
Single Sign-on (SSO)

Configuration of sign-on with SAML SSO

SAML-based single sign-on (SSO) allows users access to Firstbird through an identity provider (IdP) of your choice.


Provisioning


Firstbird supports the identity provider (IdP) initiated flow, the service provider (SP) initiated flow and just-in-time (JIT) provisioning.

For the SP-initiated login, users go to https://YOURDOMAIN.1brd.com/login.

Your IdP must ensure that a user is authenticated and authorized before it sends a request to Firstbird. No request should be sent for a user who is not authorized.

 

Step 1: Setup your Identity Provider (IdP)

First, create a connection for Firstbird at your IdP. Below you will find several provider-created "how to" articles for activating SAML for your Firstbird account:

Manual Identity Provider (IdP) configuration

For an easy setup, you will find all the information needed to configure your IdP directly in your Firstbird company account under "Account Preferences" - "Authentication" - "Single Sign-on" (only visible once SSO has been activated by Firstbird).

All important information at a glance:

  • Entity-ID
    https://YOURDOMAIN.auth.1brd.com/saml/sp

  • Post-back URL for the SSO login
    https://YOURDOMAIN.auth.1brd.com/saml/callback

  • Address of the SP Metadata.xml
    https://YOURDOMAIN.auth.1brd.com/saml/sp/metadata
    (for IdPs that support automatic configuration from a metadata URL)


 

Settings for the configuration of your Identity Provider

  • NameID (mandatory field)

<saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
        Your unique identifier
    </saml:NameID>
</saml:Subject>

 


 

  • Email attribute (mandatory field)

<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        your.user@yourdomain.com
    </saml:AttributeValue>
</saml:Attribute>

 

  • First name attribute (optional)

<saml:Attribute Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        Max
    </saml:AttributeValue>
</saml:Attribute>

 

  • Last name attribute (optional)

<saml:Attribute Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        Mustermann
    </saml:AttributeValue>
</saml:Attribute>

 

  • Session duration attribute (optional)

This attribute only affects the sign-on duration. Its AttributeValue element states how long the user can access Firstbird via the mobile app before having to sign on again, as an integer number of seconds. The value must be at least 1,200 seconds (20 minutes). If the SessionNotOnOrAfter attribute of the AuthnStatement is also set, the lower of the two values is used. If neither is present, the sign-on remains valid for 30 days.

 

<saml:Attribute Name="https://auth.1brd.com/saml/attributes/sessionduration">
    <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
        86400
    </saml:AttributeValue>
</saml:Attribute>
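To make the attribute contract above concrete, here is an added example (not part of the article and not Firstbird's own code) that reads the NameID, the email/first_name/last_name attributes and the session duration attribute from a constructed sample assertion, fails closed when a mandatory item is missing, and applies the session rule as stated: the lower of the session duration attribute and SessionNotOnOrAfter, a 1,200-second floor, and a 30-day default. The assertion text and the user values are constructed; signature verification is assumed to have happened before this step and is not shown.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Standard SAML 2.0 assertion namespace.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Session duration attribute name as given in the article.
SESSION_ATTR = "https://auth.1brd.com/saml/attributes/sessionduration"
MIN_SESSION_SECONDS = 1200                # article: at least 20 minutes
DEFAULT_SESSION_SECONDS = 30 * 24 * 3600  # article: 30 days when nothing is set

# Constructed sample assertion (not a real IdP response; signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">
      user-0815
    </saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2024-01-01T08:00:00Z"
      SessionNotOnOrAfter="2024-01-01T20:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue xsi:type="xs:string">your.user@yourdomain.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="first_name">
      <saml:AttributeValue xsi:type="xs:string">Max</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="last_name">
      <saml:AttributeValue xsi:type="xs:string">Mustermann</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="https://auth.1brd.com/saml/attributes/sessionduration">
      <saml:AttributeValue xsi:type="xs:string">86400</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Second constructed sample: only the mandatory items, no session information.
MINIMAL_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">user-4711</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>other.user@yourdomain.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def _first_value(attrs, name):
    values = attrs.get(name) or []
    return values[0] if values else None


def parse_assertion(xml_text):
    """Return NameID, the documented attributes and SessionNotOnOrAfter.
    Raises ValueError if NameID or email is missing, so a misconfigured IdP
    fails closed instead of producing a half-filled user record."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID is mandatory")
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [(v.text or "").strip()
                                   for v in attr.findall("saml:AttributeValue", NS)]
    email = _first_value(attrs, "email")
    if not email:
        raise ValueError("email attribute is mandatory")
    authn = root.find("saml:AuthnStatement", NS)
    return {
        "name_id": name_id.text.strip(),
        "email": email,
        "first_name": _first_value(attrs, "first_name"),
        "last_name": _first_value(attrs, "last_name"),
        "session_duration": _first_value(attrs, SESSION_ATTR),
        "session_not_on_or_after": authn.get("SessionNotOnOrAfter") if authn is not None else None,
    }


def _parse_utc(ts):
    # SAML timestamps end in "Z"; older fromisoformat() only accepts "+00:00".
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc)


def effective_session_seconds(parsed, now_iso):
    """Lower of the two values, 1,200 s floor on the attribute, 30-day default."""
    candidates = []
    raw = parsed["session_duration"]
    if raw is not None:
        seconds = int(raw)
        if seconds < MIN_SESSION_SECONDS:
            raise ValueError(f"session duration {seconds}s is below the 1,200 s minimum")
        candidates.append(seconds)
    expiry = parsed["session_not_on_or_after"]
    if expiry:
        candidates.append(int((_parse_utc(expiry) - _parse_utc(now_iso)).total_seconds()))
    return min(candidates) if candidates else DEFAULT_SESSION_SECONDS


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    print(parsed["email"], effective_session_seconds(parsed, "2024-01-01T08:00:00Z"))
```

With the sample above, the session attribute says 86,400 seconds but SessionNotOnOrAfter leaves only 43,200 seconds from the authentication instant, so the shorter value wins; the minimal assertion yields the 30-day default.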

 

Step 2: Set-up your Firstbird account (SP configuration)

Finalize the configuration in Firstbird with the following three important items from your IdP:

  1. Entity-ID
    This is the unique identifier of the connection to Firstbird and is provided by your IdP.
  2. SSO Service URL
    This is the address of your IdP. Firstbird sends all authentication requests to this URL.
  3. Signing Certificate
    Firstbird requires that SAML assertions are signed and that a valid X.509 certificate in PEM format is stored at Firstbird to verify your identity.

 

All settings described above can be found in the Metadata XML of your IdP.
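As an added illustration of what the upload and URL options extract from the IdP metadata (example code, not Firstbird's implementation), the following reads the three items named above from a constructed metadata document: the entityID, the SingleSignOnService location, and the signing certificate (skipping keys marked for encryption only). The IdP entity ID and URLs are assumptions, and the certificate bytes are labelled placeholders rather than a real X.509 certificate; the SHA-256 fingerprint is included because it is the value an administrator can compare against what is shown in the Firstbird configuration.

```python
import base64
import hashlib
import re
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
# Bindings an SP can send its authentication request with, in order of preference.
PREFERRED_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
)

# Constructed placeholder standing in for DER certificate bytes (not a real certificate).
PLACEHOLDER_CERT_DER = b"PLACEHOLDER-NOT-A-REAL-CERTIFICATE"

# Constructed sample IdP metadata; entityID and locations are assumptions.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        %s
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>%s</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (
    base64.b64encode(PLACEHOLDER_CERT_DER).decode(),
    base64.b64encode(b"PLACEHOLDER-ENCRYPTION-ONLY-CERT").decode(),
)


def normalize_b64(text):
    """Strip PEM armour and all whitespace so metadata and PEM forms compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    return "".join(body.split())


def fingerprint(der_bytes):
    return hashlib.sha256(der_bytes).hexdigest()


def to_pem(b64):
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(textwrap.wrap(b64, 64))
            + "\n-----END CERTIFICATE-----\n")


def extract_sp_settings(metadata_xml):
    """Return the Entity-ID, SSO Service URL and signing certificate(s) an SP needs."""
    root = ET.fromstring(metadata_xml)
    entity_id = root.get("entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    services = {s.get("Binding"): s.get("Location")
                for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = next((services[b] for b in PREFERRED_BINDINGS if b in services), None)
    if not sso_url or not sso_url.startswith("https://"):
        raise ValueError("no HTTPS SingleSignOnService with a supported binding")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' covers signing too
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append(normalize_b64(c.text))
    if not (entity_id and certs):
        raise ValueError("metadata lacks an entityID or a signing certificate")
    return {
        "entity_id": entity_id,
        "sso_url": sso_url,
        "signing_certs_pem": [to_pem(c) for c in certs],
        "signing_fingerprints": [fingerprint(base64.b64decode(c)) for c in certs],
    }


if __name__ == "__main__":
    settings = extract_sp_settings(SAMPLE_METADATA)
    print(settings["entity_id"], settings["sso_url"], settings["signing_fingerprints"])
```

Rejecting a non-HTTPS SingleSignOnService location is deliberate: the authentication request, and with it the user's browser, would otherwise be sent to the IdP over plaintext.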

Firstbird offers three options to make the configuration as easy as possible:

1. Configuration via IdP Metadata.XML upload
2. Configuration via IdP Metadata URL
3. Manual configuration

 

1. Configuration via IdP Metadata.XML upload

You can upload the Metadata XML of your IdP. If the upload succeeds, the settings are preconfigured from it. The settings can be changed at any time.


 

2. Configuration via IdP Metadata URL

You can enter the address of your IdP's Metadata XML. Once we have fetched and checked the XML, the settings are preconfigured from it. The settings can be changed at any time.


 

3. Manual configuration

If none of the above options are suitable for you, the configuration can be done manually as well.


Click the button "Save Configuration" to save your settings.

 

Step 3: Activate SSO

As soon as you saved the SSO settings, you're able to activate SSO for your Firstbird company account.


After activating SSO for your company account, a new button "Login via SSO" appears on the login page. From then on, your users can only log in via SSO.


 


In the case that you are having trouble with SSO, please contact our support.

 

SSO for existing users

You can activate SSO for your company account even if some users have already registered with it. Existing users are linked automatically: the email address your IdP sends in the email assertion attribute must be the email address of an existing Firstbird user.

If the email addresses are not identical, a new user account is created instead.
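Because the link is made on an identical email address, it is worth checking the IdP's email values against the Firstbird user list before enabling SSO. The following added example (not Firstbird's code; the user store layout and all addresses are constructed) implements the rule as described, exact match links and anything else creates a new account, and adds a pre-rollout audit that flags addresses differing only in letter case, since those would silently produce a second account for the same person.

```python
# Constructed sample: users already registered in Firstbird, keyed by the
# email address stored there (assumed store layout, not Firstbird's).
EXISTING_USERS = {
    "anna.beispiel@yourdomain.com": {"id": "u-1001", "sso_linked": False},
    "max.mustermann@yourdomain.com": {"id": "u-1002", "sso_linked": False},
}

# Constructed sample of the values an IdP would send in the "email" attribute.
IDP_EMAILS = [
    "anna.beispiel@yourdomain.com",    # identical: links to u-1001
    "Max.Mustermann@yourdomain.com",   # differs only in case: would create a new account
    "new.hire@yourdomain.com",         # unknown: new account, as intended
]


def resolve_sso_login(email, users):
    """Apply the article's rule: an identical email links the existing user,
    anything else creates a new one. Returns (action, user_id).
    The new-id scheme is hypothetical."""
    if email in users:
        users[email]["sso_linked"] = True
        return ("linked", users[email]["id"])
    new_id = f"u-new-{len(users) + 1}"
    users[email] = {"id": new_id, "sso_linked": True}
    return ("created", new_id)


def audit_idp_emails(idp_emails, users):
    """Pre-rollout check: exact matches, case-only mismatches (would become
    duplicate accounts) and genuinely new addresses."""
    lowered = {u.lower(): u for u in users}
    report = {"exact": [], "case_mismatch": [], "new": []}
    for email in idp_emails:
        if email in users:
            report["exact"].append(email)
        elif email.lower() in lowered:
            report["case_mismatch"].append((email, lowered[email.lower()]))
        else:
            report["new"].append(email)
    return report


if __name__ == "__main__":
    for kind, entries in audit_idp_emails(IDP_EMAILS, EXISTING_USERS).items():
        print(kind, entries)
```

Run the audit against an export of the IdP's email attribute values and correct the mismatching entries on the IdP side before switching SSO on.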

 

 

Authentication via Single Sign-On (SSO) only

In addition to allowing users to log in either with SSO or with a password, you can restrict login to SSO only. This option is only available if single sign-on has been enabled for your Firstbird company account and is in use.

 

Activate authentication via Single Sign-On (SSO) only


Before enforcing SSO for your Firstbird company account, make sure together with your IT department that SSO is configured properly (see the article "Configuration of Sign-on with SAML SSO"). Then go to "Account Preferences", "Authentication" and, next to it, "Single Sign-On".

To enable authentication via SSO only, click on the toggle next to "Authentication via Single Sign-On only".


When activated, the user will see the following login screen:


If this happens, please contact our support.

As soon as authentication via SSO only has been activated, the following features are inactive:

  • Invite users via Firstbird
  • Registration page
  • Multi-Factor Authentication
  • Password Policy

 

 

 

Your IdP Certificate Has Been Updated

If your IdP's certificate has been updated, change the certificate in your Firstbird company account as well. Otherwise, your users will no longer be able to log in via SSO.

As a precautionary measure, we recommend creating a backup administrator user with an email address that is not part of SSO, such as application@domain.com.

If your IdP certificate has changed, you can log in with this backup administrator account, together with your IT department, and update the certificate under "Account Preferences".

To update the certificate, go to "Account Preferences", under the "Single Sign-On" heading and click the button "Expand" to show "Single Sign-On Configuration".

Depending on your current settings, please

  1. upload a new "Metadata file",
  2. add a new "Metadata URL", or
  3. update the "Signing certificate" under "Manual settings".


Click on the button "Save configuration" to save your changes.

Please update the certificate together with your IT department to make sure all changes are correct.

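A lockout after a certificate rotation is avoidable if the stored certificate is compared periodically with what the IdP currently publishes. The following added example (not Firstbird's code) does that comparison by SHA-256 fingerprint, tolerating the PEM form stored at the SP and the bare base64 form found in metadata, and distinguishes a rollover window (both old and new certificate published) from a completed rotation (stored certificate gone). The certificate bytes are labelled placeholders, not real X.509 certificates.

```python
import base64
import hashlib
import re
import textwrap

# Constructed placeholders standing in for DER certificate bytes.
OLD_CERT_DER = b"PLACEHOLDER-OLD-IDP-CERTIFICATE"
NEW_CERT_DER = b"PLACEHOLDER-NEW-IDP-CERTIFICATE"
OLD_CERT_B64 = base64.b64encode(OLD_CERT_DER).decode()
NEW_CERT_B64 = base64.b64encode(NEW_CERT_DER).decode()

# What an SP would have stored: the old certificate in PEM form.
CONFIGURED_PEM = ("-----BEGIN CERTIFICATE-----\n"
                  + "\n".join(textwrap.wrap(OLD_CERT_B64, 64))
                  + "\n-----END CERTIFICATE-----\n")


def normalize_b64(text):
    """Strip PEM armour and whitespace so PEM and metadata forms compare equal."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text or "")
    return "".join(body.split())


def fingerprint_b64(b64):
    return hashlib.sha256(base64.b64decode(b64)).hexdigest()


def certificate_status(configured_pem, published_certs):
    """Compare the stored signing certificate with those the IdP publishes.

    Returns:
      'current'  - the stored certificate is the only one published
      'rollover' - still published, but a new one has appeared: update before
                   the IdP retires the old key
      'rotated'  - no longer published: SSO logins fail until the certificate
                   is updated (use the backup administrator account)
    """
    stored = fingerprint_b64(normalize_b64(configured_pem))
    published = {fingerprint_b64(normalize_b64(c)) for c in published_certs}
    if stored not in published:
        return "rotated"
    if len(published) > 1:
        return "rollover"
    return "current"


if __name__ == "__main__":
    print(certificate_status(CONFIGURED_PEM, [OLD_CERT_B64]))
    print(certificate_status(CONFIGURED_PEM, [OLD_CERT_B64, NEW_CERT_B64]))
    print(certificate_status(CONFIGURED_PEM, [NEW_CERT_B64]))
```

Feeding the check with the signing certificates extracted from the IdP's metadata URL, on a schedule, turns the "users can no longer log in" failure into an advance warning during the rollover window.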