Configuring Advanced Single Sign On Options

Chris Quiroz -

In addition to letting users sign in with their Facebook, LinkedIn, or Twitter accounts, FluidReview also supports Single Sign On (SSO), which lets users log in through a site hosted on your domain and be redirected to a working FluidReview account. We support SSO through:

  • SAML 2.0
  • NetForum
  • CAS
  • OAuth 2.0

To enable SSO within your FluidReview site, administrators should go to the Edit Your Site -> The Basics page and open the 'Registration' tab. The bottom of this tab has a button labelled 'Configure Advanced Options'.

TIP! If you only want your users to be able to sign on using your site/domain, make sure that the FluidReview, Facebook, Twitter, and LinkedIn options under Single Sign On are not selected. This removes the registration and FluidReview log-in sections from your FluidReview site homepage, replacing them with the Single Sign On log-in.

SAML

SAML is an open, XML-based standard for exchanging authentication and authorization data. To enable SAML single sign on from your system you will need to add your system as an Identity Provider (IdP). You can add as many IdPs as needed.

When an applicant visits a FluidReview site with SAML SSO enabled, they can choose between all added IdPs and log in with their credentials for that provider.

Our SAML metadata can be found at: https://myreviewroom.com/saml2/metadata/v2/

To add an IdP:

Required steps:

  1. Click the edit your site icon and click The Basics, selecting the registration tab followed by the "Configure Advanced Options" button.
  2. From the SAML tab, click + Add idP.
  3. Give your IdP a name and enter your Unique identifier.
  4. Add your IdP's Entity ID. This is the main URL of your IdP.
  5. Enter your Metadata. This will be an XML string. You must include the EntityDescriptor tag along with all of its contents.
  6. Access the 'Lookup' tab and set a 'field to use' and a 'field to match'. This is the information FluidReview uses to create new accounts, or to match the passed user information to an existing user account within FluidReview, which prevents duplicate FluidReview accounts. We typically recommend matching on the e-mail address, but you can also match on metadata.
  7. Review Optional steps, and click Save at the bottom of the page.

Optional Steps:

  1. Add a Logo by uploading an image file through the information tab.
  2. Add Help text, which will be displayed to applicants.
  3. Add a Logout redirect.  When the user logs in via SSO, they are redirected to their FluidReview account.  Likewise, when the user logs out they will be left on the FluidReview site by default.  If you wish to 'push' the user back to your own site you can add this logout redirect.  Once the user logs out of FluidReview, they will be directed to the link you enter here.
  4. Create Attribute mappings which work to pull information over from the user's account into FluidReview, such as first and last names or any custom metadata the user may have applied to their account. This is another optional step, available from the Attribute Mapping tab.  Unlike the 'Lookup' tab, Attribute mapping will not check what is in the account, it will simply write whatever information it can to the account.

NetForum

NetForum is a CRM system from Avectra. Currently, the plan supported for use with SSO is NetForum Enterprise. To enable single sign on with NetForum:

Required Steps:

  1. Click the edit your site icon and click The basics, selecting the registration tab followed by the "Configure Advanced Options" button.
  2. Click the NetForum tab.
  3. Enter your Service Name and the WSDL URL for your client application.
  4. Enter your Avectra xWeb Username and Password which are necessary to validate the NetForum connection.
  5. Select which group you would like to enable SSO for from the Entry group drop down.  This dropdown will only list Applicant groups.  Currently only one applicant group can be selected for NetForum's SSO connection.
  6. Review Optional steps, and click 'Save Netforum Settings' at the bottom of the tab.

Optional Steps:

  1. Add a Logout redirect.  When the user logs in via SSO, they are redirected to their FluidReview account.  Likewise, when the user logs out they will be left on the FluidReview site by default.  If you wish to 'push' the user back to your own site you can add this logout redirect.  Once the user logs out of FluidReview, they will be directed to the link you enter here.
  2. Enter any Extra data objects as a comma separated list. By default, we will pick up any attributes under the Individual and Customer objects. These will be written as user metadata, and we will generate fields for them if they do not already exist.

CAS

CAS is an open protocol for single sign on. Enable CAS by providing the base URL where your instance is hosted. All of the fields for setting up CAS are required. To enable CAS:

  1. Click the edit your site icon and click The basics, selecting the registration tab followed by the "Configure Advanced Options" button.
  2. Select the Registration tab and click the Configure advanced options button at the bottom of the page.
  3. Click the CAS tab.
  4. Enter a Service Name and Service URL, the base URL to where your CAS instance is set up.
  5. Check the 'Path' field to verify it is correct; in most cases you should not need to change this field.
  6. Select which group you would like to enable SSO for from the Entry group drop down. Currently CAS may only be integrated with a single applicant group; other user groups (such as reviewers) will not be included in this list.
  7. If your instance uses an attribute name other than ID or UID for unique identifiers, enter that attribute name in the UID attribute name box. By default, we will look for 'id', 'uid', or 'user'.
  8. Click Save CAS Settings at the bottom of the tab.
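As an added example, not code from FluidReview, this Python function shows how the UID lookup in step 7 can be resolved from a CAS 2.0 serviceValidate response: a configured attribute name is the only one accepted when set, otherwise the default names are tried in order. The responses are constructed samples, and treating 'user' as the cas:user element is an assumption.

```python
import xml.etree.ElementTree as ET  # use defusedxml when the CAS server is not fully trusted

CAS_NS = {"cas": "http://www.yale.edu/tp/cas"}

# Constructed CAS 2.0 /serviceValidate responses (sample data, not from a real server).
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationSuccess>
    <cas:user>jsmith</cas:user>
    <cas:attributes>
      <cas:employeeNumber>100042</cas:employeeNumber>
      <cas:mail>jsmith@example.edu</cas:mail>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas="http://www.yale.edu/tp/cas">
  <cas:authenticationFailure code="INVALID_TICKET">Ticket ST-1 not recognized</cas:authenticationFailure>
</cas:serviceResponse>"""

DEFAULT_UID_ATTRIBUTES = ("id", "uid", "user")  # order the page lists as the default lookup

def resolve_cas_uid(response_xml, uid_attribute=None):
    """Return the unique identifier from a serviceValidate response.

    With uid_attribute set, only that attribute is accepted, so a mistyped
    name fails loudly instead of silently falling back to another value.
    Without it, the default names are tried in order; 'user' is assumed
    to mean the cas:user element itself.
    Raises ValueError on authentication failure or a missing identifier."""
    root = ET.fromstring(response_xml)
    failure = root.find("cas:authenticationFailure", CAS_NS)
    if failure is not None:
        raise ValueError("CAS rejected the ticket: %s (%s)"
                         % (failure.get("code"), (failure.text or "").strip()))
    success = root.find("cas:authenticationSuccess", CAS_NS)
    if success is None:
        raise ValueError("not a CAS serviceValidate response")
    attrs = {a.tag.rsplit("}", 1)[-1]: (a.text or "").strip()
             for a in success.findall("cas:attributes/*", CAS_NS)}
    user = (success.findtext("cas:user", default="", namespaces=CAS_NS) or "").strip()
    candidates = (uid_attribute,) if uid_attribute else DEFAULT_UID_ATTRIBUTES
    for name in candidates:
        value = user if name == "user" else attrs.get(name, "")
        if value:
            return value
    raise ValueError("no unique identifier found; checked %s" % ", ".join(candidates))
```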

OAuth

OAuth is an open standard for authorization. To enable SSO via OAuth:

Required Steps:

  1. Click the edit your site icon and click The basics, selecting the registration tab followed by the "Configure Advanced Options" button.
  2. Click the OAuth tab.
  3. Enter your Service name, Consumer key, and Consumer secret.
  4. Provide the Authorize URL and Access Token URL for your resource server.
  5. Select which group you would like to enable SSO for from the Entry group drop down. Currently OAuth may only be integrated with a single applicant group; other user groups (such as reviewers) will not be included in this list.
  6. Review optional steps, then click Save OAuth Settings at the bottom of the tab.

Optional Steps:

  1. Add the Authenticate URL for your resource server; an example format would be https://example.com/oauth/authenticate
  2. Add the Profile URL for your resource server; an example format would be https://example.com/oauth/profile


1 Comments

  • Anirudh Pandya

    I want to implement SAML for SSO in FluidReview. I am not sure what data I should enter in the following fields while configuring SAML:
    Entity ID
    Unique Identifier
    Metadata

    Can you please provide me some sample code for implementing SSO using SAML in C#.net or in PHP?
