Attentive supports single sign-on (SSO) functionality with a variety of enterprise identity provider (IdP) platforms using the SAML (Security Assertion Markup Language) protocol. Our SSO functionality lets users log in to the Attentive platform using their company login credentials (e.g., firstname.lastname@example.org and password). When using Attentive SSO, they must follow any two-factor authentication flows that are enabled through your IdP. At this time, we don’t support IdP-initiated SAML flows. Users must log in on the Attentive login page, which then redirects them to the IdP.
This article explains the steps you need to complete to set up SSO between your company and Attentive.
Configure the values in the following table for your SAML IdP. Ensure that you complete this IdP configuration prior to reaching out to Attentive to configure SSO for your brand.
CONNECTION_NAME field below can be any unique name. We recommend using the name of your company. The connection name should be all lowercase (e.g., attentive).
|SAML metadata URL
|Assertion Consumer Service URL
|SAML authentication request signature algorithm
|SAML authentication request digest algorithm
|SAML protocol binding
Once you’ve configured an application for Attentive with your IdP, you’ll need to gather your configuration information (SAML IdP metadata) and provide it to our White Glove team (email@example.com) so we can configure it on our side. Please ensure you provide all of the required fields to expedite the configuration process.
Note: The easiest way to provide us this information is by sending us the IdP configuration XML or metadata URL containing the XML.
Our team will provide you a secure folder using box.com for the X.509 Signing Certificate to allow you to upload the PEM or CER file. If you prefer, you can also add your SAML IdP metadata in a document and upload it to the secure folder rather than sending it via email.
- Please provide us the following required fields, which are present in the metadata XML.
|X.509 Signing Certificate* for public key
|You’ll need to retrieve an X.509 signing certificate from the SAML IdP (in PEM or CER format). View your IdP’s documentation for the methods for retrieving this certificate. If this is included in your metadata URL, we can convert it for you.
Note: We can extract your connection configuration information from a SAML metadata URL if you prefer to provide that instead of a signing certificate.
|Sign in URL
|SAML single login URL
|It is common for this to be the same as the sign-in URL. We can extract this from your SAML metadata XML.
|SAML claim attribute containing user email address
|Attentive uses an email address as the unique identifier for a user. By default we check the
NameIDFormat. If this is not the user’s email address, you must indicate the name of the SAML claim attribute you are passing the email in with (e.g.,
- Please also provide us the following values so we can complete your configuration:
|The domain used for your company email addresses. Attentive SSO will associate your users with your SAML IdP by their email address. We currently support a single email domain per SSO connection (e.g.,
|The value of the CONNECTION_NAME you chose in Step 1 when configuring your IdP. These must match exactly.
|Authentication request signed
|True or False
Indicates whether the IdP configuration expects the
|Response messages signed
|True or False
Indicates that the
|Response assertions signed
|True or False
Indicates that the
|Algorithm that the IdP will use to sign response data
|Algorithm that the IdP will use to hash response data
- (Optional) Provide the following additional fields to Attentive:
|Sign out URL
|SAML single logout URL. Note that this can be a redirect to the sign-in page if you prefer.
|Test email address
|We can test the connection for you if you provide a test email address and password to access Attentive through your IdP. If you can’t add a test user, we’ll let you know when we’ve set up the connection and have you test the login.
In this step, the Attentive team will establish connection with your IdP using the information you provided in Step 2.
We’ll provide you with the SAML SP metadata URL containing this certificate.
In this step, a member of your team will test the SSO connection between Attentive and your IdP. If you already have users using the Attentive platform, we’ll share a test page URL, domain, and email address for them to use in testing. They should complete the following steps:
- Navigate to the test page URL provided by our team.
- Sign in to Attentive using the test domain and test email address provided to you by our team (e.g., firstname.lastname@example.org).
Attentive redirects to your IdP without kicking out your current users.
- Confirm that you can sign in to your IdP with your normal domain/credentials.
Once you’ve tested the sign-in process and ensured everything is working correctly, Attentive will make SSO live for users signing in with your real domain.