us via email at firstname.lastname@example.org.