For a safe connection to Semji
Why use SSO via SAML?
Some companies require their employees to use a single, secure authentication method, a SAML SSO mechanism, across the different tools and web platforms they use. This mechanism better secures employees' access to their online tools and centralizes user management.
What is SSO via SAML?
SSO (Single Sign-On) allows a user to access several applications or websites with the same login and password. These third-party applications or websites only receive a small part of the user's personal information and data.
Example: I log in to an application or an e-commerce site using my Google or Facebook account access.
SAML (Security Assertion Markup Language) is an open standard for exchanging authentication and authorization data between parties.
Three parties are involved in this exchange of information via SAML:
- the user
- the Identity Provider
- the Service Provider
The Identity Provider manages the identification of your users within your company or organization. The Identity Provider chooses which information is transmitted to the Service Provider.
The Service Provider is the publisher of the service provided to the user, for example the application or the website. In your case, it is Semji.
Who can configure an organization's SSO?
In Semji, the user with the owner role of an organization can activate and configure the SSO. Learn more about user roles.
Do not hesitate to contact your Customer Success Manager to upgrade your plan and benefit from it.
Where to set up an organization's SSO?
As an OWNER user logged into the Semji application:
- Click on your profile, then click on Settings
- Select Security to access the SAML SSO configuration screen.
How to set up SAML SSO?
Semji is configured as a SAML service provider.
It is set up so that only users whose email addresses belong to domains associated with your organization can use SAML SSO authentication.
For example, if your organization is associated with the domain mysite.com:
- an address on that domain, such as email@mysite.com, will be able to log in via SSO
- an address on any other domain, such as firstname.lastname@example.org, will not be able to log in via SSO
If you want to add a new domain to your organization, please contact support.
1. Setup your Identity Provider
You need to configure your SAML identity provider to authenticate your users on the Semji application.
You must first configure how you will allow SSO connection via SAML to Semji:
- Off: only classic authentication is allowed
- Optional: your users can choose either classic authentication or authentication via your SAML identity provider
- Required for all members with an organization email address (Mandatory): your users can only authenticate to Semji through your identity provider
Even when SSO is mandatory, users with the OWNER role on the organization can still authenticate to Semji with their own classic credentials, so that they remain able to administer the SAML configuration.
Then, Semji provides you with two pieces of information, required when configuring your identity provider:
- the ACS URL of the service provider (Semji ACS URL),
- the Service Provider Entity Identifier (Semji Entity Identifier).
IMPORTANT: When configuring your provider, you must set it to use your users' email address as the primary identifier (Name Identifier).
Some Identity Providers require the Service Provider to sign its authentication requests. If your Identity Provider requires this signature, enable Service Provider request signing and copy the Service Provider's public key (Semji Entity Provider X.509 certificate) into your Identity Provider's configuration.
2. Setup Semji
After configuring your Identity Provider, you must enter the following three pieces of information into Semji:
- the URL of the Identity Provider's Sign-in page (URL),
- the Entity Identifier of the Identity Provider (Entity Identifier),
- the public key of the Identity Provider certificate (X.509 certificate).
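The settings exchanged above (ACS URL, entity identifier, email as NameID, IdP certificate, allowed domains) are exactly what a service provider checks when an assertion comes back from the identity provider. The following is an added example, not Semji's code: it runs those checks over a constructed SAML response, with placeholder values for the ACS URL, entity identifier and organization domain, and assumes the XML signature has already been verified with the IdP's X.509 certificate.

```python
from datetime import datetime
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Assumed service-provider settings (placeholders, not Semji's real values).
SP_ACS_URL = "https://sp.example/saml/acs"
SP_ENTITY_ID = "https://sp.example/saml/metadata"
ORG_DOMAINS = {"mysite.com"}

def parse_utc(ts):  # SAML timestamps look like 2024-01-01T10:00:00Z
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def sso_domain_allowed(email, org_domains=ORG_DOMAINS):
    """Only addresses on one of the organization's domains may use SAML SSO."""
    local, sep, domain = email.rpartition("@")
    return bool(local) and sep == "@" and domain.lower() in org_domains

def validate_assertion(xml_text, now_iso, acs_url=SP_ACS_URL,
                       entity_id=SP_ENTITY_ID, org_domains=ORG_DOMAINS):
    """Return (ok, detail). Run only after the XML signature has been verified
    with the IdP's X.509 certificate; an unsigned assertion must be rejected."""
    now, resp = parse_utc(now_iso), ET.fromstring(xml_text)
    if resp.get("Destination") != acs_url:      # was it sent to our ACS URL?
        return False, "Destination is not the SP ACS URL"
    assertion = resp.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return False, "no assertion or no conditions"
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != entity_id:
        return False, "Audience is not the SP entity identifier"
    not_before = parse_utc(cond.get("NotBefore", "1970-01-01T00:00:00Z"))
    if not not_before <= now < parse_utc(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:
        return False, "NameID is not the user's email address"
    email = (name_id.text or "").strip()
    if not sso_domain_allowed(email, org_domains):
        return False, "email domain is not enabled for SSO"
    return True, email

# Constructed sample response (signature omitted for brevity).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  Destination="{SP_ACS_URL}"><saml:Assertion>
  <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">jane.doe@mysite.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T10:00:00Z" NotOnOrAfter="2024-01-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
```

A real service provider must also check the response's InResponseTo against the request it issued and verify the signature before any of these fields are trusted.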
How do I connect to Semji via my SAML SSO?
1. Go to the Semji login page (https://app.semji.com/login)
2. Click on Sign In with SAML SSO, under the "Sign in" button
3. Enter your email address, then click Sign in. Semji checks that the domain linked to your email is configured to use SAML authentication.
4. If your company or organization's domain is set up correctly, you can authenticate using your identity provider. If you are not yet connected to this identity provider, a screen appears asking you to enter your login and password. You must enter your Identity Provider's credentials here, not your regular Semji credentials. Once entered, your authentication is done on Semji and you access your dashboard.
Even when authenticated through your identity provider, a user must have an active account created on Semji to access the application.