Configure the Identity Provider for IT Administrators
This set of instructions is a companion to the customer admin instructions for configuring the ESChat Portal for Single Sign On (SSO) authentication.
SSO is a session and user authentication service that lets a user sign in with one set of login credentials (for example, a username and password) to access multiple applications. The feature is SAML 2.0 compliant and is enabled with assistance from ESChat Support once the customer has configured their identity provider (IdP).
It is the customer's responsibility to configure their identity provider (IdP) to provide the user's email address in a SAML claim named "primary_email".
Note: Because of a bug in current web service versions, the email address sent in the primary_email claim must be all lower case; otherwise authentication fails, even when the ESChat system holds the same mixed-case address that the IdP sends.
SSO (Single Sign On) for ESChat Portal Authentication
ESChat portals support SSO via SAML. It is the customer's responsibility to configure their identity provider (IdP) to provide the user's email address in a SAML claim named "primary_email".
User Identification via "claims"
The IdP must identify the user by email address in the SAML response, in a claim named "primary_email". The email address in that claim, and only that address, is what the portal uses to look the user up in the ESChat system. Different IdPs have different ways of configuring claims; some reference materials are provided below.
Note: Because of a bug in current web service versions, the email address sent in the primary_email claim must be all lower case; otherwise authentication fails, even when our system holds the same mixed-case address that the IdP sends.
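The following is an added example for this guide, not ESChat code. It parses a SAML response, looks for the attribute named exactly "primary_email", and reports the two misconfigurations described above: a claim whose name differs only in case from the required one, and an address value containing upper-case letters (the note's parenthetical indicates the lower-case requirement applies to the address value, and that is how the check treats it). The sample responses are constructed and stripped down to the AttributeStatement only; a real response also carries a signature, conditions and subject data that this check does not look at.

```python
"""Pre-flight check of a SAML response for the ESChat "primary_email" claim.
Added example for this guide; not ESChat code. Sample responses are constructed."""
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REQUIRED_CLAIM = "primary_email"  # the portal looks up this exact name


def list_attributes(response_xml: str) -> dict:
    """Return {attribute name: [values]} from every AttributeStatement."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name", "")
        values = [(v.text or "").strip() for v in attr.iterfind("saml:AttributeValue", NS)]
        attrs.setdefault(name, []).extend(values)
    return attrs


def find_primary_email(response_xml: str):
    """Return (email, problems). email is None when the portal would reject
    the response; problems lists what to change at the IdP."""
    attrs = list_attributes(response_xml)
    problems = []
    values = attrs.get(REQUIRED_CLAIM, [])
    if not values or not values[0]:
        # A name that matches only when case is ignored is a common IdP slip.
        near = [n for n in attrs if n.lower() == REQUIRED_CLAIM and n != REQUIRED_CLAIM]
        if near:
            problems.append(f"claim {near[0]!r} differs from {REQUIRED_CLAIM!r} only in case")
        else:
            problems.append(f"no {REQUIRED_CLAIM!r} claim in the response")
        return None, problems
    email = values[0]
    if "@" not in email:
        problems.append(f"{REQUIRED_CLAIM!r} value {email!r} is not an email address")
        return None, problems
    if email != email.lower():
        # The bug noted above: mixed case fails even when it matches the ESChat record.
        problems.append(f"{email!r} has upper-case letters; send it as {email.lower()!r}")
        return None, problems
    return email, problems


def _response(claim_name: str, value: str) -> str:
    # Constructed, minimal response: only the part the lookup touches.
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}">
  <saml:Assertion>
    <saml:AttributeStatement>
      <saml:Attribute Name="{claim_name}">
        <saml:AttributeValue>{value}</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


GOOD = _response("primary_email", "jane.doe@example.com")
MIXED_CASE_VALUE = _response("primary_email", "Jane.Doe@Example.com")
MIXED_CASE_NAME = _response("Primary_Email", "jane.doe@example.com")

if __name__ == "__main__":
    for label, doc in (("good", GOOD), ("mixed-case value", MIXED_CASE_VALUE),
                       ("mixed-case name", MIXED_CASE_NAME)):
        print(label, "->", find_primary_email(doc))
```

Run it against a response captured from the browser's SAML tracer (decoded from base64) before opening a support ticket; the problems list names the claim or value the IdP needs to change.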
Identity Provider (IdP) Configuration References
Determining configuration data required by the IdP
Support Level Admins need to add the license that enables SSO. Once it is added, navigate to the "Authentication" tab, choose the "Single Sign On" tab, and click the "Download SP Metadata" button to retrieve the server's service provider (SP) configuration information. It is provided as an XML document and should contain everything needed to configure the IdP.
Here is an example (from AWSCA):
<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
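As an added example (not ESChat code), the script below reads the SP metadata document and pulls out the values an IdP administrator has to enter: the SP entityID, the Assertion Consumer Service (ACS) URLs and the Single Logout (SLO) URLs, keyed by binding. It then runs the sanity checks a practitioner would want before pasting those values into the IdP: every endpoint uses HTTPS, every endpoint host matches the entityID host, and an HTTP-POST ACS endpoint (the binding the IdP normally posts the response to) is present. The embedded document is the AWSCA example shown above.

```python
"""Extract IdP-facing values from ESChat SP metadata and sanity-check them.
Added example for this guide; not ESChat code."""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
NS = {"md": MD}

# The AWSCA example from this page, embedded so the script runs offline.
SP_METADATA = """<?xml version="1.0" encoding="utf-8"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/metadata.php/default-sp">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-logout.php/default-sp"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="0"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Artifact" Location="https://ca-portal.sla-ptt.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def _binding(el) -> str:
    # "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" -> "HTTP-POST"
    return el.get("Binding", "").rsplit(":", 1)[-1]


def parse_sp_metadata(xml_text: str) -> dict:
    """Return {"entity_id": ..., "acs": {binding: {url, index}}, "slo": {binding: url}}."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise ValueError("not a SAML metadata EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: this is not service-provider metadata")
    info = {"entity_id": root.get("entityID"), "acs": {}, "slo": {}}
    for acs in sp.iterfind("md:AssertionConsumerService", NS):
        info["acs"][_binding(acs)] = {"url": acs.get("Location"),
                                      "index": int(acs.get("index", "0"))}
    for slo in sp.iterfind("md:SingleLogoutService", NS):
        info["slo"][_binding(slo)] = slo.get("Location")
    return info


def check_endpoints(info: dict) -> list:
    """Checks worth doing before the values go into the IdP; returns problems."""
    problems = []
    sp_host = urlparse(info["entity_id"]).hostname
    urls = [e["url"] for e in info["acs"].values()] + list(info["slo"].values())
    for url in urls:
        parts = urlparse(url)
        if parts.scheme != "https":
            problems.append(f"{url}: SAML messages would travel over plain HTTP")
        if parts.hostname != sp_host:
            problems.append(f"{url}: host differs from entityID host {sp_host}")
    if "HTTP-POST" not in info["acs"]:
        problems.append("no HTTP-POST AssertionConsumerService endpoint")
    return problems


if __name__ == "__main__":
    meta = parse_sp_metadata(SP_METADATA)
    print("entityID:", meta["entity_id"])
    for binding, acs in meta["acs"].items():
        print(f"ACS [{binding}] index={acs['index']}: {acs['url']}")
    for binding, url in meta["slo"].items():
        print(f"SLO [{binding}]: {url}")
    print("problems:", check_endpoints(meta) or "none")
```

To use it on your own portal, replace SP_METADATA with the document downloaded from the "Download SP Metadata" button (or read it from a file); the entityID and the HTTP-POST ACS URL are the two values nearly every IdP asks for first.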