Setting up Your SSO with SAML

Category: Integrations

Overview

Security Assertion Markup Language (SAML) is an XML standard that allows secure web domains to exchange user authentication and authorization data. Using SAML, an online service provider can contact a separate online identity provider to authenticate users who are trying to access secure content.

Vestorly offers a SAML-based Single Sign-On (SSO) service that provides partner companies with control over authentication and authorization of hosted user-accounts. Using the SAML model, Vestorly acts as the service provider. Vestorly Advisor access is controlled through partners who act as identity providers. These partners maintain control over their usernames, passwords and other information in their organizations.

The Vestorly SSO service is based on the SAML v2.0 specifications. SAML v2.0 is supported by several widely known vendors such as PingFederate.

Process

This section outlines the process for setup and provisioning of SAML for your organization.

  • Notify your Account Representative or contact success@vestorly.com to enable SAML for your Vestorly accounts.
  • Review this document with your IT department and answer any questions.
  • The partner sends Vestorly the required certificate, metadata.xml, and associated fields, along with any test accounts for acceptance testing.
  • Vestorly confirms the configuration with the partner and provides the required connection strings and URLs.
  • The partner updates its links and SSOs into Vestorly.
  • A custom partner or Vestorly domain is assigned, and a server certificate is assigned if needed.
  • Test and sign-off.

Setup

Vestorly requires the following information:

  • The X.509 signing certificate
  • The Sign In URL or Server URL
  • The Sign Out URL (optional)
  • The User Id Attribute (optional)
  • The Email domains (optional: list of valid domains)
  • Vestorly website domain (optional: an assigned domain that an organization may wish to use for its users’ Vestorly accounts)

Some SAML identity providers can import metadata directly, with all the required information included. If needed, Vestorly can provide access to its metadata for this purpose.

Vestorly will provide the following:

  • The post-back URL (also called Assertion Consumer Service URL)
  • The Entity ID of the Service Provider is
  • The SAML Request Binding (sent to the IdP from Vestorly): HTTP-Redirect
  • The SAML Response Binding (how the SAML token is received by Vestorly from IdP): HTTP-Post
  • The NameID format: unspecified
  • The Connection Name: assigned connection name for the integration
  • The SAML assertion, and the SAML response can be individually or simultaneously signed

In addition, some assertions can be encrypted. Vestorly provides the following .CER formatted certificate:


Design and User Flow

Login/Logout flow

When the user clicks login or first connects to Vestorly, Vestorly attempts to route the login flow to the partner’s associated login page.

Vestorly Advisor Login –> Partner Organization’s SSO Login Page –> Vestorly SAML –> Vestorly Publisher page

Logout returns the user to the organization’s login page.

Dashboard SSO flow

When a user is already within a partner’s site, they can be sent directly into Vestorly with a SAML assertion.

Partner Organization’s Dashboard Page –> Vestorly SAML –> Vestorly Publisher page

SAML Field Mapping

In addition to the standard SAML fields, Vestorly supports mapping the following attributes:

  • Attr_email – advisor email
  • Attr_firstname – advisor first name
  • Attr_lastname – advisor last name
  • Attr_phone – advisor phone number
  • Attr_company – advisor company or firm name
  • Attr_website – advisor website
  • Attr_entityid – identifier that identifies the advisor within the partner’s organization
  • Attr_repcode – alternative identifier for the advisor within the partner’s organization
  • Attr_asst_entityid – Assistant (non-advisor) identifier
  • Attr_asst_repcode – Assistant (non-advisor) alternative identifier
  • Attr_asst_firstname – Assistant (non-advisor) first name
  • Attr_asst_lastname – Assistant (non-advisor) last name
  • Attr_asst_email – Assistant (non-advisor) email

Vestorly also supports organization impersonation through the use of the Attr_asst_* fields.
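As an added example (not Vestorly's code), the snippet below shows how a service-provider side could pull the Attr_* fields listed above out of a SAML 2.0 AttributeStatement, read the NameID in the unspecified format Vestorly expects, and check the asserted email against the partner's optional list of valid email domains. The response XML is constructed for illustration; signature verification of the assertion/response and the Conditions checks are assumed to have passed before this step.

```python
import xml.etree.ElementTree as ET  # for untrusted XML, prefer defusedxml's drop-in parser

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# The Attr_* names from the field-mapping list; anything else in the statement is ignored.
MAPPED_ATTRS = {
    "Attr_email", "Attr_firstname", "Attr_lastname", "Attr_phone", "Attr_company",
    "Attr_website", "Attr_entityid", "Attr_repcode", "Attr_asst_entityid",
    "Attr_asst_repcode", "Attr_asst_firstname", "Attr_asst_lastname", "Attr_asst_email",
}

# Constructed sample response (not captured from a real IdP). A real response also carries a
# ds:Signature and Conditions (Audience, NotOnOrAfter) that must be verified before use.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="Attr_email"><saml:AttributeValue>jdoe@example-partner.com</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Attr_firstname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Attr_lastname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Attr_entityid"><saml:AttributeValue>ADV-1001</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Attr_unknown"><saml:AttributeValue>dropped</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

def parse_assertion(xml_text):
    """Return the NameID, its Format, and the mapped Attr_* values of the first assertion."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("response carries no Assertion")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not name_id.text:
        raise ValueError("assertion has no Subject/NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        value = attr.find("saml:AttributeValue", NS)
        if name in MAPPED_ATTRS and value is not None:  # drop attributes outside the mapping
            attrs[name] = (value.text or "").strip()
    return {"name_id": name_id.text.strip(), "name_id_format": name_id.get("Format"), "attrs": attrs}

def email_domain_allowed(email, allowed_domains):
    """Compare the asserted email's domain (case-insensitively) with the partner's valid domains."""
    if email.count("@") != 1:
        return False
    domain = email.rsplit("@", 1)[1].lower()
    return domain in {d.lower() for d in allowed_domains}
```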

See also

Vestorly’s developer site, http://developers.vestorly.com, provides additional technical documentation for integrations.
