How to Implement SSO in Leon for Your Organisation?
Security Assertion Markup Language (SAML)
SAML (Security Assertion Markup Language) is an open standard based on XML that enables the exchange of authentication and authorisation data between different domains. It is a key mechanism used to implement Single Sign-On (SSO), allowing users to log in once and gain access to multiple applications without needing to re-enter their password.
What Does SAML Consist Of?
The SAML architecture includes three main components:
Principal (User): The person attempting to access a service.
Identity Provider (IdP): The system that authenticates the user and issues the SAML assertion (e.g., Google Workspace, Microsoft Entra ID, etc.).
Service Provider (SP): The service (application) the user is trying to access, which relies on the IdP for identity verification. In our case, Leon is the Service Provider.
In the SAML process, after successful authentication the IdP sends a digitally signed “assertion” containing user information to the SP, which then grants the user access to its service.
Why use SSO with SAML?
Implementing SAML for SSO brings several benefits to an organisation:
Better User Experience (UX): Users log in only once, eliminating the need to remember multiple passwords.
Increased Security: Passwords are centrally managed by the IdP, reducing the risk associated with phishing. It allows easy enforcement of Multi-Factor Authentication (MFA) in one place.
Simplified Access Management: Streamlines onboarding and offboarding by granting and revoking access centrally within the IdP.
Compliance and Audit: Centralised login management facilitates monitoring and auditing user access to systems.
Why is it Worth Implementing SAML/SSO?
Implementing SSO based on SAML is a standard for security and efficiency. It is worth doing because:
Minimises Risk: Centralised authentication drastically lowers the risk associated with weak passwords and human errors.
Saves Time and Cost: Reduces the number of IT helpdesk tickets related to password resets.
Scalability: It is a scalable solution that integrates easily with new applications as the organisation grows.
How to Enable a SAML Connection?
The process of enabling a SAML connection involves configuration steps on both the Identity Provider (IdP) side (e.g., Microsoft Entra ID or Google Workspace) and the Service Provider (SP) side (Leon).
IMPORTANT: Using SAML SSO is only possible for users with a company e-mail address set up as a work email address in Leon.
1. Configuration Examples (Identity Providers - IdP)
Below is an outline of the steps required to configure a connection using Microsoft Entra ID (formerly Azure AD) and Google Workspace as the Identity Providers.
SAML Configuration using Microsoft Entra ID (IdP)
Microsoft Entra ID is a common IdP for many organisations.
Create a New Enterprise Application:
In the Microsoft Entra admin centre, navigate to Enterprise applications.
Click New application and then Create your own application.
Enter the application name, for example, Leon SAML.
Select Integrate any other application you don’t find in the gallery (Non-gallery).
Set up Single Sign-On (SSO):
Go to the new application’s management page and select Single sign-on.
Choose SAML as the SSO method.
Basic SAML Configuration:
Enter the details obtained from Leon (SP):
Identifier (Entity ID): The Entity ID provided by Leon.
Reply URL (Assertion Consumer Service URL): The ACS URL provided by Leon.
User Attributes & Claims:
Set up the attribute mapping. Leon currently supports the attributes firstName, lastName, code and role. The role attribute is not required, because the “Default role for new users” can be configured on Leon’s side.
SAML Signing Certificate:
Download the Federation Metadata XML file and upload it to Leon.
Assign Users/Groups:
In the application’s Users and groups section, assign the users or groups that should have access to Leon via SSO.
SAML Configuration using Google Workspace (IdP)
Google Workspace is another popular choice for organisations.
Add a SAML App:
In the Google Admin console, navigate to Apps > Web and mobile apps.
Click Add App and select Add custom SAML app.
App Details:
Provide a name (e.g., “Leon SSO”) and an icon.
Google Identity Provider Details:
On the next screen, you will see the IdP information. Click on “download metadata” to download the IdP Metadata XML file. This data will be required when configuring SAML in Leon.
Service Provider Details:
Enter the details obtained from Leon (SP):
ACS URL: The ACS URL provided by Leon.
Entity ID: The Entity ID provided by Leon.
Check the box to sign the response.
Attribute Mapping:
Define which Google user attributes correspond to the SAML attributes Leon expects, e.g. map First Name (on the Google directory attributes side) to firstName (on the app attributes side).
Leon currently supports the attributes firstName, lastName, code and role. The role attribute is not required, because the “Default role for new users” can be configured on Leon’s side.
2. Configuration in Leon (Service Provider - SP)
In Leon, SAML Single Sign-On (SSO) can be enabled in Settings > General Settings > Security.
In the “Single sign-on settings” section, check the “Enable SSO” box.
In the expanded section, select “SAML” from the “SSO Provider” drop-down list.
Configure the “SAML settings”:
SAML Provider: Select the Identity Provider (IdP) used in your organisation.
Default role for new users: Choose the default role (privileges group) that will be automatically assigned to users who create their Leon account via SAML SSO.
Default homebase: Set the default homebase for new accounts created using SAML SSO.
Source of IdP SAML metadata: Upload the XML file containing the IdP metadata.
How does it work?
Test it
Once SAML has been configured, the Leon login page will show your SAML provider’s logo and a “Login with…” option, which lets you log in using SAML SSO. Use it now to verify that the configuration is correct. The option is available in both the web application and the mobile application.
When a user who already holds a Leon account attempts to log in using SAML, they will be logged into the Leon account linked to the SAML identity.
Should a user without a Leon account try to log in for the first time, their account will be created based on the identity provided by the IdP, as well as the default parameters set within Leon - SAML settings.
By default, a new user whose account was created via SAML cannot log in until an administrator has approved them. To let new users log in immediately after their account is created, tick the “Allow Login for New Users” box.
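To make the account-creation rules above concrete, here is a small added example (not Leon’s own code) in Python that models what the Service Provider does after a successful SAML login: it reads the supported attributes from the assertion, falls back to the configured default role and homebase when needed, and applies the approval rule. The settings dictionary, the matching of accounts by work e-mail address and the company-domain check are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the relevant part of a SAML assertion as an IdP might send
# it to Leon. Attribute names follow the mapping described on this page.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>jane.doe@example.com</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastName"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="code"><saml:AttributeValue>JDO</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUPPORTED = ("firstName", "lastName", "code", "role")  # attributes Leon understands

def parse_attributes(assertion_xml):
    """Return (NameID, {attribute: value}), keeping only the supported attributes."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        if name in SUPPORTED:
            attrs[name] = attr.findtext("saml:AttributeValue", namespaces=NS)
    return name_id, attrs

def provision(assertion_xml, settings, existing_accounts):
    """Decide what the SP does with a successful SAML login (hypothetical model).
    settings: dict mirroring the SAML settings described on this page.
    existing_accounts: {work_email: account} already linked in the SP."""
    email, attrs = parse_attributes(assertion_xml)
    domain = email.rsplit("@", 1)[-1].lower()
    if domain not in settings["company_domains"]:  # only company work e-mails may use SSO
        return {"action": "reject", "reason": "not a company work e-mail address"}
    if email in existing_accounts:  # existing account: log into the linked account
        return {"action": "login", "account": existing_accounts[email]}
    account = {
        "email": email,
        "firstName": attrs.get("firstName"),
        "lastName": attrs.get("lastName"),
        "code": attrs.get("code"),
        # the role attribute is optional; fall back to the configured default role
        "role": attrs.get("role", settings["default_role"]),
        "homebase": settings["default_homebase"],
        # new accounts need admin approval unless "Allow Login for New Users" is set
        "approved": settings["allow_login_for_new_users"],
    }
    return {"action": "create", "account": account, "can_login_now": account["approved"]}
```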
Force it
Once the test is successfully completed, you can begin using SAML in Leon for your organisation. To enhance the level of security, you can mandate the use of SAML for all your users. To do this, simply visit the Security settings in Leon, and tick the “Disable login and password access” box. From that point onwards, all your users will be obliged to use SAML SSO.
Handle non-standard cases
While SAML is the most secure and the recommended method for logging into Leon, in some instances, you might be unable to compel some users to utilise it. For example, having certain users from outside your organisation (such as freelancers, etc.) may preclude them from logging in using your SAML IdP. To resolve this issue, you can navigate to Settings > Users, locate the user unable to use SAML, open their profile to edit it, and proceed to the “Admin” tab. Within this tab, tick the “Enable login and password authentication” checkbox. Subsequently, the user will be able to log into Leon the ‘traditional’ way, with a username and a password. If such situations are present in your organisation, consider mandating the use of 2FA for all your users, to enhance your security level.
Maintain your SAML configuration
Periodically review your SAML configuration and adjust it to your organisation’s needs. Remember to change the certificate to a new one before it expires.