Setting up Single Sign-On
After deciding how you want to implement SSO, you are ready to set it up.
- Send the SAML XML file that contains your SAML 2.0 federated metadata to the Pega Workforce Intelligence Service Delivery Team.
- Create a relying party in your identity provider configuration, using the URN and Assertion Consumer URL provided by Workforce Intelligence.

  | Value | Example |
  |-------|---------|
  | URN | urn:amazon:cognito:sp:<user_pool_id> |
  | URL | https://<domain-prefix>.auth.<region>.amazoncognito.com/saml2/idpresponse |

- Configure the relying party to provide the following SAML 2.0 Assertion claims:

  | Assertion Claim | Example |
  |-----------------|---------|
  | Persistent NameID | urn:oasis:names:tc:SAML:2.0:nameid-format:persistent |
  | Email | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress |
  | First Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname |
  | Last Name | http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname |

- Choose an identity provider display name (it is shown on the login page if SSO fails and the user is taken there).
- Ensure that the identity provider supports the following:
  - a SAML 2.0 RelayState
  - an HTTP-Redirect endpoint for SAML requests
  - use of the POST binding for the SAML response to the service provider
- Ensure that the authorization endpoint's domain is approved on the client network proxy, for example https://<domain-prefix>.auth.<region>.amazoncognito.com.
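The following is an added example, not Pega's or AWS's code: a Python check that an assertion returned by the identity provider carries the persistent NameID format, the three required claims, the relying-party URN as its audience and the Assertion Consumer URL as its recipient, so that a failing test login can be traced to the part of the relying-party configuration that is off. The sample assertion, pool id, domain prefix, region and subject are constructed placeholders; the check covers assertion content only, not the XML signature, which the service provider verifies.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
CLAIMS = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/"
REQUIRED_CLAIMS = {CLAIMS + "emailaddress", CLAIMS + "givenname", CLAIMS + "surname"}

# Constructed sample: placeholder pool id, domain prefix, region and subject, not real values.
EXPECTED_URN = "urn:amazon:cognito:sp:us-east-1_EXAMPLEPOOL"
EXPECTED_ACS = "https://example-prefix.auth.us-east-1.amazoncognito.com/saml2/idpresponse"
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{NS['saml']}" ID="_constructed-1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="{PERSISTENT}">idp-subject-0001</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>{EXPECTED_URN}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="{CLAIMS}emailaddress"><saml:AttributeValue>jane@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}givenname"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="{CLAIMS}surname"><saml:AttributeValue>Doe</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, expected_urn, expected_acs):
    """Return a list of configuration problems found in the assertion body.

    An empty list means NameID format, audience (URN), recipient (Assertion
    Consumer URL) and the three required claims all match the service provider.
    """
    root = ET.fromstring(xml_text)
    problems = []
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        problems.append("NameID missing or not in persistent format")
    audiences = {a.text for a in root.findall(".//saml:Audience", NS)}
    if expected_urn not in audiences:
        problems.append(f"Audience does not include the relying-party URN {expected_urn}")
    recipients = {d.get("Recipient") for d in root.findall(".//saml:SubjectConfirmationData", NS)}
    if expected_acs not in recipients:
        problems.append("Recipient does not match the Assertion Consumer URL")
    present = {a.get("Name") for a in root.findall(".//saml:Attribute", NS)}
    for claim in sorted(REQUIRED_CLAIMS - present):
        problems.append(f"missing claim {claim}")
    return problems
```

Run it against a decoded SAMLResponse captured from a test login to see which of the items in the procedure above the identity provider is not yet emitting.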