
Attentive SSO Login: SAML Setup Instructions

Attentive supports single sign-on (SSO) with a variety of enterprise identity provider (IdP) platforms. SSO lets users sign in to the Attentive platform with their company login credentials, for example an email@brand.com address and its password. When you sign in through Attentive SSO, you must also complete any two-factor authentication flow that your IdP enforces.

Note: If your identity provider (IdP) does not support SAML, or if you don't have an IdP but want increased login security, contact our White Glove team (whiteglove@attentivemobile.com).

Attentive SAML Service Provider (SP) Configuration

The following values must be configured in your Security Assertion Markup Language (SAML) IdP. {CONNECTION_NAME} is a placeholder for the name of your SSO connection.

Entity ID: https://ui-api.attentivemobile.com/identity/connections/{CONNECTION_NAME}/saml/metadata

SAML metadata URL: https://ui-api.attentivemobile.com/identity/saml/metadata?connectionName={CONNECTION_NAME}

Assertion Consumer Service URL: https://ui-api.attentivemobile.com/identity/login-with-sso/connections/{CONNECTION_NAME}/callback

SAML authentication request signature algorithm: RSA-SHA256

SAML authentication request digest algorithm: SHA256

SAML protocol binding: HTTP-POST

Public key certificate: the Attentive SP certificate below, which your IdP uses to verify signed authentication requests from Attentive. To import it, save the block (including the BEGIN and END lines) to a file with a .crt extension. The same certificate is published at the SAML metadata URL above; that copy is the authoritative, current one, so if the two differ, or the copy below is outside its validity period, use the one from the metadata URL.

-----BEGIN CERTIFICATE-----
MIICyTCCAbGgAwIBAgIGAXt48mM7MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgoJkiaJ
k/IsZAEZFglhdHRlbnRpdmUwHhcNMjEwODI0MTYxNTU2WhcNMjIwODI0MTYxNTU2
WjAbMRkwFwYKCZImiZPyLGQBGRYJYXR0ZW50aXZlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAojYrP6GwwzN2UeBaCUvnEHrG6h+E7n0F9C1c3RhSx2S+
kNAy4BwITCd62otFbGsOV2hoxXPPZzftTkPOZsroQeJFh1A9pty3cayLUsCWvg5s
3n9onasw52E7e+9nUH7JF4mFxkHwRupvaE6rvaLwlpbf1QdSNj+tAajgEl2hxtki
2WrISSk5e4KquT/iGOSlSpjQIi7Jy4h1T+zM/aRhZtiCSDqW1JjDvQyEIhpYeZk5
CCoBZBOsK78WqHQL+GvgpT9jXqxDdIQaxPVovww3AkjGJDZOyiA51fHR41neDZlU
5Rgp/8Nr0S97hKoNrObT/U5HTRVIJeqqzvJkySBtzwIDAQABoxMwETAPBgMAAAAB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBhIRROtDKeaAgmmdPUwyy/6ifs
yMWuLv2/uoMr7uOYyHPnCwZKP2h42CTHiqd6wdAYBcIizY5wGiHM0otq8I7no6S8
NmYB3dg3guYgjDZGZSS0U5JYNlHUYWQWgcMMEs/7IeC8dHfLmA0ZufyhEuzPmrkt
rjs9ZJewzOKunMWmODP92v6g0piaGt0Iiu9KR4l68dYbb3+vajl+g9F9JYGKoUxn
RujFNnz1V8m3BChWS3IuczI289a6M6PLfhgTy35O7hIzjgf+1UF6hhD8oB6ZK0rD
MIOxaJe4JpP4bSFxgzVblCd6ibCE2XC5uQOwS/aoT5M5+hVUI0caO6XaK1MX
-----END CERTIFICATE-----
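Before you import the certificate above, it is worth confirming what you are about to trust. The script below is an added example, not Attentive's code: it decodes the SP certificate printed above using only the Python standard library (a minimal DER walker, so there is no third-party dependency), reports its serial, signature algorithm, issuer, subject, validity window, key size and SHA-256 fingerprint, and flags the conditions a practitioner should act on. Compare the fingerprint with the certificate served at the SAML metadata URL for your connection; if the two differ, or the copy here is reported as outside its validity window, use the copy from the metadata URL.

```python
"""Check Attentive's SP certificate before importing it into your IdP.
Added example (not Attentive's code), standard library only: a minimal DER
walker extracts the fields worth checking plus a SHA-256 fingerprint to compare
with the copy at the SAML metadata URL. SP_CERT_PEM is the certificate above."""
import base64
import hashlib
from datetime import datetime, timezone

SP_CERT_PEM = """-----BEGIN CERTIFICATE-----
MIICyTCCAbGgAwIBAgIGAXt48mM7MA0GCSqGSIb3DQEBCwUAMBsxGTAXBgoJkiaJ
k/IsZAEZFglhdHRlbnRpdmUwHhcNMjEwODI0MTYxNTU2WhcNMjIwODI0MTYxNTU2
WjAbMRkwFwYKCZImiZPyLGQBGRYJYXR0ZW50aXZlMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAojYrP6GwwzN2UeBaCUvnEHrG6h+E7n0F9C1c3RhSx2S+
kNAy4BwITCd62otFbGsOV2hoxXPPZzftTkPOZsroQeJFh1A9pty3cayLUsCWvg5s
3n9onasw52E7e+9nUH7JF4mFxkHwRupvaE6rvaLwlpbf1QdSNj+tAajgEl2hxtki
2WrISSk5e4KquT/iGOSlSpjQIi7Jy4h1T+zM/aRhZtiCSDqW1JjDvQyEIhpYeZk5
CCoBZBOsK78WqHQL+GvgpT9jXqxDdIQaxPVovww3AkjGJDZOyiA51fHR41neDZlU
5Rgp/8Nr0S97hKoNrObT/U5HTRVIJeqqzvJkySBtzwIDAQABoxMwETAPBgMAAAAB
Af8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQBhIRROtDKeaAgmmdPUwyy/6ifs
yMWuLv2/uoMr7uOYyHPnCwZKP2h42CTHiqd6wdAYBcIizY5wGiHM0otq8I7no6S8
NmYB3dg3guYgjDZGZSS0U5JYNlHUYWQWgcMMEs/7IeC8dHfLmA0ZufyhEuzPmrkt
rjs9ZJewzOKunMWmODP92v6g0piaGt0Iiu9KR4l68dYbb3+vajl+g9F9JYGKoUxn
RujFNnz1V8m3BChWS3IuczI289a6M6PLfhgTy35O7hIzjgf+1UF6hhD8oB6ZK0rD
MIOxaJe4JpP4bSFxgzVblCd6ibCE2XC5uQOwS/aoT5M5+hVUI0caO6XaK1MX
-----END CERTIFICATE-----"""

# Only the OIDs this certificate uses, plus the SHA-1 variant worth flagging.
OID_NAMES = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
             "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
             "0.9.2342.19200300.100.1.25": "DC", "2.5.4.3": "CN"}

def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split the contents of a SEQUENCE/SET into (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def _oid(raw):
    """Dotted form of an OBJECT IDENTIFIER's content bytes."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                      # base-128, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def _name(value):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            dotted = _oid(oid)
            parts.append(f"{OID_NAMES.get(dotted, dotted)}={val.decode('utf-8', 'replace')}")
    return ",".join(parts)

def _time(tag, raw):
    """UTCTime (tag 0x17, two-digit year) or GeneralizedTime (0x18), Zulu form only."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def parse_certificate(pem):
    """Return the identifying fields of a PEM-encoded X.509 certificate."""
    der = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE { tbs, alg, sig }
    fields = _children(_children(cert)[0][1])       # tbsCertificate fields
    if fields[0][0] == 0xA0:                        # [0] EXPLICIT version, present for v3
        fields = fields[1:]
    (_, serial), (_, sig_alg), (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    (nb_tag, nb), (na_tag, na) = _children(validity)
    alg = _oid(_children(sig_alg)[0][1])
    bit_string = _children(spki)[1][1]              # subjectPublicKey BIT STRING; byte 0 = unused bits
    modulus = _children(_children(bit_string[1:])[0][1])[0][1]   # RSAPublicKey.modulus
    return {"serial": serial.hex(),
            "signature_algorithm": OID_NAMES.get(alg, alg),
            "issuer": _name(issuer), "subject": _name(subject),
            "not_before": _time(nb_tag, nb), "not_after": _time(na_tag, na),
            "key_bits": int.from_bytes(modulus, "big").bit_length(),
            "sha256_fingerprint": ":".join(f"{b:02X}" for b in hashlib.sha256(der).digest())}

def check_certificate(info, now=None):
    """Problems to resolve before trusting the certificate; an empty list means none."""
    now = now or datetime.now(timezone.utc)
    problems = []
    if not info["not_before"] <= now <= info["not_after"]:
        problems.append(f"outside validity window {info['not_before']:%Y-%m-%d} to "
                        f"{info['not_after']:%Y-%m-%d}; fetch the current copy from the metadata URL")
    if info["key_bits"] < 2048:
        problems.append(f"RSA key is only {info['key_bits']} bits")
    if "sha1" in info["signature_algorithm"].lower():
        problems.append("signed with SHA-1")
    return problems
```

Run it with `python3 -c "import spcert; i = spcert.parse_certificate(spcert.SP_CERT_PEM); print(i, spcert.check_certificate(i))"` (assuming you saved it as spcert.py). The fingerprint is printed colon-separated and upper-case so it can be compared directly with `openssl x509 -in sp.crt -noout -fingerprint -sha256`.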

Customer SAML Identity Provider (IdP) Configuration

The following inputs are the values you must provide to our team so that we can configure your SAML IdP on our side. Each entry notes whether it is required or optional.

IdP name (Optional)
  A unique name for your identity provider. For example: Secureauth

Email domain (Required)
  The domain used for your company email addresses. Attentive SSO associates your users with your SAML IdP by their email address. We currently support a single email domain per SSO connection. For example: brand.com

Metadata URL (Optional)
  Your SAML IdP metadata URL. If you prefer, we can extract your connection configuration (entity ID, sign in and sign out URLs, signing certificate) from this URL instead of your providing the individual values below.

X.509 Signing Certificate for public key (Required if your IdP signs the SAML response)
  The X.509 certificate your IdP signs SAML messages with, in PEM or CER format. See your IdP's documentation for how to retrieve it. If it is included in your metadata URL, we can convert it for you.

Sign in URL (Required)
  Your IdP's SAML single sign-on URL.

Sign out URL (Optional)
  Your IdP's SAML single logout URL. This can be a redirect to the sign in page if preferred.

Entity ID (Required)
  Your IdP's entity ID, the value it sends as the issuer of its SAML responses. It is common for this to be the same as the sign in URL.

SAML claim attribute containing user email address (Required)
  Attentive uses the email address as the unique identifier for a user. You must tell us the name of the SAML claim attribute in which you pass the email. For example: emailaddress

Logo URL (Optional)
  URL of the image used to customize the login button for Universal Login. It is displayed at 20 x 20 px.

Authentication request signed (Optional; True or False, default False)
  Whether the <samlp:AuthnRequest> messages sent by this SP (Attentive) are signed. If True, your IdP verifies the request signature with the Attentive public key certificate listed in the SP configuration above.

Response messages signed (Optional; True or False, default False)
  Whether the <samlp:Response>, <samlp:LogoutRequest> and <samlp:LogoutResponse> elements received by this SP (Attentive) are required to be signed.

Response assertions signed (Optional; True or False, default False)
  Whether the <saml:Assertion> elements received by this SP (Attentive) are required to be signed.

  Signatures are what allow Attentive to verify that a response really came from your IdP, so configure your IdP to sign and set at least one of the two response options above to True; with both left at the default, no signature is required.

Signature algorithm (Optional)
  Algorithm the SP (Attentive) uses when signing its authentication requests. Options:

  • RSA-SHA1
  • RSA-SHA256
  • RSA-SHA384
  • RSA-SHA512

  RSA-SHA256 matches the SP configuration above and is the right choice; RSA-SHA1 is deprecated and should only be chosen if your IdP cannot verify anything stronger.

Digest algorithm (Optional)
  Algorithm the SP (Attentive) uses for the digest when signing. Options:

  • SHA1
  • SHA256
  • SHA384
  • SHA512

  As with the signature algorithm, prefer SHA256 or stronger over SHA1.

Test email address (Required)
  We need the email address of an employee who can test the SSO connection. This person must already have an Attentive account configured. For example: email@brand.com
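If you would rather gather the values above from your IdP's metadata document yourself (the same document we read from the Metadata URL), the script below shows the mapping. It is an added example, not Attentive's tooling, and uses only the Python standard library; the embedded metadata is constructed for this example, so the host idp.brand.com, its URLs and the certificate text are placeholders rather than a real IdP. It prefers the HTTP-POST sign in endpoint and falls back to HTTP-Redirect, ignores encryption-only keys, keeps every signing certificate (an IdP in the middle of a key rollover publishes two), and reads WantAuthnRequestsSigned, which tells you whether to set "Authentication request signed" to True.

```python
"""Pull the values Attentive asks for out of an IdP's SAML metadata document.
Added example (not Attentive's tooling), standard library only. SAMPLE_METADATA
is constructed for this example: the host idp.brand.com, its URLs and the
certificate text are placeholders, not a real IdP."""
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed sample. Real metadata has base64 DER in X509Certificate; the
# text here is a placeholder and is never decoded, only re-wrapped as PEM.
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.brand.com/saml/metadata">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        MIIC-IDP-SIGNING-CERT-BASE64-PLACEHOLDER-LINE-ONE-xxxxxxxxxxxxxxxxxxxxxxxx
        xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-LINE-TWO
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC-ENCRYPTION-ONLY-PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.brand.com/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.brand.com/saml/sso"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.brand.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def _location(idp, service, binding):
    """Location of the first <service> endpoint with the given binding, or None."""
    for endpoint in idp.findall(f"md:{service}", NS):
        if endpoint.get("Binding") == binding:
            return endpoint.get("Location")
    return None


def _pem(x509_text):
    """Re-wrap the base64 from <ds:X509Certificate> (whitespace is arbitrary) as PEM."""
    body = "".join(x509_text.split())
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines, "-----END CERTIFICATE-----"])


def extract_idp_config(metadata_xml):
    """Map an IdP's EntityDescriptor onto the inputs Attentive asks for."""
    root = ET.fromstring(metadata_xml)   # for metadata from an untrusted source, parse with defusedxml
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this looks like SP metadata, not IdP metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use") in (None, "signing"):   # no use attribute means the key serves both purposes
            certs += [_pem(c.text) for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
    if not certs:
        raise ValueError("no signing certificate: required if the IdP signs responses or assertions")
    sign_in = _location(idp, "SingleSignOnService", POST) or _location(idp, "SingleSignOnService", REDIRECT)
    if sign_in is None:
        raise ValueError("no SingleSignOnService with an HTTP-POST or HTTP-Redirect binding")
    sign_out = _location(idp, "SingleLogoutService", POST) or _location(idp, "SingleLogoutService", REDIRECT)
    return {
        "Entity ID": root.get("entityID"),
        "Sign in URL": sign_in,
        "Sign out URL": sign_out,                        # None is acceptable: the field is optional
        "X.509 Signing Certificate": certs,              # more than one during an IdP key rollover
        "Authentication request signed": idp.get("WantAuthnRequestsSigned", "false").lower() == "true",
        "NameID formats": [n.text.strip() for n in idp.findall("md:NameIDFormat", NS)],
    }


if __name__ == "__main__":
    for field, value in extract_idp_config(SAMPLE_METADATA).items():
        print(f"{field}: {value}")
```

The NameID formats are reported as a hint only: Attentive identifies users by the email claim attribute you name in the table, so an emailAddress NameID format tells you the IdP can supply it, not that it will be in the attribute you expect. Metadata fetched over the network from a provider you do not control should be parsed with defusedxml rather than the standard parser.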

Transfer of connection information

Contact our White Glove team (whiteglove@attentivemobile.com) and provide the SAML IdP values you collected in the previous step. Our team will also provide a secure box.com folder where you can upload the X.509 signing certificate as a PEM or CER file. You can put your SAML IdP values in a document and upload it to the secure folder as well, rather than sending them by email.

Establishing Connection / Testing

Our team takes the information above and establishes the connection with your IdP. We then share a test page URL where a member of your team can go through the sign in process and confirm that everything works before we enable SSO on your production account.