Single Sign On (SSO) and SAML Integration
If you are on the Enterprise plan, you can connect Paligo to a Single Sign On (SSO) service. This means that you can use your SSO provider to handle all of the company's user accounts (create, edit and delete) and permissions (assign and remove) in one place, and allow users to log in to several systems with a single ID.
This has many benefits, including:
- Reduced administration time - You can manage all software-as-a-service (SaaS) user accounts from a single SSO service. This is especially useful in larger organizations where the workforce changes regularly as people join, move departments, leave and retire.
- Easier access - Users can log in to applications without entering their username and password each time.
- Security - With centralized user accounts, you can apply security measures to all users, such as password strength requirements, multi-factor authentication and more.
Tip
To find out about setting your SSO service to connect to Paligo, see Set Up Your SSO Service. That topic is a general overview of what you need to set up for SSO. We also have more detailed instructions for Okta and JumpCloud integrations.
To use SSO with Paligo, you first need to set up your SSO service to connect to Paligo. The key requirement is that the SSO service is able to authenticate a Paligo user's user account, password, and user group.
When your SSO service is set up to connect to Paligo, the log-in process for users is:
- The user opens Paligo in a browser and selects the Sign in button. They do not need to enter a username or password.
- Paligo redirects to the SSO service for the user's log-in details.
- The SSO service responds to Paligo:
  - If the user is already signed in to the SSO service, the SSO service provides Paligo with the user's username, password, and user group. The user is logged in to Paligo automatically.
  - If the user is not signed in to the SSO service, Paligo redirects them to the SSO service sign-in. When they sign in, Paligo can log them in automatically.
You can also manage your user accounts in the SSO service. If you add a new user to a Paligo user group in the SSO service, Paligo creates the new user account automatically the first time that user attempts to log in to Paligo.
Note
To delete a Paligo user, log in to Paligo as an administrator user and delete the user account manually. SSO services are not designed to delete user accounts.
Before you connect Paligo to your SSO service, you should Set Up Your SSO Service so that it can provide user authentication data to Paligo. As part of the setup, you will export a metadata file that you will be able to import into Paligo.
When the SSO service is set up, you can connect Paligo to it:
-
Log in to Paligo via a user account that has administrator permissions.
- Select the avatar in the top-right corner.
- Select Settings from the menu.
- Select the Integrations tab.
- Select Add in the SAML 2.0 section to expand the connection settings.
- Enter the Provider Name, a display name for the SSO service, for example, Okta or JumpCloud.
- Select Upload metadata file and select the metadata file that you exported from the SSO service when it was set up.
- In most cases, you can ignore the Advanced Settings section. These settings are filled in automatically, as the values come from the SAML metadata XML file you uploaded in the previous step. If, for some reason, the settings need to be added or changed, you can edit them manually:
  - Entity ID - The identifier for your SAML endpoint. This is sometimes called the identity provider issuer.
  - SSL Certificate - The secure socket layer (SSL) certificate for the SSO service.
  - Single Signon Service URL - The address of the single sign-on service.
  - Single Signout Service URL - The address of the single sign-out service, if used. When this is set, logging out of Paligo also logs the user out of the SSO service, not just Paligo. Leave it empty if the feature is not used.
- Check the Enable sign-in alternative checkbox so that users can still sign in to Paligo manually as well as with SSO. This is important the first time you set up SSO: if there is an error, you need to be able to log in to Paligo without SSO to fix it.
- Check Force authentication to set the forceAuthn parameter to true in the authentication request sent to the identity provider. This requires the user to authenticate again even if they already have an active session with the IdP.
- Check the Enable SSO box to activate single sign-on.
Note
If you want to store the settings without activating SSO, clear this checkbox. You can return to this page and enable SSO later if needed.
- Select Save.
- Log out of Paligo.
Caution
Do not log out of Paligo if the Enable sign-in alternative setting is not checked and you have not yet tested SSO. If the SSO configuration is wrong, logging out could leave you unable to log in to Paligo.
- Log back in again. You should now see an SSO sign-in option that, when selected, logs you in to Paligo.
Note
If you do not see the SSO sign in option or if the SSO sign-in attempt is unsuccessful, log in with your username and password and check that you have completed the steps described in this topic correctly.
Usually, failed SSO sign-ins are due to incorrect configuration in the SSO service. Make sure that you have entered the correct URLs and have mapped the correct attributes for firstname, lastname and email.
The most common error is that the user group is incorrectly set up in the SSO service. The SSO service has to be able to provide Paligo with the username, email, and usergroup metadata. For more information on the SSO service settings, see Set Up Your SSO Service.
- Once SSO works as expected, open the SAML 2.0 settings again.
- Clear the Enable sign-in alternative checkbox.
  When this option is disabled, users can no longer log in with a username and password. They have to use SSO to log in.
- Select Save.
To use an SSO service with Paligo, the SSO service has to be configured to communicate with Paligo using SAML. Typically, this configuration work is performed by IT specialists who have an in-depth understanding of the SSO service.
There are many different SSO services available, and the terminology and settings they use vary between vendors. This means we cannot provide a detailed set of general instructions that will work for all SSO services, but the main principles are the same, and most SSO services require similar types of information (see below).
These are the general instructions for connecting an SSO service to Paligo.
In your SSO provider:
- Create one user account for each Paligo user account.
- Create a custom SAML 2.0 application.
- Configure the SAML 2.0 application. The terminology used for the settings can vary, but you will need to:
  - Set the Assertion Consumer Service (ACS) URL for Paligo, the endpoint where the SSO service connects to Paligo. Use this URL: https://your.paligoapp.com/saml/acs. Replace your with the name of your Paligo instance, for example: https://acme.paligoapp.com/saml/acs
  - Set the Service Provider (SP) URL for Paligo. Use this URL: https://your.paligoapp.com/saml/metadata. Replace your.paligoapp.com with the domain name of your Paligo instance.
  - Set the application user name or ID to: email
  - Create attribute mappings for Paligo's user credentials (user.firstname, user.lastname and user.email) and map them to the equivalent attributes in your SSO service. Refer to your SSO service documentation for information on those.
    Note
    There may be additional settings required, depending on your SSO service.
  - Create a group attribute for Paligo. Depending on the SSO service you are using, this should have the name / value paligo.usergroup or paligo_usergroup.
  - Export the SSO service's metadata file so that you can import it into Paligo.
- Create a user group for each Paligo user group. This step is required in some SSO services, whereas with others, you can add the user group name to the user settings.
  In Paligo, every user account belongs to a user group, such as administrators, authors, contributors, reviewers, publishers, it admins or translation managers. When users log in to Paligo using SSO, Paligo needs the SSO service to provide the user group information (as well as the first name, last name and email). User groups are not included in the default metadata, so you need to add them in your SSO service.
- Associate each user account with the appropriate user group.
- Associate each user group with the SAML 2.0 application that you have created to represent Paligo.
- In Paligo, use the SSO integration settings to Connect Paligo to your SSO Service.
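As an added example (not Paligo's own code, nor any provider's), the Python script below checks a SAML response for the attributes described above: user.firstname, user.lastname and user.email, a group attribute named either paligo.usergroup or paligo_usergroup, and a NameID for the email-based application username. It does not verify the XML signature; it only tells you whether the attribute mapping is complete, which is the most common reason a test sign-in fails. The response is constructed inline, not captured from a real IdP.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS = {"saml": SAML, "samlp": SAMLP}
REQUIRED = ("user.firstname", "user.lastname", "user.email")
GROUP_NAMES = ("paligo.usergroup", "paligo_usergroup")
NO_GROUP = "missing user group attribute (paligo.usergroup or paligo_usergroup)"


def sample_response(group_attr="paligo.usergroup"):
    """Constructed SAML response for testing; not captured from any real IdP."""
    group = ""
    if group_attr:
        group = (f'<saml:Attribute Name="{group_attr}">'
                 "<saml:AttributeValue>authors</saml:AttributeValue></saml:Attribute>")
    return f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ann@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="user.firstname"><saml:AttributeValue>Ann</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.lastname"><saml:AttributeValue>Author</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="user.email"><saml:AttributeValue>ann@example.com</saml:AttributeValue></saml:Attribute>
      {group}
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def attributes_in(response_xml):
    """Map each SAML attribute Name to its list of non-empty values."""
    root = ET.fromstring(response_xml)
    found = {}
    for attr in root.iter("{%s}Attribute" % SAML):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS)
                  if v.text and v.text.strip()]
        found[attr.get("Name")] = values
    return found


def check_paligo_attributes(response_xml):
    """Return a list of problems; an empty list means the mapping is complete."""
    root = ET.fromstring(response_xml)
    found = attributes_in(response_xml)
    problems = []
    if root.find(".//saml:Subject/saml:NameID", NS) is None:
        problems.append("missing NameID (the application username should be the email)")
    for name in REQUIRED:
        if not found.get(name):
            problems.append(f"missing or empty attribute {name}")
    # Either spelling of the group attribute is accepted, as the text above describes.
    if not any(found.get(g) for g in GROUP_NAMES):
        problems.append(NO_GROUP)
    return problems
```

To check a real response, decode the base64 SAMLResponse form field from a test sign-in and pass the XML to check_paligo_attributes.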
You can connect Paligo to Okta for single sign on (SSO). This is only available on the Enterprise plan.
To use Okta with Paligo, you need to set up Okta to provide metadata to Paligo. The metadata includes the name of the user, the user's email address, and the user group that the user belongs to.
Note
The metadata describing the user group is not part of the standard metadata. You must add this metadata to the SAML response.
To be able to Connect Paligo to your SSO Service, you need to set up Okta to integrate with Paligo.
Note
For this section, we assume that you have already created your user accounts in Okta.
The first stage of setting up Okta to communicate with Paligo is to create a new application connector.
In Okta:
- Locate your applications and select Add application and then Create New App.
- Apply the following settings for your new application:
  - Platform - set to Web
  - Sign on method - set to SAML 2.0
- Select Create.
- In the General settings, enter Paligo as the App name and then select Next.
- Define the SAML settings. In the General section, enter the following (replace my.paligoapp.com with your Paligo instance name, for example: acme.paligoapp.com):
  - Single sign on URL: https://my.paligoapp.com/saml/acs
  - Audience URL: https://my.paligoapp.com/saml/metadata
  - Default RelayState: https://my.paligoapp.com
  - Application username: Choose email
- In the Attribute statements section, add the following attributes (Name, Name format, Value):
  - user.firstname, Basic, user.firstName
  - user.lastname, Basic, user.lastName
  - user.email, Basic, user.email
  - paligo.usergroup, Basic, appuser.paligo_usergroup
- Double-check that your attribute statements are exactly as described in the previous step. Look out for typing mistakes, as any errors may prevent the connector from working.
- Select Next.
The next stage in Okta is to Add the User Group to the Okta SAML Response.
When users log in to Paligo via Okta, Okta sends metadata to Paligo. The metadata includes the user's first name, last name, email address, and information about which user group they belong to.
The user group metadata is not a standard part of the Okta default metadata, so you need to add the user group to the SAML assertion:
- Select Directory > Profile Editor.
- Select the Profile button for the Paligo app.
- Select Add attribute and enter the details for the Paligo user group:
  - Display name: Paligo user group
  - Variable name: paligo_usergroup
  - Description: Optional. You can leave this blank or add a description to explain the purpose of the user group attribute.
  - Data type: string
  - Attribute length: Between. You do not need to define a min and max value; leave those fields empty.
  - Attribute required: Check Yes.
  - Scope: Check the User personal box if you want to assign the user group attribute (for Paligo) to user accounts individually. If you clear the User personal box, the user group attribute (for Paligo) applies to all user accounts in the Okta user group. Refer to the Okta documentation for more information.
- Double-check that you have entered the correct details for the Paligo user group. Look out for typing mistakes, as they could prevent the login from working as expected.
- Save the attribute.
Each user that is going to use Okta to access Paligo needs to be assigned to the Paligo application and a Paligo user group.
In Okta:
- Select Directory > People and then select a user account.
- On the Applications tab, select Assign Applications.
- Select Assign for the Paligo application.
- In the Paligo user group field, enter the appropriate syntax for the user's role in Paligo. The following table shows the possible values you can use:
- Save the user.
- Repeat this process for each user account that is going to have access to Paligo via Okta.
- Double-check your users to make sure that you have entered the correct syntax. Look out for typing mistakes, as any errors could prevent the logins from working.
Note
Next: Get the Metadata from Okta.
The final steps to take in Okta are to get the metadata file that is needed for the connection.
In Okta:
- Select Applications > Applications.
- Select Sign On.
- Right-click on the Identity Provider Metadata link and choose to save the link as a file. Give the file a name and an .xml extension, for example, metadata.xml. You will need this XML file when you set up the Paligo integration.
You have now completed the configuration that is needed in Okta. The next step is to Connect Paligo to your SSO Service.
You can connect Paligo to JumpCloud (https://www.jumpcloud.com) for single sign on (SSO). This is only available on the Enterprise plan.
To use JumpCloud with Paligo, you need to set up JumpCloud to provide metadata to Paligo. The metadata includes the name of the user, the user's email address, and the user group that the user belongs to. The metadata describing the user group is not part of standard metadata. You must add this metadata to the SAML response.
Note
For this section, we assume that you have already created your user accounts in JumpCloud.
To be able to Connect Paligo to your SSO Service, you need to set up JumpCloud to integrate with Paligo.
The first stage of setting up JumpCloud to communicate with Paligo is to create a new application connector.
In JumpCloud:
- Go to the JumpCloud console, select SSO and then add an application.
- Select Custom SAML App.
- In the Settings panel, apply these values (replace the your in your.paligoapp.com with the address of your Paligo instance, for example, acme.paligoapp.com):
  - Display Label: Paligo (example)
  - IDP Entity ID: paligo/jumpcloud/sso
  - SP Entity ID: https://your.paligoapp.com/saml/metadata
  - ACS URL: https://your.paligoapp.com/saml/acs
  - SAMLSubject NameID: email
  - SAMLSubject NameID Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  - Signature algorithm: RSA-SHA256
  - Attributes: Create attributes for user.firstname (mapped to firstname), user.lastname (mapped to lastname) and user.email (mapped to email).
  - Groups Attributes, Include Group Attribute: Checked. This option must be checked/enabled.
  - Groups Attribute Name: paligo.usergroup
- Select Save.
Next, you need to Create User Groups in JumpCloud .
You should create one user group for each Paligo user group (administrators, authors, contributors, reviewers, publishers, it admins or translation managers) in JumpCloud.
- Select Groups.
- Create a user group for each Paligo user group.
- Select the Applications tab.
- Select Paligo to associate the Paligo application with the user group.
- Select Save Group.
- Repeat this procedure for all Paligo user groups.
In JumpCloud, you need to associate the user accounts with the user groups that you have set up for Paligo.
- Select Users.
- Select the user you want to add to a Paligo user group.
- Select the User Groups tab.
- Select the checkbox for the Paligo user group that the user should belong to.
- Select Save user.
- Repeat this process for each user account that needs access to Paligo.
You can now Connect Paligo to your SSO Service.
Before Paligo and Azure can be connected, you need to create an enterprise app registration for Paligo; see Quickstart: Add an enterprise application (Microsoft Entra).
After registering the app and locating the SSO settings in Enterprise Applications:
- Select the app you registered → Single sign-on. This is where the claim settings are. Some of those are detailed in Set Up Your SSO Service.
- In the claims settings, paligo.usergroup should have the value user.assignedroles and be added as a regular claim (not a group claim).
- You also need to create App roles in the Paligo app registration. You can find these by going to Azure Active Directory → App registrations → Paligo (or whatever you named the app on registration) → App roles.
  Important
  Make sure you have an App role for each Paligo user group, for example a paligo.admin role. Make sure you also "enable this app role" with the checkbox at the bottom of the Edit app role window.
- Return to your Paligo Enterprise application and select Users and groups to add the Azure users you created in the main Azure Active Directory.
- Select ✚ Add user/group and choose the user.
- Assign the user to one of the roles you created in App roles above.
- Return to your enterprise app Single sign-on settings to create a certificate.
- Download the Federation metadata XML.
- When you upload this file to your Paligo SSO integration, skip validation if the validation fails.
- After your metadata uploads, expand the Advanced settings in the Paligo SSO integration and delete the Single signout service URL.