Setting up Single Sign-On for your Absolute account
IMPORTANT Absolute's Single Sign-On solution supports the Security Assertion Markup Language (SAML) 2.0 protocol only.
Single sign-on (SSO) is an authentication process whereby users provide a single set of credentials to access multiple web applications during a user session. After users are authenticated, they can switch between applications without re-entering their credentials.
If your organization uses one of the following SAML 2.0 identity providers (IdP) for user authentication, you can enable single sign-on to the Absolute console. (An identity provider is an online service or website that creates, maintains, and manages identity information and authenticates users on the Internet using security tokens.)
- Active Directory Federated Services (AD FS)
- Azure Active Directory
NOTE Absolute has tested and validated SSO using the IdPs listed above. If you prefer to use another IdP, you should be able to use any IdP that supports the SAML 2.0 protocol.
Note that Absolute's SSO solution supports SAML 2.0 requests and responses that use SHA256 hash algorithms with RSA-SHA256 signing algorithms. For more information about configuring hash algorithms and signing algorithms in an IdP, refer to the documentation provided by your IdP.
When SSO is enabled, Absolute users are authenticated by the configured third-party IdP instead of the Absolute IdP.
For more information about installing one of the supported IdPs listed above and setting it up for your organization, refer to the documentation provided by your IdP.
Before you set up Single Sign-On, the following prerequisites must be met:
- An email address is associated with each user account in the IdP and it matches the user's email address in Absolute.
- Two-Factor Authentication (2FA) is not enabled. If 2FA is enabled for your Absolute account, you can't enable Single Sign-On, and vice versa.
- One of the IdPs listed above is installed and configured to accept new SAML 2.0 service providers (SP). (A service provider is a system entity that relies on a trusted identity provider (IdP) for user authentication and authorization.)
To set up Single Sign-On, you need to add configurations in both Absolute and your chosen identity provider. You will be working with two metadata files during this process:
- An SP metadata file, which you download from the Absolute console
- An IdP metadata file, which you download from the IdP and upload to the Absolute console
NOTE Your Absolute account can have only one IdP configured at a time.
To set up Single Sign-On:
1. Log in to the Absolute console as a user with Manage permissions for Authentication. The System Administrator role is the only Default role with this permission.
2. On the navigation bar, click > Authentication Settings.
3. In the Single Sign-On area, click Set up Single Sign-On to open the Set up Single Sign-On page.
4. Click Download Metadata. The absolute-metadata.xml file is downloaded.
5. Click Download Encryption and Signing Certificates. Depending on the number of certificates included in the package, one of the following files is downloaded:
   - absolute-cert-<expiration date>.pem: an individual certificate file containing the SP public key for both encryption and signature verification
   - absolute-certs-<expiration date>.zip: a zip file containing multiple .pem files for encryption, signature verification, or both
6. Log in to your identity provider and complete the steps to add Absolute as a new SP.
   Depending on your IdP, you may be able to add configurations by uploading the metadata file you downloaded in step 4, the certificate files you downloaded in step 5, or both. For more information about adding a new SP to your IdP, refer to the documentation provided by your IdP.
7. Download the IdP metadata file that was generated when you added Absolute to your IdP in step 6. Save the file to a location on your workstation.
8. On the Set up Single Sign-On page in the Absolute console, click the Name field and enter a name for this new Single Sign-On configuration.
9. Click the Description field and enter a description.
10. Click Choose File, navigate to the location of the IdP metadata file you downloaded from your IdP in step 7, and upload the file. The file must be in XML format and be 500 KB or less in size.
    If you have multiple Absolute accounts, a message may display stating that the Entity ID referenced in the uploaded metadata file is associated with one or more of your other Absolute accounts. If so, do one of the following:
    - To assign the uploaded metadata file to all of your accounts, click Save.
    - To upload a new metadata file that references a different Entity ID and assign it to this account only, click Cancel and repeat this step.
NOTE It may take up to 30 minutes for these changes to take effect.
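Before uploading the IdP metadata file, it is worth checking it against the constraints this page states: it must be well-formed XML of 500 KB or less, it carries the Entity ID that Absolute compares against your other accounts, it must describe an IdP (not an SP), and the IdP should be configured for SHA-256 digests with RSA-SHA256 signatures. The following script is an added example for that pre-flight check; it is not Absolute's code and not part of the original article. The embedded sample metadata is constructed, and the entity ID, URLs and certificate body in it are placeholders. The check on the metadata's own ds:Signature is a hint only: a metadata document signed with SHA-1 suggests the IdP's signing configuration should be reviewed, but the binding requirement on this page concerns the SAML requests and responses themselves.

```python
"""Pre-flight checks for a SAML 2.0 IdP metadata file before uploading it.

Added example, not Absolute's code. Encodes the constraints the article
states: XML of 500 KB or less, an entityID (checked against other
accounts), an IdP descriptor with a signing certificate and an SSO
endpoint, and SHA-256 / RSA-SHA256 algorithms.
"""
import sys
import xml.etree.ElementTree as ET

MAX_METADATA_BYTES = 500 * 1024  # article: file must be 500 KB or less

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample with the shape of an IdP metadata document.
# idp.example.test and PLACEHOLDER_BASE64 are placeholders, not real values.
SAMPLE_IDP_METADATA = b"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.test/saml">
  <ds:Signature>
    <ds:SignedInfo>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>
      <ds:Reference URI="">
        <ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>
      </ds:Reference>
    </ds:SignedInfo>
  </ds:Signature>
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER_BASE64</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.test/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def check_idp_metadata(data: bytes) -> dict:
    """Return {'ok': bool, 'entity_id': str | None, 'problems': [str]}."""
    problems = []
    if len(data) > MAX_METADATA_BYTES:
        problems.append(f"file is {len(data)} bytes; the upload limit is {MAX_METADATA_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"ok": False, "entity_id": None,
                "problems": problems + [f"not well-formed XML: {exc}"]}

    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        problems.append(f"root element is {root.tag}, expected md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("missing entityID (Absolute matches this against your other accounts)")

    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        problems.append("no md:IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    else:
        cert = idp.find("md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is None or not (cert.text or "").strip():
            problems.append("no X509Certificate in a KeyDescriptor; responses could not be verified")
        bindings = {s.get("Binding") for s in idp.findall("md:SingleSignOnService", NS)}
        if not bindings & {HTTP_REDIRECT, HTTP_POST}:
            problems.append("no SingleSignOnService with an HTTP-Redirect or HTTP-POST binding")

    # The metadata signature is optional. When present, its algorithms are a
    # hint about how the IdP is configured; the article requires RSA-SHA256
    # signing and SHA-256 digests on SAML requests and responses.
    sig_method = root.find("ds:Signature/ds:SignedInfo/ds:SignatureMethod", NS)
    if sig_method is not None and sig_method.get("Algorithm") != RSA_SHA256:
        problems.append(f"metadata signed with {sig_method.get('Algorithm')}; "
                        "review the IdP signing algorithm, RSA-SHA256 is required")
    for dm in root.findall("ds:Signature/ds:SignedInfo/ds:Reference/ds:DigestMethod", NS):
        if dm.get("Algorithm") != SHA256_DIGEST:
            problems.append(f"digest method {dm.get('Algorithm')}; SHA-256 is required")

    return {"ok": not problems, "entity_id": entity_id, "problems": problems}


if __name__ == "__main__":
    # Usage: python check_idp_metadata.py <idp-metadata.xml>; with no argument
    # the constructed sample is checked.
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IDP_METADATA
    result = check_idp_metadata(raw)
    print("entityID:", result["entity_id"])
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    print("OK to upload" if result["ok"] else "fix before uploading")
```

Run it against the file downloaded in step 7; the reported entityID is the value Absolute compares against your other accounts when it shows the Entity ID message in step 10.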
Going forward, when a user enters their email address on the Absolute Login page, the user is redirected to the Login page for the configured IdP. After they log in, the Absolute console opens without them re-entering their credentials. Alternatively, the user can simply log in to their IdP and then access the Absolute console directly from the IdP's portal.