Setting up Single Sign-On for your Absolute account
Absolute's Single Sign-On solution supports the Security Assertion Markup Language (SAML) 2.0 protocol only.
Single sign-on (SSO) is an authentication process whereby users provide a single set of credentials to access multiple web applications during a user session. After users are authenticated, they can switch between applications without re-entering their credentials.
If your organization uses one of the following SAML 2.0 identity providers (IdP; an online service or website that creates, maintains, and manages identity information and authenticates users on the Internet using security tokens) for user authentication, you can enable single sign-on to the Secure Endpoint Console:
- Active Directory Federated Services (AD FS)
- Microsoft Entra ID (formerly Azure AD)
- ForgeRock®
- Okta
- OneLogin
- PingFederate®
- PingOne®
Absolute has tested and validated SSO using the IdPs listed above. If you prefer to use another IdP, you should be able to use any IdP that supports the SAML 2.0 protocol.
Note that Absolute's SSO solution supports SAML 2.0 requests and responses that use SHA256 hash algorithms with RSA-SHA256 signing algorithms. For more information about configuring hash algorithms and signing algorithms in an IdP, refer to the documentation provided by your IdP.
When SSO is enabled, Absolute users are authenticated by the configured third-party IdP instead of the Absolute IdP.
For more information about installing one of the supported IdPs listed above and setting it up for your organization, refer to the documentation provided by your IdP.

Before you set up Single Sign-On, the following prerequisites must be met:
- An email address is associated with each user account in the IdP and it matches the user's email address in their Absolute user account.
- Two-Factor Authentication (2FA) is not enabled. If 2FA is enabled for your Absolute account, you can't enable Single Sign-On, and vice versa.
- A compatible IdP is installed and configured to accept new SAML 2.0 service providers (SP; a system entity that relies on a trusted identity provider (IdP) for user authentication and authorization).

To set up Single Sign-On, you need to add configurations in both Absolute and your chosen identity provider. You will be working with two metadata files during this process:
- An SP metadata file, which you download from the Secure Endpoint Console
- An IdP metadata file, which you download from the IdP and upload to the Secure Endpoint Console
Your Absolute account can have only one IdP configured at a time.
To set up Single Sign-On:
1. Log in to the Secure Endpoint Console as a user with Manage permissions for Authentication. The System Administrator role is the only Default role with this permission.
2. On the navigation bar, click Settings > Authentication settings.
3. In the Single Sign-On area, click to open the Set up Single Sign-On page.
4. Click Download Metadata. The absolute-metadata.xml file is downloaded.
5. Click Download Encryption and Signing Certificates. Depending on the number of certificates included in the package, one of the following files is downloaded:
   - absolute-cert-<expiration date>.pem: individual certificate file containing the SP public key for both encryption and signature verification
   - absolute-certs-<expiration date>.zip: zip file containing multiple .pem files for encryption, signature verification, or both
6. Log in to your identity provider and complete the steps to add Absolute as a new SP.
   Depending on your IdP, you may be able to add configurations by uploading the metadata file you downloaded in step 4, the certificate files you downloaded in step 5, or both. For more information about adding a new SP to your IdP, refer to the documentation provided by your IdP.
7. Download the IdP metadata file that was generated when you added Absolute to your IdP in step 6. Save the file to a location on your workstation.
   Ensure that the IdP metadata file contains the following content:
   <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/SAML2/SSO/Redirect"/>
   <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/SAML2/SSO/Redirect"/>
   HTTP-POST locations are not supported. If they exist in the file, they are ignored.
8. On the Set up Single Sign-On page in the Secure Endpoint Console, click the Name field and enter a name for this new Single Sign-On configuration.
9. Click the Description field and enter a description.
10. Click Choose File, navigate to the location of the IdP metadata file you downloaded from your IdP in step 7, and upload the file. The file must be in XML format and be 500 KB or less in size.
    If you have multiple Absolute accounts, a message may display stating that the Entity ID referenced in the uploaded metadata file is associated with one or more of your other Absolute accounts. If so, do one of the following:
    - To assign the uploaded metadata file to all of your accounts, click Save.
    - To upload a new metadata file that references a different Entity ID and assign it to this account only, click Cancel and repeat this step.
11. Click Save. SSO is enabled and an SSO enabled event is logged to Event History. It may take up to 30 minutes for these changes to take effect.
12. [Optional] Set up SCIM integration to automatically sync user information from your IdP.
Going forward, when a user enters their email address on the Absolute Login page, the user is redirected to the Login page for the configured IdP. After they log in, the Secure Endpoint Console opens without them re-entering their credentials. Alternatively, the user can simply log in to their IdP and then access the Secure Endpoint Console directly from the IdP's portal.
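Before uploading the IdP metadata file in step 10, it is worth checking it against the constraints this page states (XML, 500 KB or less, HTTP-Redirect SingleSignOnService and SingleLogoutService endpoints, a signing certificate, and RSA-SHA256 if the document itself is signed). The following checker is an added example, not Absolute's own code; the idp.example.org metadata and the PLACEHOLDER certificate in it are constructed samples.

```python
# Added example (not Absolute's own code): pre-upload check of an IdP SAML
# metadata file against the requirements this page states.
import xml.etree.ElementTree as ET

MAX_BYTES = 500 * 1024  # the console rejects files larger than 500 KB
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def check_idp_metadata(data: bytes) -> list:
    """Return a list of problems; an empty list means the file looks ready to upload."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, over the 500 KB limit")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return problems + [f"not well-formed XML: {exc}"]
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        return problems + ["no md:IDPSSODescriptor element"]
    # Absolute only uses HTTP-Redirect endpoints; HTTP-POST ones are silently ignored.
    for svc in ("SingleSignOnService", "SingleLogoutService"):
        bindings = {e.get("Binding") for e in idp.findall(f"md:{svc}", NS)}
        if REDIRECT not in bindings:
            note = " (only HTTP-POST present)" if bindings == {POST} else ""
            problems.append(f"no HTTP-Redirect md:{svc}{note}")
    if idp.find(".//ds:X509Certificate", NS) is None:
        problems.append("no signing certificate in md:IDPSSODescriptor")
    # If the metadata document itself is signed, the page calls for RSA-SHA256.
    sig = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig is not None and sig.get("Algorithm") != RSA_SHA256:
        problems.append(f"metadata signed with {sig.get('Algorithm')}, expected rsa-sha256")
    return problems


# Constructed sample (hypothetical IdP, placeholder certificate): the SSO endpoint
# is HTTP-POST only, so the console would ignore it and logins would fail.
SAMPLE_POST_ONLY = b"""<md:EntityDescriptor entityID="https://idp.example.org/metadata"
  xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.org/SAML2/SSO/POST"/>
  <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.org/SAML2/SLO/Redirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
# The same file after the IdP is reconfigured to publish a Redirect SSO endpoint.
SAMPLE_OK = SAMPLE_POST_ONLY.replace(b"HTTP-POST", b"HTTP-Redirect")
```

Run `check_idp_metadata(open("idp-metadata.xml", "rb").read())` on the file you downloaded in step 7; an empty list means none of the page's stated requirements is violated.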