You can configure Freshworks to provide SAML SSO for your users. With this release, all products in the Freshworks suite will have SSO capability. The user is authenticated by whichever SAML provider you configure on your side, and user attributes such as the email address are sent back to Freshworks.
Overview of SAML
Security Assertion Markup Language (SAML) is a mechanism for communicating identities between two web applications. It enables web-based single sign-on, which eliminates the need to maintain separate credentials for each application and reduces identity theft.
How does SAML SSO in Freshworks work?
- A user wants to log into Freshworks using SAML SSO
- Freshworks redirects the user to the login URL provided by the Identity Provider (for example, OneLogin)
- The user enters their credentials and OneLogin validates the user
- OneLogin redirects the user to Freshworks’ Consumer Assertion URL and passes a SAML Assertion telling Freshworks that the user is valid
- User attributes like Email address, First name, and Last name of the user are sent along with the Assertion by OneLogin to Freshworks
- Freshworks verifies OneLogin’s certificate and grants the user access
The email address of the user is the only required field that Freshworks needs. Here is sample code showing how the email address is passed:
SAML usually involves three things:
- A user: the person requesting the service.
- A service provider: the application providing the service or protecting the resource.
- An identity provider: the service/repository that manages the user information.
The user requests SAML SSO to access a resource that is protected by a service provider. The service provider asks the identity provider to authenticate the user. The identity provider checks that the user exists and sends back an assertion to the service provider that may or may not include the user information. The communication between the identity and service providers happens in the SAML data format.
You can configure Freshworks to act as the service provider in this mechanism. You can use your own SAML server as the identity provider, or a third-party application such as OneLogin or Okta.
A quick guide to configuring SAML 2.0 SSO on Freshworks:
- Log into your Freshworks account as an Administrator
- Go to Admin > Security
- Toggle ‘SSO’ ON and choose SAML SSO
- Enter the following details (obtained from your SAML Identity provider)
  - SAML Entity ID
  - SAML SSO URL
  - Logout URL
  - Security Certificate
- Ensure your SAML responses are signed by default
- Click on Save
Fields required by your Identity Provider
The identity provider requires a Consumer Assertion (ACS) URL to which it redirects the user after authentication. The Freshworks team will provide a custom assertion URL for your account, and you can use this URL to configure SAML in your Identity Provider. You can obtain it by selecting SAML as the login method under the single sign-on section of the security page.
The SP Entity ID is also provided by Freshworks and can be found below the ACS URL. It helps the Identity Provider identify the Freshworks service provider (SP).
When the user requests SAML SSO by arriving at the Freshworks URL, the XML Assertion will be sent to this URL.
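A pre-flight check for the settings described above, added here as an example and not Freshworks code: it inspects a decoded SAML Response captured from a test login at your own IdP and reports whether it carries a signature element, targets the ACS URL, names the SP Entity ID as audience, and passes an email address. Assumptions: the email is carried in the Subject NameID, and the URLs and the sample response are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "a": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def preflight(response_xml, acs_url, sp_entity_id):
    """Structural checks on a decoded SAML Response; returns a list of problems.
    It does NOT verify the XML signature, only that one is present."""
    root = ET.fromstring(response_xml)
    if root.tag != "{%s}Response" % NS["p"]:
        return ["root element is not samlp:Response"]
    assertion = root.find("a:Assertion", NS)
    if assertion is None:
        return ["no plaintext Assertion found"]
    problems = []
    # A signature counts only as a direct child of the Response or the Assertion.
    if root.find("ds:Signature", NS) is None and assertion.find("ds:Signature", NS) is None:
        problems.append("neither Response nor Assertion is signed")
    if root.get("Destination") != acs_url:
        problems.append("Destination does not match the ACS URL")
    audiences = [a.text.strip() for a in assertion.iterfind(".//a:Audience", NS) if a.text]
    if sp_entity_id not in audiences:
        problems.append("SP Entity ID missing from the Audience list")
    # Assumption: the email address is carried in the Subject NameID.
    name_id = assertion.find("a:Subject/a:NameID", NS)
    email = (name_id.text or "").strip() if name_id is not None else ""
    if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
        problems.append("NameID is not an email address")
    return problems

# Constructed sample values; use the ACS URL and SP Entity ID from your own account.
ACS = "https://sp.example.invalid/saml/acs"
SP_ID = "https://sp.example.invalid/saml/metadata"
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Destination="https://sp.example.invalid/saml/acs">
  <saml:Assertion>
    <saml:Subject><saml:NameID>jane@example.com</saml:NameID></saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://sp.example.invalid/saml/metadata</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(preflight(SAMPLE, ACS, SP_ID))
```

The constructed sample is unsigned on purpose, so the check reports the missing signature, which is the condition the "responses are signed" step is meant to rule out.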