You can configure Freshworks to provide SAML SSO for your users. With this release, the entire Freshworks suite of products has SSO capability. The user is authenticated by the SAML provider you configure on your side, and user attributes such as the email address are sent back to Freshworks.


Overview of SAML

 

Security Assertion Markup Language (SAML) is a mechanism used for communicating identities between two web applications. It enables web-based Single-Sign-On and hence eliminates the need for maintaining various credentials for various applications and reduces identity theft. 



How does SAML SSO in Freshworks work?

  1. A user wants to log into Freshworks using SAML SSO

  2. Freshworks redirects the user to the login URL provided by the Identity Provider (for example, OneLogin)

  3. User enters their credentials and OneLogin validates the user

  4. OneLogin redirects the user to Freshworks’ Consumer Assertion URL and passes a SAML Assertion telling Freshworks that the user is valid

  5. User Attributes like Email address, First name, and Last name of the user will be sent along with the Assertion by OneLogin to Freshworks

  6. Freshworks verifies OneLogin’s certificate and grants the user access

 

The email address of the user is the only field that Freshworks requires. Here is a sample of how the email address is passed:

 

  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">example@test.awesomecompany.com</saml:NameID>


SAML usually involves three things:

  • A user: the person requesting the service.

  • A service provider: the application providing the service or protecting the resource.

  • An identity provider: the service or repository that manages the user information.


The user requests SAML SSO to access a resource that is protected by a service provider. The service provider asks the identity provider to authenticate the user. The identity provider checks that the user exists and sends back an assertion to the service provider that may or may not include the user information. The communication between the identity and service providers happens in the SAML data format.

 

You can configure Freshworks to act as the service provider in this mechanism. You can use your own SAML server as the Identity Provider, or a third-party application such as OneLogin or Okta.


A quick guide to configuring SAML 2.0 SSO on Freshworks:


  • Log into your Freshworks account as an Administrator

  • Go to Admin > Security

  • Toggle ‘SSO’ ON and choose SAML SSO

  • Enter the following details (obtained from your SAML Identity provider)
    • SAML Entity ID
    • SAML SSO URL
    • Logout URL
    • Security Certificate
  • Ensure your SAML responses are signed by default
  • Click on Save

    


 

Fields required by your Identity Provider

 

The identity provider requires a Consumer Assertion (ACS) URL to which it redirects the user after authentication. The Freshworks team provides a custom assertion URL for your account, and you use this URL to configure SAML in your Identity Provider. You can find it when you select SAML as the login method under the single sign-on section of the Security page.


The SP Entity ID is also provided by Freshworks and can be found below the ACS URL. It helps the Identity Provider identify the Freshworks service provider (SP).


When the user requests SAML SSO by arriving at the Freshworks URL, the XML Assertion will be sent to the ACS URL.