Setting up Your SSO with SAML
Security Assertion Markup Language (SAML) is an XML-based standard that lets separate web domains exchange user authentication and authorization data. Using SAML, an online service provider (SP) can rely on a separate identity provider (IdP) to authenticate users who are trying to access protected content.
Vestorly offers a SAML-based Single Sign-On (SSO) service that gives partner companies control over authentication and authorization of their hosted user accounts. In the SAML model, Vestorly acts as the service provider and the partner acts as the identity provider: access to Vestorly Advisor is controlled by the partner, which keeps usernames, passwords and other user information within its own organization.
The Vestorly SSO service is based on the SAML v2.0 specification, which is supported by widely used identity provider products such as PingFederate.
This section outlines the process for setup and provisioning of SAML for your organization.
Notify your Account Representative or contact firstname.lastname@example.org to enable SAML for your Vestorly accounts.
Review this document with your IT department and resolve any questions.
The partner sends Vestorly the required signing certificate, metadata.xml and associated fields, along with any test accounts for acceptance testing.
Vestorly confirms the configuration with the partner and provides the required connection strings and URLs.
The partner updates its links and performs an SSO login to Vestorly.
A custom partner or Vestorly domain is assigned, and a server certificate is assigned for it if needed.
Test and sign-off.
Vestorly requires the following information:
The X.509 signing certificate (the public certificate Vestorly uses to verify the IdP's signatures)
The Sign In URL or Server URL (the IdP's SSO endpoint to which Vestorly redirects login requests)
The Sign Out URL (optional)
The User ID attribute (optional)
The email domains (optional: list of valid domains for user accounts)
Vestorly website domain (optional: assigned domain that an organization may wish to use for its users’ Vestorly accounts)
Some SAML identity providers can import the service provider's metadata directly, which carries all of the required information. If needed, Vestorly can provide access to its metadata for this purpose.
Vestorly will provide the following:
The post-back URL (also called the Assertion Consumer Service URL), to which the IdP posts the SAML response
The Entity ID of the Service Provider is
The SAML request binding (how the authentication request is sent from Vestorly to the IdP): HTTP-Redirect
The SAML response binding (how the SAML response carrying the assertion is received by Vestorly from the IdP): HTTP-POST
The NameID format: unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified)
The connection name: the name assigned to the integration
The SAML assertion and the SAML response can be signed individually or both at once
In addition, assertions can be encrypted. For that purpose Vestorly provides the following .CER-formatted certificate:
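The two bindings listed above, shown from the service-provider side, as an added example that is not Vestorly's code: the SP entity ID, post-back (ACS) URL and partner Sign In URL are assumed placeholders standing in for the values exchanged during setup. The block builds the AuthnRequest an SP such as Vestorly would send (with the NameID format set to unspecified), encodes it for the HTTP-Redirect binding (raw DEFLATE, base64, URL-encoding) and decodes a SAMLResponse form field as delivered by the HTTP-POST binding (base64 only, no DEFLATE).

```python
"""HTTP-Redirect (request) and HTTP-POST (response) bindings from the service-provider side.
Added example for this page, not Vestorly's code; the three URLs below are assumed placeholders."""
import base64
import secrets
import urllib.parse
import zlib

SP_ENTITY_ID = "https://sp.example.com/saml/metadata"      # placeholder SP Entity ID (assumed)
ACS_URL = "https://sp.example.com/saml/acs"                # placeholder post-back (ACS) URL (assumed)
IDP_SIGN_IN_URL = "https://idp.partner.example/sso/saml"  # placeholder partner Sign In URL (assumed)
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"


def new_request_id() -> str:
    """SAML IDs are xsd:ID values, so they must start with a letter or underscore, not a digit."""
    return "_" + secrets.token_hex(16)


def build_authn_request(request_id: str, issue_instant: str) -> str:
    """Minimal SAML 2.0 AuthnRequest asking the IdP to POST its response to the ACS URL."""
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{IDP_SIGN_IN_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" '
        f'AssertionConsumerServiceURL="{ACS_URL}">'
        f"<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>"
        f'<samlp:NameIDPolicy Format="{NAMEID_UNSPECIFIED}" AllowCreate="false"/>'
        "</samlp:AuthnRequest>"
    )


def encode_redirect(xml: str) -> str:
    """HTTP-Redirect binding: raw DEFLATE (no zlib header or checksum), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)   # wbits=-15 selects raw DEFLATE
    return base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()


def decode_redirect(value: str) -> str:
    return zlib.decompress(base64.b64decode(value), -15).decode()


def redirect_url(xml: str, relay_state: str) -> str:
    """Where the browser is sent at login: the partner Sign In URL with the request in the query string.
    If the IdP requires signed requests, SigAlg and Signature parameters are added here (not shown)."""
    query = urllib.parse.urlencode({"SAMLRequest": encode_redirect(xml), "RelayState": relay_state})
    return f"{IDP_SIGN_IN_URL}?{query}"


def parse_redirect_url(url: str) -> dict:
    """Inverse of redirect_url, i.e. what the IdP does when the browser arrives."""
    params = {k: v[0] for k, v in urllib.parse.parse_qs(urllib.parse.urlsplit(url).query).items()}
    params["SAMLRequest"] = decode_redirect(params["SAMLRequest"])
    return params


def encode_post(xml: str) -> str:
    """HTTP-POST binding: base64 only, carried in the SAMLResponse form field posted to the ACS URL."""
    return base64.b64encode(xml.encode()).decode()


def decode_post_response(form_value: str) -> str:
    return base64.b64decode(form_value).decode()


if __name__ == "__main__":
    print(redirect_url(build_authn_request(new_request_id(), "2024-01-15T12:00:00Z"), "publisher"))
```

The asymmetry is the point: a redirect carries the request in the URL, so it is compressed to fit URL length limits and must be URL-encoded, whereas the POST body has no such limit and is only base64-encoded. RelayState is echoed back untouched by the IdP, so treat it as untrusted input when it returns to the ACS URL rather than redirecting to it blindly.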
Design and User Flow
When the user clicks Login or first connects to Vestorly, Vestorly attempts to route the login flow to the partner's associated login page.
Vestorly Advisor Login –> Partner Organization’s SSO Login Page –> Vestorly SAML –> Vestorly Publisher page
Logout returns the user to the organization's login page.
Dashboard SSO flow
When a user is already inside a partner's site, the partner can send a SAML assertion directly to Vestorly (an IdP-initiated flow, so no login request from Vestorly precedes it) and the user lands in Vestorly signed in.
Partner Organization’s Dashboard Page –>Vestorly SAML –> Vestorly Publisher page
SAML Field Mapping
In addition to the standard SAML fields, Vestorly supports mapping the following attributes:
Attr_email – advisor email
Attr_firstname – advisor first name
Attr_lastname – advisor last name
Attr_phone – advisor phone number
Attr_company – advisor company or firm name
Attr_website – advisor website
Attr_entityid – identifier for the advisor within the partner’s organization
Attr_repcode – alternative identifier for the advisor within the partner’s organization
Attr_asst_entityid – assistant (non-advisor) identifier
Attr_asst_repcode – alternative assistant (non-advisor) identifier
Attr_asst_firstname – assistant (non-advisor) first name
Attr_asst_lastname – assistant (non-advisor) last name
Attr_asst_email – assistant (non-advisor) email
Vestorly also supports organization impersonation (an assistant signing in on an advisor’s behalf) through the use of the Attr_asst_* fields.
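What a service provider does with the response once it reaches the post-back URL, covering the response validity checks that go with the signing and binding settings above as well as the Attr_* mapping and the Attr_asst_* impersonation case. This is an added example, not Vestorly's implementation: the entity ID, ACS URL, allowed email domains and the sample response are constructed placeholders, and XML signature verification (which must succeed before any of these checks is worth running) is delegated to an XML-DSig library and not shown.

```python
"""Validating a SAML Response at the post-back URL and mapping the Attr_* fields above.
Added example, not Vestorly's own code: endpoints, allowed domains and the sample are assumed."""
import base64
import xml.etree.ElementTree as ET  # production: parse untrusted XML with defusedxml
from datetime import datetime, timedelta, timezone
from typing import Optional

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://sp.example.com/saml/metadata"   # placeholder SP Entity ID (assumed)
ACS_URL = "https://sp.example.com/saml/acs"             # placeholder post-back (ACS) URL (assumed)
ALLOWED_EMAIL_DOMAINS = {"partner.example"}             # the optional "Email domains" list (assumed)
PERSON_FIELDS = ("entityid", "repcode", "email", "firstname", "lastname")

def _ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml: str, expected_request_id: Optional[str], now: datetime) -> ET.Element:
    """Checks made AFTER the XML signature on the Response and/or Assertion has been verified
    (xmlsec/signxml, not shown). Returns the Assertion; cache its ID until NotOnOrAfter to stop replays."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{SAMLP}}}Response":
        raise ValueError("not a samlp:Response")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP reported a non-success status")
    if root.get("Destination") != ACS_URL:
        raise ValueError("Destination is not our ACS URL")
    # SP-initiated login must echo our request ID; the IdP-initiated dashboard flow
    # carries no InResponseTo, so the caller passes None for that flow.
    if root.get("InResponseTo") != expected_request_id:
        raise ValueError("InResponseTo mismatch (unsolicited or replayed response)")
    assertions = root.findall("saml:Assertion", NS)   # direct children of the Response only
    if len(assertions) != 1:
        raise ValueError("expected exactly one plaintext Assertion (EncryptedAssertion not handled)")
    assertion = assertions[0]
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or SP_ENTITY_ID not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        raise ValueError("missing Conditions or assertion not addressed to our Entity ID")
    skew = timedelta(minutes=2)   # tolerate small clock drift between IdP and SP
    if cond.get("NotBefore") and now + skew < _ts(cond.get("NotBefore")):
        raise ValueError("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now - skew >= _ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion expired")
    return assertion

def map_attributes(assertion: ET.Element) -> dict:
    """Attr_* -> advisor (keyed by Attr_entityid, else NameID); Attr_asst_* -> assistant = impersonation."""
    at = {el.get("Name"): (el.findtext("saml:AttributeValue", default="", namespaces=NS) or "").strip()
          for el in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    advisor = {f: at.get("Attr_" + f) for f in PERSON_FIELDS}
    advisor["entityid"] = advisor["entityid"] or assertion.findtext("saml:Subject/saml:NameID", None, NS)
    if not (advisor["entityid"] or advisor["repcode"]):
        raise ValueError("no advisor identifier (Attr_entityid, Attr_repcode or NameID)")
    if advisor["email"] and advisor["email"].rsplit("@", 1)[-1].lower() not in ALLOWED_EMAIL_DOMAINS:
        raise ValueError("advisor email domain is not on this connection's allowed list")
    assistant = None
    if any(k.startswith("Attr_asst_") for k in at):
        assistant = {f: at.get("Attr_asst_" + f) for f in PERSON_FIELDS}
        if not (assistant["entityid"] or assistant["repcode"]):
            raise ValueError("Attr_asst_* present but no assistant identifier")
    return {"advisor": advisor, "assistant": assistant, "impersonation": assistant is not None,
            "company": at.get("Attr_company"), "phone": at.get("Attr_phone"), "website": at.get("Attr_website")}

def login_from_post(saml_response_b64: str, expected_request_id: Optional[str], now: datetime) -> dict:
    # ACS entry point: the HTTP-POST binding delivers the Response base64-encoded in the SAMLResponse field.
    return map_attributes(validate_response(base64.b64decode(saml_response_b64).decode(), expected_request_id, now))

def validation_error(xml: str, expected_request_id: Optional[str], now: datetime) -> Optional[str]:
    try:  # rejection reason, or None when the response passes
        validate_response(xml, expected_request_id, now)
    except ValueError as err:
        return str(err)
    return None

def _attr_xml(values: dict) -> str:
    return "".join(f'<saml:Attribute Name="{k}"><saml:AttributeValue>{v}</saml:AttributeValue></saml:Attribute>'
                   for k, v in values.items())

# Constructed, unsigned sample for illustration; a real Response is signed by the partner IdP.
SAMPLE_ATTRS = _attr_xml({"Attr_email": "jane.doe@partner.example", "Attr_firstname": "Jane",
    "Attr_lastname": "Doe", "Attr_entityid": "ADV-1001", "Attr_repcode": "JD01", "Attr_company": "Partner Wealth",
    "Attr_asst_entityid": "AST-2002", "Attr_asst_firstname": "Sam", "Attr_asst_lastname": "Lee",
    "Attr_asst_email": "sam.lee@partner.example"})
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" ID="_r1" Version="2.0"
 IssueInstant="2024-01-15T12:00:00Z" Destination="{ACS_URL}" InResponseTo="_req42">
 <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-15T12:00:00Z">
  <saml:Issuer>https://idp.partner.example/metadata</saml:Issuer><saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-01-15T11:59:00Z" NotOnOrAfter="2024-01-15T12:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction></saml:Conditions>
  <saml:AttributeStatement>{SAMPLE_ATTRS}</saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_POST = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()   # as the SAMLResponse form field
NOW = datetime(2024, 1, 15, 12, 1, tzinfo=timezone.utc)               # fixed clock for the sample
```

validate_response rejects the usual integration mistakes: accepting a response addressed to another service provider (Audience), to another endpoint (Destination), outside its validity window, or not matching the request the SP issued (InResponseTo). Only one plaintext Assertion directly under the Response is accepted, which, together with verifying the signature over that same element, leaves little room for signature-wrapping tricks. For the IdP-initiated dashboard flow the caller passes None as the expected request ID, and an encrypted assertion would first have to be decrypted with the .CER certificate's private key before these checks run.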
Vestorly’s http://developers.vestorly.com provides additional technical documentation for integrations.