Single Sign-On (SSO) lets users sign in to WeSpire with their existing corporate credentials. SSO reduces friction in user onboarding and improves security and data quality.
The WeSpire platform supports SAML 2.0.
Process for SAML 2.0
General
The WeSpire platform supports Identity Provider (IdP) as well as Service Provider (SP) initiated authentication.
Customer will:
- Provide a copy of the certificate used to sign SAML assertions.
- Provide the target URL (the IdP sign-in URL that we will redirect your users to so that they can log in)
- Provide a copy of your IdP metadata.
- Specify whether you are using IdP or SP initiated authentication.
WeSpire will:
- Provide SP metadata
- Provide the Entity ID
- Provide the Callback URL (the Assertion Consumer Service URL to which your IdP will post assertions)
- If SSO setup occurs prior to WeSpire being made generally available to employee users, configuration and testing of SSO will happen in our production environment.
- If SSO is set up after platform general availability, setup will happen in our staging environment and then a production cutover will occur.
❗️Important - Assertion Requirements
WeSpire requires four attributes to be sent with every SAML assertion, and their friendly names must match those specified below exactly.
Errors in the names of these fields account for most of the time spent troubleshooting a configuration. Ensure you are sending the exact names, including capitalization.
Required SAML attributes
Other Assertion Notes
- The WeSpire platform requires every incoming SAML assertion to be signed, using the certificate you provided during setup.
- The WeSpire platform does not support encrypted SAML assertions; send assertions in plaintext (the HTTPS connection protects them in transit).
- The WeSpire platform does not support signed or encrypted SAML requests when using SP-initiated authentication, so your IdP must be configured to accept unsigned authentication requests from WeSpire.
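Before sending the items listed above, it is worth running a pre-flight check on what your IdP actually produces. The script below is an added example and is not WeSpire's own code or tooling: it parses an IdP metadata file to pull out the entityID, SSO endpoints and the SHA-256 fingerprint of each signing certificate (the material the customer hands over), and it checks a decoded SAML Response against the assertion rules on this page: a plaintext, signed Assertion with the required friendly names present under exactly the expected spelling. The four WeSpire attribute names are not reproduced here, so the checker takes them as a parameter; the names in PLACEHOLDER_REQUIRED, the certificate body, the endpoints and both sample responses are constructed placeholders for the demonstration. Only the presence of a signature is checked, not its validity.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces used in IdP metadata and responses.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

def cert_fingerprint(x509_b64: str) -> str:
    """SHA-256 fingerprint of the DER certificate in a <ds:X509Certificate> element."""
    return hashlib.sha256(base64.b64decode("".join(x509_b64.split()))).hexdigest()

def parse_idp_metadata(xml_text: str) -> dict:
    """Extract what the customer hands over: entityID, SSO endpoints, signing certificate(s)."""
    root = ET.fromstring(xml_text)
    entity = root if root.tag == f"{{{NS['md']}}}EntityDescriptor" else root.find("md:EntityDescriptor", NS)
    idp = None if entity is None else entity.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata contains no IDPSSODescriptor")
    # Key endpoints by the short binding name (HTTP-Redirect, HTTP-POST).
    sso = {s.get("Binding", "").rsplit(":", 1)[-1]: s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for both signing and encryption.
        if kd.get("use", "signing") == "signing":
            signing += [cert_fingerprint(c.text) for c in kd.findall(".//ds:X509Certificate", NS)]
    return {"entity_id": entity.get("entityID"), "sso": sso, "signing_certs": signing}

def check_response(xml_text: str, required_friendly_names: list) -> dict:
    """Check a decoded <samlp:Response> against the assertion rules above.
    Only the presence of <ds:Signature> is checked, not its validity; verify with a real SAML library.
    """
    root = ET.fromstring(xml_text)
    findings = []
    encrypted = root.find("saml:EncryptedAssertion", NS) is not None
    if encrypted:
        findings.append("EncryptedAssertion present: encrypted assertions are not supported")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        findings.append("no plaintext saml:Assertion in the Response")
        return {"ok": False, "assertion_signed": False, "encrypted": encrypted,
                "friendly_names": [], "findings": findings}
    # The rule is that the assertion is signed: look at the Assertion element itself,
    # not only for a Response-level signature.
    assertion_signed = assertion.find("ds:Signature", NS) is not None
    if not assertion_signed:
        findings.append("saml:Assertion carries no ds:Signature")
    names = [a.get("FriendlyName") for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)]
    for want in required_friendly_names:
        if want in names:
            continue
        # Exact match required; a case-only mismatch is the usual mistake, so call it out.
        near = [n for n in names if n and n.lower() == want.lower()]
        hint = f" (found {near[0]!r}; the name must match exactly)" if near else ""
        findings.append(f"required attribute {want!r} missing{hint}")
    return {"ok": not findings, "assertion_signed": assertion_signed, "encrypted": encrypted,
            "friendly_names": names, "findings": findings}

# Constructed sample data. The certificate body and the attribute names are placeholders:
# substitute the four friendly names from the WeSpire table for PLACEHOLDER_REQUIRED.
PLACEHOLDER_REQUIRED = ["RequiredAttr1", "RequiredAttr2", "RequiredAttr3", "RequiredAttr4"]
SAMPLE_CERT_B64 = base64.b64encode(b"constructed placeholder, not a real certificate").decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://idp.example.com/sso/redirect"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://idp.example.com/sso/post"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def _attr(name: str) -> str:
    return f'<saml:Attribute Name="urn:example:{name}" FriendlyName="{name}"><saml:AttributeValue>v</saml:AttributeValue></saml:Attribute>'

# The sample IdP sends the second attribute with the wrong capitalization.
_ATTRS = "".join(_attr(n) for n in ["RequiredAttr1", "requiredattr2", "RequiredAttr3", "RequiredAttr4"])
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>https://idp.example.com/saml</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>{_ATTRS}</saml:AttributeStatement></saml:Assertion>
</samlp:Response>"""
SAMPLE_ENCRYPTED_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r2" Version="2.0">
  <saml:EncryptedAssertion><xenc:EncryptedData xmlns:xenc="http://www.w3.org/2001/04/xmlenc#"/></saml:EncryptedAssertion>
</samlp:Response>"""

if __name__ == "__main__":
    print(parse_idp_metadata(SAMPLE_IDP_METADATA))
    for label, doc in [("plaintext", SAMPLE_RESPONSE), ("encrypted", SAMPLE_ENCRYPTED_RESPONSE)]:
        result = check_response(doc, PLACEHOLDER_REQUIRED)
        print(label, "OK" if result["ok"] else "FAIL", result["findings"])
```

To use it against your own IdP, paste the base64-decoded SAMLResponse captured from a browser SAML tracer in place of SAMPLE_RESPONSE and the four names from the table above in place of PLACEHOLDER_REQUIRED. The fingerprint lets you confirm that the certificate you send WeSpire is the one your IdP advertises in its metadata. Note that xml.etree does not verify XML signatures and is not hardened against hostile XML; this is a configuration check on your own IdP's output, not an assertion validator, and a production SP must verify the signature with a proper XML-DSig implementation.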
Note for companies using Google Workspace sign-in (Google OAuth2): you will need to set up a custom SAML application in Google Workspace, following the steps outlined here: Set up your own custom SAML application - Google Workspace Admin Help
SSO Data Flow Diagram