Single Sign On

Currently, only SAML2 is supported for SSO.

SAML2

Prerequisites

  1. You have superuser permissions in your Grape installation
  2. You have a SAML2 identity provider (IdP) running that is reachable from the Grape server

Enable SAML2 SSO for an organization

  1. Go to the admin site (https://grape.example.com/admin)
  2. Click on “Organizations”
  3. Click on the organization that needs SSO
  4. Scroll down to “Features”
  5. Select “SAML2 Single Sign On” from the drop-down menu
  6. Scroll down to the bottom
  7. Press “Save”

Configure SAML2 SSO

In the Web Client or in your Desktop Client:

  1. Click the cogwheel icon
  2. Click “Organization Settings”
  3. Click on “Single Sign On (SSO)” in the menu on the left (this option is only available after you have enabled SSO for the organization in the admin site)
  4. Follow the steps on the website

NameIDFormat

  1. In the Advanced SSO Settings, make sure NameIDFormat is set to unspecified (urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified); this is the default.
  2. The email address is mandatory in assertions. Make sure your IdP sends the user’s email address under one of these two attribute names:
  • urn:oid:0.9.2342.19200300.100.1.3
  • http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

[Screenshots ADFS_1 and ADFS_2: examples of the corresponding ADFS claim configuration.]

Note: Grape uses the email address as the unique user identifier. Existing users (for example, users imported from AD) are matched to SSO users when their email addresses are identical. Because of this, the IdP must only assert email addresses it has verified: whoever can get an arbitrary email address into the assertion is logged in as the matching Grape user.
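To see what your IdP actually sends before you rely on it, the following Python script (an added example, not Grape’s own code or part of this page) parses a SAML2 assertion and reports whether the NameID format is unspecified and whether the email address appears under one of the two accepted attribute names. The two assertions embedded in it are constructed for illustration; in practice, capture a real one with a browser SAML debugging extension and pass it to check_assertion(). The script does not verify the XML signature, so it is a claim-mapping debugging aid, not a trust decision.

```python
"""Check a SAML2 assertion for the attributes Grape's SSO expects.

Added example, not Grape's own code. It does NOT verify the XML signature;
use it to debug IdP claim mappings, never to decide whether to trust an
assertion.
"""
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML_NS}

# SAML 2.0 core uses both URIs for 'unspecified'; a NameID without a Format
# attribute also means 'unspecified'.
UNSPECIFIED_FORMATS = {
    "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "urn:oasis:names:tc:SAML:1.0:nameid-format:unspecified",
}

# The two attribute names under which Grape accepts the email address.
EMAIL_ATTRIBUTE_NAMES = (
    "urn:oid:0.9.2342.19200300.100.1.3",
    "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
)


def check_assertion(xml_text: str) -> dict:
    """Report NameID format and email attributes of a bare or Response-wrapped assertion."""
    root = ET.fromstring(xml_text)
    if root.tag == f"{{{SAML_NS}}}Assertion":
        assertion = root
    else:
        assertion = root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion element found")

    name_id = assertion.find("./saml:Subject/saml:NameID", NS)
    nameid_format = name_id.get("Format") if name_id is not None else None
    nameid_format_ok = name_id is not None and (
        nameid_format is None or nameid_format in UNSPECIFIED_FORMATS
    )

    emails = []
    for attr in assertion.findall("./saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") in EMAIL_ATTRIBUTE_NAMES:
            for value in attr.findall("./saml:AttributeValue", NS):
                if value.text and value.text.strip():
                    emails.append(value.text.strip())

    return {
        "nameid_format": nameid_format,
        "nameid_format_ok": nameid_format_ok,
        "emails": emails,
        "email_ok": bool(emails),
    }


# Constructed sample: what a correctly configured IdP sends (unsigned, for illustration).
GOOD_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-good" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

# Constructed sample of a misconfigured IdP: wrong NameID format and the email
# sent under the LDAP short name 'mail', which Grape does not look at.
BAD_ASSERTION = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-response" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Assertion ID="_constructed-bad" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">bob@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="mail">
        <saml:AttributeValue>bob@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_ASSERTION), ("bad", BAD_ASSERTION)):
        print(label, check_assertion(doc))
```

Run it against a captured assertion and fix the IdP claim rules until both nameid_format_ok and email_ok are true; only then press “Update SSO”.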

Changing the certificate

If you want to change the IdP certificate that is used for SAML2:

  1. Update the certificate on your IdP
  2. Click “Update SSO” in the Grape SSO Settings. The Grape server will pull the new IdP metadata, including the new certificates.

If that does not pick up the new certificate, you can change it manually:

  1. Click on “Advanced SSO Settings”
  2. Inspect the “IDP signing Certificate” and “IDP encryption Certificate” fields and replace their contents manually if needed
  3. Click “Update Advanced SSO Settings”

We don’t support automatic certificate rollover. If you need this functionality, get in touch with us.
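To confirm which certificates the IdP metadata currently advertises, and whether they match what Advanced SSO Settings shows, the following Python script (an added example, not Grape’s own code or part of this page) lists every certificate in the IDPSSODescriptor with its SHA-256 fingerprint and the use it is declared for. The metadata embedded in it is constructed and carries fake certificate bytes rather than real X.509 certificates; in practice, read the metadata XML from your IdP and paste the PEM from the Grape settings into fingerprint_from_pem() to compare.

```python
"""List the IdP certificates in SAML2 metadata with SHA-256 fingerprints.

Added example, not Grape's own code. Use it to compare the certificates in
the IdP metadata with the 'IDP signing Certificate' / 'IDP encryption
Certificate' fields in Advanced SSO Settings. The sample metadata is
constructed and its certificate bytes are fake.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of DER bytes, as IdP UIs show it."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_from_pem(pem: str) -> str:
    """Fingerprint of a PEM certificate; BEGIN/END lines and whitespace are ignored."""
    b64 = "".join(line.strip() for line in pem.splitlines() if not line.startswith("-----"))
    return sha256_fingerprint(base64.b64decode(b64))


def idp_certificates(metadata_xml: str) -> list:
    """Return [(use, fingerprint), ...] for every certificate in the IdP metadata.

    A KeyDescriptor without a 'use' attribute may serve both purposes per the
    SAML 2.0 metadata spec, so it is reported as 'signing+encryption'.
    """
    root = ET.fromstring(metadata_xml)
    results = []
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use") or "signing+encryption"
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            results.append((use, sha256_fingerprint(der)))
    return results


def to_base64(data: bytes) -> str:
    return base64.b64encode(data).decode()


# Constructed stand-ins for DER certificates; NOT real X.509 data.
FAKE_SIGNING_DER = b"constructed signing certificate bytes - not a real X.509 DER"
FAKE_ENCRYPTION_DER = b"constructed encryption certificate bytes - not real either"

# Constructed IdP metadata in the shape ADFS and other IdPs publish.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idp.example.com/adfs/services/trust">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{to_base64(FAKE_SIGNING_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:KeyDescriptor use="encryption">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>{to_base64(FAKE_ENCRYPTION_DER)}</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>
"""

if __name__ == "__main__":
    for use, fingerprint in idp_certificates(SAMPLE_METADATA):
        print(f"{use:20} {fingerprint}")
```

If the fingerprint for use="signing" in the metadata differs from the fingerprint of the PEM in “IDP signing Certificate” after “Update SSO”, the metadata was not re-fetched or still points at the old certificate; that is the case where the manual update above applies.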