Configure SAML authentication

Security Assertion Markup Language (SAML) authentication allows you to use common external identity providers (IdP) to authenticate usernames and passwords for Calabrio ONE, the service provider (SP). This method of user authentication and password management is commonly referred to as “single sign-on.”

After SAML authentication is configured through your external IdP, the metadata needs to be downloaded, exported, and given to a Calabrio Professional Services Account Representative who will complete the configuration procedure within Calabrio ONE. See Export SAML Metadata for more information.

IMPORTANT   If the user’s email address is not mapped to the “mail” attribute on your external IdP, then you need to contact Calabrio Professional Services and tell the Calabrio representative the name of the attribute that contains the user email.

NOTE   If your IdP X.509 certificate changes, for example because it was renewed with a new expiration date, you need to provide the new X.509 certificate or the new SAML metadata file to Calabrio Professional Services. Otherwise, users will not be able to log in.

NOTE   Tenant administrators who have been added by a system administrator can always log in using their Calabrio ONE credentials. This is true even if Calabrio ONE authentication is disabled and another form of authentication (SAML or Active Directory) is enabled.

Configuring identity providers

Calabrio ONE integrates with all IdPs that support SAML 2.0 authentication. The following general parameters apply when configuring the SAML assertion in an IdP.

Assertion Component Configuration

Attributes

The IdP must send an assertion containing your users’ email address as an attribute. This email address must match the address used for Calabrio ONE authentication. Attribute names are case sensitive.

EXAMPLE   

The specific name of the email attribute depends on the IdP that you use. The following are examples:

  • emailAddress
  • email
  • mail
  • user.email

Signatures

The SAML assertion must be signed. The signing certificate (the public key used to verify the signature) is provided in the IdP metadata XML. The supported SAML assertion signature algorithms are listed below.

  • rsa-sha256
  • rsa-sha1
  • rsa-md5
  • rsa-ripemd160
  • rsa-sha384
  • rsa-sha512
  • dsa-sha1

Key sizes

Encrypted assertions are supported only with a maximum key size of 128 bits.
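The three requirements above (a case-sensitive "mail" attribute, a signed assertion using one of the listed algorithms, and a 128-bit limit on encrypted assertions) are easy to check against the SAML response your IdP actually produces, for example one captured from a browser SAML tracer while testing. The following Python script is an added example and is not Calabrio's code; it inspects the structure of a response against those rules and does not cryptographically verify the signature. The algorithm URIs are the standard XML-DSig / RFC 6931 identifiers, the two embedded responses are constructed samples, and the assumption that the 128-bit limit refers to the symmetric content-encryption key is marked in the code.

```python
import re
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xenc": "http://www.w3.org/2001/04/xmlenc#",
}
# Standard XML-DSig / RFC 6931 algorithm URIs mapped to the short names used on this page.
SIGNATURE_ALGORITHMS = {
    "http://www.w3.org/2000/09/xmldsig#rsa-sha1": "rsa-sha1",
    "http://www.w3.org/2000/09/xmldsig#dsa-sha1": "dsa-sha1",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-md5": "rsa-md5",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-ripemd160": "rsa-ripemd160",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256": "rsa-sha256",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha384": "rsa-sha384",
    "http://www.w3.org/2001/04/xmldsig-more#rsa-sha512": "rsa-sha512",
}
WEAK_SIGNATURE_ALGORITHMS = {"rsa-sha1", "dsa-sha1", "rsa-md5"}  # accepted, but collision-prone digests
MAIL_ATTRIBUTE = "mail"        # exact, case-sensitive attribute name the SP expects
MAX_ENCRYPTION_KEY_BITS = 128  # assumption: the 128-bit limit refers to the symmetric content key


def check_saml_response(xml_text, expected_email):
    """Check one SAML Response (or bare Assertion) against the requirements on this page.
    Returns {'ok', 'signature_algorithm', 'email', 'errors', 'warnings'}. Structure only:
    the signature itself is not cryptographically verified here."""
    root = ET.fromstring(xml_text)
    errors, warnings = [], []
    sig_alg = email = None

    # Key size of any encrypted assertion, read from the xmlenc URI (...#aes256-cbc -> 256)
    for method in root.iterfind(".//xenc:EncryptedData/xenc:EncryptionMethod", NS):
        m = re.search(r"aes(\d+)", method.get("Algorithm", ""))
        if m and int(m.group(1)) > MAX_ENCRYPTION_KEY_BITS:
            errors.append(f"encrypted assertion uses a {m.group(1)}-bit key; maximum is {MAX_ENCRYPTION_KEY_BITS}")

    assertions = root.findall(".//saml2:Assertion", NS)
    if root.tag == "{%s}Assertion" % NS["saml2"]:
        assertions.insert(0, root)
    if not assertions and root.find(".//saml2:EncryptedAssertion", NS) is None:
        errors.append("no <saml2:Assertion> element found")

    for assertion in assertions:
        method = assertion.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
        if method is None:
            errors.append("assertion is not signed")
        else:
            uri = method.get("Algorithm", "")
            sig_alg = SIGNATURE_ALGORITHMS.get(uri)
            if sig_alg is None:
                errors.append(f"unsupported signature algorithm {uri}")
            elif sig_alg in WEAK_SIGNATURE_ALGORITHMS:
                warnings.append(f"{sig_alg} is accepted but uses a weak digest; prefer rsa-sha256")

        for attr in assertion.iterfind("saml2:AttributeStatement/saml2:Attribute", NS):
            name = attr.get("Name", "")
            if name == MAIL_ATTRIBUTE:
                email = attr.findtext("saml2:AttributeValue", default="", namespaces=NS).strip()
            elif name.lower() == MAIL_ATTRIBUTE.lower():
                errors.append(f"attribute {name!r} differs from {MAIL_ATTRIBUTE!r} only by case; names are case-sensitive")
        if email is None:
            errors.append(f"no {MAIL_ATTRIBUTE!r} attribute in the assertion")
        elif email != expected_email:
            errors.append(f"mail attribute {email!r} does not match the Calabrio ONE login {expected_email!r}")

    return {"ok": not errors, "signature_algorithm": sig_alg, "email": email,
            "errors": errors, "warnings": warnings}


# Constructed sample: rsa-sha256 signature, attribute named exactly "mail".
GOOD_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
  <saml2:Assertion ID="_a1" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
    </ds:SignedInfo><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml2:AttributeStatement><saml2:Attribute Name="mail">
      <saml2:AttributeValue>agent@example.test</saml2:AttributeValue>
    </saml2:Attribute></saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""

# Constructed sample: 256-bit encrypted assertion, rsa-sha1 signature, attribute "Mail" (wrong case).
BAD_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xenc="http://www.w3.org/2001/04/xmlenc#">
  <saml2:EncryptedAssertion><xenc:EncryptedData>
    <xenc:EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#aes256-cbc"/>
  </xenc:EncryptedData></saml2:EncryptedAssertion>
  <saml2:Assertion ID="_a2" Version="2.0">
    <ds:Signature><ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
    </ds:SignedInfo></ds:Signature>
    <saml2:AttributeStatement><saml2:Attribute Name="Mail">
      <saml2:AttributeValue>agent@example.test</saml2:AttributeValue>
    </saml2:Attribute></saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""
```

Call `check_saml_response(xml, "user@yourdomain")` with the decoded SAMLResponse and the address the user logs in to Calabrio ONE with; the `errors` list holds anything that will make the login fail, while `warnings` only flags algorithms the SP accepts but which rest on weak digests. If your IdP sends the address under a different attribute name, the "no 'mail' attribute" error is the cue to give that name to Calabrio Professional Services as the IMPORTANT note above describes.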

Prerequisites

You need to set up an application for Calabrio IAM (identity and access management) in your IdP. The following list contains the values required to set up this application.

  1. Assertion Consumer Service URL. After your IdP has successfully authenticated the user, it redirects the user to this URL with the SAML response. The URL varies depending on the domain name of your environment. Use the domain for your region.

    IAM Domain Names
    United States: https://id.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp
    European Union (includes Australia and the UK): https://id-eu.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp

  2. Service Provider Entity ID: calabriosp

  3. The email address must be passed in an attribute named "mail". If your IdP uses a different attribute name, see the IMPORTANT note above.

  4. If the SAML request needs to be signed, the signing certificate for it can be found in the Calabrio Identity and Access Management (IAM) Service Provider metadata for your region, listed below.

    IAM Service Provider Metadata
    United States: https://id.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo
    European Union (includes Australia and the UK): https://id-eu.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo

  5. (Optional) Service Provider initiated Sign-on URL. When a user opens this URL, the service provider, Calabrio, redirects the user to your IdP to authenticate and sign on. This is not required for most IdPs. Use the Calabrio IAM Service URL for your region, with your IdP entity ID URL-encoded in place of [IDP_ENTITY_ID_URL_ENCODED].

    IAM Service
    United States: https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]
    European Union (includes Australia and the UK): https://id-eu.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=[IDP_ENTITY_ID_URL_ENCODED]

    EXAMPLE   In this example for the United States IAM service, https://www.example.com/123 is the IdP entity ID, which becomes https%3A%2F%2Fwww.example.com%2F123 when URL-encoded:
    https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=https%3A%2F%2Fwww.example.com%2F123

  6. Assign the users or groups who need access to Calabrio ONE to this application.
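The values in steps 1 to 5 are usually handed to whoever administers the IdP, and the one that is easy to get wrong is the SP-initiated sign-on URL, where the IdP entity ID has to be fully URL-encoded (a raw https://... pasted into the query string is the usual mistake). The following Python script is an added example and is not Calabrio's code: it assembles the per-region values from this page, encodes the entity ID the way the EXAMPLE above shows, and checks a URL someone else produced for the same mistake. The region keys "us" and "eu" and the function names are this example's own choices.

```python
from urllib.parse import quote, unquote

# Calabrio IAM endpoints per region, exactly as listed on this page.
REGIONS = {
    "us": {
        "acs_url": "https://id.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp",
        "sp_metadata_url": "https://id.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo",
        "sso_init_base": "https://id.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=",
    },
    "eu": {  # European Union, which also serves Australia and the UK
        "acs_url": "https://id-eu.calabriocloud.com/am/Consumer/metaAlias/bravo/calabriosp",
        "sp_metadata_url": "https://id-eu.calabriocloud.com/am/saml2/jsp/exportmetadata.jsp?entityId=calabriosp&realm=bravo",
        "sso_init_base": "https://id-eu.calabriocloud.com/am/saml2/jsp/spSSOInit.jsp?metaAlias=/bravo/calabriosp&idpEntityID=",
    },
}
SP_ENTITY_ID = "calabriosp"
MAIL_ATTRIBUTE = "mail"


def sp_initiated_sso_url(region, idp_entity_id):
    """Build the SP-initiated sign-on URL. safe="" makes quote() encode ':' and '/'
    too, so https://www.example.com/123 becomes https%3A%2F%2Fwww.example.com%2F123."""
    return REGIONS[region]["sso_init_base"] + quote(idp_entity_id, safe="")


def idp_application_values(region, idp_entity_id):
    """All values the IdP-side application needs for one region (steps 1 to 5 above)."""
    r = REGIONS[region]
    return {
        "acs_url": r["acs_url"],
        "sp_entity_id": SP_ENTITY_ID,
        "mail_attribute": MAIL_ATTRIBUTE,
        "sp_metadata_url": r["sp_metadata_url"],
        "sp_initiated_sso_url": sp_initiated_sso_url(region, idp_entity_id),
    }


def sso_url_is_well_formed(url, region, idp_entity_id):
    """True if url is the expected SP-initiated URL for the region and its idpEntityID
    value is fully encoded and decodes back to idp_entity_id."""
    base = REGIONS[region]["sso_init_base"]
    if not url.startswith(base):
        return False
    raw_value = url[len(base):]
    # Any reserved character left in the value means the entity ID was pasted unencoded;
    # the IdP would then see a truncated or differently parsed entity ID.
    if any(c in raw_value for c in ":/?&=#"):
        return False
    return unquote(raw_value) == idp_entity_id
```

`idp_application_values("eu", "<your IdP entity ID>")` gives the complete set to hand over; `sso_url_is_well_formed(url, region, entity_id)` is the check to run on a sign-on URL that came back from the IdP team before it is published to users.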