Talon.One supports Single Sign On with SAML 2.0. Security Assertion Markup Language (SAML) is a standard for logging users into applications based on their sessions in another context.
This has significant advantages over logging in using a username/password:
- No need to type in credentials
- No need to remember and renew passwords
- Control over access from a single source, such as your Active Directory domain or intranet.
You can use any SAML-based Identity Provider (IDP), for example Okta, Bitium, OneLogin, or Centrify, or use GSuite to serve as your identity provider, delegating access to the application based on rules you create in your central identity management solution.
With SSO, you have centralized control over your users’ ability to authenticate or not in your IDP, and can also enforce rules like two-factor authentication or password rotation at the IDP level.
In the following guide, the Service Provider is Talon.One and the IdP, or Identity Provider, is the authenticating authority (for example Okta or GSuite).
Set up SAML
To get started, you’ll first need to create a custom SAML-based application in your IdP. Your IdP will ask you for a few things from Talon.One, which are:
- The ACS URL (Assertion Consumer Service URL). Talon.One generates this URL as soon as the SAML connection is saved; it tells the identity provider where in Talon.One the SAML response should be sent.
- The Audience URL. This is a string that can usually be set to the same value as the generated ACS URL. It needs to be configured both in Talon.One and in the IdP, and it allows your instance to verify that it is the intended recipient of a SAML response.
Both values become available only after the SAML connection has been configured in Talon.One. Create the SAML application in the IdP first, leave those fields empty for now, then configure the SAML connection in Talon.One and return to the IdP to fill them in. To configure the connection, navigate to Account > Organization > Single Sign-On:
There are two ways to configure a SAML connection in Talon.One:
- The first method is manually copying values from the Identity Provider and pasting them into Talon.One. Get the certificate in PEM format, the issuer URL and the login URL from the IdP SAML application you created and paste them into the empty fields in Talon.One.
- The second method is uploading a metadata file downloaded from the IdP (if supported). This file already contains everything the Talon.One side needs to know about the IdP.
Don’t forget to check the “SSO Enabled” check box; otherwise the connection will not be live.
In the first method described above, the Audience URI defaults to the same value as the generated ACS URL if left empty; it can be changed later. This method should work with all Identity Providers.
Once the connection is successfully saved, the option to connect with SSO should appear on the Talon.One login page.
At this point you should have everything you need to finish the configuration of the SAML Application with the IdP.
Potential configuration problems:
- For GSuite configurations, leave the Start URL field in Service Provider Details blank.
- Different IdPs use different names for the Audience URI, for example “Entity ID”, “Audience URL”, or “Service Provider Entity ID”.
- Different IdPs store your employees' records differently. NameID is the only attribute that must be mapped, which should be the case by default.
- No RelayState is required. This is also sometimes called Target.
- We currently only support Service Provider initiated login (started from the Talon.One login page). Identity Provider initiated authentication is not supported due to security considerations.
- SAML sessions last for several hours, after which the user is automatically redirected to the re-authentication flow.
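The checks a Service Provider performs on an incoming SAML response, as this guide describes them (Destination equals the ACS URL, Audience equals the configured Audience URI or falls back to the ACS URL, NameID present, Service Provider initiated only, time-bounded validity), as an added Python example that is not Talon.One's code. The SP URL, request IDs and the unsigned response are constructed placeholders, and signature verification against the IdP's PEM certificate is assumed to have happened beforehand.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Hypothetical SP settings. A real ACS URL is generated by Talon.One when the
# connection is saved; an empty Audience URI means "same as the ACS URL".
ACS_URL = "https://sp.example.invalid/saml/acs"
AUDIENCE_URI = ""

def sample_response(audience=ACS_URL, in_response_to="_req42", name_id="alice@example.com"):
    """Constructed, unsigned SAML Response used only to exercise the checks below."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
  ID="_r1" InResponseTo="{in_response_to}" Destination="{ACS_URL}">
  <saml:Assertion ID="_a1">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def _utc(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_response(xml_text, acs_url, audience_uri, outstanding_ids, now_utc):
    """Return (accepted, reason, name_id). Assumes the XML signature has already
    been verified against the IdP's PEM certificate; these are the checks after that."""
    expected_audience = audience_uri or acs_url   # empty Audience URI -> ACS URL
    root = ET.fromstring(xml_text)
    if root.get("Destination") != acs_url:
        return False, "Destination is not our ACS URL", None
    # Service Provider initiated only: the response must answer a request we issued
    if root.get("InResponseTo") not in outstanding_ids:
        return False, "unsolicited (IdP-initiated) response", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    cond = assertion.find("saml:Conditions", NS)
    if not (_utc(cond.get("NotBefore")) <= _utc(now_utc) < _utc(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        return False, "we are not the intended audience", None
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not name_id:
        return False, "NameID missing (the one mapping Talon.One requires)", None
    return True, "ok", name_id
```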