Setup Custom Single Sign-On (SSO) with Affinity
What is SSO?
Single Sign-On is an authentication method that allows users to use one set of login credentials to log into multiple applications.
Note - custom SSO is only available for enterprise tiers only. However, if you are using SSO with your ADFS, it's supported on all tiers.
How to Implement SSO?
How to set up SSO with SAML 2.0?
- Affinity needs the following information from your IT/Admin:
- Client/Entity ID
- Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
- Metadata URL (or XML file)
- (Optional) Set relay state to IDP-INITIATED-FLOW
- This is only necessary if the sign-in flow is initiated from the IDP.
- Redirect (reply) URIs for the Affinity Web Application
- https://{your deployment name}.affinity.co/auth/sso/saml-callback (login)
- https://{your deployment name}.affinity.co/sso/callback (needed for mobile login)
- https://{your deployment name}.affinity.co/logout (logout)
- Setting up data sync:
- If your team is on Azure (Office 365, cloud), Microsoft Graph Client Credentials flow is needed to sync data.
- OR - - If your team is on Microsoft Exchange (On-Premise), then an Impersonation Service Account is needed to sync data. Note - users on Office 365 will not be able to use an impersonation account.
- If your team is on Azure (Office 365, cloud), Microsoft Graph Client Credentials flow is needed to sync data.
How to set up SSO with Open ID?
- Affinity needs the following information from your IT/Admin:
- Client/Entity ID (this is case sensitive)
- Client Secret
- Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
- OIDC Discovery Endpoint
- Mobile Client ID
- Mobile Client Secret
- (Optional) Set relay state to IDP-INITIATED-FLOW
- This is only necessary if the sign-in flow is initiated from the IDP.
- Redirect (reply) URIs for the Affinity Web Application
- https://{companysubdomain}.affinity.co/sso/callback (login)
- https://{companysubdomain}.affinity.co/logout (logout)
- Mobile Login/Logout redirect URIs
- AffinitySSOLogin://login
- AffinitySSOLogin://logout
- Setting up data sync:
- If your team is on Azure, then Microsoft Graph Client Credentials flow is needed to sync data.
- OR - - If your team is on Microsoft Exchange (On-Premise), then an Impersonation Service Account is needed to sync data. Note - users on Office 365 will not be able to use an impersonation account.
- If your team is on Azure, then Microsoft Graph Client Credentials flow is needed to sync data.
FAQ
- What type of SSO does Affinity support?
Affinity currently supports SAML 2.0 or OpenID Connect as an authentication method. Custom SSO integrations are only available for users who use Microsoft Exchange or Office365 as an email provider. - Does Affinity support Service Provider initiated(Web Browser) SSO?
Yes. - What claims does Affinity require in the callback request?
We only require the user’s email address. - What’s the most secure hash algorithm that Affinity accepts?
SHA256. - Does Affinity require token encryption?
We do not require token encryption. We won’t be making any additional requests after initial authentication so this shouldn’t be necessary. - Does Affinity require Relaying Party-Initiated(RP) Sign-On?
No. Since the Affinity application is a cloud application that is accessible over the public internet, most of our users access the application directly by our URL on their browser. - Does Affinity require Relay State support?
No. - Have you enabled your site to automatically update your federated metadata information?
Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to valid signatures accordingly.