Implementing SAML

One of the features Hudu supports as of v. 2.0.7 is the ability to log in via a central identity provider. Single Sign-On (SSO) provides a simple way to log in securely to multiple websites and applications with a single account.

How SSO works

With SSO, there are two main entities in play:

  • Identity Provider. Examples are AzureAD, Okta, OneLogin, etc.
  • Service Provider. This will be Hudu.

When you enable SSO as a Hudu Admin, a button will appear on your sign-in pages. When you click it, you will be redirected to your Identity Provider. The Identity Provider will authenticate you and send you back to Hudu with the necessary authentication credentials. We will match the authenticated user with the user in Hudu (via the email address) and log you in to your Hudu account.
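The flow above comes down to a handful of checks the service provider makes on the response the Identity Provider posts back, before it matches the subject to a local user by email. The Python below is an added illustration, not Hudu's code: the SAML Response, the hostnames (docs.mywebsite.com, idp.example.com), the user table and the clock value are all constructed, and the response is unsigned. A real deployment verifies the XML signature with a SAML library against the certificate configured in Hudu; the checks shown here are only the ones that correspond directly to the settings entered on each side (SAML Issuer URL, Identifier/Entity ID, Reply URL).

```python
"""Settings-to-response checks a service provider makes before matching the
SAML subject to a local user by email.  Added example, not Hudu's code; the
response, URLs, user table and clock value are constructed for illustration."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed, unsigned Response as the IdP would POST it to the Reply URL.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://docs.mywebsite.com/saml/consume">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Alice@MyWebsite.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:55:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://docs.mywebsite.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

# Values from the article's two settings lists (placeholder hostnames).
SP_CONFIG = {
    "issuer": "https://idp.example.com/metadata",          # SAML Issuer URL (Hudu side)
    "entity_id": "https://docs.mywebsite.com",             # Identifier / Entity ID (IdP side)
    "acs_url": "https://docs.mywebsite.com/saml/consume",  # Reply URL (IdP side)
}
KNOWN_USERS = {"alice@mywebsite.com": "Alice"}   # constructed Hudu user table
DEMO_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)  # fixed clock for the demo


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_response(xml_text):
    """Pull out the fields that each Hudu/IdP setting is checked against."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS)
    return {
        "status": root.find("samlp:Status/samlp:StatusCode", NS).get("Value"),
        "destination": root.get("Destination"),
        "issuer": assertion.findtext("saml:Issuer", namespaces=NS),
        "audience": cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS),
        "not_before": _ts(cond.get("NotBefore")),
        "not_on_or_after": _ts(cond.get("NotOnOrAfter")),
        "email": assertion.findtext("saml:Subject/saml:NameID", namespaces=NS),
    }


def check_response(fields, config, now):
    """Return the list of mismatches; an empty list means the settings line up."""
    problems = []
    if fields["status"] != SUCCESS:
        problems.append("status")
    if fields["issuer"] != config["issuer"]:
        problems.append("issuer")          # SAML Issuer URL does not match
    if fields["destination"] != config["acs_url"]:
        problems.append("destination")     # Reply URL does not match
    if fields["audience"] != config["entity_id"]:
        problems.append("audience")        # Entity ID does not match
    if not (fields["not_before"] <= now < fields["not_on_or_after"]):
        problems.append("validity window")
    return problems


def user_for_response(xml_text, config, now, known_users):
    """Return (user, problems); user is None unless every check passes."""
    fields = parse_response(xml_text)
    problems = check_response(fields, config, now)
    if problems:
        return None, problems
    user = known_users.get(fields["email"].strip().lower())  # match by email
    if user is None:
        return None, ["no Hudu user with that email"]
    return user, []


if __name__ == "__main__":
    print(user_for_response(SAMPLE_RESPONSE, SP_CONFIG, DEMO_NOW, KNOWN_USERS))
```

Run as a script it prints the matched user with an empty problem list; change any one of the three URLs in `SP_CONFIG` and the corresponding setting name shows up in the problem list instead, which is the same mismatch you would be hunting for when an SSO login fails after setup.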

Specific Identity Provider Help Articles

This help article will focus on setting up SAML in a generic way that should work with any provider that supports SAML 2.0. We have also published provider-specific articles that may be more helpful if you are using that provider for SSO.

AuthAnvil - Implementing SAML with AuthAnvil

Okta - Implementing SAML with Okta

AzureAD - Implementing SAML with AzureAD

How to enable SSO

  1. Log in to Hudu and click the Admin cog on the sidebar.
  2. Click General.
  3. Click Configure Single Sign-On.
  4. Enter SAML details. See section below on how to fill this information out.
  5. Click "Enable Single Sign-On".
  6. Hit "Update SAML Details" and SAML should now be activated.

For the Identity Provider Side:

  • Identifier (Entity ID): Enter your Hudu URL, e.g. https://docs.mywebsite.com
  • Reply URL (Assertion Consumer Service URL): Enter https://docs.mywebsite.com/saml/consume
  • Sign on URL: Enter https://docs.mywebsite.com
  • Relay State: You can skip filling this in.
  • Logout URL: Enter a URL where Hudu can redirect users after they sign out.
  • Make sure to replace docs.mywebsite.com with your own domain and subdomain. Do not add a trailing slash to the URL.

For the Hudu Side:

  • SAML Issuer URL. This is the URL that uniquely identifies your Identity Provider. It may also be called Identity Provider Entity ID, IdP Issuer, or IdP Metadata URL.
  • SAML Login Endpoint. This is the endpoint you use to log in. Also called: SSO Endpoint, Sign-on URL, Remote login URL, SSO URL, SAML 2.0 URL, Identity Provider Sign-in URL, IdP Login URL, Single Sign-On Service URL.
  • SAML Logout Endpoint. This is where we redirect you after logging out. Also called: SAML Logout URL, Trusted URL, Identity Provider Sign-out URL, Single Sign-Out Service URL.
  • SAML Fingerprint. This comes from your Identity Provider. Also called Thumbprint.
  • SAML Certificate field. This comes from your Identity Provider. It should be a base-64 encoded X.509 certificate. Make sure there is no trailing whitespace at the end!
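The Fingerprint and Certificate fields describe the same thing: the fingerprint is a hash of the DER bytes that the base-64 certificate encodes, so you can derive one from the other and catch a copy-paste mismatch before saving. The Python below is an added example, not Hudu's code; the certificate body is a constructed placeholder (the base-64 of the bytes `abc`, chosen so the SHA-1 value is a published test vector), not a real X.509 certificate, which would be a few kilobytes of base-64.

```python
"""Derive the SAML Fingerprint (thumbprint) from the certificate pasted into
Hudu and check that the two fields agree.  Added example, not Hudu's code.
CLEAN_CERT is a constructed placeholder body (base64 of b"abc"), not a real
certificate; the functions work unchanged on a real base-64 X.509 blob."""
import base64
import hashlib
import re

# Constructed: the same placeholder body, once clean and once as it often
# arrives from a copy-paste, wrapped in PEM armour with trailing whitespace.
CLEAN_CERT = "YWJj"
PASTED_CERT = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n  \n"


def normalize_certificate(text):
    """Strip PEM armour and all whitespace, leaving the bare base-64 body."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", text)
    return re.sub(r"\s+", "", body)


def has_trailing_whitespace(text):
    """The trailing-space mistake the article warns about."""
    return text != text.rstrip()


def fingerprint(text, algorithm="sha1"):
    """Colon-separated upper-case hex digest of the DER bytes, the form IdP
    consoles usually display.  validate=True rejects stray characters instead
    of silently skipping them."""
    der = base64.b64decode(normalize_certificate(text), validate=True)
    digest = hashlib.new(algorithm, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(cert_text, entered_fingerprint, algorithm="sha1"):
    """Compare the typed-in fingerprint to the pasted certificate, ignoring
    case and the colon or space separators people copy along with it."""
    wanted = re.sub(r"[^0-9A-Fa-f]", "", entered_fingerprint).upper()
    actual = fingerprint(cert_text, algorithm).replace(":", "")
    return wanted == actual


if __name__ == "__main__":
    print("trailing whitespace:", has_trailing_whitespace(PASTED_CERT))
    print("SHA-1 fingerprint:  ", fingerprint(PASTED_CERT))
    print("SHA-256 fingerprint:", fingerprint(PASTED_CERT, "sha256"))
```

Paste the certificate block from your Identity Provider in place of `PASTED_CERT` and compare the printed SHA-1 value with the Thumbprint the provider shows; if `has_trailing_whitespace` reports `True`, trim the field before saving it in Hudu.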

What should I use for the signing algorithm?

The signing algorithm (no matter the provider) should be set to SHA-1.

Testing SAML

Open an incognito window and try to access Hudu. You should be redirected to the login page, where you will see a "Use Single Sign On (SSO)" button. If you can log in successfully via this button, your SAML setup is working!

Disabling password access for non-administrators

You have the option to disable password logins for non-administrators (users that are not super admins or admins). Click "Disable Password Access for non-Admins" and all users below admin will have to use single sign on.

Admins will still be able to log in with a password via an admin sign-in page. This prevents you from being locked out of your account when your Identity Provider is unavailable.
