What is SSO?
Single Sign-On (SSO) is an authentication method that allows users to use one set of login credentials to log into multiple applications.
Who can set up custom SSO with Affinity?
- Only those on the Enterprise tier will be able to set up custom SSO access to their Affinity account.
What are the different syncing options available with custom SSO?
- If your team is on Google and has a different SSO provider, your IT must set up a domain-wide delegation, which will allow syncing or non-syncing at the entire organization level.
- In other words, your IT team will not be able to set up syncing permissions for some and non-syncing permissions for others at the individual level - it has to be one or the other for the entire organization.
- If your team is on Azure (Office365), then the Microsoft Graph Client Credential flow is required to sync data, which will allow syncing or non-syncing at the individual level.
- In other words, your IT team will be able to set up syncing permissions for some and non-syncing permissions for others at the individual level.
- If your team is on Microsoft On-Premise (or Hosted) Exchange, then an Impersonation Service Account is required to sync data, which will allow syncing or non-syncing at the individual level.
- In other words, your IT team will be able to set up syncing permissions for some and non-syncing permissions for others at the individual level.
How to set up SSO with SAML 2.0
Step 1. Affinity needs the following information from your IT/Admin:
- Audience URI/Client/SP Entity ID (e.g. affinity)
- Name ID Format set to Email Address
- Your Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
- Your Metadata URL. (This will contain the cert)
- (Optional) Set relay state to IDP-INITIATED-FLOW. This is only necessary if you wish to configure a seamless IDP flow.
- Note: Make sure one of the attributes is “email” (see example below).
Step 2. Redirect (reply) URIs for the Affinity Web Application. Also known as Single sign on URL.
- https://[subdomain].affinity.co/auth/sso/saml-callback (login)
- https://[subdomain].affinity.co/sso/callback (needed for mobile login)
- https://[subdomain].affinity.co/logout (logout)
Step 3. For setting up data syncing, please follow one of the three options below:
- If your team is on Google and has a different SSO provider, your IT must set up a domain-wide delegation.
- If your team is on Azure (Office365), then the Microsoft Graph Client Credential flow is required to sync data.
- If your team is on Microsoft On-Premise (or Hosted) Exchange, then an Impersonation Service Account is required to sync data.
- Here are the necessary pieces of information that you/your team must send over to support@affinity.co to set up your Impersonation Service Account and leverage Affinity:
- Mail server EWS URL
- Impersonation Email Address
- Impersonation Username (not always required)
- Impersonation Password
How to set up SSO with OpenID
Using OpenID, you will most likely need to set up two apps - one for web (see Step 2) and one for mobile (see Step 3).
Step 1. Affinity needs the following information from your IT/Admin:
- Audience URI/Client/SP Entity ID (e.g. affinity)
- Client Secret
- Name ID Format set to Email Address
- Identity Provider (IdP) - (e.g. Okta, Azure, etc.)
- OIDC Discovery Endpoint
- Mobile Client ID
- Mobile Client Secret
- (Optional) Set relay state to IDP-INITIATED-FLOW. This is only necessary if you wish to configure a seamless IDP flow.
- Note: Make sure one of the attributes is “email” (see example below).
Step 2. Redirect (reply) URIs for the Affinity Web Application (for web)
- Sign in: https://[subdomain].affinity.co/auth/sso/openid-callback
- Sign out: https://[subdomain].affinity.co/logout
Step 3. Mobile Login/Logout redirect URIs (for mobile)
- Login: AffinitySSOLogin://login
- Logout: AffinitySSOLogin://logout
Step 4. For setting up data syncing, please follow one of the three options below:
- If your team is on Google and has a different SSO provider, your IT must set up a domain-wide delegation.
- If your team is on Azure (Office365), then the Microsoft Graph Client Credential flow is required to sync data.
- If your team is on Microsoft On-Premise (or Hosted) Exchange, then an Impersonation Service Account is required to sync data.
- Here are the necessary pieces of information that you/your team must send over to support@affinity.co to set up your Impersonation Service Account and leverage Affinity:
- Mail server EWS URL
- Impersonation Email Address
- Impersonation Username (not always required)
- Impersonation Password
Frequently Asked Questions
What type of SSO does Affinity support?
- Affinity currently supports SAML 2.0 or OpenID Connect as an authentication method.
- Yes. Set relay state to IDP-INITIATED-FLOW.
- We only require the user’s email address.
- SHA256.
- We do not require token encryption. We won’t make any additional requests after initial authentication, so this shouldn’t be necessary.
- No. Affinity is a cloud application accessible over the public internet; most of our users access the application directly by our URL on their browser.
- No.
- Yes. We periodically refresh the metadata stored for your organization from your metadata URL. For example, if your public key changes, Affinity will detect the change and continue to validate signatures accordingly.
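The metadata URL requested for SAML setup carries the IdP's signing certificate, and the final FAQ answer above describes refreshing that metadata periodically so a key change is picked up. The following is an added example (not Affinity's code): it parses a constructed IdP metadata document, fingerprints each signing certificate with SHA-256, checks that the email NameID format is offered, and diffs fingerprints across two refreshes to flag a rotation. The idp.example.test endpoints and the certificate placeholders are constructed and stand in for a real provider's values.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed IdP metadata (not a real provider's document); {cert} is filled
# with a placeholder blob that stands in for base64 DER certificate bytes.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.test/saml">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
   Location="https://idp.example.test/sso/redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def placeholder_cert(label: str) -> str:
    """Base64 of a labelled placeholder standing in for DER certificate bytes."""
    return base64.b64encode(f"constructed-cert:{label}".encode()).decode()

def parse_idp_metadata(xml_text: str) -> dict:
    """Pull out what an SP must track: signing-key fingerprints, the SSO
    endpoint, and whether the email NameID format the page requires is offered."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    fps = set()
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # no 'use' attr = signing+encryption
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))  # strip PEM line breaks
            fps.add(hashlib.sha256(der).hexdigest())
    formats = [f.text for f in idp.findall("md:NameIDFormat", NS)]
    return {"signing_fingerprints": fps,
            "email_nameid": EMAIL_FORMAT in formats,
            "sso_url": idp.find("md:SingleSignOnService", NS).get("Location")}

def refresh(stored_fps: set, xml_text: str) -> dict:
    """One periodic refresh: diff the stored fingerprints against the metadata
    currently published, so a key rotation is detected rather than breaking logins."""
    current = parse_idp_metadata(xml_text)["signing_fingerprints"]
    return {"added": current - stored_fps, "retired": stored_fps - current,
            "rotated": current != stored_fps, "current": current}
```

Call `refresh(stored, METADATA_TEMPLATE.format(cert=placeholder_cert("v2")))` with the fingerprints stored from an earlier parse to see the rotation reported.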