Semji Help Center

How to use the SSO connection via SAML?

For a safe connection to Semji

What is SSO via SAML?

SSO (Single Sign-On) lets a user who has a login and password on one dedicated platform authenticate to several other applications or websites with those same credentials. These third-party applications or sites receive only a limited subset of the user's personal information and data.

Example: logging in to an application or e-commerce site with a Google or Facebook account.

SAML (Security Assertion Markup Language) is an XML-based standard for describing and securely exchanging authentication and authorization information between parties.

In a SAML exchange, there are three parties:

  • the user
  • the Identity Provider
  • the Service Provider

The Identity Provider manages the identification of your users within your company or organization. It is the Identity Provider that chooses which information is transmitted to the Service Provider, and which is not.

The Service Provider is the publisher of the service delivered to the user, such as the application or website. In your case, the Service Provider is Semji.

Why use SSO via SAML?

Some companies require their employees to use a SAML SSO mechanism for secure, single sign-on to the various web tools and platforms they use. This mechanism provides greater security for employee access to their online tools, and centralizes user management.

Who can configure an organization's SSO?

In Semji, users with the Organization Admin role can activate and configure SSO. Find out more about user roles.

How do I configure an SSO connection via SAML in Semji?

As an Admin user, log in to the Semji application:

  • Click on your profile, then click on Settings

[Screenshot: Settings in the profile menu]

  • Select Security in Organization settings to access the SAML SSO configuration screen.

[Screenshot: Security in Organization settings]

Semji acts as the SAML Service Provider.
Semji is configured so that only users whose e-mail address belongs to a domain linked to your organization can authenticate via SAML SSO.

For example, if your organization is associated with the domain monsite.com:

  • the address utilisateur@monsite.com will be able to log in
  • the address utilisateur@sous-domaine.monsite.com will not be able to log in using SSO
  • the address utilisateur@mon-autre-site.com will not be able to log in using SSO

If you wish to add a new domain to your organization, please contact support.

1. Set up your Identity Provider

You need to configure your SAML identity provider to authenticate your users on the Semji application.

You must first choose how SSO connection via SAML to Semji is allowed:

  • Off: only classic authentication is allowed
  • Optional: your users can choose either classic authentication or authentication via your SAML identity provider
  • Required for all members with an organization email address (Mandatory): your users can only authenticate to Semji through your identity provider

Even when SSO is mandatory, users with the OWNER role on the organization can still authenticate to Semji with their classic dedicated credentials. They remain able to administer the SAML configuration.
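The two rules described above, the exact-domain check on the user's e-mail address and the Off / Optional / Mandatory mode with its OWNER exception, are easy to get subtly wrong (sub-domains, letter case, malformed addresses). The following is an added example, not Semji's own code, that models both rules as a login decision. The function names, the role strings (OWNER, MEMBER) and the mode values are assumptions; the page does not state whether an OWNER may also use SAML in Mandatory mode, so the example assumes both methods remain available to that role.

```python
# Added example (not Semji's code). Models the two login rules from the article:
# (1) only e-mail addresses whose domain exactly matches one of the organization's
#     domains may use SAML SSO (no sub-domains, no other domains);
# (2) the SSO mode decides which authentication methods a member may use, except
#     that the OWNER role keeps classic credentials even when SSO is mandatory.
# Function names, role strings and mode strings are assumptions for this example.

from enum import Enum
from typing import Set, Tuple


class SsoMode(Enum):
    OFF = "off"
    OPTIONAL = "optional"
    MANDATORY = "mandatory"


def email_domain(email: str) -> str:
    """Return the lower-cased domain part of an e-mail address, or '' if malformed."""
    local, sep, domain = email.strip().rpartition("@")
    if not sep or not local or not domain:
        return ""
    return domain.lower()


def can_use_sso(email: str, org_domains: Set[str]) -> bool:
    """True only when the e-mail domain equals one of the organization's domains.

    'sous-domaine.monsite.com' does not match 'monsite.com'. The comparison is
    case-insensitive because DNS names are; no other normalisation is attempted.
    """
    domain = email_domain(email)
    return bool(domain) and domain in {d.lower() for d in org_domains}


def allowed_methods(mode: SsoMode, role: str) -> Set[str]:
    """Authentication methods a member may use under the organization's SSO mode."""
    if mode is SsoMode.OFF:
        return {"password"}
    if mode is SsoMode.OPTIONAL:
        return {"password", "saml"}
    # Mandatory: SAML only, except that OWNER keeps classic credentials so the
    # SAML configuration can still be administered (assumed: OWNER may use both).
    return {"password", "saml"} if role == "OWNER" else {"saml"}


def decide_login(email: str, method: str, mode: SsoMode, role: str,
                 org_domains: Set[str]) -> Tuple[bool, str]:
    """Combine both rules; returns (allowed, reason) suitable for an audit log line."""
    if method not in allowed_methods(mode, role):
        return False, f"{method} login not permitted under SSO mode {mode.value} for role {role}"
    if method == "saml" and not can_use_sso(email, org_domains):
        return False, f"domain of {email} is not linked to the organization"
    return True, "ok"
```

The three addresses from the article's own example behave as described: `utilisateur@monsite.com` passes, while the sub-domain and the unrelated domain are refused; the decision function also refuses a password login from a MEMBER once the mode is Mandatory while still letting an OWNER through.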

Semji then provides you with two values that are required when configuring your identity provider:

  • the ACS URL of the service provider (Semji ACS URL),
  • the Service Provider Entity Identifier (Semji Entity Identifier).

IMPORTANT: When configuring your provider, you must set it to use your users' email address as the primary identifier (Name Identifier, the SAML NameID).

Some Identity Providers require the Service Provider to sign its authentication requests. If your Identity Provider requires this signature, enable Service Provider request signing and copy the Service Provider's public key (Semji Entity Provider X.509 certificate) into your Identity Provider's configuration.

2. Set up Semji

After configuring your Identity Provider, you must enter the following three pieces of information into Semji:

  • the URL of the Identity Provider's sign-in page (URL),
  • the Entity Identifier of the Identity Provider (Entity Identifier),
  • the public key of the Identity Provider's certificate (X.509 certificate).
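The values exchanged in steps 1 and 2 are what the Service Provider later checks in every SAML Response it receives: the assertion's Issuer must equal the Identity Provider's Entity Identifier entered in Semji, the Audience must equal the Service Provider's Entity Identifier given to the IdP, and the Subject NameID must carry the user's e-mail address. The block below is an added example, not Semji's code, that performs those checks on a constructed SAML Response using only the standard library. The entity IDs and URLs are placeholders, the response is fabricated for the example, and verifying the XML signature against the IdP's X.509 certificate, which a real validator must do before trusting any of these fields, is deliberately left out.

```python
# Added example (not Semji's code). Checks the SAML Response fields that correspond
# to the values exchanged during setup: Issuer == IdP Entity Identifier,
# Audience == SP Entity Identifier, NameID format == e-mail address, plus the
# assertion's validity window. Entity IDs are placeholders and the response is
# constructed for this example. XML signature verification against the IdP's
# X.509 certificate is required in practice and intentionally omitted here.

from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
EMAIL_NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Placeholders for the Entity Identifiers exchanged in steps 1 and 2 (not real values).
SP_ENTITY_ID = "https://sp.example.invalid/saml/metadata"
IDP_ENTITY_ID = "https://idp.example.invalid/saml/metadata"

# Constructed sample response (unsigned; a real IdP response carries a Signature element).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.invalid/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">utilisateur@monsite.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


@dataclass
class ValidationResult:
    ok: bool
    email: Optional[str]   # the NameID e-mail, only when every check passed
    errors: List[str]


def _parse_time(value: str) -> datetime:
    """Parse the UTC timestamps SAML uses ('...Z') into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text: str, now: datetime,
                      sp_entity_id: str = SP_ENTITY_ID,
                      idp_entity_id: str = IDP_ENTITY_ID) -> ValidationResult:
    errors: List[str] = []
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ValidationResult(False, None, ["no Assertion element"])

    # Issuer must be the IdP Entity Identifier configured in Semji (step 2).
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        errors.append(f"unexpected Issuer {issuer!r}")

    # Audience must be the SP Entity Identifier handed to the IdP (step 1).
    audiences = [a.text.strip() for a in
                 assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)
                 if a.text]
    if sp_entity_id not in audiences:
        errors.append("assertion not addressed to this Service Provider")

    # Validity window: reject assertions that are not yet valid or already expired.
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        errors.append("missing Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now < _parse_time(not_before):
            errors.append("assertion not yet valid")
        if not_on_or_after and now >= _parse_time(not_on_or_after):
            errors.append("assertion expired")

    # NameID must be the user's e-mail address, as the IMPORTANT note requires.
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    email = None
    if name_id is None or not (name_id.text or "").strip():
        errors.append("missing NameID")
    elif name_id.get("Format") != EMAIL_NAMEID_FORMAT:
        errors.append("NameID is not an e-mail address")
    else:
        email = name_id.text.strip()

    return ValidationResult(not errors, email if not errors else None, errors)


SAMPLE_NOW = datetime(2024, 1, 1, 0, 1, tzinfo=timezone.utc)  # inside the sample's 5-minute window


def validate_sample(now: datetime = SAMPLE_NOW) -> ValidationResult:
    """Run the checks on the constructed sample response."""
    return validate_response(SAMPLE_RESPONSE, now)
```

The e-mail returned on success is the value the Service Provider then matches against the organization's domains before looking up the user's account; the example returns no e-mail at all when any check fails, so a caller cannot accidentally use the NameID from a rejected assertion.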

How do I connect to Semji via my SAML SSO?

  1. Go to the Semji login page (https://app.semji.com/login).
  2. Click on Sign In with SAML SSO, under the "Sign in" button.
  3. Enter your email address, then click Sign in. Semji checks that the domain of your email address is configured to use SAML authentication.
  4. If your company or organization's domain is set up correctly, you are redirected to authenticate with your identity provider. If you are not already signed in to that identity provider, a screen asks you for your login and password. Enter your Identity Provider's credentials here, not your regular Semji credentials. Once they are accepted, you are authenticated on Semji and land on your dashboard.

Even when authenticated through your identity provider, a user must still have an active account created on Semji to access the application.