
Arculix SAML (SP-initiated) integration

Use this guide as a reference to configure a SAML (IdP-initiated) application integration to enable multi-factor authentication (MFA) and single sign-on (SSO) in Arculix.

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

This is a general SAML integration guide that provides the configuration details for SAML (IdP-initiated) application integrations. For specific integrations, see Integrations; otherwise, you can use this guide for most other integrations.

Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • Application that supports SAML authentication

  • User account with administrative privileges to a service provider application

  • Access to the service provider's own SAML configuration information

Service provider configuration

In this section, you'll configure your application as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Go to your service provider instance and configure the application to use Arculix as SAML authentication.

    You will need to have the Arculix metadata on hand and access to the service provider instructions for the SAML configuration.

  3. Save your changes in the configurations on the service provider side.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    [Figure: Create new application]

  3. In the New Application form, on the General tab, set the following configurations:

    Name

    Set the name of the application. This name is displayed in push notifications, the Admin panel, the Application portal, and audit logs.

    For example, Acme.

    Type

    Set to SAML Service Provider.

    Out of Band Methods

    Select the methods end users are allowed to use to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Configure as needed, according to the service provider instructions for the application. You might find the applicable information in the service provider metadata to help fill out these fields.

    For documentation purposes, all available fields for adding an application are described next.

    Upstream IdP

    This check box is commonly used for integrations with another IdP, where Arculix acts as an MFA factor for that IdP.

    Issuer or Entity ID

    Enter the Issuer / Entity ID of your service provider application server or instance.

    Log in URL

    Enter the URL where end users log in to the service provider application.

    Metadata URL

    If applicable, enter the metadata URL provided by the service provider.

    NameID Format

    By default, this is set to Email Address.

    This is the username format in which the user identity is asserted to the SAML application. The most common one is Email Address. You can change this to a different NameID format.

    Name Identifier

    By default, this is set to Email.

    The identifier associated with the NameID format; in most cases this is set to Email. You can change this to a different name identifier attribute.

    Application Logo

    Optional. Display the application logo in the SSO portal.

    Enter the address (URL) of the logo image in this field.

    ACS URL

    The Assertion Consumer Service (ACS) URL is the endpoint of the service provider (SP) where Arculix sends the SAML assertion after successfully authenticating a user.

    Single Logout URL

    If applicable, enter the single logout URL for the service provider.

    When the user logs out, this logs the user out of all other authenticated sessions associated with this service provider.

    Algorithm

    By default, this is set to RSA-SHA256, which is stronger than RSA-SHA1.

    Certificate

    If applicable, paste the certificate information from the service provider.

    Identity Provider EntityID

    Optional. This field allows you to customize the IdP Issuer / Entity ID for each application.

  5. If your service provider requires it, you can include Asserted Attributes with the following fields:

    Friendly Name

    Optional. Human-readable form of the attribute's name, which might be useful in cases where the actual Name is complex or opaque.

    For example, First Name

    Name

    Name that the application uses to reference this attribute.

    For example, FirstName

    Value

    User directory attribute used to get this value.

    For example, givenName

    Name Format

    URI reference that represents the Name attribute format provided to your application.

    For example, unspecified

    [Figure: Examples of asserted attributes]

  6. Save your changes.
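As an added example (not Arculix's own code) of what the Asserted Attributes fields in step 5 produce, this Python snippet renders a constructed attribute mapping and a constructed directory record into the AttributeStatement a service provider receives; it assumes the short Name Format names map to the standard SAML 2.0 attrname-format URIs.

```python
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Short names as typed in the Name Format field, mapped to the SAML 2.0 URIs (assumption).
NAME_FORMATS = {
    "unspecified": "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified",
    "uri": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri",
    "basic": "urn:oasis:names:tc:SAML:2.0:attrname-format:basic",
}

# Constructed mapping, one row per Asserted Attribute:
# (Friendly Name, Name, Value = directory attribute, Name Format)
ATTRIBUTE_MAPPING = [
    ("First Name", "FirstName", "givenName", "unspecified"),
    ("Last Name", "LastName", "sn", "unspecified"),
    ("Groups", "memberOf", "memberOf", "basic"),
]

# Constructed directory record for one user (what an LDAP lookup would return).
USER_RECORD = {"givenName": "Ada", "sn": "Lovelace",
               "memberOf": ["cn=finance,ou=groups,dc=example,dc=test"]}


def build_attribute_statement(mapping, record) -> ET.Element:
    """Render the mapping as the <saml:AttributeStatement> the SP receives.
    Multi-valued directory attributes become several <AttributeValue>s;
    attributes the directory does not hold are omitted rather than sent empty."""
    stmt = ET.Element(f"{{{SAML}}}AttributeStatement")
    for friendly, name, source, fmt in mapping:
        if fmt not in NAME_FORMATS:
            raise ValueError(f"unknown Name Format {fmt!r} for attribute {name}")
        values = record.get(source)
        if values in (None, "", []):
            continue
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name,
                             NameFormat=NAME_FORMATS[fmt], FriendlyName=friendly)
        for v in values if isinstance(values, list) else [values]:
            ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = str(v)
    return stmt


def attributes_by_name(stmt: ET.Element) -> dict:
    """Flatten a statement to {Name: [values]}, the view an SP checks against."""
    return {a.get("Name"): [v.text for v in a.findall(f"{{{SAML}}}AttributeValue")]
            for a in stmt.findall(f"{{{SAML}}}Attribute")}
```

Print ET.tostring(build_attribute_statement(ATTRIBUTE_MAPPING, USER_RECORD)) to see the XML an SP would have to map on its side.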

Test your application integration

We recommend that you configure a separate URL in addition to the usual authentication URL, to test SAML while leaving the local authentication option available.

  1. Test your application integration.

  2. You will be redirected to the Arculix SSO page.

    [Figure: Application login page with QR code]

  3. After successful authentication, select your preferred MFA method to approve access to the application.

    [Figure: Select MFA method]

  4. You will be redirected and logged in to the application.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.