Enabling SSO authentication for your account allows you to leverage your existing Identity Provider to manage your GoCanvas users. This is especially valuable if you are managing a large number of users and need more control over who has access to their GoCanvas account.
Note: You cannot use both SSO and LDAP simultaneously.
To begin, ask your GoCanvas sales representative or account manager to enable SSO integration for your account. Once that's done, visit the SSO settings page by navigating to Home>Account>Customize>SSO Settings and clicking the edit icon.
On this screen, you're presented with several fields:
- Issuer URI: This is the Issuer URI of the Identity Provider. This value is usually the SAML Metadata EntityID of the IDP EntityDescriptor.
- Sign In URL: The URL to which the authentication request should be sent. This would be on the identity provider.
- X509 Signing Certificate: This is the certificate of the Identity Provider used to verify SAML message and assertion signatures.
- Sign Out URL: This is the URL location where the single logout response will be sent.
- User Id Attribute: This is the attribute in the SAML token that will be mapped to the user_id property.
- Metadata URL: This is the Identity Provider metadata URL. An Identity Provider metadata contains keys, services, and URLs that define its SAML endpoints.
- Sign Request: Specifies whether to sign SAML AuthnRequest messages sent from GoCanvas to the Identity Provider. When enabled, the SAML authentication request will be signed. Download the certificate (open the "View setup instruction for IDP provider" section) and give it to the Identity Provider that will receive the signed assertion so it can validate the signature.
- Sign Request Algorithm: Specifies the signature algorithm used to sign SAML AuthnRequest messages sent to the Identity Provider.
- Sign Request Digest Algorithm: Determines the digest algorithm used to digitally sign the SAML assertion and response.
- Enable for All Users: Checking this will enable SSO authentication for all users on the account. If you would like to manually enable SSO authentication for users, leave this unchecked. To enable SSO for individuals, visit their Profile page by clicking on their name on the Users page under the Account section.
- View setup instruction for IDP provider: This help block provides instructions for setting up the IDP provider. Click on it to view the configuration values that are required to set up your Identity Provider. You can also download the certificate and give it to the Identity Provider that will receive the signed assertion so it can validate the signature.
You can add your SSO users to GoCanvas by visiting Home>Account>Add Users. You can choose to add users one by one or you can add multiple user seats at once and then populate them with your users by clicking the "Fill Seat" button for any empty seat.
In either case, if you have SSO configured within your account, the form will choose the "Use SSO Authentication" checkbox for you. If you wish to set up any particular user to not use SSO for authentication, unchecking this box will present you with options for setting the user's password directly within GoCanvas.
Disabling a user within your authentication server will not disable their GoCanvas account, but it will prevent them from logging in. Note that already authenticated users will remain authenticated on the web, but will be unable to log in or sync via the GoCanvas mobile application. If it's important that their access to GoCanvas be revoked immediately, disable the user on the website by visiting Home>Account>Users and clicking the Disable link for that user.
Editing a user's settings
At any time, you can turn off SSO authentication for their GoCanvas account by visiting Home>Account>Users and clicking on the user's name, then clicking "Edit SSO Settings."
Ordinarily GoCanvas provides a user who has forgotten his or her password a means by which to reset it. There's a "Forgot Password?" link underneath the login form that allows the user to have a link sent to them by which they can recover their account. However, when a user is configured to authenticate to an Identity Provider, GoCanvas is unable to provide this service. Instead, when a user visits the "Forgot Password" form and enters their email address, GoCanvas detects that they are an SSO user and prompts them to seek help from their company IT department or help desk.
How it works
GoCanvas uses an "SP-Initiated SSO" method of authenticating your users to your Identity Provider. When a user attempts to authenticate, GoCanvas looks up the identity provider settings you configured and determines the user's SSO settings. The request is redirected to the Identity Provider to handle authentication. If the user is not already logged on to the Identity Provider site or if re-authentication is required, the Identity Provider asks for credentials (e.g., username and password). The Identity Provider's SSO service returns an HTML form to the browser with a SAML response containing the authentication assertion and any additional attributes. The browser automatically posts the HTML form back to GoCanvas. If the authentication assertion for the user succeeds, GoCanvas considers the user to be authenticated and allows him or her access. If the authentication assertion fails, the user is denied access.
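To make the last step concrete, here is an added example (not GoCanvas code) of the checks a service provider applies to the SAML response the browser posts back: the status must be Success, both issuers must equal the configured Issuer URI, the assertion must be inside its validity window and addressed to this SP, and the configured User Id Attribute must be present. It assumes a constructed response with placeholder issuer, audience and subject, and it deliberately omits signature verification, which needs an XML-DSig library and must run before any of these checks are trusted.

```python
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
# Constructed SAML Response; issuer, audience, subject and times are placeholders.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.test/saml/metadata</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def encode_for_post(xml_text):
    # What the IdP places in the hidden SAMLResponse field of the auto-posted form.
    return base64.b64encode(xml_text.encode()).decode()

def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def user_id_from_response(saml_response_b64, issuer_uri, sp_entity_id, user_id_attribute, now):
    # Returns (user_id, None) when every check passes, else (None, reason).
    # Signature verification is NOT performed here (needs an XML-DSig library).
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        return None, "IdP reported authentication failure"
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        return None, "response has no assertion with Conditions"
    for el in (root.find("saml:Issuer", NS), assertion.find("saml:Issuer", NS)):
        if el is None or el.text.strip() != issuer_uri:
            return None, "issuer does not match the configured Issuer URI"
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        return None, "assertion is outside its validity window"
    audiences = [a.text.strip() for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        return None, "assertion was not issued for this service provider"
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == user_id_attribute:
            return attr.find("saml:AttributeValue", NS).text.strip(), None
    return None, "configured User Id Attribute %r is missing" % user_id_attribute
```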