Introduction.
If single sign-on is enabled for a subscribing company, its users can log in via an IdP (Identity Provider) when they sign in to the UniBaaS administration screen or use the Unifinity Application Player.
Unifinity supports single sign-on using the SAML 2.0 HTTP POST binding and operates as the Service Provider (SP).
Eligible Companies
Single sign-on functionality is available for companies with Enterprise and Standard contract ranks.
IdPs with Confirmed Connectivity
We have confirmed operation with the following IdPs. Other IdPs that support the SAML 2.0 HTTP POST binding can also be used.
- Microsoft Azure AD
- Google Workspace
- OneLogin
- Auth0
- Okta
- Satellite Office Single Sign-On
Provisioning
UniBaaS uses Just In Time (JIT) provisioning to create a UniBaaS user automatically the first time a corporate user logs in with single sign-on.
The UniBaaS login ID of the automatically created user is the value of the NameID in the SAML Assertion. (The IdP can generally be configured to choose which attribute on the IdP is placed in the NameID of the SAML Assertion.)
In addition, when automatically creating users, it is possible to map the attributes of the account on the IdP to the attributes of the user on UniBaaS (user name and group affiliation).
Attention
- Synchronization of account information between the IdP and UniBaaS using SCIM, as provided by IdPs such as Azure AD and Okta, is not supported.
- Please note that if the number of licenses for the subscribing company is exceeded, automatic user creation via single sign-on will not be possible and authentication will fail.
Single Sign-On Settings
1. SAML settings for IdP
The UniBaaS single sign-on configuration page provides the information necessary for configuring the IdP.
Register the Entity ID, ACS URL, and other values in the IdP.
- 10.1 SAML Settings Azure Active Directory
- 10.2 SAML Settings Google Workspace
- 10.3 SAML Settings Auth0
- 10.4 SAML configuration Satellite office
2. SAML settings for UniBaaS
Set up the information required for SAML on the UniBaaS single sign-on configuration page.
- IdP login URL
  - Specify the IdP's SAML login URL.
- IdP MetaData
- IdP MetaData URL
  - Open the metadata (XML) downloaded from the IdP in a text editor and paste its contents into IdP MetaData, or specify the metadata URL provided by the IdP in IdP MetaData URL. If both are set, IdP MetaData takes precedence.
- GroupName Mapping
  - Specify the name of the SAML Assertion attribute that holds the name of the group to which the UniBaaS user belongs; it is used when the UniBaaS user is created automatically. If unspecified, automatically created users are assigned to the group given by the default group name.
- UserName Mapping
  - Specify the name of the SAML Assertion attribute that holds the UniBaaS user name; it is used when the UniBaaS user is created automatically. If unspecified, the user name is the same as the UniBaaS login ID (the NameID value in the SAML Assertion).
- Default group name
  - Specify the name of the UniBaaS group to assign when UniBaaS users are created automatically. This value is used if GroupName Mapping is not specified, or if the attribute named in GroupName Mapping is not present in the Assertion.
Clicking the Register button saves the specified items and enables single sign-on for each Unifinity product.
Reference: About SAML Assertion
A SAML Assertion carries the attribute information of the entity the IdP has authenticated, issued after successful SAML authentication, and typically includes the following attributes:
In the above sample, the department is assigned to the Attribute Name="Group" element of the AttributeStatement and the user name to the Attribute Name="Fullname" element, so the UniBaaS SAML configuration specifies "Group" for GroupName Mapping and "Fullname" for UserName Mapping to map the IdP attributes to UniBaaS user attributes.
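The mapping rules above (NameID becomes the login ID, GroupName Mapping and UserName Mapping select attributes, and the default group name is the fallback when the group attribute is absent) can be illustrated with a small parser. The following is an added example, not UniBaaS or Unifinity code: it reads a constructed SAML 2.0 Assertion fragment with the "Group" and "Fullname" attributes from the reference text and derives the user record an SP would create. The assertion, the function names and the mapping values are assumptions for illustration; in a real SP the assertion's signature, Conditions and SubjectConfirmation must be validated before any of these values are trusted.

```python
"""Added example: derive JIT-provisioning values from a SAML 2.0 Assertion.

Not UniBaaS code. It only shows how NameID, GroupName Mapping, UserName
Mapping and the default group name combine; signature and condition checks
are out of scope here and must run before this step in a real SP.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from any real IdP). Signature, Conditions
# and SubjectConfirmation are omitted for brevity.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
                ID="_constructed-example" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Group">
      <saml:AttributeValue>Sales</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Fullname">
      <saml:AttributeValue>Alice Example</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (name_id, attributes) where attributes maps Name -> [values].

    Empty AttributeValue elements are dropped so that an attribute present
    without a usable value counts as "not obtained".
    """
    root = ET.fromstring(xml_text)
    name_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    attributes = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [
            v.text.strip()
            for v in attr.findall("saml:AttributeValue", NS)
            if v.text and v.text.strip()
        ]
        attributes[attr.get("Name")] = values
    return (name_id.strip() if name_id else None), attributes


def provision_user(xml_text, group_mapping, user_mapping, default_group):
    """Apply the mapping rules to an (already validated) assertion.

    group_mapping / user_mapping are the attribute names configured as
    GroupName Mapping / UserName Mapping; either may be None (unspecified).
    """
    name_id, attributes = parse_assertion(xml_text)
    if not name_id:
        # Without a NameID there is no login ID, so provisioning cannot proceed.
        raise ValueError("assertion has no NameID; cannot derive a login ID")

    login_id = name_id  # NameID value becomes the UniBaaS login ID

    # Group: mapped attribute if configured and present, else the default group.
    group_values = attributes.get(group_mapping, []) if group_mapping else []
    group = group_values[0] if group_values else default_group

    # User name: mapped attribute if configured and present, else the login ID.
    user_values = attributes.get(user_mapping, []) if user_mapping else []
    user_name = user_values[0] if user_values else login_id

    return {"login_id": login_id, "user_name": user_name, "group": group}


if __name__ == "__main__":
    print(provision_user(SAMPLE_ASSERTION, "Group", "Fullname", "DefaultGroup"))
    # A mapping that names an attribute the IdP did not send falls back.
    print(provision_user(SAMPLE_ASSERTION, "Department", None, "DefaultGroup"))
```

The second call shows the fallback path described above: when the attribute named in GroupName Mapping is not in the assertion, the default group name is used, and with UserName Mapping unset the user name equals the login ID.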
Supported Authentication Flows
The SAML authentication flows supported by Unifinity are as follows:

| Product | Supported SAML Authentication Flows |
|---|---|
| Unifinity Application Player (iOS, Android) | IdP-Initiated SSO |
| Unifinity Application Player | SP-Initiated SSO |
| UniBaaS Enterprise Management | IdP-Initiated SSO |
| Unifinity Portal | SP-Initiated SSO |
| UniBaaS Integrated Management | Not supported |
IdPs provide a portal or dashboard from which authenticated users can launch the apps available to them. Selecting Unifinity there launches the Unifinity Application Player in an authenticated state on iOS and Android, and the UniBaaS corporate administration screen in an authenticated state on Windows.
Please refer to the user documentation for instructions on initiating the SP-Initiated SSO authentication flow.
Account management for contracted company users
1. Hybrid login
For subscribing companies that have enabled single sign-on, UniBaaS users are created automatically by JIT provisioning, but users can also be added manually on the UniBaaS corporate administration screen and used alongside them. (See Using UniBaaS - 6. Managing users.)
In this case, a manually created user cannot have a UniBaaS login ID that duplicates the login ID of a user created automatically by single sign-on.
2. Restrictions on single sign-on users
The following functions are not available to users created automatically with single sign-on:
- Password reset via user management screen for enterprise management functions
- Password reset in the Unifinity Application Player preferences screen