Implementing SSO with EchoInk requires the following steps:
- Email your EchoInk representative your SSO IDP data.
- Implement the service provider metadata received from EchoInk.
Provide SSO IDP Data
The following table lists the data EchoInk needs to set up your SSO implementation on the EchoInk platform. Email this information to your EchoInk representative.
| Configuration parameter | Description | Required? |
|---|---|---|
| Identity Provider Id | The unique identifier for your identity provider. | Required |
| SAML Login Request Address | The address to which the SAML login request is sent. EchoInk uses the | Required |
| SAML Logout Request Address | The address to which the SAML logout request is sent. EchoInk uses the | Strongly Recommended |
| X509 Certificate Signature Verification | The certificate that is used to verify the signature on the messages and assertions. It is a large block of encoded text found in the X509Certificate node within the IDPSSODescriptor node. | Required |
| Signed Messages Required | Boolean flag that indicates whether EchoInk requires messages from the IDP to be signed. The default is true. | Optional |
| Signed Assertions Required | Boolean flag that indicates whether EchoInk requires assertions from the IDP to be signed. The required value is true. | Required |
| Company Username | The claim field in the assertion that is used as your company’s username within the EchoInk system. | Optional |
| Requested Authentication Context | The AuthnContextClassRef that we can request from your identity provider. By default this is set to urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport. | Optional |
| Site Id Required in URL Path | Indicates whether the siteId is specified in the path or as a query parameter. Defaults to true so that requests are in the format: https://api.inkling.com/saml/v2/sso/mySiteId. | Optional |
| Enable Automatic User Provisioning | Boolean that indicates whether users who have not previously been registered with EchoInk are created on demand the first time they are authenticated by SAML SSO. Defaults to You must provide EchoInk with details of which SAML claims to use to populate the mandatory user attributes: User Id, Username, First Name, and Last Name. | Optional |
| Enable Automatic User Provisioning | Boolean that indicates whether single-valued attributes in the AttributeStatement sent through as part of the SAML Authentication Response are captured as EchoInk custom user attributes for use with EchoInk Distribution Rules functionality. Defaults to | Optional |
Implement SP metadata
Once EchoInk has processed your SSO data, we will send you the following service provider metadata. Work with your SAML Identity Provider to configure this information for your organization.
| Field | Value |
|---|---|
| Post Back URL | https://api.inkling.com/saml/v2/acs?siteId=<siteid> |
| Recipient | http://api.inkling.com/saml/v2/acs |
| Audience Restriction | http:api.inkling.com/saml/v2/metadata |
| Response | Signed |
| Assertion | Signed |
| Request | Compressed |
| Destination | http://api.inkling.com/saml/v2/acs |
| Default Relay State | https://www.inkling.com/read |
| Attribute Statements | username |