General Requirements
Reflektive can support most Single Sign-On (SSO) providers that follow the SAML 2.0 standard. Below you'll find step-by-step instructions for configuring Reflektive in some of the more common SSO providers. Generally speaking, Reflektive requires the two pieces of information listed below from your identity provider in order to complete an SSO configuration:
- X.509 Certificate (the certificate your identity provider signs SAML assertions with)
- SAML URL (the identity provider's SSO / sign-on URL that Reflektive redirects users to)
Once created, please send the two pieces of information to your Customer Onboarding Manager or Reflektive Technical Point of Contact.
(Note: the X.509 certificate and SSO URL are typically both contained in the XML metadata file of your SSO configuration. The XML metadata file can be sent in lieu of the individual X.509 certificate and URL as part of the SSO set-up.)
Active Directory Federation Services (AD FS)
Below are the recommended steps for configuring an AD FS integration with Reflektive, to support SAML 2.0 SSO for your users. These steps may vary slightly for each customer, but all the necessary actions are listed here.
Step 1: Download the Reflektive Metadata.xml onto your system.
Step 2: On your AD FS server, open the AD FS Management Console. Click Add Relying Party Trust... in the Actions pane and click Start on the wizard introduction page.
Step 3: Select Import data about relying party from a file and click Browse. Look for Reflektive metadata.xml and click Next.
Step 5: Select I do not want to configure multi-factor authentication settings for this relying party trust at this time. Click Next.
Step 8: Check Open the Edit Claim Rules dialog for this relying party trust when the wizard closes, then click Close.
Step 9: Within the Claim Rules dialog, click the Issuance Transform Rules tab and then click Add a Rule.
Step 11: This window has several steps.
- Type the Claim rule name: LDAP Email.
- Select Active Directory as the Attribute Store.
- Under Mapping of LDAP attributes to outgoing claim types: choose Email Addresses as the LDAP Attribute, and Email Addresses as the Outgoing Claim Type.
- Click Finish.
Step 14: This window has several steps.
- Type the Claim rule name: Name ID Transform
- Incoming claim type: Email Address
- Outgoing claim type: Name ID
- Outgoing name ID format: Email
- Click Finish. Then, click Apply and OK.
Step 15: Send your AD FS hostname and your AD FS federation metadata.xml to Reflektive.
Step 16: Finally, please ensure that no encryption certificate is configured on the trust for the initial implementation: the Encryption tab of the trust should be left blank for now. This only controls whether AD FS encrypts the assertion for Reflektive; assertions are still signed with your AD FS token-signing certificate, which is the X.509 certificate Reflektive needs.
To download the AD FS metadata, access the following link (while on your Windows server):
- https://<your_ADFS_hostname>/federationmetadata/2007-06/federationmetadata.xml
Email both pieces of info to your Customer Success Manager, and we'll turn on your AD FS connection on our end.
Azure Active Directory
Original source found here, published by Microsoft.
Integrating Reflektive with Azure Active Directory (AD) provides you with the following benefits:
- You can control in Azure AD who has access to Reflektive.
- You can enable your users to automatically get signed-on to Reflektive (Single Sign-On) with their Azure AD accounts.
- You can manage your accounts in one central location - the Azure portal.
Below are the recommended steps for configuring Azure Active Directory with Reflektive, to support SAML 2.0 SSO for your users. These steps may vary slightly for each customer, but all the necessary actions are listed here.
If you want to know more details about SaaS app integration with Azure AD, see what is application access and single sign-on with Azure Active Directory.
IMPORTANT: Please send us the SAML URL and X.509 certificate.
Prerequisites
To configure Azure AD integration with Reflektive, you need the following items:
- An Azure AD subscription
- A Reflektive single-sign on enabled subscription
To test the steps in this tutorial, you should follow these recommendations:
- Do not use your production environment, unless it is necessary.
- If you don't have an Azure AD trial environment, you can get a one-month trial.
Scenario description
In this tutorial, you test Azure AD Single Sign-On in a test environment. The scenario outlined in this tutorial consists of two main building blocks:
- Adding Reflektive from the gallery
- Configuring and testing Azure AD single sign-on
Adding Reflektive from the gallery
To configure the integration of Reflektive into Azure AD, you need to add Reflektive from the gallery to your list of managed SaaS apps.
To add Reflektive from the gallery, perform the following steps:
- In the Azure portal, on the left navigation panel, click the Azure Active Directory icon.
- Navigate to Enterprise applications. Then go to All applications.
- To add a new application, click the New application button at the top of the dialog.
- In the search box, type Reflektive, select Reflektive from the result panel, then click the Add button to add the application.
Configure and test Azure AD single sign-on
In this section, you configure and test Azure AD single sign-on with Reflektive based on a test user called "Britta Simon".
For single sign-on to work, Azure AD needs to know what the counterpart user in Reflektive is to a user in Azure AD. In other words, a link relationship between an Azure AD user and the related user in Reflektive needs to be established.
In Reflektive, assign the value of the user name in Azure AD as the value of the Username to establish the link relationship.
To configure and test Azure AD single sign-on with Reflektive, you need to complete the following building blocks:
- Configure Azure AD Single Sign-On - to enable your users to use this feature.
- Create an Azure AD test user - to test Azure AD single sign-on with Britta Simon.
- Create a Reflektive test user - to have a counterpart of Britta Simon in Reflektive that is linked to the Azure AD representation of user.
- Assign the Azure AD test user - to enable Britta Simon to use Azure AD single sign-on.
- Test single sign-on - to verify whether the configuration works.
Configure Azure AD Single Sign-On
In this section, you enable Azure AD single sign-on in the Azure portal and configure single sign-on in your Reflektive application.
To configure Azure AD Single Sign-On with Reflektive, perform the following steps:
- In the Azure portal, on the Reflektive application integration page, click Single sign-on.
- On the Single sign-on dialog, select Mode as SAML-based Sign-on to enable single sign-on.
- On the Reflektive Domain and URLs section, perform the following step if you wish to configure the application in IDP initiated mode: in the Identifier textbox, use one of the URLs below, as confirmed by the Reflektive support team:
  reflektive.com
  https://www.reflektive.com/saml/metadata
- Check Show advanced URL settings and perform the following step if you wish to configure the application in SP initiated mode: in the Sign-on URL textbox, type https://www.reflektive.com/app
  Note: For SP initiated mode, the email address you sign in with must be the one registered with the Reflektive support team. When you enter that email address in the Email textbox, the single sign-on option is enabled.
- On the SAML Signing Certificate section, click Metadata XML and save the metadata file on your computer.
- Click the Save button.
- To configure single sign-on on the Reflektive side, send the downloaded Metadata XML to the Reflektive support team. They apply it so that the SAML SSO connection is set up properly on both sides.
Tip: You can now read a concise version of these instructions inside the Azure portal, while you are setting up the app! After adding this app from the Active Directory > Enterprise Applications section, simply click the Single Sign-On tab and access the embedded documentation through the Configuration section at the bottom. You can read more about the embedded documentation feature here: Azure AD embedded documentation
Create an Azure AD test user
The objective of this section is to create a test user in the Azure portal called Britta Simon.
To create a test user in Azure AD, perform the following steps:
- In the Azure portal, in the left pane, click the Azure Active Directory button.
- To display the list of users, go to Users and groups, and then click All users.
- To open the User dialog box, click Add at the top of the All Users dialog box.
- In the User dialog box, perform the following steps:
  a. In the Name box, type BrittaSimon.
  b. In the User name box, type the email address of user Britta Simon.
  c. Select the Show Password check box, and then write down the value that's displayed in the Password box.
  d. Click Create.
Create a Reflektive test user
In this section, you create a user called Britta Simon in Reflektive. Work with Reflektive support team to add the users in the Reflektive platform. Users must be created and activated before you use single sign-on.
Assign the Azure AD test user
In this section, you enable Britta Simon to use Azure single sign-on by granting access to Reflektive.
To assign Britta Simon to Reflektive, perform the following steps:
- In the Azure portal, open the applications view, and then navigate to the directory view and go to Enterprise applications then click All applications.
- In the applications list, select Reflektive.
- In the menu on the left, click Users and groups.
- Click the Add button. Then select Users and groups on the Add Assignment dialog.
- On the Users and groups dialog, select Britta Simon in the Users list.
- Click the Select button on the Users and groups dialog.
- Click the Assign button on the Add Assignment dialog.
Test single sign-on!
Bitium
Reflektive integrates with Single Sign-on (SSO) provider Bitium to provide a SAML authentication option. If your company uses Bitium, follow these instructions to set up the integration:
Step 1: As an administrator, log in to your Bitium dashboard and select Manage Apps.
Step 2: Search for "Reflektive" and select the Reflektive app:
Step 3: Within the Reflektive app, click the Single Sign-On tab.
Step 5: Copy the Login URL and X.509 Certificate displayed, to be sent to Reflektive. Then click Save Changes.
Step 6: Send the URL and Certificate to support@reflektive.com, and Reflektive will complete the connection and notify you when ready.
Step 7: Finally, ensure that all relevant users have access to Reflektive through Bitium.
Google (OAuth)
Reflektive provides Google Login as a Single Sign-On (SSO) option in order to make the onboarding process as seamless as possible for companies using Google Apps.
In order for your Google account to work with Reflektive, we’ll need the primary email address associated with your Google account. This is usually the email address that you use to log into Gmail.
It’s common for Gmail users to have multiple aliases associated with a single account. For example, within his Gmail account, John Smith at WidgetCompany receives emails sent to
- john@widgetcompany.com
- jsmith@widgetcompany.com or
- john.smith@widgetcompany.com (primary email address)
Your company’s Google administrator can retrieve the primary email addresses for all employees by following these steps:
Step 1: Within the Google Admin account click on the grid icon and then click on the Admin Link
Step 2: Within the Admin Console, Click on Users
Step 3: Within the Users screen, click on the rightmost icon on the green toolbar and then Click on the Download users option.
Step 4: Select the Download All Users Option. Save the .csv file when prompted.
Step 5: The generated .csv will contain the primary email addresses (EmailAddress column) for all users in your company. Please make sure that the employee email addresses that you send in your Real Time Feedback or Review Setup forms match the EmailAddress column in this file. This will ensure a smooth and painless integration for your team.
Once Reflektive has been customized for your company, you can log into https://www.reflektive.com/app using the Log in with Google option:
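The check described in Step 5 above, written out as an added example (not part of the original article or Reflektive's own tooling): it reads the Google users export, case-folds the EmailAddress column, and reports which addresses on a Review Setup form are not a primary address. The CSV rows, the form list, and the column name EmailAddress are constructed here to match the article's description; a real export has many more columns.

```python
import csv
import io

# Constructed sample of the Google Admin "Download users" export; only the
# EmailAddress column matters for this check.
SAMPLE_EXPORT_CSV = """FirstName,LastName,EmailAddress,Status
John,Smith,john.smith@widgetcompany.com,Active
Jane,Doe,jane.doe@widgetcompany.com,Active
Sam,Lee,sam.lee@widgetcompany.com,Suspended
"""

# Constructed list of addresses as they might be typed into a Review Setup form.
SAMPLE_FORM_EMAILS = [
    "John.Smith@widgetcompany.com",  # primary address, differs only in case
    "jsmith@widgetcompany.com",      # an alias, not the primary address
    "jane.doe@widgetcompany.com",
    "jane.doe@widgetcompany.com",    # duplicate row in the form
]


def primary_addresses(export_csv: str, column: str = "EmailAddress") -> set:
    """Return the lower-cased primary addresses from the Google users export."""
    reader = csv.DictReader(io.StringIO(export_csv))
    if column not in (reader.fieldnames or []):
        raise ValueError(f"column {column!r} not found in export")
    return {row[column].strip().lower() for row in reader if row[column].strip()}


def reconcile(form_emails, export_csv: str) -> dict:
    """Split submitted addresses into those that match a primary address and those that do not.

    Google account addresses are case-insensitive, so both sides are case-folded;
    duplicate rows in the form are collapsed. 'unmatched' entries are the ones that
    will not log in with Google SSO (usually aliases or typos); 'not_in_form' lists
    primary addresses that were never submitted.
    """
    primaries = primary_addresses(export_csv)
    submitted = {e.strip().lower() for e in form_emails if e.strip()}
    return {
        "matched": sorted(submitted & primaries),
        "unmatched": sorted(submitted - primaries),
        "not_in_form": sorted(primaries - submitted),
    }


if __name__ == "__main__":
    for key, value in reconcile(SAMPLE_FORM_EMAILS, SAMPLE_EXPORT_CSV).items():
        print(f"{key}: {value}")
```

Run it against the real export and your form before sending the form to Reflektive; anything under "unmatched" should be replaced with the user's primary address.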
Google (SAML via G Suite)
Google G Suite for businesses now supports SAML 2.0 Single-Sign On (SSO). To implement this, please visit these links to see how it can be done.
IMPORTANT: Please send us the SAML URL and X.509 certificate.
Okta
Reflektive integrates with Single Sign-on (SSO) provider Okta to provide a SAML authentication option. If your company uses Okta, follow these instructions to set up the integration. As an administrator:
Step 1: Log in to your Okta dashboard.
Step 3: Within Applications, choose the option to Add Application.
Step 4: In the Add Application screen, search for Reflektive and click Add.
Step 5: Add all relevant users to the Reflektive app, and set their login credentials as you would with any other Okta app.
Step 7: Within the setup instructions, please copy/paste and send the following to your Customer Success Manager:
- The Login URL/SignOn URL
- X.509 Certificate
Step 8: That's it! We'll notify you as soon as the setup is completed on the Reflektive side, and the Okta integration will be complete.
OneLogin
Reflektive integrates with Single Sign-on (SSO) provider OneLogin to provide a SAML authentication option. If your company uses OneLogin, follow these instructions to set up the integration:
Step 1: As an administrator, log in to your OneLogin dashboard.
Step 2: Select the NEW APP option in the top right corner of the page:
Step 3: Search for Reflektive, and click the search result to add the Reflektive application:
Step 4: On the settings screen, click "Save" in the top right of the page:
Step 5: On the ensuing profile for Reflektive, choose the SSO tab. Here, copy the SAML 2.0 Endpoint (HTTP), to be sent to Reflektive. Then click View Details in the X.509 Certificate section to retrieve the certificate's SHA fingerprint (SHA-1, SHA-256 or SHA-512 all work):
Step 6: Copy the SHA fingerprint to send to Reflektive:
Step 7: Send both of the following to your Customer Success Manager:
- SAML 2.0 Endpoint (HTTP)
- X.509 certificate, or its SHA fingerprint from Step 6
Step 8: Finally, ensure that all relevant users have access to Reflektive through OneLogin, via the "Users" tab.
That's it! We'll notify you as soon as the setup is completed on the Reflektive side, and the OneLogin integration will be complete.
Other SAML 2.0 Providers
Reflektive has a generic SAML 2.0 implementation that supports Single Sign-On through many other integrated providers. While the integration steps may vary slightly in each case, we offer these general guidelines:
1. Reflektive provides our metadata XML files for QA and Production, which contain all relevant information for integration (attached below). This includes:
- Reflektive's Service URL: https://www.reflektive.com/saml/consume
- Reflektive's Identifier: reflektive.com
2. The customer sets up the connection in their SSO provider, and in turn provides Reflektive with their relevant metadata XML files (sent to support@reflektive.com). Specifically, Reflektive requests:
- Sign-on/SAML URL
- x.509 Certificate or Formatted Fingerprint
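Every provider section on this page ends with the same hand-off: the identity provider's sign-on URL and its signing certificate (or the certificate's fingerprint), which usually both live in the provider's federation metadata, such as the AD FS file at /federationmetadata/2007-06/federationmetadata.xml. The following is an added example, not Reflektive's or any vendor's code, that pulls those values out of IdP metadata and prints the fingerprints in the colon-separated form the OneLogin and AD FS consoles show. It picks the IDPSSODescriptor role, the KeyDescriptor marked use="signing" (the encryption key is not what the service provider needs, which is also why the AD FS Encryption tab is left blank above), and the HTTP-Redirect SingleSignOnService location, falling back to HTTP-POST. The metadata document, the hostname adfs.example.com, and the certificate bytes are all constructed placeholders; the "certificates" are not real DER, so only extraction and fingerprinting are exercised, not validation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed placeholder bytes standing in for DER-encoded certificates.
# They are not real certificates, so this example shows extraction and
# fingerprinting only, not certificate validation.
SIGNING_DER = b"constructed-token-signing-cert-placeholder"
ENCRYPTION_DER = b"constructed-token-encryption-cert-placeholder"

# Constructed IdP metadata in the shape AD FS publishes (metadata signature and
# the SP role omitted). The hostname adfs.example.com is an assumption.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="http://adfs.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(ENCRYPTION_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{base64.b64encode(SIGNING_DER).decode()}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://adfs.example.com/adfs/ls/"/>
    <md:SingleSignOnService Binding="{HTTP_POST}" Location="https://adfs.example.com/adfs/ls/"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Colon-separated upper-case hex digest of the DER bytes, as IdP consoles display it."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def extract_idp_settings(metadata_xml: str) -> dict:
    """Pull the values Reflektive asks for out of identity-provider metadata.

    Uses the IDPSSODescriptor role, the signing certificate (never the encryption
    one), and the HTTP-Redirect SSO URL, falling back to HTTP-POST.
    Raises ValueError when a required element is absent.
    """
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor: this is not identity-provider metadata")

    signing_certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute may be used for both purposes.
        if kd.get("use", "signing") != "signing":
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            signing_certs.append(base64.b64decode("".join(cert.text.split())))
    if not signing_certs:
        raise ValueError("no signing certificate in metadata")

    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    sso_url = sso.get(HTTP_REDIRECT) or sso.get(HTTP_POST)
    if not sso_url:
        raise ValueError("no HTTP-Redirect or HTTP-POST SingleSignOnService")

    return {
        "entity_id": root.get("entityID"),
        "sso_url": sso_url,
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "signing_cert_der": signing_certs[0],
        "signing_cert_count": len(signing_certs),
        "sha1": fingerprint(signing_certs[0], "sha1"),
        "sha256": fingerprint(signing_certs[0], "sha256"),
    }


if __name__ == "__main__":
    settings = extract_idp_settings(SAMPLE_METADATA)
    for key in ("entity_id", "sso_url", "name_id_formats", "signing_cert_count", "sha1", "sha256"):
        print(f"{key}: {settings[key]}")
```

Two caveats when using this on real metadata: fetch the file over HTTPS directly from the identity provider, because the script does not verify the metadata's own XML signature and the download channel is what you are trusting; and if the metadata comes from anywhere less trusted than your own IdP, parse it with defusedxml rather than the standard library parser. AD FS publishes more than one signing KeyDescriptor while a token-signing certificate rollover is in progress, which is why the result reports signing_cert_count; send Reflektive the certificate that is currently primary.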
SSO providers currently integrated with Reflektive in this way include:
- PingFederate
- Centrify
- Azure
Download the Reflektive metadata xml here: