Setup Custom Single Sign-On (SSO) with Affinity
What is SSO?
Single Sign-On is an authentication method that allows users to use one set of login credentials to log into multiple applications.
Note: Custom SSO is only available for Affinity customers on the Enterprise tier.
How to set up SSO with SAML 2.0?
1. Affinity needs the following information from your IT/Admin:
  - Audience URI/Client/SP Entity ID (e.g. affinity)
  - Name ID Format set to Email Address
  - Your Identity Provider (IdP) (e.g. Okta, Azure, etc.)
  - Your Metadata URL (this will contain the signing certificate)
  - (Optional) Set relay state to IDP-INITIATED-FLOW. This is only necessary if you wish to configure a seamless IdP-initiated flow.
2. Redirect (reply) URIs for the Affinity Web Application, also known as the Single sign-on URL:
  - https://{your deployment name}.affinity.co/auth/sso/saml-callback (login)
  - https://{your deployment name}.affinity.co/sso/callback (needed for mobile login)
  - https://{your deployment name}.affinity.co/logout (logout)
3. Setting up data sync:
  - If your team is on Azure (Office 365, cloud), the Microsoft Graph Client Credentials flow is needed to sync data.
  - OR, if your team is on Microsoft Exchange (On-Premise), then an Impersonation Service Account is needed to sync data. Note: users on Office 365 will not be able to use an impersonation account.
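Before handing the Metadata URL to Affinity, an admin can check that the document actually contains what the SAML list above asks for: a signing certificate, the emailAddress NameID format, and HTTPS endpoints. The script below is an added example written for this page; it is not Affinity's code, and the metadata, the entity ID and the certificate bytes are constructed samples rather than a real IdP's. It keeps every published signing certificate rather than only the first, which is the case that matters during key rollover (the FAQ at the end describes Affinity re-reading the metadata when the key changes). Verifying an actual SAML response signature is left to a SAML library; this only inspects the metadata.

```python
"""Parse an IdP SAML 2.0 metadata document and report what Affinity's setup
list requires. Example code for this page, not Affinity's; the metadata
below is a constructed sample, not a real identity provider's."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # for metadata fetched from the network, prefer defusedxml

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed stand-ins for DER certificate bytes. Two signing keys are
# published at once, which is what metadata looks like during key rollover.
OLD_CERT_DER = b"constructed-old-signing-cert"
NEW_CERT_DER = b"constructed-new-signing-cert"

SAMPLE_METADATA = f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {base64.b64encode(OLD_CERT_DER).decode()}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{base64.b64encode(NEW_CERT_DER).decode()}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.test/saml/sso"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/slo"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint (hex) of a DER certificate, the form admins compare by hand."""
    return hashlib.sha256(der).hexdigest()


def parse_idp_metadata(xml_text: str) -> dict:
    """Extract the entity ID, signing certs, NameID formats and endpoints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected an md:EntityDescriptor at the root")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata describes no IdP (no IDPSSODescriptor)")

    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor with no 'use' attribute is valid for signing and encryption.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            signing.append(fingerprint(der))

    return {
        "entity_id": root.get("entityID"),
        "signing_cert_sha256": signing,
        "name_id_formats": [(e.text or "").strip() for e in idp.findall("md:NameIDFormat", NS)],
        "sso_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleSignOnService", NS)},
        "slo_endpoints": {s.get("Binding"): s.get("Location")
                          for s in idp.findall("md:SingleLogoutService", NS)},
    }


def check_metadata(summary: dict) -> list:
    """Problems to fix before sending the Metadata URL over; empty means fine."""
    problems = []
    if not summary["signing_cert_sha256"]:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    if EMAIL_NAMEID not in summary["name_id_formats"]:
        problems.append("IdP does not advertise the emailAddress NameID format")
    if not summary["sso_endpoints"]:
        problems.append("no SingleSignOnService endpoint")
    for url in list(summary["sso_endpoints"].values()) + list(summary["slo_endpoints"].values()):
        if not (url or "").startswith("https://"):
            problems.append(f"endpoint is not https: {url}")
    return problems


if __name__ == "__main__":
    summary = parse_idp_metadata(SAMPLE_METADATA)
    print(summary["entity_id"], "signing certs:", summary["signing_cert_sha256"])
    print("problems:", check_metadata(summary) or "none")
```

Run it against a real metadata document by replacing `SAMPLE_METADATA` with the fetched text; if the new fingerprint list differs from the one you recorded earlier, the IdP has rotated or added a signing key.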
How to set up SSO with OpenID Connect?
Using OpenID, you will most likely need to set up two apps - one for web (see Step 2) and one for mobile (see Step 3).
1. Affinity needs the following information from your IT/Admin:
  - Audience URI/Client/SP Entity ID (e.g. affinity)
  - Client Secret
  - Name ID Format set to Email Address
  - Identity Provider (IdP) (e.g. Okta, Azure, etc.)
  - OIDC Discovery Endpoint
  - Mobile Client ID
  - Mobile Client Secret
  - (Optional) Set relay state to IDP-INITIATED-FLOW. This is only necessary if you wish to configure a seamless IdP-initiated flow.
2. Redirect (reply) URIs for the Affinity Web Application (for web):
  - Sign in: https://{companysubdomain}.affinity.co/auth/sso/openid-callback
  - Sign out: https://{companysubdomain}.affinity.co/logout
3. Mobile Login/Logout redirect URIs (for mobile):
  - AffinitySSOLogin://login
  - AffinitySSOLogin://logout
4. Setting up data sync:
  - If your team is on Azure, then the Microsoft Graph Client Credentials flow is needed to sync data.
  - OR, if your team is on Microsoft Exchange (On-Premise), then an Impersonation Service Account is needed to sync data. Note: users on Office 365 will not be able to use an impersonation account.
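Two of the items in the OpenID list deserve a sanity check on the admin's side before they are sent over: the OIDC Discovery Endpoint (the document it serves must name the same issuer it was fetched from and support the authorization code flow with signed ID tokens) and the redirect URIs (the provider should be configured to match them exactly, since a prefix or wildcard match is what lets an authorization code leak to the wrong page). The script below is an added example for this page, not Affinity's code; the discovery document, the provider hostname and the `acme` subdomain are constructed placeholders.

```python
"""Check an OIDC provider's discovery document and build the exact redirect
URI allow-lists for the web and mobile clients from the OpenID list above.
Example code for this page, not Affinity's; the discovery document and
hostnames are constructed samples."""
import json
import re
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"
REQUIRED_KEYS = (
    "issuer", "authorization_endpoint", "token_endpoint", "jwks_uri",
    "response_types_supported", "id_token_signing_alg_values_supported",
)

# Constructed sample discovery document, not a real provider's.
DISCOVERY_URL = "https://login.example.test/tenant1" + WELL_KNOWN
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://login.example.test/tenant1",
    "authorization_endpoint": "https://login.example.test/tenant1/oauth2/authorize",
    "token_endpoint": "https://login.example.test/tenant1/oauth2/token",
    "jwks_uri": "https://login.example.test/tenant1/discovery/keys",
    "end_session_endpoint": "https://login.example.test/tenant1/oauth2/logout",
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
})


def redirect_uris_for(subdomain: str) -> dict:
    """The four redirect URIs from the list above, grouped by client.
    `subdomain` stands in for {companysubdomain} and must be one DNS label."""
    if not re.fullmatch(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?", subdomain):
        raise ValueError(f"not a valid subdomain label: {subdomain!r}")
    base = f"https://{subdomain}.affinity.co"
    return {
        "web": {"sign_in": {f"{base}/auth/sso/openid-callback"},
                "sign_out": {f"{base}/logout"}},
        "mobile": {"sign_in": {"AffinitySSOLogin://login"},
                   "sign_out": {"AffinitySSOLogin://logout"}},
    }


def redirect_uri_allowed(uri: str, registered: set) -> bool:
    """Exact string comparison, as the OAuth 2.0 Security BCP requires: no
    prefix, wildcard or case-folded match, so a trailing slash or extra path
    segment is rejected rather than silently accepted."""
    return uri in registered


def check_discovery(discovery_url: str, doc_text: str) -> list:
    """Problems to resolve before handing the discovery endpoint over; empty means fine."""
    doc = json.loads(doc_text)
    problems = [f"missing {k}" for k in REQUIRED_KEYS if k not in doc]
    if problems:
        return problems
    issuer = doc["issuer"].rstrip("/")
    # OIDC Discovery: the document is served at issuer + well-known path, and the
    # issuer inside it must match the location it was fetched from.
    if discovery_url != issuer + WELL_KNOWN:
        problems.append(f"issuer {issuer} does not match discovery URL {discovery_url}")
    if "code" not in doc["response_types_supported"]:
        problems.append("provider does not support the authorization code flow")
    algs = doc["id_token_signing_alg_values_supported"]
    if "RS256" not in algs:
        problems.append("RS256 ID token signing not offered")
    if "none" in algs:
        problems.append("provider advertises unsigned ('none') ID tokens")
    for key in ("issuer", "authorization_endpoint", "token_endpoint", "jwks_uri", "end_session_endpoint"):
        url = doc.get(key)
        if url and urlsplit(url).scheme != "https":
            problems.append(f"{key} is not https: {url}")
    return problems


if __name__ == "__main__":
    print("discovery problems:", check_discovery(DISCOVERY_URL, SAMPLE_DISCOVERY) or "none")
    uris = redirect_uris_for("acme")
    for client, group in uris.items():
        print(client, {k: sorted(v) for k, v in group.items()})
```

To use it against a real provider, fetch the discovery URL over HTTPS and pass the URL and the response body to `check_discovery`; register the URIs from `redirect_uris_for` on the web and mobile apps respectively, one set per client, and do not add wildcard entries.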
Frequently Asked Questions
What type of SSO does Affinity support?
Affinity currently supports SAML 2.0 or OpenID Connect as the authentication method. Custom SSO integrations are only available for customers who use Microsoft Exchange or Office 365 as their email provider.
Does Affinity support Service Provider-initiated (Web Browser) SSO?
Yes. Set relay state to IDP-INITIATED-FLOW.
What claims does Affinity require in the callback request?
We only require the user’s email address.
What’s the most secure hash algorithm that Affinity accepts?
SHA256.
Does Affinity require token encryption?
We do not require token encryption. We won’t be making any additional requests after initial authentication so this shouldn’t be necessary.
Does Affinity require Relying Party-Initiated (RP) Sign-On?
No. Since the Affinity application is a cloud application accessible over the public internet, most of our users access it directly via our URL in their browser.
Does Affinity require Relay State support?
No.
Have you enabled your site to automatically update your federated metadata information?
Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to validate signatures accordingly.