Microsoft ADFS
Updated over 2 months ago

SSO integration guide

⚠️ Access to the SSO configuration requires specific permissions (company manager rights in Javelo).

In order to configure SSO, you need to follow these steps:

  1. Go to "Settings" (⚙️ icon) in the upper right corner of your Javelo account

  2. Select “SSO” from the navigation menu under the Company section.

    Here you have all available SSO integrations, and more specifically Microsoft ADFS:

  3. Find Microsoft ADFS panel and click "Configure" to open the configuration modal:


Configuration order

Because of requirements on both the ADFS and Javelo sides, it is best to follow the specific order described below:

  1. Define the provider value in Javelo modal configuration

  2. Start the configuration of Identity provider on ADFS side

  3. Use technical information at the bottom of Javelo modal configuration to fill mandatory information on Azure side.

  4. Ensure the attribute mapping on the Javelo and ADFS sides matches (the default values are compatible).

  5. Finish the Javelo SAML V2 service provider by setting the identity provider entity ID and metadata URL you will get on ADFS side.

  6. Test the metadata URL with the button on Javelo modal configuration

  7. Enable ADFS SSO in Javelo

  8. Test the connection from ADFS

Configuration of Javelo Service Provider

Here is a description of the configuration of your SAML service provider in Javelo. Please follow the instructions below. You will then be able to get any information you need to configure the identity provider.


Provider

As stated above, the first step of the SSO configuration is to choose the name of the provider.

Javelo generates unique dedicated endpoints for your identity provider integration.

The name you choose will be the base for these endpoints. Please ensure it only contains letters, numbers, underscores or hyphens. Example:

  • my-company_1 ✅

  • @my#organization_ ❌

⚠️ You should fill in this value first, because some identity provider configuration elements depend on it.

Entity ID

Once you have proceeded with the configuration of the identity provider on the ADFS side, you will be able to fill in the value for this field on the Javelo side.

The entity ID of the identity provider has the following format:

  • http://[your-adfs-domain]/adfs/services/trust

It is required so that Javelo can fetch the metadata and select the appropriate settings.

Metadata URL

After completing the configuration on the Microsoft ADFS side, you can enter the metadata URL of the identity provider.

Javelo relies heavily on the identity provider metadata to configure the service provider.

A valid URL is mandatory. The format of the provided URL is automatically tested by the form. A red message will appear below the field to inform you if the URL is invalid.

The metadata URL of the ADFS identity provider has the following format:

  • https://[your-adfs-domain]/FederationMetadata/2007-06/FederationMetadata.xml

This metadata is refreshed automatically on a regular basis.

Requests attributes

Three pieces of information are required during a SAML authentication process on Javelo:

  • The user email

  • The user first name

  • The user last name

Users may be created through SAML, and this is the minimal payload that can be used for that purpose.

These elements must appear as Attribute elements inside the assertion request. For example:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>DUPOND</AttributeValue>
</Attribute>

Here is the configuration of these attributes for Javelo:

💡 Default values on ADFS are compatible with Javelo service provider SAML V2 attributes configuration.

If you have a custom implementation on the ADFS side, check the documentation and the configuration of your identity provider to make sure all three attributes are sent, and to find their names and formats.

Options

Force usage

The Force usage parameter will change the behaviour of the authentication process. If chosen, users are directly redirected to the SSO authentication page once the company is selected (through its subdomain or an email).

❗ Use this option only if you are certain that all users are allowed to use your SSO.

Test mode

This option lets you set up the SSO configuration without any impact on the authentication process. Users are not exposed to SAML V2 authentication, but it is available on a single, specific URL:

  • https://${SUBDOMAIN}.javelo.io/auth/login?provider=${PROVIDER} (see below to find that information).

You will be able to try your configuration, and make corrections if required.

We recommend using this option for the first configuration of your SSO. Once you have made sure your SSO is correctly configured, you can deactivate the Test mode by deselecting this option.

Allow user creation from SSO

This option enables or disables the creation of new users from a connection made via SSO.

If the user does not already exist, it is created.

We recommend disabling this option if you are also using a synchronization, to avoid the creation of unwanted accounts or duplicates with different email addresses linked to the same user.


Configuration of Identity provider

Here is the information you may need to configure the SAML V2 identity provider, and what you may need to test.

  • Javelo Callback URL: SAML assertion service provider endpoint

  • Javelo Entity ID: service provider entity ID

  • Javelo Metadata URL: service provider metadata endpoint

  • Javelo Test URL: link to access the SAML identity provider in test mode

On ADFS, you have to create an enterprise application, or use an existing one:

You must add a Relying Party Trust in your ADFS Management console. You can refer to the official documentation while reading the items below. At the step of adding a Relying Party Trust, choose “Claims aware”.

Then, on the Select Data Source screen, choose the option "Import data about the relying party published online or on a local network" and enter the Javelo Metadata URL.

The rest of the configuration should auto-populate from the information found at that URL. In the last step, “Finish”, check the box to configure the claims rules. You arrive on the following screen:

First, add a "Send LDAP Attributes as Claims" type rule:

On the next screen, use the Active Directory attribute store to configure request attributes XXXXXX mapping.

Also add the Given Name and Surname attributes in the same way.

Create another rule by clicking on “Add rule”, but this time select “Transform an Incoming Claim” as template:

On the next screen:

  1. Select Email-Address as the Incoming Claim Type.

  2. For Outgoing Claim Type, select Name ID.

  3. For Outgoing Name ID Format, select Email.

Keep the default, Pass through all claim values.

You should now be ready to test single sign-on!

Metadata refresh

Once the configuration is created, you can manually refresh the identity provider metadata on the Javelo service provider. This is useful, for instance, after a change to the identity provider certificate.
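As an added example (not Javelo's code), the following script inspects an ADFS FederationMetadata.xml document of the kind the Metadata URL returns: it checks that its entityID matches the value configured in Javelo and fingerprints the IdP signing certificate, so a certificate rotation (the case where a manual metadata refresh is needed) can be spotted by comparing two fetches. The metadata document and the certificate bytes are constructed placeholders; the host adfs.example.com is an assumption.

```python
"""Inspect ADFS FederationMetadata.xml before (re)pointing Javelo at it.
Added example, not Javelo's code: compares the entityID with the value
configured in Javelo and fingerprints the signing certificate so a rotation
(which calls for a manual metadata refresh on the Javelo side) is visible."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

def parse_idp_metadata(metadata_xml: str) -> dict:
    """Return the entityID, SSO endpoints by binding and SHA-256 fingerprints
    of the signing certificates found in the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: not identity provider metadata")
    info = {"entity_id": root.get("entityID"), "sso": {}, "signing_fingerprints": []}
    for sso in idp.iterfind("md:SingleSignOnService", NS):
        info["sso"][sso.get("Binding")] = sso.get("Location")
    for kd in idp.iterfind("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no "use" means signing and encryption
            continue
        b64 = kd.findtext(".//ds:X509Certificate", default="", namespaces=NS)
        der = base64.b64decode("".join(b64.split()))  # metadata wraps the base64 text
        info["signing_fingerprints"].append(hashlib.sha256(der).hexdigest())
    return info

def entity_id_matches(metadata_xml: str, configured_entity_id: str) -> bool:
    """True when the metadata belongs to the entity ID entered in Javelo."""
    return parse_idp_metadata(metadata_xml)["entity_id"] == configured_entity_id

def signing_cert_rotated(old_xml: str, new_xml: str) -> bool:
    """True when the signing certificate set changed between two fetches."""
    old = set(parse_idp_metadata(old_xml)["signing_fingerprints"])
    return old != set(parse_idp_metadata(new_xml)["signing_fingerprints"])

def make_sample_metadata(cert_der: bytes) -> str:
    """Constructed minimal ADFS-style metadata; cert_der is a placeholder, not a real cert."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfs.example.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#"><X509Data>
      <X509Certificate>{cert_b64}</X509Certificate></X509Data></KeyInfo></KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://adfs.example.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

SAMPLE_METADATA = make_sample_metadata(b"constructed placeholder, not a certificate")
```

Against a real ADFS, fetch the document from https://[your-adfs-domain]/FederationMetadata/2007-06/FederationMetadata.xml and pass its text to parse_idp_metadata; keep the previous fingerprint list to detect a rotation.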


Important information 

There are a few points to keep in mind with the SAML V2 SSO integration on Javelo:

  • The SSO is mono-tenant

An SSO configuration may only be used to authenticate users for a single Javelo organization. If you have several organizations on the Javelo platform, you need a distinct SSO configuration for each.

  • There is one SSO configuration allowed per organization

Javelo does not currently support more than one SAML V2 SSO configuration per organization.


Troubleshooting FAQ

  • email not found in request

This error means the attribute configuration for the email is not correct: the “Email” attribute is missing from the SAML assertion request.

  • name not found in request

This error means the attribute configuration for the first name is not correct: the “Name” attribute is missing from the SAML assertion request.

  • last_name not found in request

This error means the attribute configuration for the last name is not correct: the “Last name” attribute is missing from the SAML assertion request.

  • your account has been deactivated

The user has been deactivated on Javelo. Authentication is impossible.
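As an added example that is not part of the original article, this script applies the attribute requirements from the "Requests attributes" section and reports the three "not found in request" errors listed above. It assumes the default ADFS claim URIs for email, given name and surname (the article only shows the ".../claims/name" URI) and uses a constructed, unsigned sample assertion; in production the assertion signature must be verified before any attribute is trusted.

```python
"""Check that a SAML assertion carries the attributes Javelo requires.
Added example, not Javelo's code. Assumes the default ADFS claim URIs for
email, given name and surname (the page only shows the ".../claims/name" URI)
and reproduces the error strings listed in the troubleshooting FAQ."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Assumed mapping from Javelo's required fields to the ADFS default claim URIs.
REQUIRED = {
    "email": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
    "name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
    "last_name": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname",
}

def extract_attributes(assertion_xml: str) -> dict:
    """Return {claim_uri: [values]} for every Attribute in the assertion."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text or "" for v in attr.iterfind("saml:AttributeValue", NS)]
    return attrs

def check_required(assertion_xml: str) -> list:
    """Return FAQ-style errors; an empty list means the payload can create a user."""
    attrs = extract_attributes(assertion_xml)
    return [f"{field} not found in request" for field, uri in REQUIRED.items()
            if not any(v.strip() for v in attrs.get(uri, []))]

def nameid_is_email(assertion_xml: str) -> bool:
    """True when the Subject NameID uses the Email format set by the transform rule."""
    nameid = ET.fromstring(assertion_xml).find(".//saml:Subject/saml:NameID", NS)
    return nameid is not None and nameid.get("Format") == EMAIL_NAMEID

# Constructed sample: NameID and surname present, email and given name missing.
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">j.dupond@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname">
      <saml:AttributeValue>DUPOND</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

if __name__ == "__main__":
    print(check_required(SAMPLE))  # ['email not found in request', 'name not found in request']
```

Paste the decoded assertion from a test-mode login (the Javelo Test URL) into SAMPLE to see which of the three claims your ADFS rules are not sending.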


Lexicon

  • Identity provider ⇒ The tool or service you use (KeyCloak for instance)

  • Service provider ⇒ the SAML V2 Javelo side

  • Assertion request ⇒ HTTP request from the identity provider to the Javelo service provider, sent after a successful authentication. It contains all attributes of the authenticated user.
