This article describes how SSO (via SAML2) can be achieved to power login for your users with the SimplyDo platform.

Whilst most SimplyDo functionality can (and usually will) be set up for you by your account manager during onboarding, it may be worth taking a look through this guide in case there are other options you may wish to take advantage of.

This document covers the SimplyDo setup in addition to settings you may need to configure your SAML2 identity provider.

1. Introduction

SimplyDo has inbuilt support for handling login flows via the SAML2 (Security Assertion Markup Language) protocol.

Setting up SSO via SAML2 involves configuration changes on both sides: the Service Provider (in this case, SimplyDo) and the Identity Provider (your organisation’s SAML2-compliant identity provider system). This document covers the set-up on both sides, where possible.

Login with SAML2 is available to all SimplyDo organisational accounts.

The Login with SAML2 flow involves the following steps:

  • The user arrives at the SimplyDo platform (web or mobile app);

  • The user is redirected automatically to login with your organisation’s identity provider, along with a SAML request generated by SimplyDo;

  • Upon successful login, your identity provider generates a SAML response and redirects the user back to SimplyDo;

  • SimplyDo parses and validates the SAML response and extracts the necessary data;

  • The user is then logged-in to SimplyDo and is returned to the web or mobile app they started from.

These steps are handled automatically in concert between SimplyDo and your identity provider’s systems.

2. Alternatives

If you use Azure Active Directory (for example, if your organisation already uses Microsoft Teams or Office 365) then we would recommend instead that you use SimplyDo’s Login with Microsoft facility, which leverages the more modern OpenID Connect (OAuth2) protocol. This is generally much easier and quicker to set up, and allows for additional extensibility (e.g. integration with other Microsoft systems).

Organisations can switch between using SAML2 or Microsoft login, should this be necessary.

3. Configuring SAML2 on SimplyDo

SimplyDo needs to be provided with some information in order to communicate correctly with your identity provider.

This section describes how the SimplyDo platform can be configured to allow users to login to SimplyDo via SAML2.

Please note: these steps will likely be carried out by your account manager on your behalf, if you are able to provide the necessary details.

3.1. Complete the SAML2 SSO setup

In your SimplyDo account navigate to the Sign-on tab of your organisational Settings.

Here click “Manage” next to the SAML SSO option.

You will then be presented with the SAML2 settings for SimplyDo.

On this screen you will need to provide:

  • Sign-on URL (the URL that SimplyDo will direct users to with the SAML request)

  • Sign-out URL (the URL that SimplyDo will direct users to upon logout)

  • An X.509 certificate (in PEM format) for validating the assertions

You may also wish to provide attribute mappings. These represent the attribute names (or OIDs) used to contain user profile data in the SAML assertion from your identity provider. Some examples are shown in the image above, and they will vary between identity providers, but we recommend supplying attribute mappings for:

  • Email address (this is required)

  • First name

  • Last name

On this screen you may wish to also provide Authorisation settings. Here, SimplyDo can approve/reject login attempts based on an attribute’s value. For example, if SimplyDo should only be available to users in the “Finance” department, which is supplied in an assertion attribute called “department”, then you could use “department” as the Attribute name and “Finance” as the Pattern to match, as shown in the image below.

3.2. Switch on SAML2 login

Once the setup has been completed as explained in section 3.1, SAML2 can be turned on for your organisational account.

To do so, navigate to the Sign-on tab of your organisational Settings. Here, enable the toggle for SAML SSO.

Users visiting the sign-on page for your organisation can now choose to Login via single sign-on.

4. Setting up your identity provider

Your identity provider (IdP) will need to be provided with some information in order for it to be able to communicate properly with SimplyDo.

4.1. Find the necessary details in SimplyDo

Generally, your account manager will be able to provide the SAML2 connection details to you. Additionally, all of the information needed should be available from within SimplyDo.

To find these details, navigate to the Sign-on tab of your organisational Settings. Here, click the “Manage” link next to “SAML SSO”.

At the bottom of the next screen, you will see some details displayed in the Configure your provider section.

Make a note of these details in order to configure your identity provider later.

4.2. Create a SimplyDo service provider for your identity provider

The next stage is to provide the necessary information to your identity provider.

Depending on the particular SAML2 software used for your identity provider, the interface will vary. However, the key concepts should remain the same.

To start, open up the management console for your organisation’s identity provider. In the console, find the section called Connected apps (this may be called Service Providers or Apps, depending on your software).

In the Connected apps section, choose the option to Register a new SP (this may be called Create app or Register Service Provider, depending on your software).

In the Register a new SP flow, provide the information you noted from SimplyDo earlier in section 4.1.

Please note the following:

  • The Friendly name (or App name) can be anything. We recommend using “SimplyDo”.

  • For the Service URL (or App URL) use the Sign-on URL (noted from SimplyDo)

  • For the Entity ID we recommend using the Metadata URL (noted from SimplyDo).

  • For the ACS URL (or Assertion URL) use the ACS URL (noted from SimplyDo).

If your identity provider allows you to select an HTTP method for making login assertions, please make sure to use POST requests.

Once you’re happy with the settings, complete the setup, and you should see the SimplyDo app listed as a service provider.

4.3. Configure your identity provider’s attribute mappings

Earlier, in section 3.1, we provided some attribute mappings to SimplyDo. You should ensure these are correctly configured in your identity provider so that the data can flow seamlessly between the identity provider and service provider.

Depending on your identity provider software, these steps might be different, but the concepts should remain largely the same.

In your identity provider console’s Settings or Users area, find the appropriate configuration for managing your attributes. Here, you should be provided with options to check or change the SAML2 mapping for specific attributes.

In the example below, we are inspecting the information about the “Group” attribute, which has a default value of “staff” (which can be overridden on a per-user basis) and has a SAML2 mapping of “group”.

Repeat the process for the attributes for the user’s email address, their first name, and their last name, and ensure they match against what was configured earlier in SimplyDo.

Once configured correctly, and the relevant settings are enabled on your particular identity provider, single sign-on via SAML2 will now be ready for use.
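Before switching SAML2 on, you can check that a response captured from your identity provider carries the attributes under the names entered in section 3.1 and would pass the Authorisation rule. The script below is an added example, not SimplyDo code: it checks attribute naming only and does not verify the signature. The attribute names `mail`, `givenName` and `sn`, the sample response, and the treatment of the Pattern as a regular expression that must match a whole value are all assumptions.

```python
import base64
import re
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Assumed values: the attribute names entered on the SimplyDo SAML2 screen.
MAPPINGS = {"email": "mail", "first_name": "givenName", "last_name": "sn"}
AUTH_RULE = ("department", "Finance")  # (Attribute name, Pattern to match)

def read_attributes(saml_response_b64):
    """Decode a captured SAMLResponse form value and return {name: [values]}."""
    xml_bytes = base64.b64decode(saml_response_b64)
    if b"<!DOCTYPE" in xml_bytes:  # refuse DTDs: avoids entity-expansion input
        raise ValueError("DOCTYPE not allowed in a SAML response")
    attrs = {}
    path = ".//saml:AttributeStatement/saml:Attribute"
    for attr in ET.fromstring(xml_bytes).iterfind(path, SAML_NS):
        values = [(v.text or "").strip()
                  for v in attr.iterfind("saml:AttributeValue", SAML_NS)]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs

def check(attrs, mappings=MAPPINGS, rule=AUTH_RULE):
    """Return (profile, problems) for one assertion's attributes."""
    profile, problems = {}, []
    for field, name in mappings.items():
        values = [v for v in attrs.get(name, []) if v]
        if values:
            profile[field] = values[0]
        else:
            kind = "required" if field == "email" else "optional"
            problems.append(f"{kind} attribute '{name}' ({field}) missing")
    rule_name, pattern = rule
    # Assumption: the pattern is a regex that must match a whole value.
    if not any(re.fullmatch(pattern, v) for v in attrs.get(rule_name, [])):
        problems.append(f"authorisation: '{rule_name}' does not match '{pattern}'")
    return profile, problems

def sample_response(department, with_email=True):
    """Constructed sample: a minimal, unsigned response for illustration only."""
    def a(n, v):
        return (f'<saml:Attribute Name="{n}"><saml:AttributeValue>{v}'
                '</saml:AttributeValue></saml:Attribute>')
    body = a("givenName", "Ada") + a("sn", "Byron") + a("department", department)
    body += a("mail", "ada@example.org") if with_email else ""
    xml = ('<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
           'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Assertion>'
           f'<saml:AttributeStatement>{body}</saml:AttributeStatement>'
           '</saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()

if __name__ == "__main__":
    for dept in ("Finance", "Marketing"):
        print(dept, check(read_attributes(sample_response(dept))))
```

An empty problems list means the mappings and the rule line up with what the identity provider sends; any entry names the attribute to fix on one side or the other.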

5. Conclusion

In this article we have outlined the process for configuring SimplyDo single sign-on via the SAML2 login flow.

If you have any questions or problems with this setup, please just get in touch with your account manager.
