Configure the Identity Provider for IT Administrators
This set of instructions is a companion to the customer admin instructions for configuring the portal for Single Sign On (SSO) for ESChat Portal Authentication.
SSO is a session and user authentication service that permits a user to use one set of login credentials -- for example, a username and password -- to access multiple applications. This feature is configurable with assistance from ESChat Support after the customer has configured the identity provider (IdP). This feature is SAML 2.0 compliant.
It is the customer's responsibility to configure their identity provider (IdP) to provide the user's email address in a SAML claim named "primary_email".
SSO (Single Sign On) for ESChat Portal Authentication
ESChat portals support SSO via SAML. The customer must configure their identity provider (IdP) to provide the user's email address in a SAML claim named "primary_email". For troubleshooting, the customer should capture the SAML exchange with a "SAML Tracer" browser plugin (available for common browsers) so that the claims and signatures the IdP actually sends can be inspected.
Note: ESChat systems require that either the SAML assertion (the part carrying the claims) or the entire SAML response message be signed by your IdP. Unsigned responses from an IdP are untrusted and therefore ignored, so the user will either see a flashing error screen or never reach the login prompt.
User Identification via "claims"
The IdP must identify the user's email in the SAML response in a claim named "primary_email". The email address provided in that claim (and only that email) is used by the portal to identify the user in the ESChat system. Different IdPs have different ways of configuring claims. Some reference materials are provided below.
Note that only the "primary_email" claim is used, and the claim name must be exactly "primary_email" (not a URI such as "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/primary_email"). All other claims (including "emailaddress") are ignored.
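The two requirements above (a signed response or assertion, and a claim named exactly "primary_email") are easy to verify before opening a support case. The following pre-flight checker is an added example written for this page, not ESChat's own code: it takes a SAML Response captured with SAML Tracer, reports whether the Response or the Assertion carries a signature, and extracts the "primary_email" attribute while flagging near-misses (URI-style names, "emailaddress") that the portal ignores. It assumes the claim is delivered as a standard SAML 2.0 AttributeStatement/Attribute; signature presence is checked with the standard library only, and cryptographic verification of the XML-DSig would need a library such as xmlsec. The two embedded responses are constructed samples with placeholder signature elements, not real captures.

```python
"""Pre-flight check of a SAML Response against the portal's two requirements."""
import base64
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
REQUIRED_CLAIM = "primary_email"


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field (HTTP-POST binding) to XML text."""
    return base64.b64decode(form_value).decode("utf-8")


def check_saml_response(xml_text: str) -> dict:
    """Return {'signed', 'primary_email', 'attributes', 'problems'} for one Response."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise ValueError("document is not a samlp:Response")

    problems = []
    # Either the Response element or the Assertion element must be signed.
    response_signed = root.find("ds:Signature", NS) is not None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None and root.find("saml:EncryptedAssertion", NS) is not None:
        problems.append("assertion is encrypted; decrypt it before checking claims")
    assertion_signed = assertion is not None and assertion.find("ds:Signature", NS) is not None
    signed = response_signed or assertion_signed
    if not signed:
        problems.append("neither the Response nor the Assertion is signed; "
                        "the portal will ignore this response")

    # Collect every Attribute (claim) the IdP sent, keyed by its exact Name.
    attributes = {}
    if assertion is not None:
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
            values = [(v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS)]
            attributes[attr.get("Name", "")] = values

    # Only a claim named exactly "primary_email" counts; report look-alikes as ignored.
    email = None
    values = attributes.get(REQUIRED_CLAIM, [])
    if values and values[0]:
        email = values[0]
    else:
        near = [n for n in attributes if n != REQUIRED_CLAIM and "email" in n.lower()]
        hint = " (found %s, which are ignored)" % near if near else ""
        problems.append('no claim named exactly "%s"%s' % (REQUIRED_CLAIM, hint))

    return {"signed": signed, "primary_email": email,
            "attributes": attributes, "problems": problems}


# Constructed samples (not real captures). The ds:Signature element is a placeholder;
# a real IdP emits a full SignedInfo/SignatureValue/KeyInfo.
GOOD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://idp.example.com/</saml:Issuer>
    <ds:Signature><ds:SignedInfo/><ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml:AttributeStatement>
      <saml:Attribute Name="primary_email">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

# Unsigned, and the email arrives under a URI-style "emailaddress" claim: both rejected.
BAD_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r2" Version="2.0">
  <saml:Assertion ID="_a2" Version="2.0">
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for label, doc in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, check_saml_response(doc))
```

To check a real capture, paste the base64 SAMLResponse value from SAML Tracer into decode_saml_response() and pass the result to check_saml_response(); an empty "problems" list means the response satisfies both rules this page states, though not that the signature itself is valid.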
Identity Provider (IdP) Configuration References
Determining configuration data required by the IdP
Support Level Admins need to add the license that enables SSO. Once the license is in place, navigate to the "Authentication" tab, choose the "Single Sign On" tab, then click the "Download SP Metadata" button to retrieve the portal server's configuration information. It is provided as a SAML metadata XML document and contains everything needed to configure the IdP: the SP entity ID, the Assertion Consumer Service (ACS) URL, and the Single Logout URL.
Here is an example (from AWSCA):
<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
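Most IdP consoles ask for the SP values by name (entity ID, ACS URL, logout URL) rather than accepting the metadata file, so it helps to pull them out programmatically and sanity-check them. The script below is an added example written for this page, not ESChat's or SimpleSAMLphp's code: it parses the SP metadata above, selects the HTTP-POST ACS endpoint and the HTTP-Redirect logout endpoint, checks that every endpoint is HTTPS and on the same host as the entity ID, and reports whether the SP publishes a signing certificate (the example metadata does not, so the IdP must not be configured to require signed AuthnRequests). The metadata text embedded in the block is the example from this page.

```python
"""Extract the values an IdP needs from SP metadata and sanity-check them."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def sp_settings_from_metadata(xml_text: str) -> dict:
    """Return the IdP-side settings plus a list of sanity-check warnings."""
    # Parse bytes so the XML declaration's encoding attribute is honoured.
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != "{%s}EntityDescriptor" % MD:
        raise ValueError("document is not an md:EntityDescriptor")
    sp = root.find("{%s}SPSSODescriptor" % MD)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not SP metadata")

    acs = {e.get("Binding"): e.get("Location")
           for e in sp.findall("{%s}AssertionConsumerService" % MD)}
    slo = {e.get("Binding"): e.get("Location")
           for e in sp.findall("{%s}SingleLogoutService" % MD)}
    # A KeyDescriptor with use="signing" (or no use attribute) means the SP can
    # sign AuthnRequests; without one the IdP must accept unsigned requests.
    signing_keys = [k for k in sp.findall("{%s}KeyDescriptor" % MD)
                    if k.get("use") in (None, "signing")]

    entity_id = root.get("entityID")
    warnings = []
    sp_host = urlparse(entity_id).hostname
    for binding, url in list(acs.items()) + list(slo.items()):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            warnings.append("%s endpoint is not HTTPS: %s" % (binding, url))
        if parsed.hostname != sp_host:
            warnings.append("%s endpoint host differs from entity ID host: %s" % (binding, url))
    if HTTP_POST not in acs:
        warnings.append("no HTTP-POST AssertionConsumerService; most IdPs require one")
    if sp.get("WantAssertionsSigned") != "true":
        warnings.append("WantAssertionsSigned not asserted in metadata; sign assertions anyway")

    return {
        "entity_id": entity_id,
        "acs_url": acs.get(HTTP_POST),
        "acs_bindings": sorted(acs),
        "slo_url": slo.get(HTTP_REDIRECT),
        "sp_signs_requests": bool(signing_keys),
        "warnings": warnings,
    }


# The SP metadata example from this page (AWSCA portal).
SP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/metadata.php/default-sp">
<md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
<md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
<md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="1"/>
</md:SPSSODescriptor>
</md:EntityDescriptor>"""

if __name__ == "__main__":
    for key, value in sp_settings_from_metadata(SP_METADATA).items():
        print("%-18s %s" % (key, value))
```

Enter entity_id as the IdP's "Audience"/"SP Entity ID", acs_url as the "Reply URL"/"ACS URL", and slo_url as the logout URL; the warnings list is advisory and, for this page's metadata, only notes that WantAssertionsSigned is not asserted, which does not change the portal's requirement that the assertion or response be signed.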