How to Set Up Single Sign-On (SSO)
We encourage all customers to integrate with our platform using single sign-on via SAML. You will need to configure your SAML Identity Provider (“SAML IdP”) with the details for accessing FundApps (the SAML Service Provider or “SAML SP”). To complete the setup, we will need to work with a technical user at your company with knowledge of your identity provider and the authority to configure it.
How does SSO Work?
There are two main ways SSO can be set up:
1) SP-initiated: the user goes to the FundApps login page, enters their email address and is redirected to the identity provider for authentication. The user types an email address into FundApps but never a password.
2) IdP-initiated: the user signs in at their identity provider first and chooses the FundApps link there to log in.
This article has two sets of steps to follow - pick the set based on your identity provider. Follow the General Steps for any identity provider other than ADFS. Follow the ADFS-specific steps if you are using ADFS as your identity provider.
Technical notes before we begin:
- FundApps supports both IdP-initiated and SP-initiated sign in.
- Accounts are matched using an email address.
- Provisioning of accounts (including allocation of user roles) is performed manually within Rapptr itself.
- We support encrypted SAML assertions, but only if your identity provider can consume our metadata URL. This is to ensure we can safely rotate certificates without impacting your integration.
- If your IT setup does not allow for automatic rotation of our certificates, please inform your CSM.
- SAML requests must be signed with SHA256 (both the digest and the signature).
General steps to integrate (follow this for any identity provider other than ADFS):
- Please email firstname.lastname@example.org and request SSO to be enabled, specifying which environment(s) you require this to be enabled for, AND supply FundApps with your identity provider’s metadata URL for the integration you have configured.
- FundApps support will supply you with a “Service Provider metadata URL” of the form https://tenant.fundapps.co/sso/sso-config-name.
- Please supply your identity provider with the metadata URL you have been given, if possible. If it does not support consuming metadata, please configure the following parameters in your identity provider, substituting “sso-config-name” with the identifier supplied:
  - “entityID”: available in the metadata XML file, which can be downloaded from the URL provided.
  - “NameID” format: should be set to ‘emailAddress’
- Once the configuration has been completed, ensure you have the desired users set up - their email addresses will need to match those configured in your identity provider.
- You’re done!
- For clarity, there will be no change to the UI once SAML is enabled. Simply log in by entering your email address.
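As an added example (not part of FundApps’ documentation or code), the following Python script checks the two things the general steps above and step 2 of the ADFS section ask you to confirm: that the file downloaded from the “Service Provider metadata URL” really is SAML service-provider metadata (and which entityID, ACS endpoint and NameID format to copy into an identity provider that cannot consume the URL), and that a signed SAML message declares RSA-SHA256 for the signature and SHA-256 for the digest. The sample metadata and the SAML Response skeleton are constructed for this example; the tenant hostname follows the article’s pattern and the “/acs” path is an assumption. The script reads the declared algorithm URIs only; it does not validate the signature itself.

```python
# Added example (not FundApps' or Rapptr's code): offline checks for a downloaded
# SP metadata file and for the SHA-256 requirement on signed SAML messages.
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
# Standard SAML / XML-DSig identifiers for the values the article requires.
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
SHA256_DIGEST = "http://www.w3.org/2001/04/xmlenc#sha256"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
SHA1_DIGEST = "http://www.w3.org/2000/09/xmldsig#sha1"

# Constructed sample of an SP metadata download; the /acs path is an assumption.
SAMPLE_SP_METADATA = """<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://tenant.fundapps.co/sso/sso-config-name">
  <md:SPSSODescriptor WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:AssertionConsumerService index="0" isDefault="true"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant.fundapps.co/sso/sso-config-name/acs"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def inspect_sp_metadata(xml_text):
    """Values an IdP admin copies by hand when the IdP cannot consume the URL:
    entityID, ACS endpoints, NameID formats. Raises if this is not SP metadata."""
    root = ET.fromstring(xml_text)  # ParseError if the download was not XML
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("root element is not md:EntityDescriptor")
    sp = root.find("md:SPSSODescriptor", NS)
    if sp is None:
        raise ValueError("no SPSSODescriptor: not service-provider metadata")
    formats = [e.text.strip() for e in sp.findall("md:NameIDFormat", NS) if e.text]
    acs = [(a.get("Binding"), a.get("Location"))
           for a in sp.findall("md:AssertionConsumerService", NS)]
    return {"entity_id": root.get("entityID"), "nameid_formats": formats,
            "email_nameid_supported": EMAIL_NAMEID in formats, "acs_endpoints": acs}


def is_sp_metadata(text):
    """True only if the text parses as XML and carries an SPSSODescriptor."""
    try:
        inspect_sp_metadata(text)
        return True
    except (ET.ParseError, ValueError):
        return False


def make_response(sig_alg, digest_alg):
    """Constructed, unsigned Response skeleton: only the algorithm URIs are real;
    SignatureValue and DigestValue are placeholders."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:ds="{NS['ds']}"
    ID="_resp1" Version="2.0">
  <ds:Signature><ds:SignedInfo>
    <ds:SignatureMethod Algorithm="{sig_alg}"/>
    <ds:Reference URI="#_resp1">
      <ds:DigestMethod Algorithm="{digest_alg}"/><ds:DigestValue>X</ds:DigestValue>
    </ds:Reference>
  </ds:SignedInfo><ds:SignatureValue>X</ds:SignatureValue></ds:Signature>
</samlp:Response>"""


def signature_algorithms(xml_text):
    """(SignatureMethod, [DigestMethod, ...]) for each ds:Signature found.
    Reads the declared URIs only; it does not verify the signature itself."""
    out = []
    for sig in ET.fromstring(xml_text).iter("{%s}Signature" % NS["ds"]):
        method = sig.find("ds:SignedInfo/ds:SignatureMethod", NS)
        digests = sig.findall("ds:SignedInfo/ds:Reference/ds:DigestMethod", NS)
        out.append((None if method is None else method.get("Algorithm"),
                    [d.get("Algorithm") for d in digests]))
    return out


def uses_sha256(xml_text):
    """True if at least one signature exists and every one is RSA-SHA256 with
    SHA-256 digests, which is what the article requires."""
    algs = signature_algorithms(xml_text)
    return bool(algs) and all(s == RSA_SHA256 and d and all(x == SHA256_DIGEST for x in d)
                              for s, d in algs)


if __name__ == "__main__":
    print(inspect_sp_metadata(SAMPLE_SP_METADATA))
    print("sha256 response ok:", uses_sha256(make_response(RSA_SHA256, SHA256_DIGEST)))
    print("sha1 response ok:", uses_sha256(make_response(RSA_SHA1, SHA1_DIGEST)))
```

To check a real download, read the extensionless file into a string and pass it to inspect_sp_metadata; a login page or error page returned instead of metadata fails with a ParseError or a ValueError rather than silently producing empty values. The same Signature/SignedInfo structure appears in AuthnRequests, Responses and Assertions, so signature_algorithms can be pointed at any of them when confirming the SHA256 requirement with your identity provider team.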
ADFS-specific steps to integrate (follow this if ADFS is your identity provider):
1. Please email email@example.com and request SSO to be enabled, specifying which environment(s) you require this to be enabled for. Please supply your identity provider metadata URL.
Please note: You might have to set up a "dummy" Relying Party Trust to get the Metadata URL.
2. FundApps will use this Metadata and configure it on our side and then supply you with a service provider Metadata URL.
- Example: https://tenant.fundapps.co/sso/sso-config-name
Please check that you can download the metadata file by opening the provided URL in your browser. The downloaded file has no extension, but when opened in a text editor it should be an XML file.
3. On ADFS, set up a new Relying Party Trust. When asked for the metadata URL, you should use our Service Provider (SP) metadata URL provided in Step 2.
4. Click Test URL. The values on the other tabs should auto-populate (similar to the screenshots below).
5. You’re done!