Tags | Authentication | SAML | SSO | OneLogin |
ADMIN PRIVILEGES REQUIRED
This documentation is for Stack Overflow for Teams Enterprise. Free, Basic, and Business users can access their documentation here. Find your plan.
Overview
These instructions describe how to integrate your Stack Overflow for Teams Enterprise (SOE) site with OneLogin as your Identity Provider (IdP) for authentication. Once configured, your users will be able to use OneLogin and the Security Assertion Markup Language (SAML) for Single Sign-on (SSO) authentication into your site. You can learn more about SAML in our SAML Authentication Overview document.
When setting up SAML authentication, you'll configure your SOE site and the OneLogin IdP in a back-and-forth process. We recommend having a browser tab open to each site.
THIS ARTICLE APPLIES TO STACK OVERFLOW FOR TEAMS ENTERPRISE ONLY.
Other Stack Overflow for Teams users should read this article instead. Find your plan.
Create a new SAML application
In OneLogin, add a new SAML 2.0 application. In this example, we selected SAML Custom Connector (Advanced).
After you select the SAML application type, click Configuration in the left-hand menu.
Configure OneLogin SAML settings
On the Configuration page, leave the RelayState field blank.
Enter your SOE site's Assertion Consumer Service URL (https://[your_site]/auth/saml2/post) into these four fields:
Audience (EntityID)
Recipient
ACS (Consumer) URL
ACS (Consumer) URL Validator
Leave any remaining fields on the Configuration page unchanged.
Click Parameters in the left-hand menu.
Edit the Email, Name, and NameID value fields and select the appropriate value for each. Be sure Include in SAML assertion is checked for all three.
Configure SOE SAML settings
In a new browser window or tab, open your SOE authentication settings by clicking Admin settings in the left-hand menu, then Authentication. Click Configure SAML 2.0.
Set the following values on the SOE authentication settings page. You'll copy and paste some values from your OneLogin application.
Assertion consumer service URL Verify this field is https://[your_site]/auth/saml2/post.
Single Sign-On Service URL Copy and paste the SAML 2.0 Endpoint (HTTP) value from the OneLogin application's SSO page.
Single Sign-On Service Protocol Binding Leave the option that ends in POST.
Issuer Copy and paste the Issuer URL value from the OneLogin application's SSO page.
Audience Restriction Set this to your site's Assertion consumer service URL (https://[your_site]/auth/saml2/post).
Display Name Assertion This is the value you set for the OneLogin application's Name assertion on the Parameters page (for example: Name).
Email Address Assertion This is the value you set for the OneLogin application's Email assertion on the Parameters page (for example: Email).
Checkboxes Leave all unchecked.
Identity Provider Certificates On the OneLogin application's SSO page, click View Details for the X.509 Certificate. Copy and paste the full certificate value to this field (include "-----BEGIN CERTIFICATE-----", the certificate itself, and "-----END CERTIFICATE-----").
Use Subject/NameID as user identifier is checked by default, which allows the IdP to specify the user identifier based on your SAML app configuration. This is the recommended setting.
If you uncheck this option, you can manually specify a User identifier assertion of your choice. Be sure to choose a user identifier that will never change (for example: login or user ID). Email address is not a good choice for user identifier, as email addresses can change.
Validate your certificate by clicking Validate Certificate. You should see a green box with a success message. If you don't, make sure you copied and pasted the full text of the certificate.
Test and save your SAML configuration
To complete the SSO setup, click Save Settings.
When saving settings, SOE will first perform an authentication test. If the test succeeds, SOE will apply your new authentication settings. Logged-in users stay logged in, as all active user sessions remain valid.
If the test fails, SOE will not apply the authentication settings. You'll stay on the SAML settings page so you can troubleshoot and correct problems.
This test acts as a safety net to keep invalid authentication settings from locking users (yourself included) out of your site. If you do find your users locked out of your site, reach out to Stack Overflow product support for help.
You can also click Test currently saved SAML configuration to display technical details about your SAML authentication. You'll find these helpful for understanding what information your IdP and SOE exchange. This is also useful when troubleshooting.
If you can't resolve the authentication errors, reach out to Stack Overflow support for help.