SSO - general configuration and technical information

This guide aims to inform users about the more technical information required to setup SSO for External Share using any identity provider.

Setting up Identity Provider

This guide will help you set up secured connection between External Share and identity provider of your choice. External Share’s SSO is designed to work with any identity provider capable of using SAML. However, in case of some specific implementations, additional help from our side may be neccessary.

Basic Setup

To setup Identity Provider, you will need the following data that can be found in the SSO Configuration tab in External Share’s Global Settings:

  • Assertion Consumer URL - this URL is used in both Service Provider (SP) and Identity Provider (IDP) initiated log-ons. It’s the URL where the assertion should be posted.

  • Identifier - ID of the Service Provider.

  • Relay State - default relay state used in IDP initiated calls (note that relay state for SP-initiated calls is created dynamically and will differ from this default relay state).

Attributes

As mentioned, External Share accepts SAML Assertions with user info. We require single Attribute Statement with the following attributes:

  • First name - mapped as givenname

  • Last name - mapped as surname

  • Email address - mapped as emailaddress

Response and Assertion settings

Response should be unsigned. Assertion should be signed with RSA-SH256 algoritm, but not encrypted.

User Unique Identifier

User email address is the unique identifier used by External Share. When configuring the identity provider, please ensure that the value for unique user identifier is set to user email address.

Certificate

Currently admins are required to manually rotate certificates after the expiry date, the expiry date of certificates depends on the identity providers.

Workspace Identifier

We use the “Workspace identifier” to identify your Jira instance. You may set this value as you like, however it must be at least 3 characters long. Case, leading and trailing whitespaces are ignored. Your users have to be informed what is their Workspace Identifier, as providing it is neccessary in order to log in.

Single Sign Out

Currently, we are not supporting single sign out feature.