Single Sign-On

Single sign-on (SSO) in enterprise refers to the ability for employees to log in just one time with one set of credentials to get access to al corporate applications, websites, and data for which they have permission. SSO solves key problems for the business by providing: Greater security and compliance

SAML 2.0 Compliant Identity Provider Configuration

Security Assertion Markup Language (SAML) is an open standard to securely exchange authentication and authorization data between an enterprise Identity Provider and JESI (the Service Provider)

SAML 2.0 Sign-On Experience

JESI currently supports the Identity Provider Login experience

Identity Provider Initiated Login Experience

With the Identity Provider initiated login experience, users directly access the enterprise’s login manager and sign in to confirm their identity. The enterprise’s Identity Provider sends the SAML2 response directly to the JESI platform. The user is logged in and redirected to the JESI application where they can access resources without requiring further authentication

SAML responses will be matched to pre-configured JESI accounts by an email address attribute assertion. JESI accounts will only be matched if they reside within the context of the configured Identity Provider

Service Provider Initiated Login Experience

Note: Service Provider (SP) initiated enterprise logins are expected to be supported in the future. The experience will differ from Identity Provider Initiated

Single Logout (SLO) Experience
JESI supports the SAML2 Identity Provider initiated Single Logout flow to terminate active user session(s)

Note: Logging out of JESI will terminate the user’s current session and will require re-authentication for access. JESI does NOT support Service Provider initiated SLO

Joining the Organisation Automatically
JESI currently requires user accounts to be created and activated within the JESI platform prior to access being granted via an enterprise Identity Provider

Note: Just in Time (automatic) provisioning of JESI accounts will be supported in the future. Currently, users must have an account set up prior to using SSO (at this stage, the simplest way to do this is to import users)

Configure your JESI access with a SAML Identity Provider

JESI Service Provider Configuration

For configuration within an identity provider, the following settings should be used

Setting Description Value
Entity ID JESI Service Provider Entity ID https://api.jesi.io/
Metadata URL XML document containing information necessary for interaction with SAML-enabled identity providers. The document contains e.g. URLs of endpoints, information about supported bindings, identifiers and public keys. https://apiv2.jesi.io/sso/saml2/metadata
Reply/ACS URL The reply URL will be the destination in the SAML response for IDP-initiated SSO. https://apiv2.jesi.io/sso/saml2/acs
HTTP-POST
Logout URL URL to send the SAML Logout response back to the application. https://apiv2.jesi.io/sso/saml2/logout
HTTP-POST
Login URL URL contains the sign-in page for this application that will perform the service provider-initiated single sign-on. Not currently available
Authn Requests Signed Service Provider requests will be signed true
Want Assertions Signed Identity Provider Assertion responses will be signed true
Encrypted Assertions JESI supports encrypted SAML2 assertion responses. The Identity Provider can optionally encrypt the assertion portion of the SAML2 responses. All SAML2 traffic to and from the JESI platform is already encrypted using HTTPS, but this adds another layer of security. optional

Identity Provider Configuration Required by JESI
For configuration within JESI, the following settings need to be provided.

Setting Description Optionality
Entity ID This will be the audience of the SAML response for IDP-initiated SSO. Required
X509 Certificate BCertificate, encoded in the BASE 64 format, for the enterprise Identity Provider. This is the certificate that allows JESI to verify the digital signature in the SAML responses sent to it from the enterprise Identity Provider. Required
Login URL (Redirect) Identity Provider’s Login URL (that supports HTTP Redirect binding) that JESI should use to allow a member to sign in. Used in the future to enable Service Provider Initiated Login Optional
Login URL (HTTP-POST) BIdentity Provider’s Login URL (that supports HTTP POST binding) that JESI should use to allow a member to sign in. Used in the future to enable Service Provider Initiated Login Optional

Contact the administrator of the Identity Provider if you need help determining which source of metadata information you need to provide.

User Attributes and Claims

JESI requires the following attribute information to be received from the Identity Provider when a user signs in.

Claim Name Description Optionality
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier Unique User Identifier. Persisted to support Identity Provider logout requests. Required
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress User’s Email address. Used to match to an enabled JESI account. Required
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname User’s Given Name. Will be used in the future for Just in Time provisioning. Required
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname User’s Surname. Will be used in the future for Just in Time provisioning. Required
http://jesi.io/sso/saml/2021/01/identity/claims/title User’s Position Title. Will be used in the future for Just in Time provisioning. Missing values will be prompted for completion by the user prior to account provisioning. Optional
http://jesi.io/sso/saml/2021/01/identity/claims/mobilenumber User’s Position Title. Will be used in the future for Just in Time provisioning. Missing values will be prompted for completion by the user prior to account provisioning. Optional

Note: The mobilenumber claim will be used in the future to enhance the just-in-time account provisioning.

Feedback

Was this helpful?

Yes No
You indicated this topic was not helpful to you ...
Could you please leave a comment telling us why? Thank you!
Thanks for your feedback.

Post your comment on this topic.

Please do not use this for support questions.
Customer Support

Post Comment