SAML 2.0 Single Sign On

Security Assertion Markup Language (SAML) is an XML-based open standard data format for exchanging authentication and authorization data between an identity provider and a service provider. Moxtra offers a SAML-based Single Sign-On (SSO) service that provides partners and customers with full control over the authorization and authentication of the user accounts.

The following diagram explains how a user is authenticated into the Moxtra application through a SAML-based SSO service:

[Diagram: Meet SSO Flow]

Enable SAML SSO in Moxtra

Get the following data from your identity provider (IdP) and configure SAML SSO in Moxtra via the admin console:

  • Identity Provider Entity ID
  • Identity Provider Login URL: the IdP URL where Moxtra sends a user to log in.
  • Identity Provider Certificate: the authentication (signing) certificate issued by your identity provider. Moxtra uses it to verify the signature on assertions the IdP sends.

Configure IdP

Configure your identity provider with Moxtra's metadata, shown below:

  • SP Entity ID
  • SP ACS (Assertion Consumer Service) endpoint

IDP-ID: Replace with the actual IdP ID you configured in Moxtra.

ORG-ID: Replace with the actual Org ID provided by Moxtra.

  • AuthnContextClassRef: "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

    This is the default value used by most identity providers; several IdP adapters allow the value to be changed.

  • Name ID Format: default is "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified".

    The following five formats are supported:

      • Unspecified: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • Email address: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      • X.509 subject name: urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName
      • Entity: urn:oasis:names:tc:SAML:2.0:nameid-format:entity
      • Persistent: urn:oasis:names:tc:SAML:2.0:nameid-format:persistent

  • SP Certificate: PEM-format certificate file (.crt or .pem) provided by Moxtra.

SAML Assertion

Email is the identity of the user in Moxtra, and it is carried in the NameID element; that value is what the user logs in with. Moxtra supports automatic account creation. If an org enables this feature, the user's first name and last name must also be set as attributes of the SAML assertion, since they are needed to create the account.

Email is set in the NameID element (placeholder values are shown in capitals):

    <ns2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">USER-EMAIL</ns2:NameID>

First name and last name are set through Attribute elements, each carrying its value in an AttributeValue child:

    <ns2:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>FIRST-NAME</ns2:AttributeValue>
    </ns2:Attribute>
    <ns2:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
        <ns2:AttributeValue>LAST-NAME</ns2:AttributeValue>
    </ns2:Attribute>
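The following is an added example, not Moxtra's code, showing what a service provider checks before it trusts the values described in the "Configure IdP" and "SAML Assertion" sections: that the assertion is addressed to the SP entity ID, that it is inside its validity window, that the AuthnContextClassRef is the expected default, that the NameID uses one of the five listed formats and carries the email, and that the firstname/lastname attributes are present. The SP entity ID, the sample assertion and the user values are constructed placeholders; signature verification against the IdP certificate is deliberately left to a SAML library and must happen before any of these checks mean anything.

```python
import datetime as dt
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# The five NameID formats the page lists as supported.
SUPPORTED_NAMEID_FORMATS = frozenset({
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:entity",
    "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
})
# The default AuthnContextClassRef value named on the page.
EXPECTED_AUTHN_CONTEXT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"

# Constructed sample data (not from the page): a placeholder SP entity ID and a minimal,
# unsigned assertion with the email in NameID and firstname/lastname attributes.
SP_ENTITY_ID = "https://sp.example.invalid/saml/ORG-ID-PLACEHOLDER"
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.invalid/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.invalid</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://sp.example.invalid/saml/ORG-ID-PLACEHOLDER</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z">
    <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="firstname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="lastname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"><saml:AttributeValue>Liddell</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Two clock values: one inside the NotBefore/NotOnOrAfter window, one past it.
IN_WINDOW = dt.datetime(2024, 1, 1, 0, 2, tzinfo=dt.timezone.utc)
AFTER_WINDOW = dt.datetime(2024, 1, 1, 0, 10, tzinfo=dt.timezone.utc)
# Variants of the sample that a correct SP must reject.
WRONG_AUDIENCE_ASSERTION = SAMPLE_ASSERTION.replace(SP_ENTITY_ID, "https://other-sp.example.invalid")
UNSUPPORTED_FORMAT_ASSERTION = SAMPLE_ASSERTION.replace("nameid-format:unspecified", "nameid-format:transient")


def _parse_time(value):
    # SAML timestamps are xsd:dateTime in UTC; older fromisoformat() does not accept a trailing "Z".
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))


def extract_user(assertion_xml, sp_entity_id, now):
    """Return {"email", "firstname", "lastname"} from an assertion, or raise ValueError.

    Assumes the XML signature has already been verified against the IdP certificate.
    """
    root = ET.fromstring(assertion_xml)

    cond = root.find("saml:Conditions", SAML_NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        raise ValueError("assertion lacks Conditions with a validity window")
    if not (_parse_time(cond.get("NotBefore")) <= now < _parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside its validity window")
    audiences = {a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", SAML_NS)}
    if sp_entity_id not in audiences:
        raise ValueError("assertion not addressed to this SP entity ID")

    ctx = root.find("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", SAML_NS)
    if ctx is None or ctx.text != EXPECTED_AUTHN_CONTEXT:
        raise ValueError("unexpected AuthnContextClassRef")

    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("NameID missing; it must carry the user's email")
    if name_id.get("Format") not in SUPPORTED_NAMEID_FORMATS:
        raise ValueError(f"unsupported NameID Format {name_id.get('Format')!r}")

    # Collect attributes by Name; the page's auto-account-creation needs firstname and lastname.
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = (value.text or "").strip() if value is not None else ""

    return {
        "email": name_id.text.strip(),
        "firstname": attrs.get("firstname", ""),
        "lastname": attrs.get("lastname", ""),
    }


def rejection_reason(assertion_xml, sp_entity_id, now):
    """None when the assertion is accepted, otherwise the reason it was rejected."""
    try:
        extract_user(assertion_xml, sp_entity_id, now)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(extract_user(SAMPLE_ASSERTION, SP_ENTITY_ID, IN_WINDOW))
    print(rejection_reason(WRONG_AUDIENCE_ASSERTION, SP_ENTITY_ID, IN_WINDOW))
```

The audience check is what stops an assertion issued for another service provider from being replayed here, and the NotOnOrAfter check bounds how long a captured assertion stays usable; an SP that only reads the NameID and attributes without these checks accepts far more than the IdP intended. For production use, feed the assertion through a maintained SAML library that verifies the signature and handles namespace and canonicalization edge cases, and consider defusedxml if untrusted XML is parsed directly.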