SAML/SSO with AuthAnvil (Passly)

One of the SAML identity providers (IdP) you can use is AuthAnvil/Passly.
Before setting up your AuthAnvil/Passly integration, please read over our Understanding SAML/SSO article to learn basic concepts and useful tips.
 
In order to get started with the setup of SSO with AuthAnvil/Passly, you will need:
 
  • AuthAnvil/Passly account with admin permissions.
  • Admin or super-admin user role within Hudu.
  • All users are provisioned in AuthAnvil/Passly with the exact same email address as their Hudu account. We don't create new user accounts with SSO.
  • Ensure that the users have already been created in Hudu before starting this process.

 

Guides

How to Enable SSO

  1. Log in to Hudu and click the Admin tab on the top toolbar.
  2. Click General.
  3. Click Configure Single Sign-On.
  4. Enter SAML details. See the relevant section below on how to fill this information out.
  5. Click Enable Single Sign-On.
  6. Hit Update SAML Details and SAML should now be activated.

 

Configuring AuthAnvil (Passly)

  • In AuthAnvil/Passly, as an administrator:
    • First, configure a user group. Go to Directory Manager >> Groups.

  • In the bottom right corner, click the green (+) circle. A Create New Group sidebar will appear.
  • Name the group and click Add Group.
  • Add users to the group by clicking the ellipsis next to the newly created group.

  • Add a new user by clicking on the green (Profile) icon in the bottom right corner of the screen.

  • Click on SSO Manager on the left sidebar.

  • Click the green (+) icon in the bottom right corner and then click the Catalogue button.

  • Click on Custom Application. 

  • Give the Application a name. For example, Hudu. Enable the application. Then choose an icon for the application. If you need one, we have included one for you to use here.

  • Then, navigate to the tab for Protocol Setup. 
    • Type your Hudu instance URL followed by /saml/consume into the Assertion Consumer Service URL field. It should look like this: https://docs.mywebsite.com/saml/consume
    • Click on Allow Multiple Audiences and make sure your Audience URI is your Hudu Instance URL and matches your Service Entity ID (Issuer) field.
    • Type in your Hudu instance URL for the Service Entity ID (Issuer) field.

  • Under Advanced Settings,
    • Select either SHA-1 or SHA-256 as the signing algorithm.
      • Please note that depending on which option you select, you'll need to adjust the certificate fingerprint to match.

  • In the Attribute Transformation page, choose Just issue an attribute as the username and choose {User.EmailAddress} as the value.

  • Go to the Permissions tab and add the Group you created earlier. 

  • Click Save Changes. Leave the page open as you fill out the information on Hudu.

 

Configuring Hudu

  1. In Hudu, with a user role of Admin or Super Admin:
    • Navigate to your Hudu admin area >> General >> SAML/SSO Configure.
  2. Provide Identity Provider (IdP) information:
    • SAML Issuer URL: This is what AuthAnvil/Passly calls their Identity Issuer.
      • Go to AuthAnvil/Passly >> SSO Manager and open the Hudu application you created earlier.
      • Click Protocol Setup at the top of the screen.
      • Copy the Identity Issuer and paste it into the SAML Issuer URL field.
    • SAML Login URL:
      • Go to AuthAnvil/Passly >> LaunchPad.
      • Right-click on the Hudu Application and click Copy Link Address.
      • Paste into the SAML Login Endpoint field on Hudu.
    • SAML Logout URL: Choose a location where Hudu can redirect users after successful logout. This cannot be blank, but AuthAnvil does not provide a location.
      • An example could be https://hudutestapp.my.authanvil.com/apps or https://hudutestapp.my.passly.com/apps
      • Paste this value into SAML Logout Endpoint.
    • SAML Fingerprint:
      • Go to AuthAnvil/Passly >> SSO Manager and click on the Hudu application you created earlier.
        • Click Signing and Encryption.
        • Obtaining the correct fingerprint (thumbprint):
          • To ensure that you are obtaining the correct fingerprint (thumbprint) for your algorithm:
            • Click < > Copy to copy the certificate.
            • Paste the certificate into a tool such as https://developers.onelogin.com/saml/online-tools/x509-certs/calculate-fingerprint
            • Choose either SHA-1 or SHA-256 as the algorithm.
              • If choosing SHA-256, you will also need to ensure that the 'Use SHA-256' option is checked (in the Hudu SAML setup area).
            • Copy either the non-formatted or formatted fingerprints provided and paste them into Hudu SAML Fingerprint.
    • SAML Certificate: This is provided by AuthAnvil/Passly, and should be the same certificate used to configure the fingerprint; copy this exactly.
      • -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- should be included.
      • Go to AuthAnvil/Passly >> SSO Manager and click on the Hudu application you created earlier.
      • Click Signing and Encryption.
      • Click < > Copy to copy the certificate.
      • Paste into the SAML Certificate field. Make sure there is no extra space trailing at the end!
    • SAML ARN: This signifies the Authentication Context that Hudu will provide to the IdP. AuthnContext is the method by which a user tries to log in (e.g. via password, passwordless, etc.).
      • If you specify Do not pass RequestedAuthnContext in your request, the URN is used by the IdP to say "I don't want to tell you how I identified the user".
        • Requested Authentication Context may be required for your IdP, but it is typically optional.
        • If you have users who use passwordless login to your IdP, Do not pass RequestedAuthnContext must be selected.
      • If you specify Password in your request, the IdP knows it has to authenticate the user through login/password.
      • If you specify PasswordProtectedTransport in your request, the IdP knows it has to authenticate the user through login/password, protected by SSL/TLS.
  3. Click Enable Single Sign-On.
  4. Hit Update SAML Details and SAML should now be activated.
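
The SAML Fingerprint and SAML Certificate steps above can also be checked locally. The following is an added example, not part of Hudu's or AuthAnvil/Passly's own tooling: it computes the SHA-1 and SHA-256 fingerprints from the copied PEM certificate and reports when a pasted fingerprint does not match the 'Use SHA-256' setting or the certificate. The function names are hypothetical and the sample certificate body is constructed (arbitrary bytes, not a real certificate).

```python
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes found between the BEGIN/END CERTIFICATE lines."""
    match = PEM_RE.search(pem)
    if not match:
        raise ValueError("missing BEGIN/END CERTIFICATE lines")
    # Line breaks (LF or CRLF) and stray spaces are not part of the encoded data.
    return base64.b64decode("".join(match.group(1).split()), validate=True)

def fingerprint(pem: str, algorithm: str = "sha256", formatted: bool = True) -> str:
    """Fingerprint = hash of the DER-encoded certificate, as upper-case hex."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError("algorithm must be sha1 or sha256")
    digest = hashlib.new(algorithm, pem_to_der(pem)).hexdigest().upper()
    if not formatted:
        return digest
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(value: str) -> str:
    """Drop colons, spaces and case so formatted and non-formatted values compare equal."""
    return re.sub(r"[^0-9A-Fa-f]", "", value).upper()

def check_setup(pem: str, pasted: str, use_sha256: bool) -> str:
    """Compare a pasted fingerprint with the certificate and the 'Use SHA-256' option."""
    hex_value = normalize(pasted)
    pasted_alg = {40: "sha1", 64: "sha256"}.get(len(hex_value))
    if pasted_alg is None:
        return "not a SHA-1 or SHA-256 fingerprint"
    expected_alg = "sha256" if use_sha256 else "sha1"
    if pasted_alg != expected_alg:
        return f"fingerprint is {pasted_alg} but the setting expects {expected_alg}"
    if hex_value != fingerprint(pem, expected_alg, formatted=False):
        return "fingerprint does not match this certificate"
    return "ok"

# Constructed stand-in: arbitrary bytes wrapped as PEM with CRLF and trailing spaces.
SAMPLE_DER = b"constructed sample bytes, not a real certificate" * 4
SAMPLE_PEM = (
    "-----BEGIN CERTIFICATE-----\r\n"
    + base64.encodebytes(SAMPLE_DER).decode().replace("\n", "\r\n")
    + "-----END CERTIFICATE-----\r\n  "
)

if __name__ == "__main__":
    print({alg: fingerprint(SAMPLE_PEM, alg) for alg in ("sha1", "sha256")})
```

To use it on a real setup, replace SAMPLE_PEM with the certificate text copied from Signing and Encryption.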

 

Testing SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you are able to log in successfully via this button, your SAML is working!
 
 

Disable Password Access for non-Admins

You have the option to disable password logins for non-administrators (users that are not super admins or admins). When you click "Disable Password Access for non-Admins", all users below admin will have to use single sign-on exclusively to access your Hudu environment.
Admins will still be able to access Hudu via an admin sign-in page. This will prevent you from being locked out of your account when your Identity Provider is unavailable.