Setup Custom Single Sign-On (SSO) with Affinity
What is SSO?
Single Sign-On is an authentication method that allows users to use one set of login credentials to log into multiple applications.
How to Implement SSO?
How to set up SSO with SAML 2.0?
- Affinity needs the following information from your IT/Admin:
  - Identity Provider (IdP) (e.g. Okta, Azure, etc.)
  - Metadata URL (or XML file for the metadata)
  - Mobile Client ID
  - Client ID (this is case sensitive)
  - Redirect (reply) URIs for the Affinity Web Application
    - https://{your deployment name}.affinity.co/auth/sso/saml-callback (login)
    - https://{your deployment name}.affinity.co/sso/callback (needed for mobile login)
    - https://{your deployment name}.affinity.co/logout (logout)
- If your team is on Azure, then Microsoft Graph Client Credentials are needed to sync data.
- If your team is on Microsoft Exchange (On-Premise), then an Impersonation Service Account is needed to sync data.
How to set up SSO with Open ID?
- Affinity needs the following information from your IT/Admin:
  - Identity Provider (IdP) (e.g. Okta, Azure, etc.)
  - Metadata URL (or XML file for the metadata)
  - Mobile Client ID
  - Mobile Client Secret
  - Client ID (this is case sensitive)
  - Redirect (reply) URIs for the Affinity Web Application
    - https://{companysubdomain}.affinity.co/sso/callback (login)
    - https://{companysubdomain}.affinity.co/logout (logout)
  - Mobile login/logout redirect URIs
    - AffinitySSOLogin://login
    - AffinitySSOLogin://logout
- If your team is on Azure, then Microsoft Graph Client Credentials are needed to sync data.
- If your team is on-premise, then an Impersonation Service Account is needed to sync data.
FAQ
- What type of SSO does Affinity support?
  Affinity currently supports SAML 2.0 or OpenID Connect as an authentication method. Custom SSO integrations are only available for users who use Microsoft Exchange or Office 365 as an email provider.
- Does Affinity support Service Provider-initiated (web browser) SSO?
  Yes.
- What claims does Affinity require in the callback request?
  We only require the user's email address.
- What's the most secure hash algorithm that Affinity accepts?
  SHA-256.
- Does Affinity require token encryption?
  We do not require token encryption. We won't be making any additional requests after the initial authentication, so this shouldn't be necessary.
- Does Affinity require Relying Party-initiated (RP) sign-on?
  No. Since the Affinity application is a cloud application that is accessible over the public internet, most of our users access the application directly by our URL in their browser.
- Does Affinity require RelayState support?
  No.
- Have you enabled your site to automatically update your federated metadata information?
  Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to validate signatures accordingly.
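Two checks an IdP admin can run before handing the details above to Affinity, written as an added example (not Affinity's code): the first compares the reply URLs registered at the IdP against the redirect URI lists for SAML and OpenID Connect given on this page, the second fingerprints the signing certificates in IdP metadata so a key rotation of the kind the last FAQ answer describes is visible between refreshes. The deployment name, the sample metadata and the placeholder certificate bytes are constructed for the example.

```python
"""Checks an admin can run while preparing the SSO handoff above. Added example,
not Affinity's code; assumes the page's redirect URI patterns and SAML 2.0 metadata namespaces."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def required_redirect_uris(deployment: str, protocol: str) -> set[str]:
    """Redirect (reply) URIs listed on the page; OIDC adds the two mobile deep links."""
    base = f"https://{deployment}.affinity.co"
    if protocol == "saml":
        return {f"{base}/auth/sso/saml-callback", f"{base}/sso/callback",
                f"{base}/logout"}
    if protocol == "oidc":
        return {f"{base}/sso/callback", f"{base}/logout",
                "AffinitySSOLogin://login", "AffinitySSOLogin://logout"}
    raise ValueError(f"unknown protocol: {protocol}")

def check_reply_urls(configured, deployment, protocol):
    """Return (missing, unexpected); every extra reply URL is a place assertions get delivered."""
    required = required_redirect_uris(deployment, protocol)
    configured = set(configured)
    return sorted(required - configured), sorted(configured - required)

def signing_cert_fingerprints(metadata_xml: str) -> list[str]:
    """SHA-256 fingerprints of the signing certs in IdP metadata; a change between
    refreshes means the IdP rotated its key. Use defusedxml for untrusted input."""
    root = ET.fromstring(metadata_xml)
    fps = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # encryption-only keys never verify assertions
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fps.append(hashlib.sha256(der).hexdigest())
    return fps

# Constructed metadata; the certificate values are placeholder bytes, not real certs.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}">
  <md:IDPSSODescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(b'placeholder-signing-cert').decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {base64.b64encode(b'placeholder-encryption-cert').decode()}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Store the fingerprint list alongside the metadata URL you give Affinity; when the IdP publishes a new certificate, the list changes and you know the refresh described above will pick it up.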