Arculix SAML (SP-initiated) integration
Use this guide as a reference to configure a SAML (IdP-initiated) application integration to enable multi-factor authentication (MFA) and single sign-on (SSO) in Arculix.
Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.
Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.
This is a general SAML integration guide to help provide configuration details with SAML (IdP-initiated) application integrations. For specific integrations, see Integrations, otherwise, you can use this guide for most other integrations.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
Application that supports SAML authentication
User account with administrative privileges to a service provider application
Access to service provider information about SAML configurations on their side as a service provider
Service provider configuration
In this section, you'll configure your application as a service provider (SP).
Download the SAML metadata and certificate for your organization from Arculix.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
Go to your service provider instance and configure the application to use Arculix as SAML authentication.
You will need to have the Arculix metadata on hand and access to the service provider instructions for the SAML configuration.
Save your changes in the configurations on the service provider side.
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, Acme.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Configure as needed, according to the service provider instructions for the application. You might find the applicable information in the service provider metadata to help fill out these fields.
For documentation purposes, all available fields for adding an application are described next.
Upstream IdP
This check box is commonly used for integrations with another IdP to and use Arculix as an IdP factor MFA.
Issuer or Entity ID
Enter the Issuer / Entity ID of your service provider application server or instance.
Log in URL
Enter the URL for the end user login to service provider application.
Metadata URL
If applicable, enter the metadata URL provided by the service provider.
NameID Format
By default, this is set to Email Address.
This is the username format in which it asserts the user identity in the SAML application. The most common one is the Email Address. You can change this to different name ID format.
Name Identifier
By default, this is set to Email.
The identifier associated with the NameID format; in most cases this is set to Email. You can change this to a different name identifier attribute.
Application Logo
Optional. Display the application logo in the SSO portal.
The format for this field is the image address.
ACS URL
The Assertion Consumer Service (ACS) URL is the endpoint of the service provider (SP) where Arculix sends the SAML assertion after successfully authenticating a user.
Single Logout URL
If applicable, enter the single logout URL for the service provider.
When the user logs out, this ensures that it will logout the user from all other authenticated sessions associated with this service provider.
Algorithm
By default, this is set to RSA-SHA256, which is stronger than RSA-SHA1.
Certificate
If applicable, paste the certificate information from the service provider.
Identity Provider EntityID
Optional. This field allows you to customize the IdP Issuer / Entity ID for each application.
If your service provider requires it, you can include Asserted Attributes like the following:
Friendly Name
Name
Value
Name Format
Optional. Human-readable form of the attribute's name, which might be useful in cases where the actual Name is complex or opaque.
For example,
First Name
Name that the application uses to reference this attribute.
For example,
FirstName
User directory attribute used to get this value.
For example,
givenName
URI reference that represents the Name attribute format provided to your application.
For example,
unspecified
Save your changes.
Test your application integration
We recommend that you configure a separate URL in addition to the usual authentication URL, to test SAML while leaving the local authentication option available.
Test your application integration.
You will be redirected to the Arculix SSO page.
After successful authentication, select your preferred MFA method to approve access to the application.
You will be redirected and logged in to the application.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.