Skip to main content

Single Sign On (SSO) and SAML Integration

If you are on the Enterprise plan, you can connect Paligo to a Single Sign On (SSO) service. It means that you can use your SSO provider to handle all the company's user accounts (create, edit and delete) and permissions (assign and remove) in one place and allow users to log in to several systems with a single ID.

This has many benefits, including:

  • Reduced administration time - You can manage all software-as-a-service (SaaS) user accounts from a single SSO service. This is especially useful in larger organizations where the workforce regularly changes due to people joining, moving departments, leaving and retiring.

  • Easier access - Users can log in to applications without entering their username and password each time.

  • Security - With centralized user accounts, you can apply security measures to all users, such as password strength, multi-factor authentication and more.

Tip

To find out about setting your SSO service to connect to Paligo, see Set Up Your SSO Service. That topic is a general overview of what you need to set up for SSO. We also have more detailed instructions for Okta and JumpCloud integrations.

How SSO Works - The Basics

To use SSO with Paligo, you first need to set up your SSO service to connect to Paligo . The key things here are that the SSO service is able to authenticate a Paligo user's user account, password, and user group.

When your SSO service is set up to connect to Paligo, the log-in process for users is:

Single Sign On concept. User logs in to Paligo. Paligo contacts SSO service. SSO service approves or denies the user's sign in.

  1. User opens Paligo in a browser and selects a Sign in button. They do not need to enter a user name or password.

  2. Paligo redirects to the SSO service for the user's log-in details.

  3. The SSO service responds to Paligo:

    If the user is signed-in to the SSO service already, the SSO service provides Paligo with the user's username, password, and user group. The user is logged in to Paligo automatically.

    If the user is not signed-in to the SSO service, Paligo redirects them to the SSO service sign-in. When they sign-in, Paligo can log them in automatically.

You can also manage your user accounts in the SSO service. If you add a new user to a Paligo user group in the SSO service, Paligo will create these new users automatically (when a new user attempts to log in to Paligo).

Note

To delete a Paligo user, log in to Paligo as an administrator user and delete the user account manually. SSO services are not designed to delete user accounts.

Connect Paligo to your SSO Service

Before you connect Paligo to your SSO service, you should Set Up Your SSO Service so that it can provide user authentication data to Paligo. As part of the setup, you will export a metadata file that you will be able to import into Paligo.

When the SSO service is set up, you can connect Paligo to it:

  1. Log in to Paligo via a user account that has administrator permissions.

  2. Log in to Paligo via a user account that has administrator permissions.

  3. Select the avatar in the top-right corner. User avatar. It shows the user's image and their name. Next to the name is a downward pointing arrow, which when selected, reveals a menu.

  4. Select Settings from the menu. Cog icon.

  5. Select the Integrations tab. Jigsaw piece icon.

    Paligo settings. The Integrations tab is highlighted.

  6. Select Add in the SAML 2.0 section to expand the connection settings.

    SAML-section.jpg

  7. Enter the Provider Name, a display name for the SSO service, for example, Okta or JumpCloud.

    Connect_To_SSO_small.jpg

  8. Select Upload metadata file and select the metadata file that you exported from the SSO service when it was set up.

  9. In most cases, you should be able to ignore the Advanced Settings section. These settings are filled automatically, as the values come from the SAML XML file you uploaded in the previous step. If, for some reason, the settings need to be added or changed, you can make the changes manually.

    Advanced settings for single sign on include entity id, ssl certificate, single sign on service url and single sign out service url.

    • Entity ID - The identifier for your SAML endpoint. This is sometimes called the identity provider issuer.

    • SSL Certificate - The secure socket layer (SSL) certificate for the SSO service.

    • Single Signon Service URL - The address of the single sign-on service.

    • Single Signout Service URL - The address of the single sign-out service, if used. When this is used, logging out of Paligo logs the user out of the SSO service as well, not just Paligo. This is empty if the feature is not used.

  10. Check the Enable sign-in alternative checkbox so that users can sign in to Paligo manually as well with SSO. This is important the first time you set up SSO, as if there is an error, you will need to be able to log in to Paligo without SSO to fix it.

    Enable sign-in alternative checkbox is selected. This means users can still log in without SSO if needed.

  11. Check the Force authentication to set the forceAuthn parameter to true in the request to the identity provider. This will require the user to authenticate themselves even if there is an active session with the IdP.

    Force_Authentication_SSO_small.jpg

  12. Check the Enable SSO box to activate single-sign in.

    SAML 2.0 integration settings, Enable SSO checkbox is checked.

    Note

    If you want to store the settings without activating SSO, clear this checkbox. You can return to this page and enable SSO later if needed.

  13. Select Save.

  14. Log out of Paligo.

    Caution

    Do not log out of Paligo if the Enable sign-in alternative setting is not checked and you have not yet tested SSO. Logging out could result in you being unable to log in to Paligo.

  15. Log back in again. You should now see an SSO sign in option that, when selected, logs you into Paligo.

    Note

    If you do not see the SSO sign in option or if the SSO sign-in attempt is unsuccessful, log in with your username and password and check that you have completed the steps described in this topic correctly.

    Usually, failed SSO sign-ins are due to incorrect configuration in the SSO service. Please make sure that you have entered the correct URLs and have set the correct attributes for firstname, lastname and email.

    The most common error is that the user group is incorrectly set up in the SSO service. The SSO service has to be able to provide Paligo with the username, email, and usergroup metadata. For more information on the SSO service settings, see Set Up Your SSO Service.

  16. Once SSO works as expected, enter the SAML 2.0 settings.

  17. Clear the checkbox for Enable sign-in alternative.

    If this option is disabled the users can no longer use username and password to login. They have to use SSO to log in.

  18. Select Save.

Set Up Your SSO Service

To use an SSO service with Paligo, the SSO service has to be configured to communicate with Paligo using SAML. Typically, this configuration work is performed by IT specialists who have an in-depth understanding of the SSO service.

There are many different SSO services available and the terminology and settings they use can vary between vendors. This means we cannot provide a detailed set of general instructions that will work for all SSO services. But the main principles are the same, and most SSO services do require similar types of information (see below).

Note

We do provide more detailed instructions for Okta and JumpCloud.

Connect an SSO Service to Paligo

The general instructions for connecting an SSO service to Paligo.

In your SSO provider:

  1. Create one user account for each Paligo user account.

  2. Create a custom SAML 2.0 application.

  3. Configure the SAML 2.0 application. The terminology used for the settings can vary, but you will need to:

    1. Set the Assertion Consumer Service (ACS) URL for Paligo, the endpoint where the SSO service provider connects to Paligo.

      Use this URL: https://your.paligoapp.com/saml/acs. Replace your with the domain name of your Paligo instance, for example: https://acme.paligoapp.com/saml/acs

    2. Set the Service Provider (SP) URL for Paligo.

      Use this URL: https://your.paligoapp.com/saml/metadata. Replace your.paligoapp.com with the domain name of your Paligo instance.

    3. Set the application user name or ID to: email

    4. Create attribute mapping for Paligo's user credentials:

      • user.firstname

      • user.lastname

      • user.email

      Note

      There may be additional settings required, depending on your SSO Service.

    5. Map them to the equivalent attributes in your SSO service. Refer to your SSO service documentation for information on those.

  4. Create a group attribute for Paligo. Depending on the SSO service you are using, this should have the name / value paligo.usergroup or paligo_usergroup.

  5. Export the SSO service's metadata file so that you can import it into Paligo.

  6. Create a user group for each Paligo user group. This step is required in some SSO services, whereas with others, you can add the user group name to the user settings.

    In Paligo, every user account belongs to a user group, such as administrators, authors, contributors, reviewers, publishers, it admins or translation managers. When users log in to Paligo using SSO, Paligo needs the SSO service to provide the user group information (as well as the first name, last name and email). User groups are not included in the default metadata, so you need to add them in your SSO service.

  7. Associate each user account with the appropriate user group.

  8. Associate each user group with the SAML 2.0 application that you have created to represent Paligo.

  9. In Paligo, use the SSO integration settings to Connect Paligo to your SSO Service.

Integration with Okta

You can connect Paligo to Okta for single sign on (SSO). This is only available on the Enterprise plan.

To use Okta with Paligo, you need to set up Okta to provide metadata to Paligo. The metadata includes the name of the user, the user's email address, and the user group that the user belongs to.

Note

The metadata describing the user group is not part of the standard metadata. You must add this metadata to the SAML response.

To be able to Connect Paligo to your SSO Service you need to set up Okta to integrate with Paligo.

Note

For this section, we assume that you have already created your user accounts in Okta.

Create a New Application Connector for Paligo in Okta

The first stage of setting up Okta to communicate with Paligo is to create a new application connector.

In Okta:

  1. Locate your applications and select Add application and then Create New App.

  2. Apply the following settings for your new application:

    • Platform - set to Web

    • Sign on method - set to SAML 2.0

    Okta create a new application integration screen. Select Web and SAML 2.0

  3. Select Create.

  4. In the General settings, enter Paligo as the App name and then select Next.

  5. Define the SAML settings.

    In the General section, enter the following (replace my.paligoapp.com with your Paligo instance name, for example: acme.paligoapp.com).

    Setting

    Value

    Single sign on URL

    https://my.paligoapp.com/saml/acs

    Audience URL

    https://my.paligoapp.com/saml/metadata

    Default RelayState

    https://my.paligoapp.com

    Application username

    Choose email

  6. In the Attribute statements section, add the following attributes:

    Name

    Name format

    Value

    user.firstname

    Basic

    user.firstName

    user.lastname

    Basic

    user.lastName

    user.email

    Basic

    user.email

    paligo.usergroup

    Basic

    appuser.paligo_usergroup

    Your settings should look like this:

    SAML Settings in Okta. The settings show the values that are needed for connecting to Paligo.

  7. Double-check that your attribute statements are exactly as described in the previous step. Look out for typing mistakes as any errors may prevent the connector from working.

  8. Select Next.

The next stage in Okta is to Add the User Group to the Okta SAML Response.

Add the User Group to the Okta SAML Response

When users login to Paligo via Okta, Okta sends metadata to Paligo. The metadata includes the user's first name, last name, email address, and information about which user group they belong to.

The user group metadata is not a standard part of the Okta default metadata. So you need to add the user group to the metadata SAML assertion:

  1. Select Directory > Profile Editor.

  2. Select the Profile button for the Paligo app.

  3. Select Add attribute and enter the details for the Paligo user group.

    Okta Add attribute interface showing the settings for the paligo user group

    Setting

    Value

    Display name

    Paligo user group

    Variable name

    paligo_usergroup

    Description

    Optional. You can leave this blank or add a description to explain the purpose of the user group attribute.

    Data type

    string

    Attribute length

    Between. You do not need to define a min and max value, leave those fields empty.

    Attribute required

    Check Yes.

    Scope

    Check the User personal box if you want to assign the user group attribute (for Paligo) to user accounts individually.

    If you clear the User personal box, the user group attribute (for Paligo) will apply to all user accounts in the Okta user group. Please refer to Okta documentation for more information.

  4. Double-check that you have entered the correct details for the Paligo user group. Look out for typing mistakes as they could prevent the login from working as expected.

  5. Save the attribute.

Next: Assign the Users to Paligo and a Paligo User Group .

Assign the Users to Paligo and a Paligo User Group

Each user that is going to use Okta to access Paligo needs to be assigned to the Paligo application and a Paligo user group.

In Okta:

  1. Select Directory > People and then select a user account.

  2. On the Applications tab, select Assign Applications.

  3. Select Assign for the Paligo application.

  4. In the Paligo user group field, enter the appropriate syntax for the user's role in Paligo. The following table shows the possible values you can use:

  5. Save the user.

  6. Repeat this process for each user account that is going to have access to Paligo via Okta.

  7. Double-check your users to make sure that you have entered the correct syntax. Look out for typing mistakes as any errors could prevent the logins from working.

Get the Metadata from Okta

The final steps to take in Okta are to get the metadata file that is needed for the connection.

In Okta:

  1. Select Applications > Applications.

  2. Select Sign On.

  3. Right-click on the Identity Provider Metadata link and choose to save the link as a file. Give the file a name and an .xml extension, for example, metadata.xml. You will need this XML when you set up the Paligo integration.

You have now completed the configuration that is needed in Okta. The next step is to Connect Paligo to your SSO Service.

Integration with JumpCloud

You can connect Paligo to JumpCloud (https://www.jumpcloud.com) for single sign on (SSO). This is only available on the Enterprise plan.

To use JumpCloud with Paligo, you need to set up JumpCloud to provide metadata to Paligo. The metadata includes the name of the user, the user's email address, and the user group that the user belongs to. The metadata describing the user group is not part of standard metadata. You must add this metadata to the SAML response.

Note

For this section, we assume that you have already created your user accounts in JumpCloud.

To be able to Connect Paligo to your SSO Service you need to set up JumpCloud to integrate with Paligo.

Create a New Application Connector for Paligo in JumpCloud

The first stage of setting up JumpCloud to communicate with Paligo is to create a new application connector.

In JumpCloud:

  1. Go to the JumpCloud console and select SSO and then add an application.

  2. Select Custom SAML App.

  3. In the Settings panel, apply these values (replace the your in your.paligoapp.com with the address of your Paligo instance, for example, acme.paligoapp.com).

    Name

    Value

    Display Label

    Paligo (example)

    IDP Entity ID

    paligo/jumpcloud/sso

    SP Entity ID

    https://your.paligoapp.com/saml/metadata

    ACS URL

    https://your.paligoapp.com/saml/acs

    Samlsubject NameID

    email

    Samlsubject NameID Format

    urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    Signature algorithm

    RSA-SHA256

    Attributes

    Create attributes for:

    user.firstname

    firstname

    user.lastname

    lastname

    user.email

    email

    Groups Attributes

    Include Group Attribute

    Checked. This option must be checked/enabled.

    Groups Attribute Name

    paligo.usergroup

  4. Select Save.

Next, you need to Create User Groups in JumpCloud .

Create User Groups in JumpCloud

You should create one user group for each Paligo user group (administrators, authors, contributors, reviewers, publishers, it admins or translation managers) in JumpCloud.

  1. Select Groups.

  2. Create a user group for each Paligo user group.

  3. Select the Applications tab.

  4. Select Paligo to associate the Paligo application with the user group.

  5. Select Save Group.

  6. Repeat this procedure for all Paligo user groups.

Associate the JumpCloud User Accounts with the User Groups

In JumpCloud, you need to associate the user accounts with the user groups that you have set up for Paligo.

  1. Select Users.

  2. Select the user you want to add to a Paligo user group.

  3. Select the User Groups tab.

  4. Select the checkbox for the Paligo user group that the user should belong to.

  5. Select Save user.

  6. Repeat this process for each user account that needs access to Paligo.

You can now Connect Paligo to your SSO Service.

Integration with Azure SSO

Before Paligo and Azure can be connected, you need to create an enterprise app registration for Paligo, see Quickstart: Add an enterprise application - Microsoft Entry.

After registering the App and locating the SSO settings in Enterprise Applications:

  1. Select the app you registered → Single sign-on. There will be the claim settings. Some of those are detailed in Set Up Your SSO Service.

    Working_SSO_Settings_Example_small.png

    Example of a working setup

  2. In the claims settings, the paligo.usergroup should have the value user.assignedroles and be added as a regular claim (not a group claim). You can mirror the settings below:

    AdditionalClaims_PaligoUserGroup_UserAssignedRoles_small.png

  3. You also need to create App roles in the Paligo app registration. You can find these by going to Azure Active Directory → App registrations → Paligo (or whatever you named the app on registration) → App roles.

    Important

    Make sure you have App roles for each Paligo user group. Below you can see the correct configuration with the paligo.admin role as an example. Make sure you also "enable this app role" with the checkbox at the bottom of the Edit app role window.

    Edit_App_Role_PaligoAdmin_small.png

  4. Return to your Paligo Enterprise application and select Users and groups to add the Azure users you created in the main Azure active directory.

  5. Select ✚ Add user/group and choose the user.

  6. Assign the user to one of the roles (you created in the "App roles" above).

  7. Return to your enterprise app Single sign-on settings to create a certificate.

  8. Download the Federation metadata XML.

  9. When you upload this file to your Paligo SSO integration, make sure to skip validation if the validation fails.

  10. After your metadata uploads, expand the Advanced settings in the Paligo SSO integration and delete the Single signout service url.

    AdvancedSettings_PaligoSSO_small.png