Setting up Single Sign-On for your Absolute account
IMPORTANT Absolute's Single Sign-On solution supports the Security Assertion Markup Language (SAML) 2.0 protocol only.
Single sign-on (SSO) is an authentication process whereby users provide a single set of credentials to access multiple web applications during a user session. After users are authenticated, they can switch between applications without re-entering their credentials.
An identity provider (IdP) is an online service or website that creates, maintains, and manages identity information and authenticates users on the Internet using security tokens. If your organization uses one of the following SAML 2.0 IdPs for user authentication, you can enable single sign-on to the Absolute console:
- Active Directory Federated Services (AD FS)
- Azure Active Directory
NOTE Absolute has tested and validated the single sign-on process using the IdPs listed above. If you prefer to use another IdP, you should be able to use any IdP that supports SAML 2.0.
When SSO is enabled, Absolute users are authenticated by the configured third-party IdP instead of the Absolute IdP.
For more information about installing one of the supported IdPs listed above and setting it up for your organization, refer to the documentation provided by your IdP.
Before you set up Single Sign-On, the following prerequisites must be met:
- An email address is associated with each user account in the IdP and it matches the user's email address in Absolute.
- Two-Factor Authentication (2FA) is not enabled. If 2FA is enabled for your Absolute account, you can't enable Single Sign-On, and vice versa.
- One of the IdPs listed above is installed and configured to accept new SAML 2.0 service providers (SP). A service provider is a system entity that relies on a trusted identity provider (IdP) for user authentication and authorization.
NOTE Absolute's Single Sign-On solution currently supports SAML 2.0 requests and responses that use SHA1 hash algorithms with RSA-SHA1 signing algorithms or SHA256 hash algorithms with RSA-SHA256 signing algorithms. Absolute highly recommends that you use SHA256 since it is more cryptographically secure than SHA1. For more information about configuring hash algorithms and signing algorithms in an IdP, refer to the documentation provided by your IdP.
To set up Single Sign-On, you need to add configurations in both Absolute and your chosen identity provider. You will be working with two metadata files during this process:
- An SP metadata file, which you download from the Absolute console
- An IdP metadata file, which you download from the IdP and upload to the Absolute console
NOTE Your Absolute account can have only one IdP configured at a time.
To set up Single Sign-On:
1. Log in to the Absolute console as a user with Manage permissions for Authentication. The System Administrator role is the only Default role with this permission.
2. On the navigation bar, click > Authentication Settings.
3. In the Single Sign-On area, click Set up Single Sign-On to open the Set up Single Sign-On page.
4. Click Download Certificate and save the absolute-certificate.pem file to a location on your workstation.
5. Click Download Metadata and save the absolute-metadata.xml file to a location on your workstation.
6. Log in to your identity provider and complete the steps to add Absolute as a new SP.
   Depending on your IdP, you may be able to add configurations by uploading the certificate file you downloaded in step 4, the metadata file you downloaded in step 5, or both. For more information about adding a new SP to your IdP, refer to the documentation provided by your IdP.
7. Download the IdP metadata file that was generated when you added Absolute to your IdP in step 6. Save the file to a location on your workstation.
8. On the Set up Single Sign-On page in the Absolute console, click the Name field and enter a name for this new Single Sign-On configuration.
9. Click the Description field and enter a description.
10. Click Choose File, navigate to the location of the IdP metadata file you downloaded from your IdP in step 7, and upload the file. The file must be in XML format and be 500 KB or less in size.
    If you have multiple Absolute accounts, a message may display stating that the Entity ID referenced in the uploaded metadata file is associated with one or more of your other Absolute accounts. If so, do one of the following:
    - To assign the uploaded metadata file to all of your accounts, click Save.
    - To upload a new metadata file that references a different Entity ID and assign it to this account only, click Cancel and repeat this step.
NOTE It may take up to 30 minutes for these changes to take effect.
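Before uploading the IdP metadata file (the Choose File step above), it is worth checking it against the limits this page states (XML, 500 KB or less) and reading out the Entity ID that the console compares across accounts, and, where the metadata carries its own signature, flagging the SHA1 algorithms the earlier note discourages. The script below is an added example, not Absolute's code; the entity ID, endpoint and certificate body in the sample are constructed placeholders.

```python
# Added example (not Absolute's code): sanity-check a SAML 2.0 IdP metadata
# file against the page's stated limits before uploading it to the console.
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
MAX_BYTES = 500 * 1024  # page: the file must be 500 KB or less
SHA1_ALGS = {"http://www.w3.org/2000/09/xmldsig#rsa-sha1",  # RSA-SHA1 signature
             "http://www.w3.org/2000/09/xmldsig#sha1"}      # SHA1 digest

def inspect_idp_metadata(data: bytes) -> dict:
    """Return the Entity ID, SSO endpoints, signing-cert count and any problems."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append(f"file is {len(data)} bytes, limit is {MAX_BYTES}")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"entity_id": None, "sso": [], "certs": 0,
                "problems": problems + [f"not well-formed XML: {exc}"]}
    if root.tag != MD + "EntityDescriptor":
        problems.append(f"root is {root.tag}, expected md:EntityDescriptor")
    if root.find(MD + "IDPSSODescriptor") is None:
        problems.append("no IDPSSODescriptor: not IdP metadata (SP file by mistake?)")
    sso = [e.get("Location") for e in root.iter(MD + "SingleSignOnService")]
    certs = [c for c in root.iter(DS + "X509Certificate") if (c.text or "").strip()]
    if not certs:
        problems.append("no signing certificate: IdP responses could not be verified")
    # A signature on the metadata itself only hints at the IdP's algorithm choice;
    # the SHA1/SHA256 requirement is about requests and responses, so confirm the
    # signing settings in the IdP configuration as well.
    algs = {e.get("Algorithm") for e in root.iter(DS + "SignatureMethod")}
    algs |= {e.get("Algorithm") for e in root.iter(DS + "DigestMethod")}
    if algs & SHA1_ALGS:
        problems.append("metadata signed with SHA1; SHA256 is recommended")
    return {"entity_id": root.get("entityID"), "sso": sso,
            "certs": len(certs), "problems": problems}

# Constructed sample IdP metadata: placeholder entity ID, endpoint and cert body.
SAMPLE = b"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIC...placeholder...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.com/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
```

Run `inspect_idp_metadata(open("idp-metadata.xml", "rb").read())` on the real file; an empty `problems` list and the expected Entity ID mean the file is ready to upload.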
Going forward, when a user enters their email address on the Absolute Login page, the user is redirected to the Login page for the configured IdP. After they log in, the Absolute console opens without them re-entering their credentials. Alternatively, the user can simply log in to their IdP and then access the Absolute console directly from the IdP's portal.