Help > Forum > Website Integration > Single Sign On - SAML

Single Sign On - SAML

Security Assertion Markup Language (SAML) is an XML-based standard that allows you to communicate authentication decisions between one service and another. Website Toolbox supports SAML for single sign-on into a Website Toolbox forum from a corporate portal or identity provider for clients who have purchased a Pro forum subscription plan.

An identity provider is a trusted provider that enables you to use single sign-on to access other websites. A service provider is a website that hosts applications (ie: Website Toolbox).

Note that we also support other single sign on methods which may be easier to setup.

Please follow the directions below to integrate the SAML SSO into your website:

1. Establish a SAML identity provider and gather information from your identity provider. This is the provider that will send single sign-on requests to Website Toolbox.
   1. The version of SAML the idP uses (1.1 or 2.0). We support only SAML 2.0.
   2. The entity ID of the IDP (also known as the issuer).
   3. IDP Metadata XML file.
2. You may need to use following values to setup SAML SSO into your website's Identity Provider. (Replace USERNAME with your Website Toolbox username.)
   1. Entity Id - https://USERNAME.websitetoolbox.com/sp
      
   2. ACS URL - https://USERNAME.websitetoolbox.com/saml/module.php/saml/sp/saml2-acs.php/USERNAME (Assertion Consumer Service)
   3. Subject Type - User's username, federation ID or user ID. (It specifies which field defines the user's identity for the application).
   4. Name ID Format -The allowed NameID formats are:
      
      urn:oasis:names:tc:SAML:2.0:nameid-format:persistent
      urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
      urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.
3. Specify your website's log in, log out, and sign up page URLs in the SSO settings to set up the Service Provider initiated log in and log out.

   You can use the URL below as the log in and sign up page URL to have it automatically redirect to the forum after logging in. (Replace USERNAME with your Website Toolbox username.)

   https://USERNAME.websitetoolbox.com/saml/module.php/core/as_login.php?AuthId=USERNAME&ReturnTo=/saml/saml.php?authSource=USERNAME

4. Provide your Identity Provider Metadata file to our customer support team for configuration of SAML.

5. You have to set the following user attributes for users signing in via SAML:

   Attribute

   Description

   userId

   Unique userid of user. (Required)

   username

   Username of user. (Required)

   email

   Email address of user. (Required)

   apikey

   API key of Website Toolbox Forum. (Required) You can get the API key here

   nickName

   The user's nick name. (Required if you are using the Salesforce idP)

   firstName

   The user's first name. (Optional)

   lastName

   The user's last name. (Optional)

   You set these attributes using an attribute statement in your SAML assertion. Example:

   <saml:AttributeStatement xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
   	<saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   	<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00528000000Seyz</saml:AttributeValue></saml:Attribute>
   	<saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   	<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">nSrivastava</saml:AttributeValue></saml:Attribute>
   	<saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   	<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj@gmail.com</saml:AttributeValue></saml:Attribute>
   	<saml:Attribute Name="apikey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
   	<saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">0XrYQtH5ZsHf58QtH5Zs8NKRMdKVJFyr8i5hpOO</saml:AttributeValue></saml:Attribute>
   </saml:AttributeStatement>

Website Toolbox expects a SAML assertion that looks like this:

<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" Destination="http://USERNAME.websitetoolbox.com/saml/module.php/saml/sp/saml2-acs.php/default-sp" ID="_87fcab9d9410312049f835674a7e65d41466607023109" IssueInstant="2016-06-22T14:50:23.109Z" Version="2.0">
   <saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://abc.my.salesforce.com</saml:Issuer>
   <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
     <ds:SignedInfo>
       <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
       <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
       <ds:Reference URI="#_87fcab9d9410312049f835674a7e65d41466607023109">
         <ds:Transforms>
           <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
           <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
             <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml samlp xs xsi"/>
           </ds:Transform>
         </ds:Transforms>
         <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
         <ds:DigestValue>1N29VuJQuNw0bglPXTYSw6L5lgw=</ds:DigestValue>
       </ds:Reference>
     </ds:SignedInfo>
     <ds:SignatureValue>hYyGfKIP+7LLoJI2TKbPLTBfDtiMoDKGmEG4fh2G9Qk0nJNAcjJmiv/9X0n7MZQVvyQ+h38C27Jp
 Rxwl1OwdGp6snec0pHrH1GeGt3TB3Cj6MeGAgA8LvWZpusTChwR/LcIPW9uAkNSg40SEKK8aFjYp
 4rAM0BcGqfs2QSrcloSGfBsGz5VJw9NIavoudKMDbjvGTD21T3k2VFoSmFZshChgfBD3Zb4jC5IL
 7BAOSkLiv/NwLeHjQtizltv5tFNz5eEPryjxgMIynMXI/qJrGrr0ZbQ6EOY4DpPFRkjR+y369ueU
 h6Oq930IoVexF3oGb0fahWjvESQln6VOtXWZKQ==</ds:SignatureValue>
     <ds:KeyInfo>
       <ds:X509Data>
         <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAU8B/mTiAAAAAEQfI+YwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM
 H1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAxNV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZM
 VTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV
 BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTUwODA2MDc1MTMzWhcNMTcwODA2MDAwMDAwWjCBkDEo
 MCYGA1UEAwwfU2VsZlNpZ25lZENlcnRfMDZBdWcyMDE1XzA3NTEzMjEYMBYGA1UECwwPMDBEMjgw
 MDAwMDBXdkxVddfdfdfDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj
 bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAKAceZ4/GgiElg3OMOSv6cphKL3czcuIaenqVuKjbhXxEKzL7UwR7ZEU48GnSDG3QvqCGFQq
 9xEm0aLSTvFGRDBP9qpdfdfdfd+71HItGxSZi6YV+TajRM1x31FpiqLl8udI/Iw5WsZHYHy4nsrs
 7O2DD6hJSPNHFNSbxu5zxbzcRAaoW+9EBJuV4uT/22++ztJMx3baSgDQ3EPcGTHUDt+L5gefsPmW
 x8gGl1wtR4sbJb9A4BxiZ+FOv1+o9L3sXQb7po4yqPXCRe9XhdD46YiewZP1+5B0nPudqxPp8F0T
 U4hRfWHSHvzl1FgEhKRyjHF5hwdfgdfdfovKuwwUjF0CAwEAAaOCAQAwgf0wHQYDVR0OBBYEFCTT
 nL3o0HiBU0eH0XyChY7VvQcFMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUJNOcvejQ
 eIFTR4fRfIKFjtW9BwWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAx
 NV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZMVTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j
 b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFP
 Af5k4gAAAABEHyPmMA0GCSqGSIb3DQEBCwUAA4IBAQBLS6O9Eb86P4FtBiR4YPoGAUn2O48jnXrP
 oIx4677l5zilyt3Wt0KCuMfZZ0aCMzP8Q09XVDuKPYJcNb3zki8+jUw8Uo4elKZ9KPQC3Z2mKmro
 /59qs11p6c1Yrr+k2qtNX/gM4/j1B6shcUctqQPsP763b14vrzKfUkAzDkZ/feuCkey3+87Cucdg
 WnvZoPirfvPYBcYSJkxygUDcv4bPM7y81AnIxZFqrFDqECoicny/On9ZskzwHdN9PnsiWP4N/LqT
 OX3dospwsHrxXCClSi4Ua193vXyDPL6F8UCaUsBr6IzuYunXVcioEHWF5cWBueERSAH+8C/wLjxx
 a9jH</ds:X509Certificate>
       </ds:X509Data>
     </ds:KeyInfo>
   </ds:Signature>
   <samlp:Status>
     <samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/>
   </samlp:Status>
   <saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c111e599082e09ec1e67f2c4c5fd53f01466607023109" IssueInstant="2016-06-22T14:50:23.109Z" Version="2.0">
     <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">https://neeraj3-dev-ed.my.salesforce.com</saml:Issuer>
     <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
       <ds:SignedInfo>
         <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
         <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
         <ds:Reference URI="#_c111e599082e09ec1e67f2c4c5fd53f01466607023109">
           <ds:Transforms>
             <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
             <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
               <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
             </ds:Transform>
           </ds:Transforms>
           <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
           <ds:DigestValue>VWSipDpvJ5SpsmgrjL+7vrlIsCM=</ds:DigestValue>
         </ds:Reference>
       </ds:SignedInfo>
       <ds:SignatureValue>CfehXdklPiozqvyM8igaXQjGntyWdZPkqt1LuQDV2lVbNnR7b+hD/2zQ7oQRmAyl4/SRPMYdwU7+
 nuYINyYyIEmbVPWkxLoKrJYNWqadVTSJcY4AHmqk06xGzQ49Z/7KZpRWBGvrfD5gFkymIB00DUPs
 PqQn/fLi/9tcBk9SVOmMupPANnxpHkZnJ4sy54PYhj4U3SjYkGDLx/FXXS6a4D7wjR2FqZ5ReZi7
 xwB2fUNXYnvf2LsSQ9ubGZLFNd5u1MecwRoGJj74ZYly1/+bscnLQQ0+0ls15JszoV798NUY0UgI
 k/UGEg1nEVfiQabCZrW/ZwqetwXmCuf1CmF2lw==</ds:SignatureValue>
       <ds:KeyInfo>
         <ds:X509Data>
           <ds:X509Certificate>MIIErDCCA5SgAwIBAgIOAU8B/mTiAAAAAEQfI+YwDQYJKoZIhvcNAQELBQAwgZAxKDAmBgNVBAMM
 H1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAxNV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZM
 VTEXMBUGA1UECgwOU2FsZXNmb3JjZS5jb20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNV
 BAgMAkNBMQwwCgYDVQQGEwNVU0EwHhcNMTUwODA2MDc1MTMzWhcNMTcwODA2MDAwMDAwWjCBkDEo
 MCYGA1UEAwwfU2VsZlNpZ25lZENlsdsdsdsBdWcyMDE1XzA3NTEzMjEYMBYGA1UECwwPMDBEMjgw
 MDAwMDBXdkxVMRcwFQYDVQQKDA5TYWxlc2ZvcmNlLmNvbTEWMBQGA1UEBwwNU2FuIEZyYW5jaXNj
 bzELMAkGA1UECAwCQ0ExDDAKBgNVBAYTA1VTQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoC
 ggEBAKAceZ4/GgiElg3OMOdfdfdfKL3czcuIaenqVuKjbhXxEKzL7UwR7ZEU48GnSDG3QvqCGFQq
 9xEm0aLSTvFGRDBP9qpaZKE5Mc+71HItGxSZi6YV+TajRM1x31FpiqLl8udI/Iw5WsZHYHy4nsrs
 7O2DD6hJSPNHFNSbxu5zxbzcRAaoW+9EBJuV4uT/22++ztJMx3baSgDQ3EPcGTHUDt+L5gefsPmW
 x8gGl1wtR4sbJb9A4BxdfdFOv1+o9L3sXQb7po4yqPXCRe9XhdD46YiewZP1+5B0nPudqxPp8F0T
 U4hRfWHSHvzl1FgEhKRyjHF5hwnJlJ4GcovKuwwUjF0CAwEAAaOCAQAwgf0wHQYDVR0OBBYEFCTT
 nL3o0HiBU0eH0XyChY7VvQcFMA8GA1UdEwEB/wQFMAMBAf8wgcoGA1UdIwSBwjCBv4AUJNOcvejQ
 eIFTR4fRfIKFjtW9BwWhgZakgZMwgZAxKDAmBgNVBAMMH1NlbGZTaWduZWRDZXJ0XzA2QXVnMjAx
 NV8wNzUxMzIxGDAWBgNVBAsMDzAwRDI4MDAwMDAwV3ZMVTEXMBUGA1UECgwOU2FsZXNmb3JjZS5j
 b20xFjAUBgNVBAcMDVNhbiBGcmFuY2lzY28xCzAJBgNVBAgMAkNBMQwwCgYDVQQGEwNVU0GCDgFP
 Af5k4gAAAABEHyPmMA0GCSqGSIb3DQEBCwUAA4IBAQBLS6O9Eb86P4FtBiR4YPoGAUn2O48jnXrP
 oIx4677l5zilyt3Wt0KCuMfZZ0aCMzP8Q09XVDuKPYJcNb3zki8+jUw8Uo4elKZ9KPQC3Z2mKmro
 /59qs11p6c1Yrr+k2qtNX/gM4/j1B6shcUctqQPsP763b14vrzKfUkAzDkZ/feuCkey3+87Cucdg
 WnvZoPirfvPYBcYSJkxygUDcv4bPM7y81AnIxZFqrFDqECoicny/On9ZskzwHdN9PnsiWP4N/LqT
 OX3dospwsHrxXCClSi4Ua193vXyDPL6F8UCaUsBr6IzuYunXVcioEHWF5cWBueERSAH+8C/wLjxx
 a9jH</ds:X509Certificate>
         </ds:X509Data>
       </ds:KeyInfo>
     </ds:Signature>
     <saml:Subject>
       <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">nSrivastava</saml:NameID>
       <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
         <saml:SubjectConfirmationData NotOnOrAfter="2016-06-22T14:55:23.110Z" Recipient="http://USERNAME.websitetoolbox/saml/module.php/saml/sp/saml2-acs.php/default-sp"/>
       </saml:SubjectConfirmation>
     </saml:Subject>
     <saml:Conditions NotBefore="2016-06-22T14:49:53.110Z" NotOnOrAfter="2016-06-22T14:55:23.110Z">
       <saml:AudienceRestriction>
         <saml:Audience>https://USERNAME.websitetoolbox/sp</saml:Audience>
       </saml:AudienceRestriction>
     </saml:Conditions>
     <saml:AuthnStatement AuthnInstant="2016-06-22T14:50:23.110Z">
       <saml:AuthnContext>
         <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
       </saml:AuthnContext>
     </saml:AuthnStatement>
     <saml:AttributeStatement>
       <saml:Attribute Name="userId" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">00528000000sgQZ</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">nSrivastava</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj@websitetoolbox.com</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="is_portal_user" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">false</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="apikey" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">uJWAd1W9Q99sdk8vj3ujZqd3e4jJ0PTLLrdUSlkNVf</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="nickName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neerajs</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="lastName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">neeraj</saml:AttributeValue>
       </saml:Attribute>
       <saml:Attribute Name="firstName" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified">
         <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">srivastava</saml:AttributeValue>
       </saml:Attribute>
     </saml:AttributeStatement>
   </saml:Assertion>
 </samlp:Response>

Here are some links related to SAML2.0 documentation, which may help you to understand the SAML2.0 SSO setup:

• https://en.wikipedia.org/wiki/SAML_2.0
• https://en.wikipedia.org/wiki/Identity_provider
• http://www.slideshare.net/koivimik/introduction-to-saml-20
• https://help.salesforce.com/HTViewHelpDoc?id=identity_provider_about.htm

If you still need help, please contact us.