Overview
Currently, only authentication of existing users is supported via SAML 2.0. New team members cannot be automatically created by logging in through a SAML 2.0 provider. An admin will still need to create/invite the team member through the Agent Connect platform.
Step 1. Configure your Identity Provider
Below are the settings you will need to configure a new app within your Identity Provider, if you are unsure of your subdomain please reach out to your Client Services Manager.
Global Settings
You may not need all of these data points depending on your identity provider
Setting | Value |
Audience URI/Entity ID | https://{your_subdomain}.stellaconnect.net/ |
Assertion Consumer Service (ACS) URL* | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
Name ID format | Email Address (urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress) |
Application username or Subject Type** | Username or Email |
Start URL | https://{your_subdomain}.stellaconnect.net |
Signed Response | Checked |
* Same for Recipient and Destination URLs
** Choose the field in your IdP where the email address or custom employee ID that is setup in Agent Connect can be found
Setting | Value |
SSO URL | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
Audience URI (SP Entity ID) | https://{your_subdomain}.stellaconnect.net/ |
Default RelayState | Blank |
Name ID format | |
Application Username | Okta Username / Primary Email |
Steps: Admin> Applications> Create New App> Platform = Web, SAML 2.0
Setting | Value |
Audience/Entity ID | https://{your_subdomain}.stellaconnect.net/ |
Consumer URL | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
Name ID format | |
User ID (Key-pair Value) | Username / Primary Email |
Setting | Value |
Entity ID | https://{your_subdomain}.stellaconnect.net/ |
Assertion Consumer Service (ACS) URL* | https://{your_subdomain}.stellaconnect.net/employees/auth/saml/callback |
SAML Signing (Encryption Certificate) | Blank |
Steps: Admin> Applications> Add Application> New SAML Application
* Same for Recipient and Destination URLs
Step 2. Provide Your Configuration to Agent Connect
The identity provider should generate a couple of pieces of data that will need to be supplied to the Implementation or Support team.
You will be asked to provide:
Identity Provider Single Sign-On/Login URL
X.509 Certificate
Step 3. Test the Configuration
Once the configuration has been setup within Agent Connect, you will be able to test the Single Sign-on by visiting https://{your_subdomain}.stellaconnect.net/employees/sign_in?sso=true and clicking Sign in with provider.
Step 4. Go Live
When you are completed with testing, just contact us and we will enable your SAML configuration to be the default and ONLY login option for all team members. At this point, all team members that visit the login page for Agent Connect will be immediately redirected to the Identity Provider for login.