Beamery SSO Fact Sheet

Overview

This document describes the Beamery SAML SSO solution and how it works. Beamery's SSO system is built on SAML 2.0 (Security Assertion Markup Language), which defines a common way for different SSO providers to exchange authentication information. Beamery specifically uses the service provider initiated SSO exchange.

Terms

What follows is a list of terms used in relation to SAML SSO:

  • Service Provider (SP); this is Beamery.

  • Identity Provider (IdP); this is the customer's chosen SAML SSO provider, e.g. Okta, OneLogin etc.

  • Security Assertion Markup Language (SAML); defines the protocol for the way authentication data is exchanged.

  • Metadata; this generally relates to a file or endpoint that supplies specific data used in the configuration of SAML SSO.

    • There is IdP and SP metadata with one being generated based on the other.

Customer Company Configuration

Before you can be configured to use SAML SSO with Beamery we first need the following information from you:

  • X.509 Certificate (used to secure and verify data being transmitted)

  • Login endpoint for the Identity Provider (used to redirect a user to for authentication)

  • Logout endpoint for the Identity Provider (not all IdPs have this).

  • User identifier format (NameIDFormat), either emailAddress or unspecified. The latter is used when a company wants its users to sign in using an identifier other than their email address.

Customer User Configuration

Once you have been configured for SSO, an initial admin user will need to be added to the customer account. This allows a person on the customer side to add the new users they wish to have access to Beamery, and to set the desired access level on a per-user basis. If a customer has decided not to authenticate users with email addresses, then after the users have been added Beamery will need to finalise the configuration (again, this step is only needed if the company is not using email addresses as the user identifier).

Authentication Flow

As referenced at the top of this document, Beamery uses the service provider initiated SSO exchange. In this flow the user browses to a Beamery-provided endpoint that is unique to their organisation. This endpoint looks up the required company-level data and redirects the user to their own company's authentication pages at the IdP, where they sign in using whatever credentials their organisation requires. If authentication succeeds, the IdP redirects the user back to the Beamery assertion endpoint, where their user identifier is checked against what is stored in the Beamery database. If there is a match they are signed in; if not, they are redirected to an error page. The diagram below illustrates the flow.

[Diagram: service provider initiated SSO flow (image not reproduced here)]
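As an added example (it is not Beamery's code and not part of this fact sheet), the following Python models the service provider side of the flow just described, using the per-company configuration items listed under Customer Company Configuration: the company-specific endpoint builds the redirect to the IdP login endpoint, and the assertion endpoint checks the issuer, validity window, audience and NameID format before matching the identifier against the stored users. All URLs, the certificate placeholder and the user records are constructed; signature verification of the IdP response against the configured X.509 certificate is assumed to be done by a SAML library before check_response() runs.

```python
"""Added example, not Beamery's code: a minimal model of the service provider
side of the SP-initiated SAML flow. All URLs, the certificate and the user
records are constructed. Signature verification of the IdP response with the
configured X.509 certificate is assumed to be done by a SAML library before
check_response() is called; this code shows the remaining checks."""
import base64
import urllib.parse
import uuid
import xml.etree.ElementTree as ET
import zlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TIME_FMT = "%Y-%m-%dT%H:%M:%SZ"


@dataclass(frozen=True)
class CompanyConfig:
    """The per-company data the fact sheet asks for (values below are constructed)."""
    idp_entity_id: str
    idp_login_url: str
    idp_logout_url: Optional[str]  # not every IdP provides one
    x509_cert_pem: str             # handed to the SAML library for signature checks
    name_id_format: str            # EMAIL_FORMAT or UNSPECIFIED_FORMAT
    sp_entity_id: str              # audience the assertion must be restricted to
    sp_acs_url: str                # SP assertion endpoint the IdP redirects back to


COMPANIES = {
    "acme": CompanyConfig(
        idp_entity_id="https://idp.example.test/acme",
        idp_login_url="https://idp.example.test/acme/sso",
        idp_logout_url=None,
        x509_cert_pem="-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        name_id_format=EMAIL_FORMAT,
        sp_entity_id="https://sp.example.test/acme",
        sp_acs_url="https://sp.example.test/acme/acs",
    )
}
# Constructed user store: identifier -> access level, per company.
USERS = {"acme": {"alice@acme.example": "admin", "bob@acme.example": "recruiter"}}


def _parse_time(value: str) -> datetime:
    return datetime.strptime(value, TIME_FMT).replace(tzinfo=timezone.utc)


def build_login_redirect(company: str) -> str:
    """Step 1: the company-specific endpoint looks up the config and redirects the
    browser to the IdP login endpoint (HTTP-Redirect binding: raw DEFLATE + base64)."""
    cfg = COMPANIES[company]
    issue_instant = datetime.now(timezone.utc).strftime(TIME_FMT)
    authn = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
             f'ID="_{uuid.uuid4().hex}" Version="2.0" IssueInstant="{issue_instant}" '
             f'AssertionConsumerServiceURL="{cfg.sp_acs_url}">'
             f'<saml:Issuer>{cfg.sp_entity_id}</saml:Issuer></samlp:AuthnRequest>')
    deflater = zlib.compressobj(wbits=-15)  # negative wbits = raw DEFLATE, no zlib header
    packed = deflater.compress(authn.encode()) + deflater.flush()
    query = urllib.parse.urlencode({"SAMLRequest": base64.b64encode(packed).decode()})
    return f"{cfg.idp_login_url}?{query}"


def decode_login_redirect(url: str) -> str:
    """Inverse of the redirect encoding, as the IdP applies it; returns the request XML."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    packed = base64.b64decode(params["SAMLRequest"][0])
    return zlib.decompress(packed, wbits=-15).decode()


def check_response(company: str, saml_response_b64: str) -> dict:
    """Step 2: the assertion endpoint checks the (already signature-verified) response
    and matches the identifier against stored users; any failure means the error page."""
    cfg = COMPANIES[company]
    now = datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return {"ok": False, "reason": "no assertion"}
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != cfg.idp_entity_id:
        return {"ok": False, "reason": "unexpected issuer"}
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (_parse_time(cond.get("NotBefore")) <= now
                            < _parse_time(cond.get("NotOnOrAfter"))):
        return {"ok": False, "reason": "assertion outside validity window"}
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if cfg.sp_entity_id not in audiences:
        return {"ok": False, "reason": "audience mismatch"}
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    # Per the SAML spec, a NameID without a Format attribute means "unspecified".
    if name_id is None or name_id.get("Format", UNSPECIFIED_FORMAT) != cfg.name_id_format:
        return {"ok": False, "reason": "NameID format mismatch"}
    identifier = (name_id.text or "").strip()
    role = USERS[company].get(identifier)
    if role is None:
        return {"ok": False, "reason": "user not provisioned"}
    return {"ok": True, "user": identifier, "role": role}


def make_sample_response(company: str, name_id: str, name_id_format: str,
                         lifetime_seconds: int = 300) -> str:
    """Constructed, unsigned IdP response used only to exercise check_response()."""
    cfg = COMPANIES[company]
    now = datetime.now(timezone.utc)
    not_before = now.strftime(TIME_FMT)
    not_on_or_after = (now + timedelta(seconds=lifetime_seconds)).strftime(TIME_FMT)
    xml = (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
           f'ID="_r1" Version="2.0" IssueInstant="{not_before}" Destination="{cfg.sp_acs_url}">'
           f'<saml:Assertion ID="_a1" Version="2.0" IssueInstant="{not_before}">'
           f'<saml:Issuer>{cfg.idp_entity_id}</saml:Issuer>'
           f'<saml:Subject><saml:NameID Format="{name_id_format}">{name_id}</saml:NameID></saml:Subject>'
           f'<saml:Conditions NotBefore="{not_before}" NotOnOrAfter="{not_on_or_after}">'
           f'<saml:AudienceRestriction><saml:Audience>{cfg.sp_entity_id}</saml:Audience>'
           f'</saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>')
    return base64.b64encode(xml.encode()).decode()


if __name__ == "__main__":
    print(build_login_redirect("acme"))
    print(check_response("acme", make_sample_response("acme", "alice@acme.example", EMAIL_FORMAT)))
```

Running the block prints the redirect URL the company endpoint would issue and the result of a successful sign-in for a provisioned user; calling check_response() with an unknown identifier, a NameID format that does not match the company's configured NameIDFormat, or an expired assertion returns a failure reason instead, which is the "error page" branch of the flow. In a real deployment the SAML library also verifies the XML signature with the company's X.509 certificate and tracks request IDs so a response cannot be replayed; those steps are deliberately outside this example.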