Setup Multi-SSO with SAML using SSOCircle

Summary

There are three main steps to configure any Identity Provider with an Instance using Multi-Provider SSO:

1. Activate the Multi-Provider SSO Plugin
2. Set up Multi-Provider SSO
3. Configure an Identity Provider using Multi-Provider SSO

Steps 1 and 2 are the easy part. These two steps are common for all Identity Providers. The bulk of the work is step 3, and this step is dramatically different depending on the type of identity provider:

- SAML 2.0
- OpenID Connect (OIDC)
- Digest Authentication (Digest Token)

In these instructions we will set up a SAML 2.0 Identity Provider. Instructions for the other two types of identity providers will soon be available.

Release

Instructions performed on an out-of-the-box San Diego Patch 1 instance.

Instructions

Going through these instructions should take approximately one to two hours.

Step 1: Activate Multi-Provider SSO Plugin

Note: it takes approximately 10 to 15 minutes for this plugin to install.

Navigate to "System Applications" > "All Available Applications" > "All" to go to the plugin listing page. Search for the Multiple Provider Single Sign-On Installer plugin [com.snc.integration.sso.multi.installer] and click Install.

Step 2: Set up Multi-Provider SSO

Navigate to "All" > "Multi-Provider SSO" > "Administration" > "Properties". You have to check the "Enable multiple provider SSO" box, but you will not be able to until you set up SSO Account Recovery (ACR). Click the "on this page." link to be directed to the Account Recovery Properties page. Note that there are four steps to be completed on this page.

Step 1 on this properties page is to check the "Enable account recovery" box. For step 2, we need to set up account recovery. Start by clicking the link in "Click here to ..." to be directed to the "Configure account recovery for Multi-SSO" page. Follow the steps on this page to pair your device and enable account recovery in this instance.

Once completed, you should see the following:

Step 3 is optional, since these changes are not necessary for the feature to work. For step 4, click the link in "... SSO Properties page." to be directed back to the "Multiple Provider SSO Properties" page. You will notice that you can now check the "Enable multiple provider SSO" checkbox. Check the "Enable multiple provider SSO" field and enable debug logging (debug logging helps while troubleshooting the setup and can be turned off once SSO works). The external login (Login with SSO) link will now appear on the instance's login page.

As mentioned above, steps 1 and 2 need to be completed regardless of the type of identity provider. Up to this point the instructions for any type of identity provider are the same. From here on, the instructions differ depending on the type of identity provider:

- SAML 2.0
- OpenID Connect (OIDC)
- Digest Authentication (Digest Token)

In this article, we are setting up SAML 2.0 SSO using SSOCircle as the identity provider.

Step 3: Configure an Identity Provider using Multi-Provider SSO

Note: Before we begin to add the Identity Provider account to the instance, you need to create an account with the Identity Provider (SSOCircle, in this case). You can skip the SSOCircle account creation step if you already have an SSOCircle account.

Go to ssocircle.com, then go to "Sign in / Register" > "Login". Click the "New User" button and enter the required data. Click the "Register" button once you have entered all the required information for your new account. You will be prompted to accept the terms and conditions. Once you accept the terms and conditions you will be sent an email. Click the link in the email to complete your account registration. When you click the link in the email you will receive a success message:

Once you have an SSOCircle account, you can start to configure SSOCircle as an Identity Provider in your instance. Start by logging into SSOCircle and going to "Manage Metadata". Click the "SSOCircle Public IDP Metadata" link. This opens this IDP's metadata (an XML document). You will need this information for the next step.

In a new tab, go to your instance and navigate to "Multi-Provider SSO" > "Identity Providers", then click "New". Select SAML as the type/kind of SSO we are creating. Once you click the "SAML" link, you will be directed to a new Identity Provider record with a pop-up to import the Identity Provider's metadata. This is where you copy/paste the information from the previous step. In this example, I copied and pasted the URL.

Right-click and Save the record, then click the "Generate Metadata" UI Action. The generated Service Provider metadata (XML) is what you will copy and paste into the Identity Provider (SSOCircle) next. Go back to SSOCircle and go to "Manage Metadata", then click on the "Add new Service provider" link. In the SAML Service Provider Metadata Import page, enter the following information:

- FQDN - this is just your instance's URL
- Attributes sent in assertion - check all boxes
- SAML Metadata information of your SP - copy the XML text produced in the previous step

Click Submit to complete creating the configuration for the Service Provider (your instance).

Navigate back to your instance, locate the Identity Provider record you just created and click the "Test Connection" UI Action from this record. You will be presented with a pop-up window with the SSOCircle login prompt. After you log in, you will be presented with a prompt to prove you are not a robot. Once you have proven you are not a robot :) click the "Continue SAML Single Sign On" button. You will be directed to a status page. Hopefully, all tests pass so you can click the "Activate" button (this activates the Identity Provider record on the instance). Clicking the "Activate" button redirects you to the Identity Provider record. Make sure you save the record.

We are now finished. If the configuration was successful you will be able to log in to the instance using SSOCircle as the IDP. Before we can test, we need an account to test with. For this example, we will use the "admin" account.

Open the "admin" account and make sure of the following:

- The email address matches the email address you selected for the SSOCircle account
- The SSO Source value is "sso:" followed by the sys_id of the Identity Provider record just created

You are ready to test. Log out and go to your instance login page, then click the "Login with SSO" link to log in with the "admin" account. When you click "Submit" you will be directed to the SSOCircle site to log in and to verify you are not a robot. You will then be redirected to your instance and successfully logged in.