Skip to main content
All CollectionsMarketplace integrationsSSO
SAML V2.0
SAML V2.0
Updated this week

SSO integration guide

⚠️ Access to the SSO configuration requires specific permissions (company manager rights in Javelo).

In order to configure SSO, you need to follow these steps:

  1. Go to "Settings" (⚙️ icon) in the upper right corner of your Javelo account

  2. Select “SSO” from the navigation menu under the Company section.

    Here you have all available SSO integrations, and more specifically SAML V2.0:

  3. Find SAML V2.0 panel and click "Configure" to open the configuration modal:

Configuration order

Because of the need for Javelo to have a valid identity provider metadata URL, the configuration of the identity provider must be done before the service provider one.

  1. Define the provider value in Javelo modal configuration

  2. Start the configuration of Identity provider using technical information on the bottom of Javelo SAML V2.0 configuration modal

  3. Fill in the values for the attribute mapping in Javelo and make sure the mapping matches between Javelo and Identity provider

  4. Finish the Javelo SAML V2 service provider by setting the identity provider’s entity ID and metadata URL that are available on Identity provider’s side.

  5. Test the metadata URL with the button in Javelo modal configuration

  6. Enable SSO in Javelo

  7. Test the connection from your Identity Provider

Configuration of Javelo Service Provider

Here is a description for the configuration of your SAML service provider in Javelo. You will be then able to get any information you need to configure the Identity provider.

Provider

As stipulated here above, the first step of the SSO configuration is to choose the name of Provider.

Javelo generates unique dedicated endpoints for your identity provider integration.

The name you will choose will be the base for these endpoints. Please ensure it only contains letters, number, underscore or hyphen. Ex:

  • my-company_1 ✅

  • @my#organization_ ❌

⚠️ You should fill this value first, because some Identity provider configuration element are dependent.

Entity ID

Once you have completed the configuration on Identity Provider’s side, you can proceed with filling the value of Entity ID of the Identity provider. It is required when Javelo will fetch metadata to select the appropriate settings.

Metadata URL

Once you have completed the configuration on Azure side, you can proceed with filling the value with Metadata URL of the identity provider.

Javelo relies highly on identity provider metadata to configure the services provider. This metadata is frequently automatically refreshed.

👉🏻 A valid URL is mandatory. The format of the provided URL may be tested directly with the Test URL button.

Requests attributes

👉🏻 Three pieces of information are required during a SAML authentication process on Javelo :

  • The user email

  • The user first name

  • The user last name

Users may be created through SAML, and this is the very minimal payload that may be used in that purposed.

This elements must appear as an Attribute elements of the assertion request.

For example:

<Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name">
  <AttributeValue>DUPOND</AttributeValue>
</Attribute>

Two parameters are necessary to correctly extract the data :

  • The value of the “name” attribute

  • The format of the data. It may change how the data is formatted into the assertion request. Here are few examples :

    • urn:oasis:names:tc:SAML:2.0:attrname-format:uri

    • urn:oasis:names:tc:SAML:2.0:attrname-format:basic

    • urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

This is where this information should be set in Javelo:

Please check the documentation and the configuration of your identity provider to set up this information correctly in order to ensure all of them are sent and to get their name and format.

Options

Force usage

The Force usage parameter will change the behaviour of the authentication process. If chosen, users are directly redirected to the SSO authentication page once the company is selected (through it’s subdomain or an email).

❗ Beware to use this option only if you are certain that all users are allowed to use your SSO.

Test mode

This option allows to setup the SSO configuration without any impact on the authentication process. Users will not be exposed to the SSO (SAML V2 authentication), and will be able to login via mail / password.

But the SAML V2 authentication will be available for testing purpose on a single, specific URL :

https://${SUBDOMAIN}.javelo.io/auth/login?provider=${PROVIDER} (see below to find that information) or directly with a button (with “test”).

You will be able to try your configuration, and make corrections if required.

We recommend using this option for the first configuration of your SSO. Once you have made sure your SSO is correctly configured, you can deactivate the Test mode by deselecting this option.

Allow user creation from SSO

This option allows to enable/disable the creation of new users from a connection done via SSO.

If the user does not already exist, it is created.

We recommend disabling this option if you are also using a synchronization in order to avoid creation of unwanted accounts or duplicates with different email addresses linked to the same user.

Configuration of Identity provider

Here are the information you may need to configure the SAML V2 identity provider, and what you may need to test.

  • Javelo Callback URL : SAML Assertion service provider endpoint

  • Javelo Entity ID : service provider entity ID

  • Javelo Metadata URL : service provider metadata endpoint

  • Javelo Test URL : link to access The SAML identity provider in test mode

Metadata refresh

Once created, you may manually the refresh of identity provider metadata in Javelo service provider. It is really useful if you make some change on identity provider certificate for instance.

Important information

There are few points to keep in mind with Saml V2 SSO integration on Javelo:

  • The SSO is mono-tenant

An SSO configuration may only be used to authenticate users for the same Javelo organization. If you have many organizations on the Javelo platform, you should have distinct SSO configurations for each.

  • There is one SSO configuration allowed per organization

Javelo doesn’t support for the moment more than one Saml V2 SSO configuration per organization.

Troubleshooting FAQ

  • email not found in request

This error means the attribute configuration is not correct for email. “Email” attribute is missing in the SAML assertion request.

  • name not found in request

This error means the attribute configuration is not correct for the first name. “Name” attribute is missing in the SAML assertion request.

  • last_name not found in request

This error means the attribute configuration is not correct for the last name. “Last name” attribute is missing in the SAML assertion request.

  • your account has been deactivated

The user has been deactivated in Javelo. Authentication is impossible.

Lexicon

  • identity provider ⇒ The tool or service you use (KeyCloak for instance)

  • service provider ⇒ SAML V2 Javelo side

  • assertion request ⇒ http request from the identity provider to Javelo service provider sent after a successful authentication. It contains all attributes of an authenticated user.

Related Articles
Microsoft Azure Active Directory
Okta
OneLogin
Microsoft ADFS
PeopleSpheres
Did this answer your question?