Configure single sign-on
After you configure single sign-on (SSO) with an external SAML identity provider using the following procedure, SSO is automatically enabled for your marketplace and users in your company can use that identity provider to authenticate into your marketplace.
To configure single sign-on
- Go to Manage > Company Settings > COMPANY SETTINGS | Single Sign-On. The single sign-on configuration page opens.
- Set the following _required_ values:

  Entity ID (Issuer): The unique identifier for the SAML identity provider. SAML assertions sent to the marketplace must include a <saml:Issuer> element whose value exactly matches this value. See User identifier and attributes to learn more.
  Login URL: The identity provider endpoint to which the marketplace sends SAML authentication requests to initiate SSO.
  Verification certificate: The public certificate issued by the identity provider, used by the marketplace to verify the digital signature on a SAML authentication response.

- (Optional) Update the following settings according to your company's needs:

  Service provider-initiated request binding: The HTTP method the marketplace uses when sending an authentication request to the Login URL. The default is HTTP Redirect (GET). Set to HTTP POST if your identity provider requires it.
  NameID policy format: The format set in the NameID policy of the SAML authentication request sent to the Login URL. The default is Unspecified, the format most commonly accepted by identity providers. Select Email or Persistent if your identity provider requires it.
  Sign authentication request: Generates a signature verification certificate. All single sign-on SAML authentication requests from the marketplace to the identity provider are digitally signed with this certificate, and the identity provider uses the public certificate to verify the signature. Click the eye icon to view the certificate details; click the download icon to download the certificate.
  Automatic user creation: When enabled, users are created automatically in your company the first time they log in to the marketplace using SSO. The default is disabled.
  Automatic user update: When enabled, users are updated automatically to reflect all recent changes each time they log in to the marketplace using SSO. The default is disabled.
  User account linking by email: When enabled, existing users are linked automatically by email address the first time they sign in to the marketplace with SSO. The marketplace uses the Email attribute included in the SAML response to look up the user by primary email address. The default is disabled.
  Force re-authentication on session expiration: When enabled, the ForceAuthn attribute is included in all SAML authentication requests sent to the identity provider's Login URL. If the identity provider supports ForceAuthn, users must log in again even if they have an active session with the identity provider. The default is enabled.
  Force SSO for end users: When enabled, all company end users must log in through the identity provider. When disabled, users can continue to log in with their marketplace username and password. Note that after this setting is enabled, all user passwords are reset and can no longer be managed through the marketplace. This setting does not apply to company administrators. The default is disabled.
  Update user roles: Automatically updates user roles when a user logs in with your SAML identity provider.
  Authorization Rules: Authorization rules restrict access to the marketplace based on attribute values sent in the SAML assertion. After the marketplace receives a valid SAML assertion from the identity provider, it compares the user's assertion attributes to the authorization rules that the Company Administrator configured. If the attributes match, the marketplace grants access; if they do not, it denies access. You can optionally configure an error result code and an authorization policy error URL to which denied users are redirected. The error code determines what is displayed on the policy error URL, for example an error message or an action the user can take. If you configure more than one authorization rule, only one needs to be true for the user to be granted access.

- (Optional) If the names that the IDP uses for any attributes differ from those used in the marketplace, map them to their marketplace equivalents. See Add attribute mapping.
- (Optional) If the names that the IDP uses for any roles differ from those used in the marketplace, map them to their marketplace equivalents. See Add role mapping.
- Click Save. SSO is automatically enabled for your company (the Enabled toggle turns green). Additionally, the service provider Entity ID (Issuer) and the ACS URL are automatically added to the Service Provider Configuration pane. IDP SSO can be disabled later.
- Scroll to the Service Provider Configuration pane, copy the Entity ID (Issuer) and ACS URL values that were generated when you clicked Save, and use them to configure your identity provider outside of the AppDirect platform.
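As an added example (not AppDirect's code), the following Python sketch models what the settings above change on each side of the exchange: the ForceAuthn flag and NameID policy format in the AuthnRequest the marketplace sends to the Login URL, and the exact Entity ID (Issuer) match, attribute mapping and any-one-rule-is-enough authorization logic applied to a received assertion. All URLs, attribute names and rule values are constructed placeholders, and signature verification with the Verification certificate is assumed to have already passed before authorize() runs.

```python
# Added example (not AppDirect code). Signature verification with the
# Verification certificate is assumed to happen before authorize() is called.
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_FORMAT = {  # "NameID policy format" setting -> SAML format URI
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "Email": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "Persistent": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
}

def build_authn_request(sp_entity_id, acs_url, login_url,
                        nameid_policy="Unspecified", force_authn=True):
    """AuthnRequest as the marketplace (SP) would send it to the Login URL."""
    req = ET.Element(f"{{{NS['samlp']}}}AuthnRequest", {
        "ID": "_req-1", "Version": "2.0", "IssueInstant": "2024-01-01T00:00:00Z",
        "Destination": login_url, "AssertionConsumerServiceURL": acs_url})
    if force_authn:  # "Force re-authentication on session expiration" setting
        req.set("ForceAuthn", "true")
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{NS['samlp']}}}NameIDPolicy",
                  {"Format": NAMEID_FORMAT[nameid_policy], "AllowCreate": "true"})
    return req

def authorize(assertion_xml, expected_issuer, attribute_map, rules):
    """Entity ID check, attribute mapping, authorization rules -> (granted, reason, attrs)."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    if issuer != expected_issuer:  # must match the configured Entity ID exactly
        return False, f"issuer mismatch: {issuer!r}", {}
    attrs = {}
    for a in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attribute_map.get(a.get("Name"), a.get("Name"))  # IdP -> marketplace name
        attrs[name] = [v.text for v in a.iterfind("saml:AttributeValue", NS)]
    if not rules:
        return True, "no authorization rules configured", attrs
    for rule in rules:  # with several rules, only one needs to be true
        if all(val in attrs.get(name, []) for name, val in rule.items()):
            return True, f"matched rule {rule}", attrs
    return False, "no authorization rule matched", attrs

# Constructed sample assertion (no real IdP); "mail" is the IdP's attribute name.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Sales</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Mapping the IdP's "mail" attribute to the marketplace's Email name is what makes "User account linking by email" able to find the existing user; an issuer that differs even by a trailing slash is rejected before any rule is evaluated.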
See the Troubleshooting guide for help with resolving integration issues.