​Prerequisites:
​
➔ The user responsible for managing SSO configurations must be an admin in all Candis organisations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organisation, please contact Candis support to request access to the SSO configuration
panel.
​
Note:
The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that
configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated
with the SSO configuration, such as updating a signing certificate.

Create SSO configuration
​
1. In Candis go to Settings > My Company > Create new

2. Setting up the SSO SAML configuration in Candis
​

SP entity provider ID: Candis service provider(SP) ID.
​

ACS URL: Assertion Consumer Service and Redirect URI. SP endpoint where the IDP sends SAML assertions after successful
authentication.
​
​Note: ACS URL generated for your IDP, depends on the value entered in Identity provider alias text field. By default is equal to the ID of
the current organization

3. Go to your Azure portal and navigate to Intra ID
​
Always create a new “Enterprise Application
​
Enterprise Applications ➔ New Application ➔ Create your own application > Give your application a name ➔ Select “Integrate any other
application you don't find in the gallery (Non-gallery)” Select point 2 ➔ “Set up single sign on” ➔ In the next step select “SAML”.
​
Now you enter the “Set up Single Sign-On with SAML” area.
​
​Identity provider entity ID = Microsoft Entra Identifier from Intra ID Provider details (under point 4 in the Azure set up form)
​
​Single sign-on service URL = LOGIN URL from Intra ID Provider details

4. Configure Azure Intra ID IDP with Candis SP values.
​
Take the SP-relevant values from Candis (we described above in step 2) and enter them into the Service provider details on the configuration of the SAML application.

The form in Intra ID should look like this:

5. Add Candis required mappers
​
By default, we required three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Intra ID (Azure portal) and click save. This will complete the initial setup of the SAML application in Intra ID.
​
​Note: You have to open and edit every single claim (manage claim). Please also delete the content in the “Namespace” field

This is how the editing view looks like (when the correct “Name” and “Source attribute” are added and the “Namespace” field is cleared:

Afterwards, it should look like this (correct attributes and claims)
​

6. Enter your certificate in the Candis set up form

In the Azure Intra ID platform, go to the SAML area and open the Federation Metadata XML in your browser. Copy the X509 certificate.

And Please make sure you copy the whole value!

7. Go back to Candis and finish the configuration

Always make sure, to keep the “NameID policy format” on “Persistant”.

Select the “HTTP-POST binding for AuthnRequest” AND “HTTP-POST binding response” as well as “Validate signatures” toggle.
​
The setup form should look similar to this:

8. Check if everything is set up correctly
​
Once you have saved the configuration in Candis, a new link “Service provider metadata endpoint” will appear in the Candis form.
You can open this link in your browser to check that everything is set up correctly.
​
If everything is set up correctly, save the SSO configuration in the Candis application.
Go back to the organization setting and select the created SSO configuration from the drop-down list.

Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to login.

Candis will detect that the user belongs to an organization setup for your identity provider and redirect the user to login via your IDP.

Remember: You can not test it yourself, since the creator of the SSO set up will always log in with credentials and cant use SSO login.

9. Assign the configuration to all Candis companies, that should use this configuration
​
In every Candis organisation, you can use an already configured SSO configuration or simply create a new one.

Prerequisites:
​
➔ The user responsible for managing SSO configurations must be an admin in all Candis Organizations where the configuration will apply.
➔ The user should have admin or sufficient privileges in the Identity Provider to configure the SAML application.
➔ The feature needs to be activated for your organization, please contact Candis support to request access to the SSO configuration
panel.
​
​Note: The user who creates the SSO configuration in Candis automatically assumes the role of owner and administrator for that configuration.
This user is exempt from SSO discovery and will access Candis using Candis credentials to address any issues associated with the SSO configuration, such as updating a signing certificate.

Create SSO configuration
​
1. In Candis go to Settings ➔ My Company ➔ Create new

2. It opens the SSO SAML configuration.

​

The configuration form shows the relevant SP values to start the IDP configuration. In the case of google SAML applications, we get first the Google Identity Provider details before entering the SP details.

Therefore let’s jump directly to step 3.

The showed SP values are explained here just for reference.
​
​SP entity provider ID:
Candis service provider(SP) ID. Please copy this value
​ACS URL: Assertion Consumer Service and Redirect URI. SP endpoint where the IDP sends SAML assertions after successful
authentication.
​
Note: that ACS URL generated for your IDP, depends on the value entered in Identity provider alias text field. By default is equal to the ID
of the current organization

3. Create the SAML Identity Provider application in Google Admin Console.
​
In Google Admin console, go to Menu ➔ Apps ➔ Web and mobile apps ➔ Add app ➔ Add custom SAML app.
Check the Google help article to create SAML applications for more references.
The configuration wizard’s first step will ask for an application name. Enter a name and hit continue,
From step number 2 in Google: Google Identity Provider details
Take the following values to fill up the Candis setup form.
​
​SSO URL ➔ https://accounts.google.com/o/saml2/idp?idpid=some-id-from-google-to-your-idp
​Entity ID ➔ https://accounts.google.com/o/saml2?idpid=some-id-from-google-to-your-idp
​Certificate ➔ Your IDP Google certificate.
​
​Single sign-on service URL = SSO URL from Google Identity Provider details.
​Identity provider entity ID = Entity ID from Google Identity Provider details

X509 certificates = Certificate
​
The setup form should look similar to this:

4. Configure Google IDP with Candis SP values.
​
Take the SP-relevant values we described above in step 2 and enter them into the Service provider details on the configuration of the SAML application.

The form in Google should look like this:
​

let the rest of the default values for now and hit continue on Google side.

5. Add candis required mappers
​
By default, we required three attributes for SSO users: email, first and last name. Add the following mappers in the last step (Attribute mapping) of the wizard in Google and click save.

This will complete the initial setup of the SAML application in Google.

6. Assing the SSO configuration to the organization
​
Save the SSO configuration in the Candis application.

Go back to the organization setting and select the created SSO configuration from the
drop-down list.

Run the first test by inviting a user to the organization or by asking some users that are already part of the organization to login. Candis will
detect that the user belongs to an organization setup for your identity provider and redirect the user to login via your IDP.

7. Complementary SSO features
Some features are still not covered in the SSO configuration form.

Please contact Candis support if need or want to configure the following
features.
​
​Allow registration via SSO: It is possible to add email domains for your IDP and allow automatic registration for users that SSO login via
your IDP, this eliminates the need to invite users to each organization.

​Role mapping: We allow organizations using SSO to define the authorization on their IDP, so role management does not happen anymore
in the Candis application. Please contact candis in this case and we will assist you with the mappers from your IDP to Candis roles.

Avoid SSO redirection for some users in your organization:
Sometimes organizations need to invite users who are not part of the
organization and are not part of the IDP, e.g. consultants or auditors. Please contact Candis in this case and we will make those users non-
sso users.
​

Complementary SSO features
Some features are still not covered in the SSO configuration form. Please contact Candis support if need or want to configure the following
features.
Allow registration via SSO: It is possible to add email domains for your IDP and allow automatic registration for users that SSO login via
your IDP, this eliminates the need to invite users to each organisation.

Role mapping: We allow organisations using SSO to define the authorisation on their IDP, so role management does not happen anymore
in the Candis application. Please contact candis in this case and we will assist you with the mappers from your IDP to Candis roles.
Avoid SSO redirection for some users in your organisation: Sometimes organisations need to invite users who are not part of the
organisation and are not part of the IDP, e.g. consultants or auditors. Please contact Candis in this case and we will make those users non-
sso users