Setup Custom Single Sign-On (SSO) with Affinity

Avatar
Aaron H.
  • Updated

What is SSO?

Single Sign-On is an authentication method that allows users to use one set of login credential to log into multiple applications.

How to Implement SSO?

How to set up SSO with SAML 2.0?

  1. Information Affinity needs from your IT/Admin:
    • Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
    • Metadata URL (or XML file for the Metadata)
      Use “affinity” as your Client ID (this is case sensitive)
  2. Redirect (reply) URIs for the Affinity Web Application
    • https://{your deployment name}.affinity.co/sso/callback​ (login)
    • https://{your deployment name}​.affinity.co/logout​ (logout)
  3. Set up an Impersonation Service Account to sync your emails

How to set up SSO with Open ID?

  1. Information Affinity needs from your IT/Admin:
    • Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
    • Metadata URL (or XML file for the Metadata)
    • Mobile Client ID
    • Mobile Client Secret
    • Client ID (this is case sensitive)
  2. Redirect (reply) URIs for the Affinity Web Application
    • https://{companysubdomain}.affinity.co/sso/callback​ (login)
    • https://{companysubdomain}​.affinity.co/logout​ (logout)
  3. Mobile Login/Logout redirect URIs
    • AffinitySSOLogin://login
    • AffinitySSOLogin://logout
  4. Set up an Impersonation Service Account to sync your emails

FAQ

  • What type of SSO does Affinity support?
    Affinity currently supports SAML 2.0 or OpenID Connect as an authentication method. Custom SSO integrations are only available for users who use Microsoft Exchange or Office365 as an email provider.

  • Does Affinity support Service Provider initiated(Web Browser) SSO?
    Yes.

  • What claims does Affinity require in the callback request?
    We only require the user’s email address.

  • What’s the most secure hash algorithm that Affinity accepts?
    SHA256.

  • Does Affinity require token encryption?
    We do not require token encryption. We won’t be making any additional requests after initial authentication so this shouldn’t be necessary.

  • Does Affinity require Relaying Party-Initiated(RP) Sign-On?
    No. Since the Affinity application is a cloud application that is accessible over the public internet, most of our users access the application directly by our URL on their browser.

  • Does Affinity require Relay State support?
    No.

  • Have you enabled your site to automatically update your federated metadata information?
    Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to valid signatures accordingly.

Related articles

Articles in this section