SSO integration guide
⚠️ Access to the SSO configuration requires specific permissions (company manager rights in Javelo).
In order to configure SSO, you need to follow these steps:
Go to "Settings" (⚙️ icon) in the upper right corner of your Javelo account.
Select “SSO” from the navigation menu under the Company section.
Here you will find all available SSO integrations, in particular Azure Active Directory:
Find the Azure Active Directory panel and click "Configure" to open the configuration modal:
Configuration order
Because of dependencies between the Azure and Javelo sides, it is best to follow the order described below:
Define the Provider value in the Javelo configuration modal.
Start the identity provider configuration on the Azure side.
Use the technical information at the bottom of the Javelo configuration modal to fill in the mandatory fields on the Azure side.
Ensure the attribute mapping on the Javelo and Azure sides match (the default values are compatible).
Finish the Javelo SAML V2 service provider configuration by entering the identity provider Entity ID and Metadata URL you get from the Azure side.
Test the Metadata URL with the button in the Javelo configuration modal.
Enable Azure SSO in Javelo.
Test the connection from Azure.
Configuration of Javelo Service Provider
Here is a description of the configuration of your SAML service provider in Javelo. Please follow the instructions below. You will then be able to get all the information you need to configure the identity provider.
Provider
As stated above, the first step of the SSO configuration is to choose the Provider name.
Javelo generates unique, dedicated endpoints for your identity provider integration.
The name you choose is the base of these endpoints. Make sure it only contains letters, numbers, underscores or hyphens. Example:
my-company_1 ✅
@my#organization_ ❌
⚠️ Fill in this value first, because several identity provider configuration elements (the callback URL in particular) depend on it.
Entity ID
Once you have completed the configuration on the Azure side, fill in the Entity ID of the identity provider. Javelo needs it when it fetches the metadata, to select the appropriate settings. It must be the identifier of the Azure side (the "Azure AD Identifier" of the enterprise application), not the Javelo service provider entity ID https://api.teamrise.io.
Metadata URL
Once you have completed the configuration on the Azure side, fill in the Metadata URL of the identity provider.
Javelo relies heavily on the identity provider metadata to configure the service provider: the identity provider endpoints and signing certificate are taken from it, and it is refreshed automatically at regular intervals.
👉🏻 A valid URL is mandatory. The format of the URL is checked automatically by the form; a red message appears below the field if the URL is invalid.
Requests attributes
👉🏻 Three pieces of information are required during a SAML authentication process on Javelo:
The user email
The user first name
The user last name
Users may be created through SAML, and these three attributes are the minimal payload required for that purpose.
They must appear as `Attribute` elements of the assertion sent by the identity provider. For example:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>DUPOND</AttributeValue>
</Attribute>
Here is the configuration of these attributes for Javelo:
💡 Default values on Azure are compatible with Javelo service provider SAML V2 attributes configuration.
In case of a custom implementation on the Azure side, check the documentation and the configuration of your identity provider to make sure all three attributes are sent, and to get their exact name and format.
Options
Force usage
The Force usage option changes the behaviour of the authentication process. When enabled, users are redirected directly to the SSO authentication page once the company is selected (through its subdomain or an email address).
❗ Enable this option only if you are certain that all users are allowed to use your SSO: a user who cannot authenticate with the identity provider will no longer be able to log in.
Test mode
This option lets you set up the SSO configuration without any impact on the authentication process. Users are not exposed to SAML V2 authentication; it is only available on a single, dedicated URL:
https://${SUBDOMAIN}.javelo.io/auth/login?provider=${PROVIDER} (see below to find these values).
You can then try your configuration and make corrections if required.
We recommend using this option for the first configuration of your SSO. Once you have verified that the SSO is correctly configured, deactivate Test mode by deselecting this option.
Allow user creation from SSO
This option enables or disables the creation of new users from a connection made via SSO.
If the user does not already exist, it is created from the attributes of the assertion.
We recommend disabling this option if you also use a user synchronization, to avoid creating unwanted accounts, or duplicates when different email addresses are linked to the same user.
Multi-environment mode
This option allows one Azure AD tenant to be used for multiple environments, with a different Azure AD application for each environment. Azure requires a distinct service provider identifier per application, so when this option is enabled the Javelo Entity ID changes to a value derived from the Provider value you entered, which makes it unique to that environment.
Configuration of Identity provider
Here is the information you need to configure the SAML V2 identity provider, and to test it:
Javelo Callback URL: the SAML assertion consumer service endpoint of the service provider
Javelo Entity ID: the service provider entity ID
Javelo Metadata URL: the service provider metadata endpoint
Javelo Test URL: link to start an authentication with the SAML identity provider while Test mode is enabled
In Azure, create an enterprise application or use an existing one:
Then choose SAML V2 as the single sign-on method.
You will find four configuration cards. In the first one, set the service provider entity ID and the callback URL (assertion consumer service) shown in the Javelo configuration modal:
⚠️ Make sure the Provider value is set in the Javelo configuration beforehand: the assertion consumer service URL is derived from it.
The second card holds the request attribute mapping configuration:
If you use the default mapping values, you should not need to change anything here.
In the third and fourth cards, you will find the general information needed to configure the Javelo service provider:
The "Azure AD Identifier" is the identity provider entity ID (enter this value as Entity ID in Javelo), and the "App Federation Metadata Url" is the identity provider Metadata URL (enter this value as Metadata URL in Javelo).
Metadata refresh
Once the configuration is created, you can manually trigger a refresh of the identity provider metadata in the Javelo service provider. This is useful after a change on the identity provider side, for instance a signing certificate rotation: a service provider can only verify assertions signed with a certificate it knows from the metadata, so logins fail until the metadata is refreshed.
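To make the checks behind the Entity ID and Metadata URL fields concrete, and to show what a refresh after a certificate change is protecting against, here is an added example (not Javelo's code; the page does not publish Javelo's own metadata handling) that parses identity provider metadata with the Python standard library. It selects the EntityDescriptor by the entity ID you intend to enter in Javelo, rejects a mismatch such as the service provider entity ID typed by mistake, reads the HTTP-Redirect SSO endpoint, and fingerprints the signing certificate so that a rotation on the identity provider side can be detected. The sample metadata, tenant ID and certificate body are constructed placeholders, not captured from Azure.

```python
"""Check identity provider SAML metadata against the Entity ID to be configured
in Javelo, and fingerprint the signing certificate so that a rotation on the
identity provider side (which calls for a metadata refresh in Javelo) is noticed.
Added example, not Javelo's code; standard library only.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.request import urlopen

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample in the shape of Azure AD "App Federation Metadata":
# placeholder tenant ID and a fake certificate body (not a real X.509 DER).
FAKE_CERT_DER = b"constructed-placeholder-not-a-real-certificate"
SAMPLE_IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"
SAMPLE_METADATA = f"""<?xml version="1.0" encoding="utf-8"?>
<EntityDescriptor xmlns="{NS['md']}" entityID="{SAMPLE_IDP_ENTITY_ID}">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{NS['ds']}">
        <X509Data><X509Certificate>{base64.b64encode(FAKE_CERT_DER).decode()}</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="{REDIRECT_BINDING}"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
"""


def select_idp(metadata_xml: str, expected_entity_id: str) -> ET.Element:
    """Return the EntityDescriptor whose entityID matches the value configured in
    Javelo. Handles a lone EntityDescriptor as well as an EntitiesDescriptor
    container, and fails loudly on a mismatch (e.g. the Javelo SP entity ID
    https://api.teamrise.io typed into the identity provider Entity ID field)."""
    root = ET.fromstring(metadata_xml)
    if root.tag == f"{{{NS['md']}}}EntityDescriptor":
        candidates = [root]
    else:
        candidates = root.findall("md:EntityDescriptor", NS)
    for entity in candidates:
        if entity.get("entityID") == expected_entity_id:
            return entity
    found = [e.get("entityID") for e in candidates]
    raise ValueError(f"entity ID {expected_entity_id!r} not in metadata; found {found}")


def idp_settings(entity: ET.Element) -> dict:
    """Extract what a service provider takes from the metadata: the HTTP-Redirect
    SSO URL and the SHA-256 fingerprints of the signing certificates."""
    idp = entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this metadata does not describe an identity provider")
    sso_url = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT_BINDING:
            sso_url = svc.get("Location")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if not fingerprints:
        raise ValueError("no signing certificate in metadata: assertions could not be verified")
    return {"entity_id": entity.get("entityID"), "sso_url": sso_url,
            "signing_cert_sha256": fingerprints}


def check_metadata(metadata_xml: str, expected_entity_id: str, known_fingerprints=()) -> dict:
    """Select the IdP by entity ID, extract its settings and flag a certificate
    rotation: none of the fingerprints recorded at the previous check is still
    published, so the service provider must refresh its metadata."""
    settings = idp_settings(select_idp(metadata_xml, expected_entity_id))
    current = set(settings["signing_cert_sha256"])
    settings["rotated"] = bool(known_fingerprints) and not (set(known_fingerprints) & current)
    return settings


def fetch_metadata(url: str) -> str:
    """Download live metadata (the Azure "App Federation Metadata Url")."""
    if not url.startswith("https://"):
        raise ValueError("metadata URL must use https: it is the root of trust for the signing certificate")
    with urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print(check_metadata(SAMPLE_METADATA, SAMPLE_IDP_ENTITY_ID))
```

Against a real tenant, pass the output of `fetch_metadata(<App Federation Metadata Url>)` in place of `SAMPLE_METADATA`, and keep the fingerprint from the previous run as `known_fingerprints`: when `rotated` comes back true, trigger the manual metadata refresh in Javelo before users are affected.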
Important information
There are a few points to keep in mind with the SAML V2 SSO integration on Javelo:
The SSO is mono-tenant
An SSO configuration may only be used to authenticate users of a single Javelo organization. If you have several organizations on the Javelo platform, you need a distinct SSO configuration for each of them.
There is one SSO configuration allowed per organization
Javelo does not currently support more than one SAML V2 SSO configuration per organization.
Troubleshooting FAQ
Email not found in request
This error means the attribute mapping for the email is incorrect: the "Email" attribute is missing from the SAML assertion.
Name not found in request
This error means the attribute mapping for the first name is incorrect: the "Name" attribute is missing from the SAML assertion.
last_name not found in request
This error means the attribute mapping for the last name is incorrect: the "Last name" attribute is missing from the SAML assertion.
Your account has been deactivated
The user has been deactivated on Javelo. Authentication is impossible.
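The attribute extraction described in the Requests attributes section, together with the three "not found in request" errors above, as an added example that is not Javelo's code: it parses a SAML response with the Python standard library, checks that the assertion was issued for the expected service provider entity ID, and collects the email, first name and last name, raising the same message as the FAQ when one is missing. The claim names in `ATTRIBUTE_MAP` are an assumption (the Azure AD default claim URIs, which the page says are compatible with Javelo's defaults); check them against the names shown in your Javelo configuration modal. The sample response and user are constructed, and signature verification is deliberately left to the SP library, where it must run before any attribute is trusted.

```python
"""Extract the three attributes Javelo requires (email, first name, last name)
from a SAML response, raising the "... not found in request" errors of the
troubleshooting FAQ when one is missing. Added example, not Javelo's code;
standard library only. The attribute names are an assumption (Azure AD default
claims). Signature verification is out of scope and must precede any trust
in these attributes.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
# Javelo field -> attribute Name expected in the assertion (assumption: Azure defaults;
# compare with the names shown in the Javelo configuration modal for your tenant).
ATTRIBUTE_MAP = {
    "Email": CLAIMS + "emailaddress",
    "Name": CLAIMS + "givenname",
    "last_name": CLAIMS + "surname",
}
SP_ENTITY_ID = "https://api.teamrise.io"  # Javelo Entity ID in single-environment mode


class AttributeMissing(ValueError):
    """Raised with the exact message Javelo shows for a missing attribute."""


def decode_saml_response(form_value: str) -> str:
    """The identity provider POSTs the response base64-encoded in the SAMLResponse field."""
    return base64.b64decode(form_value).decode("utf-8")


def encode_saml_response(response_xml: str) -> str:
    """Inverse of decode_saml_response, used to build a form value for testing."""
    return base64.b64encode(response_xml.encode("utf-8")).decode("ascii")


def extract_user(response_xml: str, audience: str = SP_ENTITY_ID) -> dict:
    """Return {"Email", "Name", "last_name"} from the assertion, or raise."""
    root = ET.fromstring(response_xml)
    assertion = root if root.tag == f"{{{NS['saml']}}}Assertion" else root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion element in the SAML response")
    # Refuse an assertion issued for another service provider or environment
    # (in multi-environment mode each environment has its own Javelo Entity ID).
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and audience not in audiences:
        raise ValueError(f"assertion audience {audiences} does not include {audience}")
    present = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text for v in attr.findall("saml:AttributeValue", NS) if v.text]
        if values:
            present[attr.get("Name")] = values[0]
    user = {}
    for field, name in ATTRIBUTE_MAP.items():
        if name not in present:
            raise AttributeMissing(f"{field} not found in request")
        user[field] = present[name]
    return user


def sample_response(attributes: dict, audience: str = SP_ENTITY_ID) -> str:
    """Constructed, unsigned SAML response for demonstration (not captured from Azure)."""
    attrs = "".join(
        f'<saml:Attribute Name="{name}"><saml:AttributeValue>{value}</saml:AttributeValue></saml:Attribute>'
        for name, value in attributes.items())
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Conditions><saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
    <saml:AttributeStatement>{attrs}</saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed attribute set for a fictitious user.
FULL_ATTRIBUTES = {
    CLAIMS + "emailaddress": "jean.dupond@example.com",
    CLAIMS + "givenname": "Jean",
    CLAIMS + "surname": "DUPOND",
}

if __name__ == "__main__":
    print(extract_user(sample_response(FULL_ATTRIBUTES)))
    try:
        extract_user(sample_response({k: v for k, v in FULL_ATTRIBUTES.items() if "surname" not in k}))
    except AttributeMissing as err:
        print(err)
```

To troubleshoot a real login, capture the `SAMLResponse` form value the browser posts to the Javelo callback URL (browser developer tools, network tab), run it through `decode_saml_response` and then `extract_user`; the error raised names the field whose mapping is wrong on the Azure side.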
Lexicon
Identity provider ⇒ The tool or service you use to authenticate your users (Keycloak or Azure AD, for instance)
Service provider ⇒ The SAML V2 Javelo side
Assertion request ⇒ The HTTP POST request the identity provider sends to the Javelo service provider (callback URL) after a successful authentication. It carries the SAML response and its assertion, which contains the attributes of the authenticated user.