About SSO with SAML authentication

summary

This is a help page on how to perform SSO by SAML authentication at trocco.

About SSO

Single Sign On (SSO) is a mechanism that allows you to log in to multiple web services and applications by performing authentication with a single ID and password once.
The following benefits can be considered by introducing SSO.

• Convenience is improved because you only need to remember one set of IDs and passwords.
• No more hassle of managing passwords as strong as the number of services you use.
• Since the services available to each employee can be managed collectively, the burden on managers is reduced.

There are several SSO authentication methods, but trocco uses the Security Assertion Markup Language (SAML) method. In the SAML method, the side that provides authentication information (Onelogin, Okta, Azure AD, etc.) is called the Identity Provider (IdP), and the side that uses authentication information (trocco) is called the Service Provider (SP).

Setup Procedure

IdP-side settings

Register trocco as an SP with the IdP. Please use the following information when registering.

• Assertion Consumer Service（ACS）URL
  The setting value is different for each account. Manage trocco → Security → SSO using SAML authentication.

• SP Entity ID
  https://trocco.ioPlease set the .

• NameID Format
  Set your email. To use this function, the user's email address must match between the IdP and the SP.

After registering the above, assign the necessary users and groups.

Example) For Okta

1. Add an application
   From the Okta UI menu, click Applications → Applications.

Click Create App Integration.

Select SAML 2.0 and click Next.

2. General Settings
   For the App Name, please enter a name such as "trocco". Set other items as needed.

You can download the trocco logo here.

3. Configure SAML
   The Single sign on URL setting is different for each account. Manage trocco → Security → Check from SS using SAML authentication.

Set the Audience URI (SP Entity ID)https://trocco.io to and EmailAddress for the Name ID format.

4. Feedback
   Respond to the feedback and click Finish.

5. Assigning User Groups
   You can assign the app you created to users and groups by clicking Assignments → Assign, and then clicking Assign to People or Assign to Groups.

6. Retrieving metadata
   Click Sign On → View Setup Instructions.

Copy the metadata displayed in the Optional → Provide the following IDP metadata to your SP provider at the bottom of the screen that appears, and paste it into your trocco dashboard.

Example) In the case of Azure AD

In Azure AD, set the identifier and reply URL.
It is not necessary to set the sign-on URL, relay status, and logout URL.

identifier

https://trocco.io/Please use

Reply URL

Please use the URL displayed in "SSO using SAML authentication" on trocco.
SSO using SAML authentication can be viewed by clicking on the top page of trocco in the order of settings > security.

SP-side settings

Register your IdP with trocco. Settings → Security → Enable SSO using SAML authentication to proceed to the registration screen. Metadata generated by the IdP is used for registration.
Disable password authentication as a login method to trocco, and if you want to use SSO only, select the check box of Login Settings.

User Addition Procedure

You can still add users from the Administration → Account Users → User Invitation.

Be sure to match the email address of the user assigned in the IdP with the email address you add to trocco.