
Setting Up Single Sign-On

Single sign-on (or SSO) is a system in which access to applications is mediated by an identity provider, or IdP. In essence, the IdP is a single authentication server through which users sign in to their applications: the user authenticates once, at the IdP, and each application trusts the IdP's statement about who the user is instead of collecting a password itself. Depending on how your organization deploys it, the IdP may be reachable only from within your corporate network. That system has multiple advantages:

To set up single sign-on, you configure the identity provider so it knows about Pulpstream (how to identify it and where to send users after they sign in), and you configure Pulpstream so it knows how to interact with that provider (where to send users to sign in, and which certificate to trust when checking the provider's signed responses).


Requirement:

The identity provider must be compliant with SAML 2.0, as, for example, OneLogin and Ping Identity are.
(SAML stands for "Security Assertion Markup Language". Basically, it is an XML-based language the two computer systems use to talk to each other: the identity provider asserts that it has authenticated a user and who that user is, and the application decides what that user may do. Both systems have to be speaking the same language, of course, or nothing much happens.)


SAML Response

Pulpstream expects the User Name of the Pulpstream account to match exactly the NameID value inside the <saml:Subject> element of the SAML Response the identity provider sends. If the identity provider sends, say, an e-mail address as the NameID, the Pulpstream User Name must be that same e-mail address; otherwise the user cannot be matched to a Pulpstream account even though the identity provider authenticated them.
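To make the matching rule concrete, here is an added Python example (not Pulpstream's code; how Pulpstream implements this internally is not described on this page) that takes a constructed, unsigned SAML Response, extracts the NameID from its <saml:Subject>, and checks it against a set of known user names. It also performs the checks a service provider must do around that lookup: the status is Success, the Destination and Recipient are our ACS URL, the Audience is our Service Provider Entity ID, and the assertion is inside its validity window. All URLs are placeholders, and the sample assumes the XML signature was already verified by the SAML library against the identity provider's certificate.

```python
import datetime as dt
import xml.etree.ElementTree as ET  # for XML arriving from the network, prefer defusedxml

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder values standing in for the Pulpstream-side settings (assumed, not real endpoints).
SP_ENTITY_ID = "https://pulpstream.example.com/saml/metadata"
ACS_URL = "https://pulpstream.example.com/saml/acs"
# A fixed "current time" inside the sample assertion's validity window, and one outside it.
SAMPLE_NOW = dt.datetime(2024, 1, 1, 0, 1, 0, tzinfo=dt.timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + dt.timedelta(minutes=10)

# Constructed sample SAML Response, not captured from any real identity provider.
# It carries no <ds:Signature>: this check assumes the signature over the Response
# has already been verified against the identity provider's X.509 certificate.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T00:00:30Z"
    Destination="https://pulpstream.example.com/saml/acs">
  <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_assert1" Version="2.0" IssueInstant="2024-01-01T00:00:30Z">
    <saml:Issuer>https://idp.example.com/saml/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T00:05:00Z"
            Recipient="https://pulpstream.example.com/saml/acs"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://pulpstream.example.com/saml/metadata</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _utc(ts):
    """Parse a SAML UTC timestamp, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return dt.datetime.strptime(ts, fmt).replace(tzinfo=dt.timezone.utc)
        except ValueError:
            continue
    raise ValueError("unsupported SAML timestamp: %r" % ts)


def check_response(xml_text, sp_entity_id, acs_url, known_users, now):
    """Return (True, username) when the Response maps to a known user, else (False, reason).
    The name match is exact and case-sensitive (an assumption; the page only says 'match')."""
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return False, "status is not Success"
    if root.get("Destination") != acs_url:
        return False, "Destination does not match our ACS URL"
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        return False, "expected exactly one Assertion"
    a = assertions[0]
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        return False, "missing Conditions/NotOnOrAfter"
    not_before = cond.get("NotBefore")
    if (not_before and now < _utc(not_before)) or now >= _utc(cond.get("NotOnOrAfter")):
        return False, "assertion outside its validity window"
    audiences = [e.text for e in a.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return False, "Audience does not match our Service Provider Entity ID"
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url or now >= _utc(scd.get("NotOnOrAfter")):
        return False, "SubjectConfirmationData is not for this ACS URL or has expired"
    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        return False, "Subject has no NameID"
    user = name_id.text.strip()
    if user not in known_users:
        return False, "no user named %r" % user
    return True, user
```

Running check_response against the sample with known_users containing "alice@example.com" yields the user name; with "Alice@example.com" instead it fails, which is the kind of silent mismatch (case, trailing domain, employee ID versus e-mail) to look for when a user the IdP authenticated still cannot get in.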

To set up single sign-on, start in Pulpstream:

  1. Go to the Gear Menu
  2. Click Account Management.
  3. Click Company Info.
  4. Go to the Single Sign-On tab.
  5. Click Enable Single Sign-On.
    The information you need to give to the identity provider appears, along with several
    empty fields that need to be configured with information you get from your provider.

Next, configure your identity provider:

  1. Add Pulpstream as an application.

  2. Give your identity provider the Pulpstream Access URL.
    This is the URL the identity provider uses to identify and reach Pulpstream.

  3. Give your identity provider the SAML Assertion Consumer Service (ACS) URL.
    This is the URL to which the identity provider sends its signed SAML Response (via the user's browser) once it has authenticated the user. Enter it exactly as shown; the identity provider will only deliver responses to the URL it has on record.

Finally, use the information you get from the identity provider to configure Pulpstream:

  1. Service Provider Entity ID
    The entity ID agreed with your identity provider to name Pulpstream, the "service provider" in SAML terms. (In effect, it's a "name", but one that tells the identity provider who it is talking to, sort of like "caller ID" on your phone. The identity provider puts this value into the Audience of every assertion it issues for Pulpstream, which is how Pulpstream can tell that an assertion was meant for it and not for some other application.) It must match exactly the value configured for the Pulpstream application on the identity-provider side.

  2. Identity Provider URL
    If Pulpstream is the first application a user opens, Pulpstream redirects the user's browser to this URL with a SAML authentication request. The user enters their login credentials at the identity provider, never in Pulpstream, and the identity provider then returns a signed SAML Response to the ACS URL. In an IdP, this URL may also be called the Initiate Single Sign-On (SSO) URL.

  3. Identity Provider URL-invocation method
    The type of HTTP request Pulpstream should send to the Identity Provider URL to start authentication.
    Typically, that value is 'POST': the SAML HTTP-POST binding, in which the browser submits the authentication request to the identity provider as a form field. (SAML also defines an HTTP-Redirect binding, which carries the request compressed in the URL query string.)

  4. Identity Provider X509 certificate
    This is the X.509 certificate your identity provider publishes for signing. The field is marked optional, but it is the certificate used to verify the signature on each SAML Response your identity provider sends, so supply it whenever your provider offers one, and update it whenever the provider rotates its signing certificate.
    It is a long block of base64-encoded text that starts with
    -----BEGIN CERTIFICATE-----

    and ends with
    -----END CERTIFICATE-----

    Copy everything, including those beginning and ending lines, and paste it into the field.
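The following added Python example (not Pulpstream's code; it only illustrates what the three settings above are used for) shows how a service provider turns the Service Provider Entity ID, the ACS URL and the Identity Provider URL into the authentication request that starts the SSO flow. It builds a <samlp:AuthnRequest>, packages it once for the HTTP-POST binding (the 'POST' invocation method) and once for the HTTP-Redirect binding, and decodes both packagings back to the same XML. All URLs are placeholders. Note what is absent from the request: the user's password, which the identity provider collects itself.

```python
import base64
import datetime as dt
import uuid
import zlib
from urllib.parse import parse_qs, urlencode, urlparse
from xml.sax.saxutils import escape

# Placeholder values standing in for the fields on the Single Sign-On tab;
# none of these are real Pulpstream or identity-provider endpoints.
SP_ENTITY_ID = "https://pulpstream.example.com/saml/metadata"  # Service Provider Entity ID
ACS_URL = "https://pulpstream.example.com/saml/acs"            # ACS URL given to the IdP
IDP_SSO_URL = "https://idp.example.com/sso/saml"               # Identity Provider URL


def build_authn_request(sp_entity_id, acs_url, idp_sso_url, request_id=None, issue_instant=None):
    """Build the <samlp:AuthnRequest> the service provider sends to the IdP.
    Issuer is our entity ID, Destination is the IdP URL, and ProtocolBinding tells
    the IdP to POST its Response back to AssertionConsumerServiceURL."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or dt.datetime.now(dt.timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    attr = lambda v: escape(v, {'"': "&quot;"})  # safe inside a double-quoted XML attribute
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        'ID="%s" Version="2.0" IssueInstant="%s" Destination="%s" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        'AssertionConsumerServiceURL="%s">'
        "<saml:Issuer>%s</saml:Issuer>"
        "</samlp:AuthnRequest>"
    ) % (attr(request_id), attr(issue_instant), attr(idp_sso_url), attr(acs_url), escape(sp_entity_id))


def post_binding_fields(authn_request_xml, relay_state="/"):
    """HTTP-POST binding: the browser auto-submits these form fields to the IdP URL."""
    return {
        "SAMLRequest": base64.b64encode(authn_request_xml.encode("utf-8")).decode("ascii"),
        "RelayState": relay_state,
    }


def redirect_binding_url(authn_request_xml, idp_sso_url, relay_state="/"):
    """HTTP-Redirect binding: raw DEFLATE, then base64, then URL-encoded query parameters."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15: raw DEFLATE, no zlib header
    deflated = comp.compress(authn_request_xml.encode("utf-8")) + comp.flush()
    query = urlencode({"SAMLRequest": base64.b64encode(deflated).decode("ascii"), "RelayState": relay_state})
    return idp_sso_url + "?" + query


def decode_post_request(fields):
    """What the IdP sees after receiving the POST form."""
    return base64.b64decode(fields["SAMLRequest"]).decode("utf-8")


def decode_redirect_request(url):
    """What the IdP sees after receiving the redirect."""
    params = parse_qs(urlparse(url).query)
    deflated = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(deflated, -15).decode("utf-8")


if __name__ == "__main__":
    req = build_authn_request(SP_ENTITY_ID, ACS_URL, IDP_SSO_URL)
    print(post_binding_fields(req)["SAMLRequest"][:60] + "...")
    print(redirect_binding_url(req, IDP_SSO_URL)[:80] + "...")
```

The IdP answers by sending the browser a SAML Response to AssertionConsumerServiceURL, signed with the private key matching the X.509 certificate you pasted into Pulpstream; that signature, and the Audience equal to the Service Provider Entity ID, are what let Pulpstream trust the response.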