Skip to content

SAML SSO

To configure SAML SSO authentication in Afi with your identity provider, you will need to create a custom SAML SSO application on your identity provider side and then finish the configuration on the Afi side by providing your application's URLs and certificate for SAML authentication.

Configure SAML connector on the identity provider side

Create a custom SAML connector (application) on your identity provider side, following the steps below.

Connector name and description

Specify a connector name (for example, Afi Backup) and description so that it is clear and easily recognizable to users in your organization.

Connector configuration

Please make sure to fill out the following connector parameters accordingly:

  • Single Sign-on URL: https://app.afi.ai/auth/callback-saml. This field can also be referred to as the Assertion Consumer Service (ACS) URL by identity providers.
  • Audience URI: https://app.afi.ai/auth/callback-saml
  • RelayState: accountd

Info

If an identity provider (for example, OneLogin) asks for the Assertion Consumer Service (ACS) URL Validator, please enter the following value: ^https:\/\/app\.afi\.ai\.com\/auth\/callback-saml\/$.

SAML parameters

Add the following SAML parameters (fields) to be included in the SAML assertion:

  • email
  • name

Identity provider emails of the users accessing the Afi application via SAML SSO should match with the corresponding Microsoft 365 or Google Workspace primary emails in the Afi tenant where SAML SSO authentication is configured.

User assignment

Assign users to the SAML connector (application) so that they can use this connector for authentication and the application is added to their end-user portals in your identity provider.

Setup details

Once the SAML connector (application) is created, please use the provided SSO URL (also referred to as SAML 2.0 Endpoint), Issuer URL, and certificate to finish the configuration on the Afi side.

Enable SAML SSO on the Afi side

To finish SAML configuration on the Afi side, please go to the Service → Settings → SAML/Okta tab, select the SAML provider option, and fill out the following fields:

  • Domain: Your organization's identity provider domain name (for example, <company-name>.onelogin.com).
  • Company name: Your company name.
  • SSO URL: SSO URL provided by the SAML connector.
  • SSO Issuer: Issuer URL provided by the SAML connector.
  • Certificate: SAML connector certificate.

Authenticate in Afi with SAML SSO

Afi supports both service provider-initiated and identity provider-initiated SAML authentication flows.

Service provider-initiated flow

Service provider-initiated flow starts on the custom Afi login screen for SAML SSO where a user is prompted to enter their connector ID (identity provider domain) and then proceed with authentication. Upon successful authentication, the user will be redirected to the Afi portal.

Identity provider-initiated flow

In general, an identity provider usually has an end-user portal where the user can view and access the applications which are assigned to them. Upon selecting the Afi application in the end-user portal, the identity provider communicates with Afi to perform SAML authentication transparently for the user and, in case of success, redirects the user to the Afi portal.