Single sign-on with SAML 2.0

Learn to configure Single Sign-On (SSO) with SAML 2.0 in Fresh Relevance.

Updated over 5 months ago

Fresh Relevance supports SAML 2.0, which enables secure single sign-on (SSO) capabilities. You can set SAML-based SSO as the mandatory authentication method for your account. This means that all users accessing your account must log in using the secure SSO process offered by your Identity Provider (IdP). This ensures consistent and secure access across all user accounts.


Before you start

Things you need to know. You must have:

  • SSO/SAML feature access within your package.

  • An Identity Provider (IdP) and the ability to configure it.


Enable SAML

To enable SAML on your account:

  1. Expand the User menu, then go to Settings > Security and Privacy > SAML / Azure Single Sign-On.

  2. Select the Enable SAML SSO for this account checkbox.

  3. Select SAVE.

Require login via SAML SSO for this account

Don’t select Require login via SAML SSO for this account until you have set up and fully tested the integration.


Set up your SAML 2.0 identity provider

To create a new Identity Provider (IdP):

  1. On the SAML / Azure AD Single Sign-On page, select Create new IdP Configuration.

  2. Select Download SP Metadata XML to download the Service Provider (SP) metadata for your configuration.

  3. In your IdP, upload the SP metadata.
    This process is different for every IdP.

  4. In Fresh Relevance, enter the metadata XML from your IdP in the IdP Metadata XML field as text or a URL.

  5. Select SAVE.
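A quick check of the IdP metadata before you enter it in the IdP Metadata XML field (step 4) catches the common mistakes: pasting the SP metadata instead of the IdP's, or metadata without a signing certificate. This is an added example, not Fresh Relevance code; the sample metadata and its entityID, URLs and certificate are constructed placeholders.

```python
# Added example (not Fresh Relevance code): sanity-check an IdP metadata XML document
# before entering it. The sample metadata below is constructed; all values are placeholders.
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="%s" xmlns:ds="%s"
    entityID="https://idp.example.test/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...CONSTRUCTED-PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/sso"/>
    <md:SingleSignOnService Binding="%s" Location="https://idp.example.test/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>""" % (MD, DS, REDIRECT, POST)


def inspect_idp_metadata(xml_text):
    """Return (summary, problems); an empty problems list means the document looks usable."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.tag != "{%s}EntityDescriptor" % MD:
        problems.append("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        problems.append("entityID attribute is missing")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # A document with only an SPSSODescriptor is SP metadata pasted by mistake.
        return {"entityID": entity_id}, problems + ["no IDPSSODescriptor found"]
    # Signing certificates live in KeyDescriptor use="signing" (or with no use attribute).
    certs = [c.text.strip() for kd in idp.findall("md:KeyDescriptor", NS)
             if kd.get("use") in (None, "signing")
             for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             if c.text]
    if not certs:
        problems.append("no signing certificate: assertion signatures cannot be verified")
    sso = {s.get("Binding"): s.get("Location")
           for s in idp.findall("md:SingleSignOnService", NS)}
    if not (sso.get(POST) or sso.get(REDIRECT)):
        problems.append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    for binding, url in sso.items():
        if not (url or "").startswith("https://"):
            problems.append("SSO endpoint for %s is not https" % binding)
    return {"entityID": entity_id, "sso": sso, "signing_certs": len(certs)}, problems
```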


Map attributes

Map the following required attributes:

  • User Permanent ID

  • Username

  • Email

  • First Name / Given Name

  • Last Name / Surname


General configuration / Just in time account creation (JIT)

To enable JIT account creation in Fresh Relevance, select the JIT checkbox for each option you want to enable.

The general configuration settings for JIT are:

  • Allow Just In Time (JIT) Account Creation: enables automatic creation of a new user account when a new nameID is encountered.

  • JIT - Update available accounts on each login: updates the user's access to all system accounts linked to the IdP on each login.

  • JIT - Use roles from SAML: maps role values from SAML to a set of permissions in Fresh Relevance.

  • Show Debugging Information: displays enhanced attribute debugging information on sign-on failure.

When JIT is enabled, new user accounts are created upon encountering a new nameID. These accounts have access to all Fresh Relevance system accounts connected to the IdP and are granted three permissions:

  • User is allowed to log in

  • View dashboard

  • View help

If JIT is not enabled, no user account is created and login is denied.

Enabling JIT - Update available accounts on each login ensures that, on every login, the user account is given access to all system accounts associated with the IdP, with the same permissions. This means that existing SAML users automatically get access to any newly added system accounts.

If you don’t enable this feature, you must manually provide access to additional system accounts in User Settings.

If your Identity Provider (IdP) supports it, you can configure Role-Based Access Control (RBAC). With RBAC, a role claim is passed along with each login, and the role value is then mapped to a set of permissions in Fresh Relevance. The role values and the permissions they map to are:

  • Administrator: everything

  • PowerUser: dashboard, help, reports, bulk data reports, content (Edit), web_personalisation (Publish), reports, settings

  • BasicDashboard: dashboard, help

  • Reporting: dashboard, help, reports

  • BulkReporting: dashboard, help, reports, bulk data reports

  • ContentViewer: dashboard, help, reports, content (View), reports

  • ContentEditor: dashboard, help, reports, content (Edit), reports

  • WebContentEditor: dashboard, help, reports, content, web_personalisation (Edit), reports

  • WebContentPublisher: dashboard, help, reports, content, web_personalisation (Publish), reports

  • TriggerEditor: dashboard, help, reports, triggers, reports

If you don’t enable JIT

If Just-In-Time (JIT) account creation is not enabled in your system, you will need to pre-provision user accounts before they can log in.


Additionally, if SAML is enabled, the "Create New User" form includes a field for the SAML Name ID. This value must match the Name ID value passed from the Identity Provider (IdP) exactly.
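The login rules described in this section and the JIT / RBAC section above, modelled as an added example (not Fresh Relevance code): the "role" claim name, the permission labels and the decision to reject an unmapped role value are assumptions, not the product's real identifiers.

```python
# Added example (not Fresh Relevance code): a model of the JIT / RBAC login rules in the
# article. The "role" claim name, permission labels and unmapped-role handling are assumptions.
JIT_DEFAULT_PERMISSIONS = {"login", "dashboard", "help"}

# Role value -> permissions, transcribed from the RBAC table above.
ROLE_PERMISSIONS = {
    "Administrator": {"everything"},
    "PowerUser": {"dashboard", "help", "reports", "bulk data reports",
                  "content (Edit)", "web_personalisation (Publish)", "settings"},
    "BasicDashboard": {"dashboard", "help"},
    "Reporting": {"dashboard", "help", "reports"},
    "BulkReporting": {"dashboard", "help", "reports", "bulk data reports"},
    "ContentViewer": {"dashboard", "help", "reports", "content (View)"},
    "ContentEditor": {"dashboard", "help", "reports", "content (Edit)"},
    "WebContentEditor": {"dashboard", "help", "reports", "content",
                         "web_personalisation (Edit)"},
    "WebContentPublisher": {"dashboard", "help", "reports", "content",
                            "web_personalisation (Publish)"},
    "TriggerEditor": {"dashboard", "help", "reports", "triggers"},
}


class SamlLoginError(Exception):
    """Raised when the login is denied."""


def saml_login(users, name_id, attrs, idp_accounts, jit=False,
               update_accounts=False, roles_from_saml=False):
    """Apply the JIT / RBAC rules to one SAML login and return the user record.
    users: dict Name ID -> {"permissions": set, "accounts": set}, updated in place.
    attrs: assertion attributes; "role" is the assumed name of the role claim.
    idp_accounts: the system accounts linked to this IdP.
    """
    # Lookup is an exact string match: no case folding or whitespace trimming,
    # so a pre-provisioned Name ID must be entered exactly as the IdP sends it.
    user = users.get(name_id)
    if user is None:
        if not jit:
            raise SamlLoginError("unknown Name ID and JIT disabled: login denied")
        user = users[name_id] = {"permissions": set(JIT_DEFAULT_PERMISSIONS),
                                 "accounts": set(idp_accounts)}
    elif update_accounts:
        # Re-sync on every login so newly added system accounts become available.
        user["accounts"] |= set(idp_accounts)
    if roles_from_saml:
        role = attrs.get("role")
        if role not in ROLE_PERMISSIONS:  # assumption: unmapped roles fail closed
            raise SamlLoginError("unmapped role value %r: login denied" % (role,))
        user["permissions"] = {"login"} | ROLE_PERMISSIONS[role]  # login right kept
    return user
```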


Add secondary system accounts to the same IdP

If you have several Fresh Relevance system accounts and want to provide access to all of them through a single Identity Provider (IdP), set up the IdP in one of your accounts first.

Then copy the IdP ID from the "RelayState Value" field in the IdP configuration and paste it into the "Use Existing IdP" field on the main SAML configuration page.
