SSO integration guide
⚠️ Access to the SSO configuration requires specific permissions (company manager rights in Javelo).
In order to configure SSO, you need to follow these steps:
Go to "Settings" (⚙️ icon) in the upper right corner of your Javelo account.
Select “SSO” from the navigation menu under the Company section.
Here you have all available SSO integrations, and more specifically OneLogin:
Find OneLogin panel and click "Configure" to open the configuration modal:
Configuration order
Due to some requirement on OneLogin and Javelo side, it’s best to follow a specific order described here below :
Define the provider value on Javelo modal configuration
Start the configuration of Identity provider on OneLogin side
Use technical information on the bottom of Javelo modal configuration to fill mandatory information on OneLogin.
Ensure the attribute mapping on Javelo and OneLogin side matches.
Finish the Javelo SAML V2 service provider by setting the identity provider entity ID and metadata URL you will get on OneLogin side.
Test the metadata URL with the button on Javelo modal configuration
Enable OneLogin SSO on Javelo
Test the connection from OneLogin
Configuration of Javelo Service Provider
Here is a description for the configuration of your SAML service provider in Javelo. Please follow the instruction below. You will be then able to get any information you need to configure the Identity provider.
Provider
As stipulated here above, the first step of the SSO configuration is to choose the name of Provider.
Javelo generates unique dedicated endpoints for your identity provider integration.
The name you will choose will be the base for these endpoints. Please ensure it only contains letters, number, underscore or hyphen.
Example:
my-company_1 ✅
@my#organization_ ❌
⚠️ You should fill this value first, because some Identity provider configuration element are dependent.
Entity ID
Once you have completed the configuration on OneLogin side, you can proceed with filling the value of Entity ID of the Identity provider. It is required when Javelo will fetch metadata to select the appropriate settings. It should be the identifier of the OneLogin side, not https://api.teamrise.io.
Metadata URL
Once you have completed the configuration on Azure side, you can proceed with filling the value of Metadata URL of the identity provider.
Javelo relies highly on identity provider metadata to configure the services provider. These metadata are frequently automatically refreshed.
👉🏻 A valid URL is mandatory. The format of the provided URL is automatically tested by the form. A red message will appear below the field to inform you if the URL is invalid.
Configuration of Identity provider in OneLogin
Here is the information you may need to configure the SAML V2 identity provider, and what you may need to test.
Javelo Callback URL : SAML Assertion service provider endpoint
Javelo Entity ID : service provider entity ID
Javelo Metadata URL : service provider metadata endpoint
Javelo Test URL : link to access The SAML identity provider in test mode
In OneLogin:
Go to applications → Add App
Search for saml test connector
And name your new app Javelo
Configuration
Follow the image here below to configure your App
You will need to use the URLs that are found on the configuration modal.
Audience ⇒ fill with Javelo Entity ID value
Recipient & ACS URL ⇒ fill with Javelo Callback URL
Fill Login URL with [
https://app.javelo.io/auth/login?provider=](<https://app.javelo.io/auth/login?provider=>)<*Provider>👉🏻❗Replace<*Provider>with the value that you have entered as Provider on Javelo configuration modal.
Adding the necessary parameters
Requests attributes
👉🏻 Three pieces of information are required during a SAML authentication process on Javelo :
The user email
The user first name
The user last name
Users may be created through SAML, and this is the very minimal payload that may be used in that purposed.
These elements must appear as an Attribute elements of the assertion request. For example:
<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
<AttributeValue>DUPOND</AttributeValue>
</Attribute>
Infos for the parameters configuration OneLogin
Field name | Column | Format |
urn:oasis:names:tc:SAML:2.0:attrname-format:uri | ||
First Name | urn:oasis:names:tc:SAML:2.0:attrname-format:uri | |
Last Name | urn:oasis:names:tc:SAML:2.0:attrname-format:uri |
To add those parameters:
Go to "Parameters" on the left panel and click on the "plus" icon
Fill the field name
Don't forget to check "Include in SAML assertion"
Search for the value in the dropdown and save
❗ ⚠️ Repeat the same for the 2 other parameters
Set up SSO
Go to SSO on the left panel in OneLogin
Set the SAML Signature Algorithm to SHA-256
Don’t forget to save your configuration
Fill in the Onelogin SSO modal in Javelo
👉🏻 Copy and paste Issuer URL from the previous screenshot for both Entity ID and Metadata URL in Javelo configuration modal.
Options
Force usage
Force usage parameter will change the behavior of the authentication process. If chosen, users are directly redirected to the SSO authentication page once the company is selected (through it’s subdomain or an email).
❗ Beware to use this option only if you are certain that all users are allowed to use your SSO.
Test mode
This option allows to setup the SSO configuration without any impact on the authentication process. Users will not be exposed to SAML V2 authentication, but it is available on a single, specific URL :
https://${SUBDOMAIN}.javelo.io/auth/login?provider=${PROVIDER}, see below to find that information.
You will be able to try your configuration, and make corrections if required.
We recommend using this option for the first configuration of your SSO. Once you have made sure your SSO is correctly configured, you can deactivate the Test mode by deselecting this option.
Allow user creation from SSO
This option allows to enable/disable the creation of new users from a connection done via SSO.
If the user does not already exist, it is created.
We recommend disabling this option if you are also using a synchronization in order to avoid creation of unwanted accounts or duplicates with different email addresses linked to the same user.
Important information
There are few points to keep in mind with Saml V2 SSO integration on Javelo:
The SSO is mono-tenant
An SSO configuration may only be used to authenticate users for the same Javelo organization. If you have many organizations on the Javelo platform, you should have distinct SSO configurations for each.
There is one SSO configuration allowed per organization
Javelo doesn’t support for the moment more than one Saml V2 SSO configuration per organization.
Troubleshooting FAQ
email not found in request
This error means the attribute configuration is not correct for email. “Email” attribute is missing in the SAML assertion request.
name not found in request
This error means the attribute configuration is not correct for the first name. “Name” attribute is missing in the SAML assertion request.
last_name not found in request
This error means the attribute configuration is not correct for the last name. “Last name” attribute is missing in the SAML assertion request.
your account has been deactivated
The user has been deactivated on Javelo. Authentication is impossible.
Lexicon
Identity provider ⇒ The tool or service you use (KeyCloak for instance)
Service provider ⇒ SAML V2 Javelo side
Assertion request ⇒ http request from the identity provider to Javelo service provider sent after a successful authentication. It contains all attributes of an authenticated user.