This document describes the Beamery SAML SSO solution, how it works and how it can be configured. A number of data points are needed in order to configure your Beamery account so that your users can log in via SSO.
The technology the Beamery SSO system uses is SAML (v2), which defines a common way for different SSO providers to exchange authentication information. Beamery specifically uses a service provider-initiated SSO exchange.
What follows is a list of terms used in relation to SAML SSO:
- Service Provider (SP): this is Beamery.
- Identity Provider (IdP): this is your chosen SAML SSO provider, e.g. Okta, OneLogin etc.
- Security Assertion Markup Language (SAML): the protocol that defines how authentication data is exchanged.
- Metadata: generally a file or endpoint that supplies the specific data used in the configuration of SAML SSO. There is both IdP metadata and SP metadata, with one being generated based on the other.
Requirements for Setting up SSO
When setting up Beamery for SAML SSO, Beamery will generally supply you with a Beamery metadata endpoint first. You can get this from your integration consultant; it is key to the next stage of the setup process.
What We Need From You
Before you can be configured to use SAML SSO with Beamery we first need the following information:
- X.509 certificate (used to secure and verify the data being transmitted)
- Login endpoint for the Identity Provider (the URL a user is redirected to for authentication)
- Logout endpoint for the Identity Provider (not all IdPs have one)
- User identifier format (NameIDFormat): either emailAddress or unspecified. The latter is used when your IdP does not sign users in using an email address; please let us know what you will be using if this is the case.
With the metadata provided by Beamery, you should have everything you need to supply your integration consultant with the data above.
Beamery SSO Architecture
As referenced at the top of this document, Beamery uses a service provider-initiated SSO exchange. In this flow the user browses to a Beamery-provided endpoint that is unique to their organisation; this endpoint then looks up the required company-level data and redirects the user to their own company's authentication pages at the IdP.